Samba Firewall Issue with Allowing Highports
I had a problem in which some of my machines couldn't see any workgroups on my network without disabling the firewall or setting FW_ALLOW_INCOMING_HIGHPORTS_UDP to yes. The log entries that showed up each time look similar to this:

SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:10:b5:8d:af:fb:00:0c:6e:63:11:af:08:00 SRC=192.168.0.2 DST=192.168.0.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=139 DF PROTO=UDP SPT=137 DPT=1028 LEN=70

I don't want to disable my firewall, and the FW_ALLOW_INCOMING_HIGHPORTS_UDP option is deprecated and will soon be taken out. Is there another solution to this problem?
On Saturday 22 April 2006 14:47, Andres Mejia wrote:
I had a problem in which some of my machines can't see any workgroups on my network...
Hi Andre,

I gather from your brief description that you're running different versions on these machines... i.e. a mix of, say, 9.x to 10.0?

I seem to recall configuring the samba client on earlier systems... maybe 8.2/9.0/9.1/9.2... and I did *not* have this problem but (again, I *think*) at 9.3 and now 10.0 I must drop the firewall to configure the samba client (to 'browse' to and select the local workgroup) as well as to access it, once configured.

Does this sound like the same problem?

regards,
Carl
They're all 10.0 machines. I found another solution already. There's an option in sysconfig for setting trusted nets in the firewall. FW_TRUSTED_NETS is what it's called. I set all my machines with this option. I'm going to use this option instead of allowing all highports through the firewall. Thanks.

On Saturday 22 April 2006 23:01, Carl Hartung wrote:
On Saturday 22 April 2006 14:47, Andres Mejia wrote:
I had a problem in which some of my machines can't see any workgroups on my network...
Hi Andre,
I gather from your brief description that you're running different versions on these machines... i.e. a mix of, say, 9.x to 10.0?
I seem to recall configuring the samba client on earlier systems... maybe 8.2/9.0/9.1/9.2... and I did *not* have this problem but (again, I *think*) at 9.3 and now 10.0 I must drop the firewall to configure the samba client (to 'browse' to and select the local workgroup) as well as to access it, once configured.
Does this sound like the same problem?
regards,
Carl
On Sunday 23 April 2006 09:33, Andres Mejia wrote:
They're all 10.0 machines. I found another solution already. There's an option in sysconfig for setting trusted nets in the firewall. FW_TRUSTED_NETS is what it's called. I set all my machines with this option. I'm going to use this option instead of allowing all highports through the firewall.
Would you mind sharing the settings that worked for you? I just tried the following (points to a single local M$ box) and Konqueror is still unable to find the workgroup "WORKGROUP" when the firewall is up.

192.168.1.45,tcp,udp,139,445

regards,
Carl
On Sunday 23 April 2006 10:21, Carl Hartung wrote:
... Konqueror is still unable to find the workgroup "WORKGROUP" when the firewall is up.
Addendum: Konqueror doesn't find the workgroup but it *does* gain access to the host using "smb://192.168.1.45/" :-) I can live with that! Thanks, Andres!

Carl
On 23/04/06 08:21, Carl Hartung wrote:
On Sunday 23 April 2006 09:33, Andres Mejia wrote:
They're all 10.0 machines. I found another solution already. There's an option in sysconfig for setting trusted nets in the firewall. FW_TRUSTED_NETS is what it's called. I set all my machines with this option. I'm going to use this option instead of allowing all highports through the firewall.
Would you mind sharing the settings that worked for you? I just tried the following (points to a single local M$ box) and Konqueror is still unable to find the workgroup "WORKGROUP" when the firewall is up.
192.168.1.45,tcp,udp,139,445
In general:

FW_SERVICES_INT_TCP="microsoft-ds netbios-dgm netbios-ns netbios-ssn"
FW_SERVICES_INT_UDP="netbios-ns"

and on any samba server:

FW_ALLOW_FW_BROADCAST_INT="netbios-ns"

Setting TRUSTED_NETS will open the ports on all network interfaces, and it is certainly not necessary to open -all- highports for UDP.

FYI, the port numbers are (see /etc/services):

netbios-ns 137
netbios-dgm 138
netbios-ssn 139
microsoft-ds 445
On Sunday 23 April 2006 14:25, Darryl Gregorash wrote:
In general:
FW_SERVICES_INT_TCP="microsoft-ds netbios-dgm netbios-ns netbios-ssn"
FW_SERVICES_INT_UDP="netbios-ns"
and on any samba server:
FW_ALLOW_FW_BROADCAST_INT="netbios-ns"
Setting TRUSTED_NETS will open the ports on all network interfaces, and it is certainly not necessary to open -all- highports for UDP.
FYI, the port numbers are (see /etc/services):

netbios-ns 137
netbios-dgm 138
netbios-ssn 139
microsoft-ds 445
Thanks, Darryl! I know this information is readily available but it somehow seemed to elude me whenever I tried to find it. Much appreciated!

Carl
On Sunday 23 April 2006 14:25, Darryl Gregorash wrote:
In general:
FW_SERVICES_INT_TCP="microsoft-ds netbios-dgm netbios-ns netbios-ssn"
FW_SERVICES_INT_UDP="netbios-ns"
Don't you mean FW_SERVICES_EXT_TCP and FW_SERVICES_EXT_UDP? Also, netbios-dgm is a UDP protocol.
and on any samba server:
FW_ALLOW_FW_BROADCAST_INT="netbios-ns"
Setting TRUSTED_NETS will open the ports on all network interfaces, and it is certainly not necessary to open -all- highports for UDP.
Here was my problem.

SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:10:b5:8d:af:fb:00:0c:6e:63:11:af:08:00 SRC=192.168.0.2 DST=192.168.0.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=139 DF PROTO=UDP SPT=137 DPT=1028 LEN=70

Packets were being dropped because of the destination ports that were being chosen. Here you see DPT=1028, but I saw ports being randomly picked between 1024 and 1030.
On Sunday 23 April 2006 15:43, Andres Mejia wrote:
FW_SERVICES_INT_TCP="microsoft-ds netbios-dgm netbios-ns netbios-ssn"
FW_SERVICES_INT_UDP="netbios-ns"
Don't you mean FW_SERVICES_EXT_TCP and FW_SERVICES_EXT_UDP? Also, netbios-dgm is a UDP protocol.
You may be right, Andres (my eyes are weary and blurring already!) but I entered what Darryl posted and I've now got complete access to the M$ box with SuSEFirewall2 up. I'm able to browse to it in GNOME using both Nautilus (network icon > host icon) and Konqueror (smb://workgroup). Thanks to both of you!

Carl
On 23/04/06 13:43, Andres Mejia wrote:
SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:10:b5:8d:af:fb:00:0c:6e:63:11:af:08:00 SRC=192.168.0.2 DST=192.168.0.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=139 DF PROTO=UDP SPT=137 DPT=1028 LEN=70
Packets were being dropped because of the destination ports that were being chosen. Here you see DPT=1028, but I saw ports being randomly picked between 1024 and 1030.
You've never said which machine this was taken from, but I am certain it is from your client machine. It is also a unicast packet, so it is certainly in response to something else that was already sent by that machine -- a samba server simply just does not emit an arbitrary unicast message on port 137 with some arbitrary port as the destination.

It is absolutely impossible to know why any particular network packet was dropped without knowing all the details of the firewall configuration. What do you get from running this on the client machine:

iptables-save |grep -i input_ext
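Added example, not code from the thread, from SuSEfirewall2 or from Samba: a small decoder for the SFW2 log lines under discussion, tying together Darryl's point above (the packet is a unicast reply, so something on this host asked for it) with the port table and FW_SERVICES_* variables he posted earlier. The log prefix names the INPUT chain that dropped the packet (SFW2-INext-* is input_ext, SFW2-INint-* is input_int), which is why the zone in the variable name matters, as Andres asks. A NetBIOS browse query is sent to the subnet broadcast address, so the unicast answer from whichever host responds (source port 137) does not match the connection-tracking entry of the outgoing query and arrives as a new inbound packet into the querier's ephemeral port range; that is the SPT=137 DPT=1028 pattern in Andres's log. The script only reports which kind of drop a line is and which settings the thread describes for it; it makes no claim about how SuSEfirewall2 implements them. The first sample line is the one Andres posted; the second TCP line is constructed; the /24 broadcast check and the function names are my assumptions.

```python
"""Decode SuSEfirewall2 (SFW2) kernel-log drops for NetBIOS/SMB traffic.

Added example for this thread, not code from SuSEfirewall2 or Samba. It parses
lines like the one Andres posted ("SFW2-INext-DROP-DEFLT IN=eth0 ... PROTO=UDP
SPT=137 DPT=1028 ...") and reports which zone chain dropped the packet, which
/etc/services names the ports carry, and whether the packet is a request to a
service on this host or a NetBIOS reply landing in the ephemeral port range.
"""
import re

# Port numbers as quoted in the thread from /etc/services.
SERVICES = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn", 445: "microsoft-ds"}

# The log prefix names the INPUT chain that dropped the packet:
# SFW2-INext-* is input_ext, SFW2-INint-* is input_int, SFW2-INdmz-* is input_dmz.
PREFIX_RE = re.compile(r"SFW2-IN(?P<zone>ext|int|dmz)-(?P<verdict>[A-Z]+)")
KEY_VALUE_RE = re.compile(r"\b([A-Z]+)=(\S+)")

# The exact line from the thread; the machine logging it is 192.168.0.101.
THREAD_LINE = (
    "SFW2-INext-DROP-DEFLT IN=eth0 OUT= "
    "MAC=00:10:b5:8d:af:fb:00:0c:6e:63:11:af:08:00 "
    "SRC=192.168.0.2 DST=192.168.0.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=139 DF PROTO=UDP SPT=137 DPT=1028 LEN=70"
)


def parse_sfw2(line):
    """Return the packet fields of an SFW2 INPUT-chain log line, or None for other lines."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields, lengths = {}, []
    for key, value in KEY_VALUE_RE.findall(line):
        if key == "LEN":
            # LEN appears twice on UDP lines: IP total length first, UDP length second.
            lengths.append(int(value))
        else:
            fields[key] = value
    return {
        "zone": m.group("zone"),
        "verdict": m.group("verdict"),
        "iface": fields.get("IN"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "ip_len": lengths[0] if lengths else None,
        "l4_len": lengths[1] if len(lengths) > 1 else None,
    }


def classify(pkt):
    """Say what the dropped packet is and which SuSEfirewall2 variable is the relevant knob."""
    zone, proto, spt, dpt = pkt["zone"].upper(), pkt["proto"], pkt["spt"], pkt["dpt"]
    if proto not in ("TCP", "UDP") or spt is None or dpt is None:
        return {"kind": "other", "service": None, "setting": None}
    # Assumption: the LANs in the thread are /24s, so x.y.z.255 is the subnet broadcast.
    unicast = not (pkt["dst"] or "").endswith(".255")
    if dpt in SERVICES:
        # A request aimed at a NetBIOS/SMB service on this host. The destination
        # port is what FW_SERVICES_<zone>_<proto> opens, and the zone must match
        # the chain in the log: an input_ext drop needs the EXT variable.
        return {
            "kind": "request_to_local_service",
            "service": SERVICES[dpt],
            "setting": 'FW_SERVICES_%s_%s="%s"' % (zone, proto, SERVICES[dpt]),
        }
    if spt in SERVICES and dpt >= 1024 and unicast:
        # The pattern in the thread: a unicast answer from a peer's netbios-ns
        # (source port 137) into this host's ephemeral range (1024-1030 observed).
        # The browse query went to the subnet broadcast address, so the unicast
        # reply does not match the conntrack entry of the outgoing query and is
        # treated as a new inbound packet. The two settings reported working in
        # the thread are FW_TRUSTED_NETS for the LAN and listing the service in
        # FW_SERVICES_*; neither opens all high UDP ports.
        return {
            "kind": "netbios_reply_to_ephemeral_port",
            "service": SERVICES[spt],
            "setting": "FW_TRUSTED_NETS=<lan>/24 or %s in FW_SERVICES_%s_%s"
            % (SERVICES[spt], zone, proto),
        }
    return {"kind": "other", "service": None, "setting": None}


if __name__ == "__main__":
    # Second line is constructed: a TCP SYN to port 139 dropped on the internal zone.
    samples = [
        THREAD_LINE,
        "SFW2-INint-DROP-DEFLT IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
        "SRC=192.168.0.5 DST=192.168.0.101 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF "
        "PROTO=TCP SPT=1052 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0",
        "Apr 23 10:21:00 host kernel: some unrelated message",
    ]
    for line in samples:
        pkt = parse_sfw2(line)
        if pkt is None:
            print("not an SFW2 INPUT log line")
            continue
        verdict = classify(pkt)
        print("%s:%s -> %s:%s (%s, zone %s): %s; %s" % (
            pkt["src"], pkt["spt"], pkt["dst"], pkt["dpt"], pkt["proto"],
            pkt["zone"], verdict["kind"], verdict["setting"]))
```

Run it against `grep SFW2 /var/log/messages` output to sort drops into requests to this host (fix the zone-specific FW_SERVICES variable) and NetBIOS replies to ephemeral ports (the case in this thread). A TCP line carries only one LEN, so `l4_len` is None for it; a line logged by a FORWARD or OUTPUT chain is not an INPUT drop and is reported as not parsed.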
Here's what I got. I placed it in an attachment.

On Sunday 23 April 2006 18:32, Darryl Gregorash wrote:
On 23/04/06 13:43, Andres Mejia wrote:
SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:10:b5:8d:af:fb:00:0c:6e:63:11:af:08:00 SRC=192.168.0.2 DST=192.168.0.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=139 DF PROTO=UDP SPT=137 DPT=1028 LEN=70
Packets were being dropped because of the destination ports that were being chosen. Here you see DPT=1028, but I saw ports being randomly picked between 1024 and 1030.
You've never said which machine this was taken from, but I am certain it is from your client machine. It is also a unicast packet, so it is certainly in response to something else that was already sent by that machine -- a samba server simply just does not emit an arbitrary unicast message on port 137 with some arbitrary port as the destination.
It is absolutely impossible to know why any particular network packet was dropped without knowing all the details of the firewall configuration. What do you get from running this on the client machine:
iptables-save |grep -i input_ext
On 23/04/06 16:59, Andres Mejia wrote:
Here's what I got. I placed it in an attachment.
OK, I can't see what is wrong just from this output. Please forward privately your file /etc/sysconfig/SuSEfirewall2 together with the complete output of:

iptables-save
/sbin/SuSEfirewall2 debug |grep -v ip6

I will summarize anything I find to the list.
I set 192.168.0.0/24 in FW_TRUSTED_NETS to allow all machines on my network to pass through the firewall. In your case, I think you're going to need to set it to 192.168.1.0/24.

v/r,
Andres

On Sunday 23 April 2006 10:21, Carl Hartung wrote:
Would you mind sharing the settings that worked for you? I just tried the following (points to a single local M$ box) and Konqueror is still unable to find the workgroup "WORKGROUP" when the firewall is up.
192.168.1.45,tcp,udp,139,445
regards,
Carl
participants (3)
- Andres Mejia
- Carl Hartung
- Darryl Gregorash