Re: [suse-security] SuSEfirewall2 and SMB UDP Ports
Make sure to restart the firewall after you made a change to it. Ok, that's not the problem. "rcfirewall restart" should do it... :-) (I also tried a complete restart...)
FW_SERVICE_SAMBA="no"
Same effect, as SuSEFirewall2 checks rc.config --> "Warning: detected START_SMB=yes in /etc/rc.config, enabling FW_SERVICE_SMB!".
That's the point where in /sbin/SuSEfirewall the udp ports will be enabled if it is yes. Simple way is to go there and add an interface with -i option to determine that only traffic from internal is ok.
Was a little bit late when I wrote it, so I forgot to say that I already tried this: smb.conf-->"interfaces = eth0" (same effect with 192.168.0.0/24) Thanks, Flo
Was a little bit late when I wrote it, so I forgot to say that I already tried this: smb.conf-->"interfaces = eth0" (same effect with 192.168.0.0/24)
that's only the half of the truth

you have to say

bind interfaces only = Yes

too, and then with

netstat -anp | grep -i listen

you'll see smb bound to your interface

Yours
Michael Appeldorn
| that's only the half of the truth
|
| you have to say
|
| bind interfaces only = Yes
|

That was the problem, was trying this option just as I got your mail!

Thanks a lot, Flo
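A small audit for the smb.conf pitfall resolved in the messages above, as an added example that is not part of the original thread. The function names and the two sample configurations are constructed for illustration, and the parser is simplified (no backslash line continuations, no include files).

```python
# Added example: flag an smb.conf whose [global] section sets "interfaces"
# without also enabling "bind interfaces only".

TRUE_VALUES = {"yes", "true", "on", "1"}  # boolean spellings accepted in smb.conf


def parse_global(text):
    """Return {normalized parameter name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # parameter names ignore case and embedded whitespace
            params["".join(name.split()).lower()] = value.strip()
    return params


def audit(text):
    """Return (ok, message) describing the interface binding settings."""
    params = parse_global(text)
    interfaces = params.get("interfaces")
    bind_only = params.get("bindinterfacesonly", "no").lower() in TRUE_VALUES
    if interfaces is None:
        return (False, "no 'interfaces' restriction configured")
    if not bind_only:
        return (False, "'interfaces = %s' set, but 'bind interfaces only' "
                       "is not enabled" % interfaces)
    return (True, "restricted to: %s" % interfaces)


# Constructed sample inputs, not taken from a real system.
HALF_CONFIGURED = """
[global]
   workgroup = EXAMPLE
   interfaces = eth0
"""

FULLY_CONFIGURED = HALF_CONFIGURED + "   Bind Interfaces Only = Yes\n"

if __name__ == "__main__":
    for name, conf in (("half", HALF_CONFIGURED), ("full", FULLY_CONFIGURED)):
        print(name, audit(conf))
```

After changing smb.conf and restarting Samba, the `netstat -anp | grep -i listen` check mentioned above confirms what the daemon actually bound to.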
Seems like you have this option turned on. FW_SERVICE_AUTODETECT="yes" Turn it off and you should be fine.
participants (3)
- Alex Levit
- Florian Flad
- Michael Appeldorn