Hi,

I set up my 10.3 firewall to 'protect firewall from internal zone'. The machine runs squid and I'm trying to get the users to authenticate themselves. I set up squid to use smb_auth but it doesn't work. When I stop the firewall, or disable 'protect firewall from internal zone', it works fine.

I tracked it down to the UDP protocol that's used by smb_auth. The squid machine sends a request to the samba-server on port 137 (or is it 139? I don't remember exactly). Samba responds from this port to the originating port. If I open that originating port in the firewall it works, but not for long. Some time later another port is used as source and the responses from samba are dropped. I tried adding samba-server to the allowed services but this does not help.

Any solution for this, besides disabling the "protection from internal zone"?

--
Kind regards,
Koenraad Lelong
Koenraad Lelong wrote:
> Hi,
>
> I set up my 10.3 firewall to 'protect firewall from internal zone'. The machine runs squid and I'm trying to get the users to authenticate themselves. I set up squid to use smb_auth but it doesn't work. When I stop the firewall, or disable 'protect firewall from internal zone', it works fine.
>
> I tracked it down to the UDP protocol that's used by smb_auth. The squid machine sends a request to the samba-server on port 137 (or is it 139? I don't remember exactly). Samba responds from this port to the originating port. If I open that originating port in the firewall it works, but not for long. Some time later another port is used as source and the responses from samba are dropped.

Correct me if I am wrong. Check your firewall log... If I remember correctly, although your squid machine initiates the connection on a semi-random port, the samba server replies to it with a specific source port. If so you can add a custom rule allowing all connections from that specific source port and from the samba server.

If what I said is false, could you please provide the firewall log that states your claim?

> I tried adding samba-server to the allowed services but this does not help. Any solution for this, besides disabling the "protection from internal zone"?

--
Rui Santos
http://www.ruisantos.com/
Veni, vidi, Linux!

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Rui Santos wrote:
> Koenraad Lelong wrote:
>> Hi, ...
>
> Correct me if I am wrong. Check your firewall log... If I remember correctly, although your squid machine initiates the connection on a semi-random port, the samba server replies to it with a specific source port. If so you can add a custom rule allowing all connections from that specific source port and from the samba server.

It's a random port from the squid/firewall machine that goes to port 137 (I checked) on the samba-server and the response is blocked/dropped.

I'll have to check how I can make such a custom rule. Never done this before.

Thanks.

--
Kind regards,
Koenraad Lelong
Koenraad Lelong wrote:
> Rui Santos wrote:
>> Koenraad Lelong wrote:
>>> Hi, ...
>>
>> Correct me if I am wrong. Check your firewall log... If I remember correctly, although your squid machine initiates the connection on a semi-random port, the samba server replies to it with a specific source port. If so you can add a custom rule allowing all connections from that specific source port and from the samba server.
>
> It's a random port from the squid/firewall machine that goes to port 137 (I checked) on the samba-server and the response is blocked/dropped.

This is also what I stated. What I asked you to confirm is whether the response from the samba-server has a specific source port, mentioned in the firewall log as SPT. So, you have to look in your firewall log for something like

SRC=<samba-server IP> PROTO=UDP SPT=<specific port>

If you still cannot advance, please continue by showing the firewall log file. There has to be a solution...

> I'll have to check how I can make such a custom rule. Never done this before.
>
> Thanks.

--
Rui Santos
http://www.ruisantos.com/
Veni, vidi, Linux!
Rui Santos wrote:
> Koenraad Lelong wrote:
>> Rui Santos wrote:
>>> Koenraad Lelong wrote:
>>>> Hi, ...
>>>
>>> Correct me if I am wrong. Check your firewall log... If I remember correctly, although your squid machine initiates the connection on a semi-random port, the samba server replies to it with a specific source port. If so you can add a custom rule allowing all connections from that specific source port and from the samba server.
>>
>> It's a random port from the squid/firewall machine that goes to port 137 (I checked) on the samba-server and the response is blocked/dropped.
>
> This is also what I stated. What I asked you to confirm is whether the response from the samba-server has a specific source port, mentioned in the firewall log as SPT. So, you have to look in your firewall log for something like
>
> SRC=<samba-server IP> PROTO=UDP SPT=<specific port>

Jul 9 15:21:06 lace3 kernel: SFW2-INint-DROP-DEFLT IN=bond0 OUT= MAC=00:1e:0b:bd:d3:62:00:0f:3d:f3:09:dd:08:00 SRC=192.168.0.4 DST=192.168.0.5 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1220 LEN=70

That's what I checked. SRC=samba-server DST=squid.

> If you still cannot advance, please continue by showing the firewall log file. There has to be a solution...
>
>> I'll have to check how I can make such a custom rule. Never done this before.
>>
>> Thanks.

--
Kind regards,
Koenraad Lelong
Koenraad Lelong wrote:
> Rui Santos wrote:
>> Koenraad Lelong wrote:
>>> Rui Santos wrote:
>>>> Koenraad Lelong wrote:
>>>>> Hi, ...
>>>>
>>>> Correct me if I am wrong. Check your firewall log... If I remember correctly, although your squid machine initiates the connection on a semi-random port, the samba server replies to it with a specific source port. If so you can add a custom rule allowing all connections from that specific source port and from the samba server.
>>>
>>> It's a random port from the squid/firewall machine that goes to port 137 (I checked) on the samba-server and the response is blocked/dropped.
>>
>> This is also what I stated. What I asked you to confirm is whether the response from the samba-server has a specific source port, mentioned in the firewall log as SPT. So, you have to look in your firewall log for something like
>>
>> SRC=<samba-server IP> PROTO=UDP SPT=<specific port>
>
> Jul 9 15:21:06 lace3 kernel: SFW2-INint-DROP-DEFLT IN=bond0 OUT= MAC=00:1e:0b:bd:d3:62:00:0f:3d:f3:09:dd:08:00 SRC=192.168.0.4 DST=192.168.0.5 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1220 LEN=70
>
> That's what I checked. SRC=samba-server DST=squid.

Great... That was what I had anticipated in my first email...

Now you have two options:

1) Use YaST -> Security and Users -> Firewall -> Custom Rules -> Firewall Zone: Internal -> Add a source 192.168.0.4 with UDP protocol with source port 127.

2) Place FW_SERVICES_ACCEPT_INT="192.168.0.4,udp,,127" into /etc/sysconfig/SuSEfirewall2 and restart your SuSE firewall with rcSuSEfirewall2 restart

Hope it helps...

Rui

>> If you still cannot advance, please continue by showing the firewall log file. There has to be a solution...
>>
>>> I'll have to check how I can make such a custom rule. Never done this before.
>>>
>>> Thanks.

--
Rui Santos
http://www.ruisantos.com/
Veni, vidi, Linux!
Rui Santos wrote:
> Koenraad Lelong wrote:
>> Rui Santos wrote:
>>> Koenraad Lelong wrote:
>>>> Rui Santos wrote:
>>>>> Koenraad Lelong wrote:
>>>>>> Hi, ...
>>>>>
>>>>> Correct me if I am wrong. Check your firewall log... If I remember correctly, although your squid machine initiates the connection on a semi-random port, the samba server replies to it with a specific source port. If so you can add a custom rule allowing all connections from that specific source port and from the samba server.
>>>>
>>>> It's a random port from the squid/firewall machine that goes to port 137 (I checked) on the samba-server and the response is blocked/dropped.
>>>
>>> This is also what I stated. What I asked you to confirm is whether the response from the samba-server has a specific source port, mentioned in the firewall log as SPT. So, you have to look in your firewall log for something like
>>>
>>> SRC=<samba-server IP> PROTO=UDP SPT=<specific port>
>>
>> Jul 9 15:21:06 lace3 kernel: SFW2-INint-DROP-DEFLT IN=bond0 OUT= MAC=00:1e:0b:bd:d3:62:00:0f:3d:f3:09:dd:08:00 SRC=192.168.0.4 DST=192.168.0.5 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1220 LEN=70
>>
>> That's what I checked. SRC=samba-server DST=squid.
>
> Great... That was what I had anticipated in my first email...
>
> Now you have two options:
>
> 1) Use YaST -> Security and Users -> Firewall -> Custom Rules -> Firewall Zone: Internal -> Add a source 192.168.0.4 with UDP protocol with source port 137.
>
> 2) Place FW_SERVICES_ACCEPT_INT="192.168.0.4,udp,,137" into /etc/sysconfig/SuSEfirewall2 and restart your SuSE firewall with rcSuSEfirewall2 restart

It should be port 137 instead of 127. Bad typo... sorry...

> Hope it helps...
>
> Rui
>
>>> If you still cannot advance, please continue by showing the firewall log file. There has to be a solution...
>>>
>>>> I'll have to check how I can make such a custom rule. Never done this before.
>>>>
>>>> Thanks.

--
Rui Santos
http://www.ruisantos.com/
Veni, vidi, Linux!
Rui Santos wrote:
> Now you have two options:
>
> 1) Use YaST -> Security and Users -> Firewall -> Custom Rules -> Firewall Zone: Internal -> Add a source 192.168.0.4 with UDP protocol with source port 127.
>
> 2) Place FW_SERVICES_ACCEPT_INT="192.168.0.4,udp,,127" into /etc/sysconfig/SuSEfirewall2 and restart your SuSE firewall with rcSuSEfirewall2 restart

It's a long while since I did anything like this ... but doesn't that open the proxy to attack on any other UDP port, as long as the attacker uses port 127 on his machine? IIRC one solution is to match the incoming packet against the original outgoing one. Does SuSEfirewall have that sort of capability, or some alternative?

Cheers, Dave
Dave Howorth wrote:
> Rui Santos wrote:
>> Now you have two options:
>>
>> 1) Use YaST -> Security and Users -> Firewall -> Custom Rules -> Firewall Zone: Internal -> Add a source 192.168.0.4 with UDP protocol with source port 127.
>>
>> 2) Place FW_SERVICES_ACCEPT_INT="192.168.0.4,udp,,127" into /etc/sysconfig/SuSEfirewall2 and restart your SuSE firewall with rcSuSEfirewall2 restart
>
> It's a long while since I did anything like this ... but doesn't that open the proxy to attack on any other UDP port, as long as the attacker uses port 127 on his machine? IIRC one solution is to match the incoming packet against the original outgoing one. Does SuSEfirewall have that sort of capability, or some alternative?

I don't think so. The firewall will only accept packets originating from IP 192.168.0.4. All other IPs are rejected/dropped... The syntax is "SOURCE_IP,PROTOCOL,DPORT,SPORT"

> Cheers, Dave

--
Rui Santos
http://www.ruisantos.com/
Veni, vidi, Linux!
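Putting Rui's two steps together (find the SRC/PROTO/SPT drop line, then write the FW_SERVICES_ACCEPT_INT entry in the SOURCE_IP,PROTOCOL,DPORT,SPORT syntax), here is an added Python example; it is not from the thread or from SuSEfirewall2 itself. It parses constructed SFW2 log lines (the first is the one Koenraad posted, the second is made up), emits an entry only for UDP replies from the samba server's port 137, and checks Dave's point that the entry is pinned to one source host. Assumed: several entries in the sysconfig value are space separated, and the helper names are my own.

```python
import ipaddress
import re

# Constructed sample: line 1 is the drop Koenraad posted; line 2 is made up
# here (another host sending from port 137) and must NOT become a rule.
SAMPLE_LOG = """\
Jul 9 15:21:06 lace3 kernel: SFW2-INint-DROP-DEFLT IN=bond0 OUT= MAC=00:1e:0b:bd:d3:62:00:0f:3d:f3:09:dd:08:00 SRC=192.168.0.4 DST=192.168.0.5 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1220 LEN=70
Jul 9 15:22:41 lace3 kernel: SFW2-INint-DROP-DEFLT IN=bond0 OUT= MAC=00:1e:0b:bd:d3:62:00:0f:3d:f3:09:de:08:00 SRC=192.168.0.77 DST=192.168.0.5 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1221 LEN=70
"""
KV = re.compile(r"(\w+)=(\S*)")

def parse_sfw2_line(line: str):
    """KEY=VALUE fields of one SuSEfirewall2 kernel log line plus the SFW2
    chain tag (e.g. INint-DROP-DEFLT); None if it is not an SFW2 record."""
    m = re.search(r"SFW2-(\S+)", line)
    if not m:
        return None
    rec = dict(KV.findall(line[m.end():]))  # the second LEN= (UDP) wins
    rec["chain"] = m.group(1)
    return rec

def accept_int_entry(rec: dict) -> str:
    """Entry in the SOURCE_IP,PROTOCOL,DPORT,SPORT syntax Rui quoted; DPORT
    stays empty because the port smb_auth queries from changes every time."""
    return f"{rec['SRC']},{rec['PROTO'].lower()},,{rec['SPT']}"

def rules_for_samba_replies(log_text: str, samba_ip: str, sport: str = "137") -> list:
    """Entries needed so that dropped UDP replies from the samba server's
    name-service port are accepted; other hosts and ports stay dropped."""
    entries = set()
    for line in log_text.splitlines():
        rec = parse_sfw2_line(line)
        if rec is None or "DROP" not in rec["chain"]:
            continue
        if (rec.get("SRC"), rec.get("PROTO"), rec.get("SPT")) == (samba_ip, "UDP", sport):
            entries.add(accept_int_entry(rec))
    return sorted(entries)

def rule_is_source_scoped(entry: str) -> bool:
    """Dave's concern: a source-port-only rule would admit any host that
    sends from port 137. True only if SOURCE_IP pins one host (not empty,
    not the 0/0 'anywhere' wildcard)."""
    src = entry.split(",")[0]
    if src in ("", "0/0"):
        return False
    return ipaddress.ip_network(src, strict=False).num_addresses == 1

def sysconfig_line(entries: list) -> str:
    """The /etc/sysconfig/SuSEfirewall2 setting; entries assumed space separated."""
    return 'FW_SERVICES_ACCEPT_INT="%s"' % " ".join(entries)
```

Running rules_for_samba_replies(SAMPLE_LOG, "192.168.0.4") through sysconfig_line gives exactly the corrected line Rui posted, and rule_is_source_scoped confirms it is tied to the samba server alone.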
Rui Santos wrote:
> I don't think so. The firewall will only accept packets originating from IP 192.168.0.4. All other IPs are rejected/dropped... The syntax is "SOURCE_IP,PROTOCOL,DPORT,SPORT"

Ah, true. It's just the samba server responding, not every box on the network. That's alright, then :)

Cheers, Dave