[opensuse] Firewall rules for SAMBA
Hi ListMates,

Would anyone know if it's possible to create firewall rules to allow only certain IP addresses to enter my Linux server (openSUSE 12.2 x86_64) running Samba (3.6.7-48.12.1.x86_64) from outside, so that I can map Samba shares from remote locations (Windows XP)? For example, I would like to ONLY allow IP address 94.90.115.82 (ports tcp 139 & 445) and drop all other IP addresses trying to access those ports. Actually, I have 3 remote locations, so there would be 3 different IP addresses to define.

Thanks for any help. Best regards.
On 2012-11-04 13:01, Otto Rodusek wrote:
FW_TRUSTED_NETS="94.90.115.82,tcp,port1, 94.90.115.82,tcp,port2, \
94.90.115.82,tcp,port3, 94.90.115.82,tcp,port4"

I don't remember the exact ports right now, but they are four. Add all the IPs in a single line, or use the backslash, although not officially supported.

-- Cheers / Saludos,
Carlos E. R. (from 11.4 x86_64 "Celadon" (Minas Tirith))
On 4/11/12 8:48 PM, Carlos E. R. wrote:
Hi Carlos,
Thanks for the quick reply. I have made the mods to /etc/sysconfig/SuSEfirewall2; I assume this is the correct place? Will it remain there even after updates/upgrades, or will I need to make this change every time after updates?

Also, from Google the ports seem to be as follows: tcp: 139, 445 and udp: 137, 138, 139. I hope I got it right - will know after testing!!

Thanks. Otto.
On 2012-11-04 14:53, Otto Rodusek wrote:
Thanks for the quick reply. I have made the mods to /etc/sysconfig/SuSEfirewall2; I assume this is the correct place?
Yes.
It will remain there even after updates/upgrades or will I need to make this change every time after updates?
It remains. If you use the multiline syntax, it breaks on upgrades.
Also, from google the ports seem to be as follows:
tcp: 139, 445 and udp: 137, 138,139. I hope I got it right - will know after testing!! Thanks. Otto.
The numbers look familiar.

-- Cheers / Saludos,
Carlos E. R.
On Sun, Nov 4, 2012 at 8:11 AM, Carlos E. R. <robin.listas@telefonica.net> wrote:
Also, from Google the ports seem to be as follows:
tcp: 139, 445 and udp: 137, 138, 139. I hope I got it right - will know after testing!! Thanks. Otto.
The numbers look familiar.
Yes, and you can see them here, as well:

cbell@circe:~> egrep 'netbios|microsoft-ds' /etc/services
netbios-ns      137/tcp    # NETBIOS Name Service
netbios-ns      137/udp    # NETBIOS Name Service
netbios-dgm     138/tcp    # NETBIOS Datagram Service
netbios-dgm     138/udp    # NETBIOS Datagram Service
netbios-ssn     139/tcp    # NETBIOS Session Service
netbios-ssn     139/udp    # NETBIOS Session Service
microsoft-ds    445/tcp    # Microsoft-DS
microsoft-ds    445/udp    # Microsoft-DS
cbell@circe:~>

Also, your mix of which to allow for udp or tcp looks correct based on the configuration YaST provided for me on my home network with Samba, with the exception of 139 (netbios-ssn), which is only open on tcp:

cbell@circe:~> sudo /usr/sbin/iptables -L | egrep 'netbios|microsoft-ds' | grep tcp
LOG     tcp  --  anywhere  anywhere  limit: avg 3/min burst 5 tcp dpt:netbios-ssnflags: FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-TCP "
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:netbios-ssn
LOG     tcp  --  anywhere  anywhere  limit: avg 3/min burst 5 tcp dpt:microsoft-dsflags: FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-TCP "
ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:microsoft-ds
cbell@circe:~> sudo /usr/sbin/iptables -L | egrep 'netbios|microsoft-ds' | grep udp
ACCEPT  udp  --  anywhere  anywhere  PKTTYPE = broadcast udp dpt:netbios-ns
ACCEPT  udp  --  anywhere  anywhere  PKTTYPE = broadcast udp dpt:netbios-dgm
ACCEPT  udp  --  anywhere  anywhere  udp spt:netbios-ns ctstate RELATED
ACCEPT  udp  --  anywhere  anywhere  udp dpt:netbios-ns
ACCEPT  udp  --  anywhere  anywhere  udp dpt:netbios-dgm
cbell@circe:~>

(You may need to paste that into an editor or something to widen the line length).

-- Chris
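Added example (not posted by anyone in the thread): a small POSIX sh script that turns the three-site allowlist Otto asked about into the single-line FW_TRUSTED_NETS value Carlos points to, prints the raw iptables rules that line amounts to (the ACCEPTs in Chris's listing are open to "anywhere"; the allowlisted version pins each ACCEPT to a source address and puts a DROP behind it), and checks that the same ports are not also opened to the whole external zone elsewhere in the config, which would make the allowlist moot. Assumptions: 94.90.115.82 is the address from the thread; 198.51.100.7 and 203.0.113.9 are placeholders from the RFC 5737 documentation ranges standing in for the two remote sites the thread never names; the service name samba-server for FW_CONFIGURATIONS_EXT is the one the Samba package ships for YaST, included here as an assumption.

```shell
#!/bin/sh
# Added example, not posted by anyone in the thread.
# Builds the SuSEfirewall2 FW_TRUSTED_NETS allowlist for SMB/NetBIOS on one
# line, prints the raw iptables rules it amounts to, and checks that the same
# ports are not also opened to the whole external zone.
#
# Assumptions: 94.90.115.82 is the address named in the thread; 198.51.100.7
# and 203.0.113.9 are placeholders from the RFC 5737 documentation ranges,
# standing in for the two remote sites the thread never names.
TRUSTED_IPS="94.90.115.82 198.51.100.7 203.0.113.9"
SMB_TCP_PORTS="139 445"   # netbios-ssn, microsoft-ds
SMB_UDP_PORTS="137 138"   # netbios-ns, netbios-dgm (Samba does not use 139/udp)

# Dotted-quad check, done in a subshell so the caller's IFS is untouched.
# A typo here would otherwise become an entry SuSEfirewall2 silently ignores.
valid_ipv4() {
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            case $octet in ''|*[!0-9]*) exit 1 ;; esac
            [ "$octet" -le 255 ] || exit 1
        done
        exit 0
    )
}

# One "<addr>,<proto>,<port>" entry per trusted address and port, space
# separated on a single line, the form documented in the comments of
# /etc/sysconfig/SuSEfirewall2. Keeping it on one line matters: Carlos notes
# the backslash-continued form breaks on upgrades.
build_trusted_nets() {
    out=""
    for ip in $TRUSTED_IPS; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
        for p in $SMB_TCP_PORTS; do out="$out $ip,tcp,$p"; done
        for p in $SMB_UDP_PORTS; do out="$out $ip,udp,$p"; done
    done
    printf 'FW_TRUSTED_NETS="%s"\n' "${out# }"
}

# The netfilter rules the single line amounts to, printed rather than applied:
# an ACCEPT pinned to each trusted source, then a DROP for everyone else on the
# same ports. Do not run these by hand on a SuSEfirewall2 host; its generated
# chains replace ad hoc rules on the next restart.
emit_iptables() {
    for ip in $TRUSTED_IPS; do
        for p in $SMB_TCP_PORTS; do
            echo "iptables -A INPUT -p tcp -s $ip --dport $p -j ACCEPT"
        done
        for p in $SMB_UDP_PORTS; do
            echo "iptables -A INPUT -p udp -s $ip --dport $p -j ACCEPT"
        done
    done
    for p in $SMB_TCP_PORTS; do echo "iptables -A INPUT -p tcp --dport $p -j DROP"; done
    for p in $SMB_UDP_PORTS; do echo "iptables -A INPUT -p udp --dport $p -j DROP"; done
}

# Reads a SuSEfirewall2 config on stdin. The allowlist is moot if
# FW_SERVICES_EXT_TCP / FW_SERVICES_EXT_UDP already open the SMB ports to the
# external zone, or FW_CONFIGURATIONS_EXT pulls in the Samba service definition
# (assumed to be named samba-server). Returns 0 when none of them does.
# Limitation: "low:high" port ranges are not expanded, so a range covering
# 137-139 or 445 is not caught.
check_not_globally_open() {
    offending=$(grep -E '^[[:space:]]*FW_(SERVICES_EXT_TCP|SERVICES_EXT_UDP|CONFIGURATIONS_EXT)=' \
        | sed 's/^[^=]*=//; s/"//g' \
        | tr ' ' '\n' \
        | grep -E '^(13[789]|445|netbios-(ns|dgm|ssn)|microsoft-ds|samba-server)$') || true
    if [ -n "$offending" ]; then
        echo "also opened to everyone: $(echo "$offending" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

build_trusted_nets
emit_iptables
# Constructed config fragment with the mistake the check is meant to catch.
printf 'FW_SERVICES_EXT_TCP="22 139 445"\n' | check_not_globally_open \
    || echo "fix FW_SERVICES_EXT_TCP before relying on FW_TRUSTED_NETS" >&2
```

Run the check against the live file with `check_not_globally_open < /etc/sysconfig/SuSEfirewall2` before restarting the firewall. FW_TRUSTED_NETS trusts by source address only, so it depends on the remote sites really having fixed addresses, as Otto says they do; the UDP name-service rules are the spoofable part, while 139/445 over TCP at least require a completed handshake. Samba's own `hosts allow` parameter in the `[global]` section of smb.conf accepts the same address list and is a cheap second layer should the firewall config ever be regenerated without the allowlist.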
On 11/04/2012 04:01 AM, Otto Rodusek wrote:
Hi Otto,

Being "able" to do this is one thing, but the question of whether you "should" do it is another. Microsoft networking (SMB) was designed for use on local subnets, and barely worked there. I've heard that SMB doesn't do well with long round-trip packet times; maybe other protocols like WebDAV might be a better choice?

Security is another potential problem. Limiting access to specified IP addresses would certainly help, but AFAIK the traffic itself isn't encrypted. Setting up a VPN, which does encrypt traffic, would be a much safer choice.

Regards, Lew
On 5/11/12 8:20 AM, Christofer C. Bell wrote:
Hi Chris,

Thanks for this info - really useful to have and file for future reference - exactly what I needed!!

Otto.
On 5/11/12 11:10 AM, Lew Wolfgang wrote:
Hi Lew,

Yep, I have already considered all the above. Right now I have a situation where I have a user (A) that has an HP-MSR900 router with a 20Mbps synchronous (both upload/download) connection with a fixed IP address (1 Linux openSUSE 12.2 server and 8 Windows XP users), and 2 remote users (B - 1 Windows XP user) & (C - 1 Windows 7 user); both have a Cisco 881 router with a 10Mbps synchronous connection and also fixed IP addresses. I need to connect to a common database used by all users (A, B & C) on the Linux system using a Samba share, and I need to check the relative performance, so I want to set up a very simple method to perform this test.

Once completed and satisfied, I definitely plan to get a VPN in place (B --> A & C --> A) and connect the Samba share as if "locally" connected. The reason I don't do this now is that I've little expertise in setting up the Cisco routers (the Cisco GUI sucks big time and is completely unusable to set up the VPN, and as such it requires Cisco IOS CLI expertise to set up, and hence a cost involved to get that done, and until I'm satisfied with the performance I don't want to waste my customer's $$$$). I definitely want to implement a "hardware" VPN solution via the router software, versus using - say - pptpd on openSUSE, as I want as little user interaction as possible.

Again, I'd like to thank you for your comments and suggestions (which I do hope to eventually implement).

Otto.
On Sun, 2012-11-04 at 19:10 -0800, Lew Wolfgang wrote:
Being "able" to do this is one thing, but the question "should" you do it is another. Microsoft networking (SMB) was designed for use on local subnets, and barely worked there. I've heard that SMB doesn't do well with long round-trip packet times,
Indeed. We had serious problems with servers in Europe and clients in the Caribbean because of too high latency. One option is the use of TCP accelerators, which I would not recommend, as they are rather expensive and just fool the TCP protocol.

hw
participants (5)
- Carlos E. R.
- Christofer C. Bell
- Hans Witvliet
- Lew Wolfgang
- Otto Rodusek