[opensuse] samba ports and SuSEfirewall2
I have written a /etc/smb.conf to connect to a multimedia NAS (please don't laugh. I know nothing about Samba):

[global]
workgroup = MSHOME
security = share

[lynnsmb]
path = /home/lsmb
public = yes
guest ok = yes
read only = no
browseable = yes

I have SuSEfirewall2 running with ports 135 137 138 139 and 445 (found by Googling) open, but it won't connect to me. The NAS gives me a password prompt. With the firewall _disabled_ it connects fine without a password and enables me to watch films and listen to mp3's etc. which are stored on my laptop. Neither /var/log/warn nor /var/log/messages nor /var/log/firewall give any clue. Could someone tell me which ports I need to open?

L x

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
I have SuSEfirewall2 running with ports 135 137 138 139 and 445 (found by Googling) open, but it won't connect to me. The NAS gives me a password prompt. With the firewall _disabled_ it connects fine without a password and enables me to watch films and listen to mp3's etc. which are stored on my laptop. Neither /var/log/warn nor /var/log/messages nor /var/log/firewall give any clue. Could someone tell me which ports I need to open?
L x
In Yast2 firewall add samba services, server and client. It should open them up for you. That's what I have on my linux machine. BUT... If I'm reading your e-mail right... you're trying to connect to the NAS. So if the NAS is where you're installing the samba services, then make sure you also add users and machines using smbpasswd on that machine. Check out http://samba.org/samba/docs/man/Samba-HOWTO-Collection/ for a samba howto.

--
Michael S. Dunsavage
On Tuesday, 2009-04-07 at 14:17 +0200, lynn wrote:
I have SuSEfirewall2 running with ports 135 137 138 139 and 445 (found by Googling) open, but it won't connect to me.
How exactly are they opened?
The NAS gives me a password prompt. With the firewall _disabled_ it connects fine without a password and enables me to watch films and listen to mp3's etc. which are stored on my laptop. Neither /var/log/warn nor /var/log/messages nor /var/log/firewall give any clue. Could someone tell me which ports I need to open?
I use the following config:

FW_TRUSTED_NETS="192.168.1.X,tcp,microsoft-ds \
192.168.1.X,tcp,netbios-ssn \
192.168.1.X,udp,netbios-dgm \
192.168.1.X,udp,netbios-ns"

Substitute the IP for that of your device, of course. This should work for the device to connect to your computer, and it is not the only method.

--
Cheers,
Carlos E. R.
On Tuesday 07 April 2009 15:29:48 Carlos E. R. wrote:
"192.168.1.X,tcp,microsoft-ds \
192.168.1.X,tcp,netbios-ssn \
192.168.1.X,udp,netbios-dgm \
192.168.1.X,udp,netbios-ns"
Tried that too with the IP of the NAS, restarted SuSEfirewall2. Still the NAS can't connect to me. It will only connect when the firewall is turned off, so it must be something to do with the firewall on my laptop, no? Still nothing in the logs.

Saludos,
L x
On Tuesday, 2009-04-07 at 16:37 +0200, lynn wrote:
On Tuesday 07 April 2009 15:29:48 Carlos E. R. wrote:
"192.168.1.X,tcp,microsoft-ds \
192.168.1.X,tcp,netbios-ssn \
192.168.1.X,udp,netbios-dgm \
192.168.1.X,udp,netbios-ns"
Tried that too with the IP of the NAS, restarted SuSEfirewall2. Still the NAS can't connect to me. It will only connect when the firewall is turned off, so it must be something to do with the firewall on my laptop, no? Still nothing in the logs.
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"

That should log everything.

Also, you can try using "iptraf". It is a text app which can show all connections, attempted or successful, with ports. Better stop everything else using the network, or it will be difficult to spot what you are looking for.

--
Cheers,
Carlos E. R.
On Tuesday 07 April 2009 17:03:08 Carlos E. R. wrote:
On Tuesday, 2009-04-07 at 16:37 +0200, lynn wrote:
On Tuesday 07 April 2009 15:29:48 Carlos E. R. wrote:
"192.168.1.X,tcp,microsoft-ds \
192.168.1.X,tcp,netbios-ssn \
192.168.1.X,udp,netbios-dgm \
192.168.1.X,udp,netbios-ns"
Tried that too with the IP of the NAS, restarted SuSEfirewall2. Still the NAS can't connect to me. It will only connect when the firewall is turned off, so it must be something to do with the firewall on my laptop, no? Still nothing in the logs.
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"
That should log everything.
Also, you can try using "iptraf". It is a text app which can show all connections, attempted or successful, with ports. Better stop everything else using the network, or it will be difficult to spot what you are looking for.
-- Cheers, Carlos E. R.
Hi, it logs this:

Apr 7 18:25:38 hh2 kernel: SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:12:f0:06:9c:da:00:21:27:cb:46:4e:08:00 SRC=192.168.1.4 DST=192.168.1.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=27065 DF PROTO=TCP SPT=445 DPT=53667 WINDOW=7240
Apr 7 18:29:11 hh2 kernel: SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:12:f0:06:9c:da:00:21:91:1a:a5:e8:08:00 SRC=217.70.240.135 DST=192.168.1.3 LEN=122 TOS=0x00 PREC=0x00 TTL=59 ID=35663 DF PROTO=UDP SPT=53 DPT=41184 LEN=102

192.168.1.3 is my laptop, 1.4 the NAS and 217.70.240.135 my external IP. I just opened port 33 too. I have your stuff still in place in the firewall script. Still it can't connect to me.

Cheers,
Lynn x
On Tuesday, 2009-04-07 at 18:40 +0200, lynn wrote:
"192.168.1.X,tcp,microsoft-ds \
192.168.1.X,tcp,netbios-ssn \
192.168.1.X,udp,netbios-dgm \
192.168.1.X,udp,netbios-ns"
Apr 7 18:25:38 hh2 kernel: SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:12:f0:06:9c:da:00:21:27:cb:46:4e:08:00 SRC=192.168.1.4 DST=192.168.1.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=27065 DF PROTO=TCP SPT=445 DPT=53667 WINDOW=7240
445 is microsoft-ds, which is already opened by the rule above. I don't know what -EST is, but the -ACC means that the packet was accepted, not stopped.
Apr 7 18:29:11 hh2 kernel: SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:12:f0:06:9c:da:00:21:91:1a:a5:e8:08:00 SRC=217.70.240.135 DST=192.168.1.3 LEN=122 TOS=0x00 PREC=0x00 TTL=59 ID=35663 DF PROTO=UDP SPT=53 DPT=41184 LEN=102
From the internet to your laptop, accepted. Not related.
just opened port 33 too. I have your stuff still in place in the firewall script. Still it can't connect to me.
Then use ethereal aka wireshark to debug the connection.

--
Cheers,
Carlos E. R.
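As an added example (not code from the thread or from SuSEfirewall2), here is a small parser for the SFW2 kernel log lines Carlos reads above: it pulls the zone, verdict and rule tag out of the prefix, extracts the packet fields, tells whether either end of the packet is a Samba port, and lists the entries the firewall dropped rather than accepted, which is what one actually wants from FW_LOG_DROP_ALL. It assumes the prefix layout SFW2-<zone>-<verdict>-<rule tag>; the two ACC lines are the ones quoted in the thread, the DROP line is constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed prefix layout: SFW2-<zone>-<verdict>-<rule tag>, e.g. SFW2-IN-ACC-EST
PREFIX_RE = re.compile(
    r"SFW2-(?P<zone>[A-Za-z]+)-(?P<verdict>[A-Z]+)(?:-(?P<tag>[A-Z]+))?\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # KEY=value pairs; flags like "DF" have no "="

# The Samba ports discussed in the thread, keyed by (protocol, port).
SAMBA_PORTS = {
    ("tcp", 139): "netbios-ssn",
    ("tcp", 445): "microsoft-ds",
    ("udp", 137): "netbios-ns",
    ("udp", 138): "netbios-dgm",
}


@dataclass
class Event:
    zone: str
    verdict: str          # ACC, DROP, ...
    tag: Optional[str]    # rule tag after the verdict (EST, DEFLT, ...)
    src: str
    dst: str
    proto: str            # lower-case: tcp / udp / icmp
    spt: Optional[int]
    dpt: Optional[int]

    def samba_service(self) -> Optional[str]:
        """Name of the Samba service involved, if either end is a Samba port."""
        for port in (self.dpt, self.spt):
            name = SAMBA_PORTS.get((self.proto, port))
            if name:
                return name
        return None


def parse_sfw2(line: str) -> Optional[Event]:
    """Parse one syslog line; return None for lines that are not SFW2 entries."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    # UDP lines carry LEN= twice (IP and UDP length); the second wins, which is fine here.

    def port(key: str) -> Optional[int]:
        value = fields.get(key, "")
        return int(value) if value.isdigit() else None

    return Event(
        zone=m.group("zone"),
        verdict=m.group("verdict"),
        tag=m.group("tag"),
        src=fields.get("SRC", ""),
        dst=fields.get("DST", ""),
        proto=fields.get("PROTO", "").lower(),
        spt=port("SPT"),
        dpt=port("DPT"),
    )


def blocked_samba(lines: List[str]) -> List[Event]:
    """Events where the firewall did NOT accept a packet on a Samba port."""
    out = []
    for line in lines:
        ev = parse_sfw2(line)
        if ev and ev.verdict != "ACC" and ev.samba_service():
            out.append(ev)
    return out


# The two lines lynn posted (accepted), plus one constructed DROP of a
# NetBIOS name-query broadcast from the NAS (the case the thread is hunting for).
LINE_TCP_ACCEPTED = ("Apr 7 18:25:38 hh2 kernel: SFW2-IN-ACC-EST IN=eth0 OUT= "
                     "MAC=00:12:f0:06:9c:da:00:21:27:cb:46:4e:08:00 SRC=192.168.1.4 DST=192.168.1.3 "
                     "LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=27065 DF PROTO=TCP SPT=445 DPT=53667 WINDOW=7240")
LINE_UDP_DNS = ("Apr 7 18:29:11 hh2 kernel: SFW2-IN-ACC-EST IN=eth0 OUT= "
                "MAC=00:12:f0:06:9c:da:00:21:91:1a:a5:e8:08:00 SRC=217.70.240.135 DST=192.168.1.3 "
                "LEN=122 TOS=0x00 PREC=0x00 TTL=59 ID=35663 DF PROTO=UDP SPT=53 DPT=41184 LEN=102")
LINE_UDP_DROPPED = ("Apr 7 18:30:02 hh2 kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= "   # constructed
                    "MAC=00:12:f0:06:9c:da:00:21:27:cb:46:4e:08:00 SRC=192.168.1.4 DST=192.168.1.255 "
                    "LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58")
SAMPLE_LINES = [LINE_TCP_ACCEPTED, LINE_UDP_DNS, LINE_UDP_DROPPED]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_sfw2(line)
        print(ev.verdict, ev.tag, ev.src, "->", ev.dst, ev.proto, ev.spt, ev.dpt, ev.samba_service())
    for ev in blocked_samba(SAMPLE_LINES):
        print("blocked Samba traffic:", ev.samba_service(), "from", ev.src)
```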
just opened port 33 too. I have your stuff still in place in the firewall script. Still it can't connect to me.
Then use ethereal aka wireshark to debug the connection.
(Carlos: that should have been 53, not 33) I think I'm asking too much. I use the laptop in different environments and always disable the firewall just to let me work. It's at home I use the multimedia box. I'll try the ethereal stuff after I've listened to AC-DC Black Ice. Thanks ever so much for your patience.

L x
On Tuesday 07 April 2009 15:29:48 Carlos E. R. wrote:
On Tuesday, 2009-04-07 at 14:17 +0200, lynn wrote:
I have SuSEfirewall2 running with ports 135 137 138 139 and 445 (found by Googling) open, but it won't connect to me.
How exactly are they opened?
FW_SERVICES_EXT_TCP="135 137 138 139 445"

L x
On Tuesday 07 April 2009 09:39:21 am lynn wrote:
On Tuesday 07 April 2009 15:29:48 Carlos E. R. wrote:
On Tuesday, 2009-04-07 at 14:17 +0200, lynn wrote:
I have SuSEfirewall2 running with ports 135 137 138 139 and 445 (found by Googling) open, but it won't connect to me.
How exactly are they opened?
FW_SERVICES_EXT_TCP="135 137 138 139 445"

L x
Not all are TCP, but /etc/services is not helpful to say exactly which one is. It is listed both for all:

epmap         135/tcp  # DCE endpoint resolution
epmap         135/udp  # DCE endpoint resolution
netbios-ns    137/tcp  # NETBIOS Name Service
netbios-ns    137/udp  # NETBIOS Name Service
netbios-dgm   138/tcp  # NETBIOS Datagram Service
netbios-dgm   138/udp  # NETBIOS Datagram Service
netbios-ssn   139/tcp  # NETBIOS Session Service
netbios-ssn   139/udp  # NETBIOS Session Service
microsoft-ds  445/tcp  # Microsoft-DS
microsoft-ds  445/udp  # Microsoft-DS

So you may list UDP as well.

--
Regards, Rajko
On Tuesday 07 April 2009 21:45:41 Rajko M. wrote:
On Tuesday 07 April 2009 09:39:21 am lynn wrote:
On Tuesday 07 April 2009 15:29:48 Carlos E. R. wrote:
On Tuesday, 2009-04-07 at 14:17 +0200, lynn wrote:
I have SuSEfirewall2 running with ports 135 137 138 139 and 445 (found by Googling) open, but it won't connect to me.
How exactly are they opened?
FW_SERVICES_EXT_TCP="135 137 138 139 445"

L x
Not all are TCP, but /etc/services is not helpful to say exactly which one is. It is listed both for all:
epmap         135/tcp  # DCE endpoint resolution
epmap         135/udp  # DCE endpoint resolution
netbios-ns    137/tcp  # NETBIOS Name Service
netbios-ns    137/udp  # NETBIOS Name Service
netbios-dgm   138/tcp  # NETBIOS Datagram Service
netbios-dgm   138/udp  # NETBIOS Datagram Service
netbios-ssn   139/tcp  # NETBIOS Session Service
netbios-ssn   139/udp  # NETBIOS Session Service
microsoft-ds  445/tcp  # Microsoft-DS
microsoft-ds  445/udp  # Microsoft-DS
So you may list UDP as well.
-- Regards, Rajko

Hi, OK, I opened the same UDP port numbers too. Still the NAS cannot connect to me. Thanks anyway, it narrows it down a bit.
FWIW, the NAS uses BusyBox Linux. Not sure if I can ask questions about that here.

L x
On Tuesday 07 April 2009 03:11:30 pm lynn wrote: ....
Hi, OK, I opened the same UDP port numbers too. Still the NAS cannot connect to me. Thanks anyway, it narrows it down a bit.
FWIW, the NAS uses BusyBox Linux. Not sure if I can ask questions about that here.
Try to see with Wireshark (ex Ethereal). It is included in the distro and even in a very simple configuration it can tell you what is wrong.

--
Regards, Rajko
FWIW, the NAS uses BusyBox Linux. Not sure if I can ask questions about that here.
Try to see with Wireshark (ex Ethereal). It is included in the distro and even in a very simple configuration it can tell you what is wrong.
Hi, here is the Wireshark output. Any idea what it means? If you have a minute? I've no idea!

http://sierraberniaschool.com/lynn.txt

L x
lynn wrote:
FWIW, the NAS uses BusyBox Linux. Not sure if I can ask questions about that here.
Try to see with Wireshark (ex Ethereal). It is included in the distro and even in a very simple configuration it can tell you what is wrong.
Hi, here is the Wireshark output. Any idea what it means? If you have a minute? I've no idea!
http://sierraberniaschool.com/lynn.txt
L x
What happens if you move your adapter into the internal zone?

(it is not pretty, but at least something. SFW has been a pain in the ass for years now if it concerns 'sharing'. I can't even connect from the same machine to my own shares, with the firewall on..but strange enough, there are people who seem to manage..)

--
Have a nice day ;)
Oddball aka M9.
OS: Linux 2.6.29-60-default i686
Current user: oddball@EEEPC-901-ROB
System: openSUSE 11.1 (i586)
KDE: 4.2.2 (KDE 4.2.2) "release 110"
On Wednesday 08 April 2009 03:00:23 am Oddball wrote:
..but strange enough, there are people who seem to manage..)
Yeah, I've heard that too. Though, just rumors. No one wants to come up with clean advice, so I guess it was like, after a lot of attempts, it worked, somehow.

--
Regards, Rajko
Hi, here is the Wireshark output. Any idea what it means? If you have a minute? I've no idea!
http://sierraberniaschool.com/lynn.txt
L x
What happens if you move your adapter into the internal zone?
It connects to me fine. But then there's no point :-(
(it is not pretty, but at least something. SFW has been a pain in the ass for years now if it concerns 'sharing'. I can't even connect from the same machine to my own shares, with the firewall on..but strange enough, there are people who seem to manage..)
Oh dear. On my work lan with 2 interfaces it works fine. But then again I've no cifs stuff to mess me around. It's just nfs and it just works. Always. This cifs stuff is just at home. I have a nice sound system and the NAS controls it.

L x
On Wednesday 08 April 2009 02:45:06 am lynn wrote:
FWIW, the NAS uses BusyBox Linux. Not sure if I can ask questions about that here.
Try to see with Wireshark (ex Ethereal). It is included in the distro and even in a very simple configuration it can tell you what is wrong.
Hi, here is the Wireshark output. Any idea what it means? If you have a minute? I've no idea!
Me neither ;-)
The report quits when Tp-LinkT finally starts negotiating who's going to be boss on the net, i.e. Local Master. Let them talk a bit more.

--
Regards, Rajko
On Wed, 8 Apr 2009 17:15:06 lynn wrote:
FWIW, the NAS uses BusyBox Linux. Not sure if I can ask questions about that here.
Try to see with Wireshark (ex Ethereal). It is included in the distro and even in a very simple configuration it can tell you what is wrong.
Hi, here is the Wireshark output. Any idea what it means? If you have a minute? I've no idea!
http://sierraberniaschool.com/lynn.txt
L x
Lynn,

Either the firewall is blocking broadcasts from outside (the NAS side) to inside (the server side) or it is blocking outgoing netbios packets. The NAS box is trying to do a netbios name query to determine the address of the server - it is then getting no response so it tries a DNS query (which goes to your ISP's DNS, which probably doesn't know where your server is anyway, since it is on your internal network).

The NAS box then tries to force a browser election by claiming to be the master browser for your network (your server 192.168.1.3 probably should be the master browser). Apart from DNS, nowhere do I see the server responding to the netbios name queries and (as Rajko noted elsewhere) your trace finishes before the browser election is completed.

Does your ADSL router have a built-in firewall? If so, can I suggest that you enable that and turn off Suse Firewall? That's how I run my network - I have in fact 2 routers between the network and the outside world - a wireless router/switch inside the network which talks to the DSL/VoIP modem/router that is the interface to outside. Both of these devices have firewalls enabled (probably a bit over the top - one would do) so I don't bother with the software firewall (SuSE Firewall) on the server and all Windoze boxes have their Windoze firewall turned off too.

That way, all machines talking to the server are inside the firewall and I don't have to worry about access problems between machines (it also helps that I'm the only user, apart from the wife very occasionally).

HTH.

Rodney.

--
===================================================
Rodney Baker VK5ZTV
rodney.baker@iinet.net.au
===================================================
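To make Rodney's reading of the capture concrete, here is an added example (not from the thread, and not a NAS or Samba component) that builds and parses the UDP/137 NetBIOS name-service query a client sends for a server's name, the packet that has to cross the firewall before anything else happens. The name HH2 is the laptop's hostname from the log lines in the thread; the packet itself is constructed, and the 0x20 suffix is the standard file-server service suffix.

```python
import struct
from typing import Dict, Tuple

# NetBIOS name service (NBNS) uses UDP/137. A name in a query is "first-level
# encoded": the 15-character space-padded name plus a 1-byte service suffix,
# each byte split into two nibbles written as the letters 'A'..'P'.
NBNS_PORT = 137
SUFFIX_FILE_SERVER = 0x20        # suffix a client uses to look up the server service
FLAGS_BROADCAST_QUERY = 0x0110   # query, recursion desired (0x0100), broadcast (0x0010)


def encode_name(name: str, suffix: int) -> bytes:
    """First-level encode NAME (truncated/padded to 15 chars) plus SUFFIX: 32 letters."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix & 0xFF])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)


def decode_name(encoded: bytes) -> Tuple[str, int]:
    """Reverse of encode_name; returns (name without padding, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("encoded NetBIOS name must be 32 letters A..P")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_name_query(name: str, txid: int = 0x1234,
                     suffix: int = SUFFIX_FILE_SERVER) -> bytes:
    """The 50-byte broadcast NBNS query: DNS-style header plus one NB question."""
    header = struct.pack("!HHHHHH", txid, FLAGS_BROADCAST_QUERY, 1, 0, 0, 0)
    question = bytes([32]) + encode_name(name, suffix) + b"\x00"   # one 32-byte label
    question += struct.pack("!HH", 0x0020, 0x0001)                 # QTYPE NB, QCLASS IN
    return header + question


def parse_name_query(pkt: bytes) -> Dict[str, object]:
    """Parse a query as captured on the wire (the UDP payload only)."""
    if len(pkt) < 50:
        raise ValueError("packet too short for an NBNS question")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if pkt[12] != 32 or pkt[45] != 0:
        raise ValueError("unexpected NetBIOS name label layout")
    name, suffix = decode_name(pkt[13:45])
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    return {
        "txid": txid,
        "is_query": not (flags & 0x8000),       # top bit set means response
        "broadcast": bool(flags & 0x0010),
        "questions": qd,
        "name": name,
        "suffix": suffix,
        "qtype": qtype,
        "qclass": qclass,
    }


if __name__ == "__main__":
    pkt = build_name_query("HH2")
    print(pkt.hex())
    print(parse_name_query(pkt))
```

If such a query never shows up in /var/log/firewall as accepted (or shows up as dropped) while the NAS is trying to reach the laptop, the broadcast is what the firewall is stopping.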
Rodney Baker wrote:
On Wed, 8 Apr 2009 17:15:06 lynn wrote:
FWIW, the NAS uses BusyBox Linux. Not sure if I can ask questions about that here.
Try to see with Wireshark (ex Ethereal). It is included in the distro and even in a very simple configuration it can tell you what is wrong.
Hi, here is the Wireshark output. Any idea what it means? If you have a minute? I've no idea!
http://sierraberniaschool.com/lynn.txt
L x
Lynn,
Either the firewall is blocking broadcasts from outside (the NAS side) to inside (the server side) or it is blocking outgoing netbios packets. The NAS box is trying to do a netbios name query to determine the address of the server - it is then getting no response so it tries a DNS query (which goes to your ISP's DNS, which probably doesn't know where your server is anyway, since it is on your internal network).
The NAS box then tries to force a browser election by claiming to be the master browser for your network (your server 192.168.1.3 probably should be the master browser). Apart from DNS, nowhere do I see the server responding to the netbios name queries and (as Rajko noted elsewhere) your trace finishes before the browser election is completed.
Does your ADSL router have a built-in firewall? If so, can I suggest that you enable that and turn off Suse Firewall? That's how I run my network - I have in fact 2 routers between the network and the outside world - a wireless router/switch inside the network which talks to the DSL/VoIP modem/router that is the interface to outside. Both of these devices have firewalls enabled (probably a bit over the top - one would do) so I don't bother with the software firewall (SuSE Firewall) on the server and all Windoze boxes have their Windoze firewall turned off too.
That way, all machines talking to the server are inside the firewall and I don't have to worry about access problems between machines (it also helps that I'm the only user, apart from the wife very occasionally).
HTH.
Rodney.
This is a sane setup, and indeed, one router firewall will do, (...i do not use SFW either, as it is too big a hassle to get it to work, and *keep* working after upgrades..)

--
Have a nice day ;)
Oddball aka M9.
OS: Linux 2.6.29-60-default i686
Current user: oddball@EEEPC-901-ROB
System: openSUSE 11.1 (i586)
KDE: 4.2.2 (KDE 4.2.2) "release 110"
On Wednesday, 2009-04-08 at 11:15 +0200, Oddball wrote:
This is a sane setup, and indeed, one router firewall will do, (...i do not use SFW either, as it is too big a hassle to get it to work, and *keep* working after upgrades..)
Mine works fine, but I agree that getting it to work with samba may be... "touchy" :-)

--
Cheers,
Carlos E. R.
On Wednesday, 2009-04-08 at 18:30 +0930, Rodney Baker wrote:
Either the firewall is blocking broadcasts from outside (the NAS side) to inside (the server side) or it is blocking outgoing netbios packets. The NAS box is trying to do a netbios name query to determine the address of the server - it is then getting no response so it tries a DNS query (which goes to your ISP's DNS, which probably doesn't know where your server is anyway, since it is on your internal network).
That would be:

FW_ALLOW_FW_BROADCAST_EXT="netbios-ns netbios-dgm"

and, temporarily, to see them in the log:

FW_IGNORE_FW_BROADCAST_EXT="no"

--
Cheers,
Carlos E. R.
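The thread's firewall advice is spread over several replies (Carlos's FW_TRUSTED_NETS entries, Rajko's point about UDP, and the FW_ALLOW_FW_BROADCAST_EXT setting above). As an added check, not part of the thread or of SuSEfirewall2, this Python script reads a SuSEfirewall2-style sysconfig text and reports which of those pieces is missing for a Samba server in the external zone: TCP 139/445 and UDP 137/138 accepted either via FW_SERVICES_EXT_TCP/FW_SERVICES_EXT_UDP or via FW_TRUSTED_NETS entries, and netbios-ns/netbios-dgm broadcasts allowed. It handles the backslash line continuations Carlos's config uses; the two sample configs are constructed from lynn's and Carlos's settings, and FW_SERVICES_EXT_UDP is assumed to be the UDP counterpart of FW_SERVICES_EXT_TCP.

```python
import re
from typing import Dict, List, Optional, Set

# Service names as they appear in /etc/services (quoted by Rajko in the thread).
SERVICE_PORTS = {"epmap": 135, "netbios-ns": 137, "netbios-dgm": 138,
                 "netbios-ssn": 139, "microsoft-ds": 445}

# What a Samba server must accept from the NAS side; ports are from the thread.
NEEDED = {"tcp": {139, 445}, "udp": {137, 138}}
NEEDED_BCAST = {"netbios-ns", "netbios-dgm"}   # names used in FW_ALLOW_FW_BROADCAST_EXT


def parse_sysconfig(text: str) -> Dict[str, str]:
    """Parse KEY="value" lines, honouring backslash-newline continuations and # comments."""
    joined = re.sub(r"\\\n", " ", text)        # join continued lines
    out: Dict[str, str] = {}
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        m = re.match(r"^(\w+)=(.*)$", line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        out[key] = val
    return out


def _port(token: str) -> Optional[int]:
    """Accept either a port number or a service name from /etc/services."""
    token = token.strip().lower()
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token)


def opened_ports(cfg: Dict[str, str]) -> Dict[str, Set[int]]:
    """Ports the EXT zone accepts per protocol: service lists plus trusted-net entries."""
    opened: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    for proto in opened:
        for tok in cfg.get("FW_SERVICES_EXT_" + proto.upper(), "").split():
            p = _port(tok)
            if p is not None:
                opened[proto].add(p)
    # FW_TRUSTED_NETS entries look like "192.168.1.4,tcp,microsoft-ds" (Carlos's form).
    for entry in cfg.get("FW_TRUSTED_NETS", "").split():
        parts = entry.split(",")
        if len(parts) == 3 and parts[1].lower() in opened:
            p = _port(parts[2])
            if p is not None:
                opened[parts[1].lower()].add(p)
    return opened


def check_samba(text: str) -> List[str]:
    """Human-readable findings; an empty list means nothing obvious is missing."""
    cfg = parse_sysconfig(text)
    opened = opened_ports(cfg)
    findings = []
    for proto in ("tcp", "udp"):
        missing = sorted(NEEDED[proto] - opened[proto])
        if missing:
            findings.append(f"{proto} ports not accepted in EXT zone: {missing}")
    bcast = cfg.get("FW_ALLOW_FW_BROADCAST_EXT", "no").lower().split()
    if "yes" not in bcast:                     # "yes" allows all broadcasts
        have_ports = {_port(t) for t in bcast}
        missing_b = sorted(n for n in NEEDED_BCAST if SERVICE_PORTS[n] not in have_ports)
        if missing_b:
            findings.append(f"FW_ALLOW_FW_BROADCAST_EXT lacks {missing_b}")
    return findings


# Constructed sample 1: lynn's setting as posted (TCP only, broadcasts blocked).
LYNN_CFG = r'''
FW_SERVICES_EXT_TCP="135 137 138 139 445"
FW_ALLOW_FW_BROADCAST_EXT="no"
'''

# Constructed sample 2: the pieces from the thread combined, NAS at 192.168.1.4.
FIXED_CFG = r'''
FW_SERVICES_EXT_TCP="netbios-ssn microsoft-ds"   # 139 and 445 by name
FW_TRUSTED_NETS="192.168.1.4,udp,netbios-dgm \
192.168.1.4,udp,netbios-ns"
FW_ALLOW_FW_BROADCAST_EXT="netbios-ns netbios-dgm"
'''

if __name__ == "__main__":
    for label, cfg in (("lynn", LYNN_CFG), ("fixed", FIXED_CFG)):
        print(label, check_samba(cfg) or ["ok"])
```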
On Wednesday 08 April 2009 11:00:28 Rodney Baker wrote:
On Wed, 8 Apr 2009 17:15:06 lynn wrote:
FWIW, the NAS uses BusyBox Linux. Not sure if I can ask questions about that here.
Try to see with Wireshark (ex Ethereal). It is included in the distro and even in a very simple configuration it can tell you what is wrong.
Hi, here is the Wireshark output. Any idea what it means? If you have a minute? I've no idea!
http://sierraberniaschool.com/lynn.txt
L x
Lynn,
Either the firewall is blocking broadcasts from outside (the NAS side) to inside (the server side) or it is blocking outgoing netbios packets. The NAS box is trying to do a netbios name query to determine the address of the server - it is then getting no response so it tries a DNS query (which goes to your ISP's DNS, which probably doesn't know where your server is anyway, since it is on your internal network).
The NAS box then tries to force a browser election by claiming to be the master browser for your network (your server 192.168.1.3 probably should be the master browser). Apart from DNS, nowhere do I see the server responding to the netbios name queries and (as Rajko noted elsewhere) your trace finishes before the browser election is completed.
Does your ADSL router have a built-in firewall? If so, can I suggest that you enable that and turn off Suse Firewall? That's how I run my network - I have in fact 2 routers between the network and the outside world - a wireless router/switch inside the network which talks to the DSL/VoIP modem/router that is the interface to outside. Both of these devices have firewalls enabled (probably a bit over the top - one would do) so I don't bother with the software firewall (SuSE Firewall) on the server and all Windoze boxes have their Windoze firewall turned off too.
That way, all machines talking to the server are inside the firewall and I don't have to worry about access problems between machines (it also helps that I'm the only user, apart from the wife very occasionally).
HTH.
Rodney.
Phew. Thanks for taking all that time Rodney. Yes. The adsl router does have a firewall. It's a good idea if SuSEfirewall2 doesn't work. It has these options:

Enable DOS and Portscan Protection :
SYN attack :
FIN/URG/PSH attack :
Ping Attack :
Xmas Tree attack :
TCP reset attack :
Null scanning attack :
Ping of Death attack :
SYN/RST SYN/FIN attack :

Which would you suggest setting to 'yes', bearing in mind that my NAS runs a bittorrent client (ctorrent with dctcs)?

There's also NAT, where I've no ports forwarded except ALG as follows (the D-Link default I think):

PPTP :
IPSec (VPN Passthrough) :
RTSP (Online Video Streaming) :
Windows/MSN Messenger : (automatically disabled if UPnP is enabled)
FTP :
H.323 (Video Conferencing) :
SIP :

Isn't just NAT good enough for what I want to do? Listen to mp3's and avi's I have on my laptop? If no one can connect to me from the outside then I'm OK internally on the lan, no?

Cheers,
L x
On Wednesday, 2009-04-08 at 13:37 +0200, lynn wrote: ...
Phew. Thanks for taking all that time Rodney. Yes. The adsl router does have a firewall. It's a good idea if SuSEfirewall2 doesn't work. It has these options:
Enable DOS and Portscan Protection :
SYN attack :
FIN/URG/PSH attack :
Ping Attack :
Xmas Tree attack :
TCP reset attack :
Null scanning attack :
Ping of Death attack :
SYN/RST SYN/FIN attack :
Which would you suggest setting to 'yes', bearing in mind that my NAS runs a bittorrent client (ctorrent with dctcs)?
All :-) But of course, I don't know your router. For torrent, you'd need to forward some ports for it, I think.
Isn't just NAT good enough for what I want to do?
Supposedly. I'm a bit paranoid and prefer to have SuSEfirewall up, too.

--
Cheers,
Carlos E. R.
On Wed, 8 Apr 2009 21:07:45 lynn wrote:
[...]
Phew. Thanks for taking all that time Rodney. Yes. The adsl router does have a firewall. It's a good idea if SuSEfirewall2 doesn't work. It has these options:
You're welcome. Actually, scanning log and seeing the problem took less time than writing the email. Before going too far it may be worth trying the recipe that Carlos mentioned in an earlier reply. I'd be interested to see if it does fix the problem (in other words, if I correctly interpreted what I saw in the wireshark capture file).
Enable DOS and Portscan Protection :
SYN attack :
FIN/URG/PSH attack :
Ping Attack :
Xmas Tree attack :
TCP reset attack :
Null scanning attack :
Ping of Death attack :
SYN/RST SYN/FIN attack :
Which would you suggest setting to 'yes', bearing in mind that my NAS runs a bittorrent client (ctorrent with dctcs)?
I concur with Carlos. Set them all. If you enable UPnP then the bittorrent client will be able to automatically "punch" a hole in the firewall as required. That is what UPnP is for - to allow aware applications and firewalls to open and close access on an as-needed basis. In extreme cases it could be seen as a security risk - whether you use it or not is entirely up to you. I have used it on my Linksys router and it does work but the torrent client needs to be UPnP enabled. Your NAS box doco's should detail what config is needed if it is supported.
There's also NAT, where I've no ports forwarded except ALG as follows (the D-Link default I think):
PPTP :
IPSec (VPN Passthrough) :
RTSP (Online Video Streaming) :
Windows/MSN Messenger : (automatically disabled if UPnP is enabled)
FTP :
H.323 (Video Conferencing) :
SIP :
I would not have any NAT ports forwarded from the outside world unless absolutely necessary (i.e. either you or someone you trust needs to access your network from outside the firewall) and then only very selectively e.g. ssh (for remote admin), https (for webmail perhaps - I've used it for that in the past) and that's about it. You probably don't need PPTP or IPSec unless you're running a VPN to another site. You don't need RTSP unless you're streaming media to others elsewhere on the net (and IMHO you'd probably be crazy to try that over a dsl connection), MSN Messenger (or its Linux equivalent) maybe if you use instant messaging, H.323 most likely not needed and SIP only if you use a VoIP service (e.g. Skype or another IP telephony service) from inside your LAN and want to receive incoming calls.
Isn't just NAT good enough for what I want to do? Listen to mp3's and avi's I have on my laptop? If no one can connect to me from the outside then I'm OK internally on the lan, no?
You only need NAT if you want to connect to a box on your lan from outside the firewall (i.e. elsewhere on the internet). If you have no need to accept incoming connections from outside, turn it all OFF.
Cheers, L x
--
===================================================
Rodney Baker VK5ZTV
rodney.baker@iinet.net.au
===================================================
On Thursday, 2009-04-09 at 00:30 +0930, Rodney Baker wrote: ...
Isn't just NAT good enough for what I want to do? Listen to mp3's and avi's I have on my laptop? If no one can connect to me from the outside then I'm OK internally on the lan, no?
You only need NAT if you want to connect to a box on your lan from outside the firewall (i.e. elsewhere on the internet). If you have no need to accept incoming connections from outside, turn it all OFF.
I thought NAT was used the other way round, to connect one or more machines on the local net (many IPs) to the internet (one outgoing IP). I.e., it is what allows several machines with different local IPs to browse the internet, sharing the one internet address they have.

:-?

Or does what I describe have a different name?

--
Cheers,
Carlos E. R.
On Thu, 9 Apr 2009 09:09:54 Carlos E. R. wrote:
On Thursday, 2009-04-09 at 00:30 +0930, Rodney Baker wrote:
...
Isn't just NAT good enough for what I want to do? Listen to mp3's and avi's I have on my laptop? If no one can connect to me from the outside then I'm OK internally on the lan no?
You only need NAT if you want to connect to a box on your lan from outside the firewall (i.e. elsewhere on the internet). If you have no need to accept incoming connections from outside, turn it all OFF.
I thought NAT was used the other way round, to connect one or more machines on the local net (many IPs) to the internet (one outgoing IP). I.e., it is what allows several machines with different local IPs to browse the internet, sharing the one internet address they have.
:-?
Or does what I describe have a different name?
-- Cheers, Carlos E. R.
Actually, you're right - NAT is used for outgoing connections to route replies back to the originating host on the internal network, but that is generally transparent to the user once enabled. The specific configurations Lynn mentioned were more likely related to Port Forwarding, which works together with NAT to translate incoming connections to a specified port on the public IP address to a known port on an internal IP address.

e.g. if your public ip address is 123.0.123.1 and you have an ssh server running on 10.1.1.1 on your internal network, you would translate a tcp port on the outside interface to port 22 on the box running the ssh server like

123.0.123.1:50001 -> 10.1.1.1:22

So incoming ssh connections would need to connect to 123.0.123.1:50001 and this would be automatically redirected to 10.1.1.1 on port 22.

Outgoing connections via a NAT interface are handled transparently like I said earlier, i.e. if 10.1.1.1 requests an http transfer from 1.2.3.4 (which appears to the remote server as if from 123.0.123.1, your public ip address), replies from 1.2.3.4 to 123.0.123.1 are automatically routed back to 10.1.1.1.

Hopefully we're both working on the same page now...:-)

Rodney.

--
===================================================
Rodney Baker VK5ZTV
rodney.baker@iinet.net.au
===================================================
On Tuesday, 2009-04-07 at 22:11 +0200, lynn wrote:
Hi OK, I opened the same UDP port numbers too. Still the NAS cannot connect to me.
You should be able to see the rejected ports in the log.
FWIW, the NAS uses BusyBox Linux. Not sure if I can ask questions about that here.
Well, you are trying to connect a linux thing to an opensuse machine... I see no problem there. The funny thing is that those nas boxes are linux inside, yet insist on using a windows protocol to share files, instead of a linux protocol.
- -- Cheers, Carlos E. R.
lynn wrote:
I have written a /etc/smb.conf to connect to a multimedia NAS (please don't laugh. I know nothing about Samba):

[global]
workgroup = MSHOME
security = share

[lynnsmb]
path = /home/lsmb
public = yes
guest ok = yes
read only = no
browseable = yes

I have SuSEfirewall2 running with ports 135 137 138 139 and 445 (found by Googling) open but it won't connect to me. The NAS gives me a password prompt. With the firewall _disabled_ it connects fine without password and enables me to watch films and listen to mp3's etc which are stored on my laptop. Neither /var/log/warn nor /var/log/messages nor /var/log/firewall gives any clue. Could someone tell me which ports I need to open?
L x
L,

Try adding the following as a global option in smb.conf:

smb ports = 139

-- David C. Rankin, J.D., P.E. Rankin Law Firm, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 Telephone: (936) 715-9333 Facsimile: (936) 715-9339 www.rankinlawfirm.com
On Thursday 09 April 2009 06:41:50 David C. Rankin wrote:
L,
Try adding the following as a global option in smb.conf:
smb ports = 139
Give that man a big cigar:

Apr 9 18:13:29 hh2 kernel: SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:12:f0:06:9c:da:00:21:27:cb:46:4e:08:00:00 SRC=192.168.1.4 DST=192.168.1.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=15886 DF PROTO=TCP SPT=1955 DPT=139 WINDOW=15660 RES=0x00 ACK URGP=0 OPT (0101080A0016A4F40022FBEC)

NAS connects to laptop through firewall!

L x
On Thursday 09 April 2009 11:22:00 am lynn wrote:
Try adding the following as a global option in smb.conf:
smb ports = 139
Give that man a big cigar:
Apr 9 18:13:29 hh2 kernel: SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:12:f0:06:9c:da:00:21:27:cb:46:4e:08:00:00 SRC=192.168.1.4 DST=192.168.1.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=15886 DF PROTO=TCP SPT=1955 DPT=139 WINDOW=15660 RES=0x00 ACK URGP=0 OPT (0101080A0016A4F40022FBEC)
NAS connects to laptop through firewall!
That is interesting. If the firewall is down it works, but Samba doesn't use port 139 unless it is configured to do so, which means that connection goes somewhere else, and that is blocked by the firewall. Isn't that a bug?
-- Regards, Rajko
On 04/10/2009 02:48 PM, Rajko M. wrote:
On Thursday 09 April 2009 11:22:00 am lynn wrote:
Try adding the following as a global option in smb.conf:
smb ports = 139
Give that man a big cigar:
Apr 9 18:13:29 hh2 kernel: SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:12:f0:06:9c:da:00:21:27:cb:46:4e:08:00:00 SRC=192.168.1.4 DST=192.168.1.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=15886 DF PROTO=TCP SPT=1955 DPT=139 WINDOW=15660 RES=0x00 ACK URGP=0 OPT (0101080A0016A4F40022FBEC)
NAS connects to laptop through firewall!
That is interesting.
If the firewall is down it works, but Samba doesn't use port 139 unless it is configured to do so, which means that connection goes somewhere else, and that is blocked by the firewall.
Isn't that a bug?
If it is Windows higher than 2000, it will first try to connect on tcp port 445. If samba is configured to only listen on 139, it will listen to both 445 and 139 tcp. I have also found port 445 to be more problematic. Did Lynn have port 445 tcp open as well?
-- Joe Morris Registered Linux user 231871 running openSUSE 11.1 x86_64
On Friday, 2009-04-10 at 21:49 +0800, Joe Morris wrote:
That is interesting.
If the firewall is down it works, but Samba doesn't use port 139 unless it is configured to do so, which means that connection goes somewhere else, and that is blocked by the firewall.
Isn't that a bug?
If it is Windows higher than 2000, it will first try to connect on tcp port 445. If samba is configured to only listen on 139, it will listen to both 445 and 139 tcp. I have also found port 445 to be more problematic. Did Lynn have port 445 tcp open as well?
She should; I told her I use this rule:

FW_TRUSTED_NETS="192.168.1.X,tcp,microsoft-ds \
192.168.1.X,tcp,netbios-ssn \
192.168.1.X,udp,netbios-dgm \
192.168.1.X,udp,netbios-ns"

445 is microsoft-ds and 139 is netbios-ssn. I don't know what exact configuration she has at the moment. However, the other side is not windows, but linux using samba (busybox).
- -- Cheers, Carlos E. R.
If it is Windows higher than 2000, it will first try to connect on tcp port 445.
It isn't windows anything. It's BusyBox but just as bad. Everything needs patching or tweaking. Lynn officially has:

[global]
smb ports = 139

FW_SERVICES_EXT_TCP="139"
FW_SERVICES_EXT_UDP="139"
FW_TRUSTED_NETS="192.168.1.4/32"

L x
On Saturday, 2009-04-11 at 10:59 +0200, lynn wrote:
FW_SERVICES_EXT_TCP="139"
FW_SERVICES_EXT_UDP="139"
FW_TRUSTED_NETS="192.168.1.4/32"
This essentially opens _all_ ports to packets coming from that IP.
- -- Cheers, Carlos E. R.
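An added example (not from the thread and not part of SuSEfirewall2) that models the difference Carlos points out: it parses FW_TRUSTED_NETS entries in the net[,proto[,port]] form quoted above, parses the SFW2 kernel log line Lynn posted, and reports whether the accepted packet got through on a scoped proto/port entry or on a bare host entry that trusts every port. The scoped rule uses 192.168.1.4 in place of Carlos's X; that substitution and the small service-name table are assumptions.

```python
"""Added example, not code from the thread: decide which kind of
SuSEfirewall2 FW_TRUSTED_NETS entry let a logged packet through.
Entry format: "net[,proto[,port]]", space separated; a bare net
(or host/32) trusts every protocol and port from that range."""
import ipaddress
import re

# Port numbers for the /etc/services names used in the thread.
SERVICE_PORTS = {"netbios-ns": 137, "netbios-dgm": 138,
                 "netbios-ssn": 139, "microsoft-ds": 445}

# Lynn's final setting: trusts all ports from the NAS.
LYNN_TRUSTED = "192.168.1.4/32"

# Carlos's rule with 192.168.1.4 substituted for his X (constructed).
SCOPED_TRUSTED = ("192.168.1.4,tcp,microsoft-ds 192.168.1.4,tcp,netbios-ssn "
                  "192.168.1.4,udp,netbios-dgm 192.168.1.4,udp,netbios-ns")

# The accepted connection from Lynn's /var/log/firewall, as posted.
LOG_LINE = ("Apr 9 18:13:29 hh2 kernel: SFW2-IN-ACC-EST IN=eth0 OUT= "
            "MAC=00:12:f0:06:9c:da:00:21:27:cb:46:4e:08:00:00 SRC=192.168.1.4 "
            "DST=192.168.1.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=15886 DF "
            "PROTO=TCP SPT=1955 DPT=139 WINDOW=15660 RES=0x00 ACK URGP=0 "
            "OPT (0101080A0016A4F40022FBEC)")

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_trusted_nets(value):
    """(network, proto, port) per entry; proto/port None = trust everything."""
    rules = []
    for entry in value.split():
        parts = entry.split(",")
        net = ipaddress.ip_network(parts[0], strict=False)
        proto = parts[1].lower() if len(parts) > 1 else None
        port = None
        if len(parts) > 2:               # service name or numeric port
            port = SERVICE_PORTS.get(parts[2]) or int(parts[2])
        rules.append((net, proto, port))
    return rules


def parse_sfw2_log(line):
    """Pull the rule tag and the KEY=value packet fields out of an SFW2 log line."""
    fields = dict(FIELD_RE.findall(line))
    tag = re.search(r"SFW2-[A-Z-]+", line)
    return {"tag": tag.group(0) if tag else None,
            "src": fields.get("SRC"), "dst": fields.get("DST"),
            "proto": fields.get("PROTO", "").lower(),
            "spt": int(fields["SPT"]) if "SPT" in fields else None,
            "dpt": int(fields["DPT"]) if "DPT" in fields else None}


def trusted_match(rules, src, proto, dpt):
    """'all-ports' if a bare net entry covers src, 'scoped' if a proto/port
    entry matches the packet, None if FW_TRUSTED_NETS does not apply."""
    addr = ipaddress.ip_address(src)
    for net, rproto, rport in rules:
        if addr not in net:
            continue
        if rproto is None:
            return "all-ports"
        if rproto == proto and (rport is None or rport == dpt):
            return "scoped"
    return None


def audit(trusted_nets, line):
    """Which trust rule, if any, explains the logged packet."""
    pkt = parse_sfw2_log(line)
    rules = parse_trusted_nets(trusted_nets)
    return trusted_match(rules, pkt["src"], pkt["proto"], pkt["dpt"])


if __name__ == "__main__":
    print("Lynn's /32 entry:", audit(LYNN_TRUSTED, LOG_LINE))   # all-ports
    print("Carlos's rule:   ", audit(SCOPED_TRUSTED, LOG_LINE))  # scoped
```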
lynn wrote:
On Thursday 09 April 2009 06:41:50 David C. Rankin wrote:
L,
Try adding the following as a global option in smb.conf:
smb ports = 139
Give that man a big cigar:
Apr 9 18:13:29 hh2 kernel: SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:12:f0:06:9c:da:00:21:27:cb:46:4e:08:00:00 SRC=192.168.1.4 DST=192.168.1.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=15886 DF PROTO=TCP SPT=1955 DPT=139 WINDOW=15660 RES=0x00 ACK URGP=0 OPT (0101080A0016A4F40022FBEC)
NAS connects to laptop through firewall!
L x
Whoop! I'll take a Macenudo (sp? I don't smoke)

"Even a blind squirrel finds a nut -- every once in a while."

Setting smb ports = 139 gets rid of a bunch of chatter in your logs as well by telling samba to stick with the standard ports. For some reason, and I forget when, MS started trying to talk smb over port 445 which caused nothing but headaches:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/cfgsmarts.html

<quote>
If run using NetBIOS mode (the most common method) it is important that the parameter smb ports = 139 should be specified in the primary smb.conf file. Failure to do this will result in Samba operating over TCP port 445 and problematic operation at best, and at worst only being able to obtain the functionality that is specified in the primary smb.conf file. The use of NetBIOS over TCP/IP using only TCP port 139 means that the use of the %L macro is fully enabled. If the smb ports = 139 is not specified (the default is 445 139), or if the value of this parameter is set at 139 445, then the %L macro is not serviceable.
</quote>

-- David C. Rankin, J.D., P.E. Rankin Law Firm, PLLC
On Friday 10 April 2009 20:02:13 David C. Rankin wrote:
lynn wrote:
On Thursday 09 April 2009 06:41:50 David C. Rankin wrote:
L,
Try adding the following as a global option in smb.conf:
smb ports = 139
Give that man a big cigar:
Apr 9 18:13:29 hh2 kernel: SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:12:f0:06:9c:da:00:21:27:cb:46:4e:08:00:00 SRC=192.168.1.4 DST=192.168.1.3 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=15886 DF PROTO=TCP SPT=1955 DPT=139 WINDOW=15660 RES=0x00 ACK URGP=0 OPT (0101080A0016A4F40022FBEC)
NAS connects to laptop through firewall!
L x
Whoop! I'll take a Macenudo (sp? I don't smoke)
Well, no. In Spanish Spanish it's simply no fumo. Maybe that's a Mexican Spanish term. Unless it's saying a Farias or a Partagas. I don't know.
"Even a blind squirrel finds a nut -- every once in a while."
Setting smb ports = 139 gets rid of a bunch of chatter in your logs as well by telling samba to stick with the standard ports. For some reason, and I forget when, MS started trying to talk smb over port 445 which caused nothing but headaches:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/cfgsmarts.html
<quote>
If run using NetBIOS mode (the most common method) it is important that the parameter smb ports = 139 should be specified in the primary smb.conf file. Failure to do this will result in Samba operating over TCP port 445 and problematic operation at best, and at worst only being able to obtain the functionality that is specified in the primary smb.conf file. The use of NetBIOS over TCP/IP using only TCP port 139 means that the use of the %L macro is fully enabled. If the smb ports = 139 is not specified (the default is 445 139), or if the value of this parameter is set at 139 445, then the %L macro is not serviceable.
</quote>
Phew! What is amazing is that NAS' use smb by default. What a mess. I've gone totally off the idea of NAS anyway. It's overpriced, low quality, processor-crippled nonsense. For less than a NAS which is any good, like the dlink, I can get a proper quiet-fan box running linux with an hdmi connector which will run torrent downloads, backup in the background and serve 20 home user folders. The NAS boxes at the same price are crippled. A dlink 323 is brought to a standstill if you try and do more than two things at a time on it.

There, I've said it!

To get back on thread, I think it's important to remind ourselves that we are all guessing when it comes to SuSEfirewall2. Fortunately this was a problem at home being forced to use samba. Had I gone for the nice little proper computer with a big hard disk running nfs kernel server under a well documented Linux distro, opensuse for example, none of this time wasting for me and my loyal and ever so patient listeners would have. . .

L x
Phew! What is amazing is that NAS' use smb by default.
Indeed. Instead of, or also, using ftp or nfs. After all, it is linux inside.
What a mess. I've gone totally off the idea of NAS anyway. It's overpriced, low quality, processor-crippled nonsense. For less than a NAS which is any good, like the dlink, I can get a proper quiet-fan box running linux with an hdmi connector which will run torrent downloads, backup in the background and serve 20 home user folders. The NAS boxes at the same price are crippled. A dlink 323 is brought to a standstill if you try and do more than two things at a time on it.
There, I've said it!
I have a little box, overpriced, but I got it cheap, whose sole purpose is to display terrestrial digital TV (TDT, televisión digital terrena), do time shift, and save recordings to a HD plugged into its USB port or via samba to a computer on the network. Yes, I had problems setting up samba; but not with the firewall, just samba itself. The firewall I figured out myself, I have some practice. Samba is a maze to me.

Being a linux machine inside has some advantages: there is a group of hackers that "publish" software upgrades for the box which are actually better than what the seller supplies. At least I'm covered till the hackers disappear and go for a shinier box and leave me stuck with my "antigualla" (old relic), hopefully years after the manufacturer support disappears completely.

The funny thing about these hacker types is that you have to subscribe to a forum in order to get the software, which is supposed to be open and free and gnu whatever. And I don't see their sources, even though they pushed the manufacturer to publish theirs (hidden somewhere in a maze of links on their web).
To get back on thread, I think it's important to remind ourselves that we are all guessing when it comes to SuSEfirewall2. Fortunately this was a problem at home being forced to use samba. Had I gone for the nice little proper computer with a big hard disk running nfs kernel server under a well documented Linux distro opensuse for example none of this time wasting for me and my loyal and ever so patient listeners would have. . .
The firewall is more or less documented. The configuration file (/etc/sysconfig/SuSEfirewall2) has inside lots of comments that explain what each option does. Did you read it? There is also a faq, or I should say was, because it is not maintained anymore. Here: http://susefaq.sourceforge.net/guides/fw_manual.html It is dated 2002, but the basics remain the same.
- -- Cheers, Carlos E. R.
The configuration file (/etc/sysconfig/SuSEfirewall2) has inside lots of comments that explain what each option does. Did you read it?
Yep. When Yast failed I read it and tried everything I could before restoring my backup SuSEfirewall2 script and starting this thread. I get the bit about FW_TRUSTED_NETS="192.168.1.4/32" opening all ports but strangely enough after I did that it only used 139 and finally connected with the firewall running. Security wise it doesn't matter since it's just a NAS sitting beneath my televisor and it's behind my wireless router firewall anyway.

I'm just so glad I don't have to use Samba in the workplace. It seems so unpredictable. But then so does SuSEfirewall2. I'm disillusioned that something as simple as this has taken so long to understand.

BTW my NAS is a T50 from the Gallegos. It's a great idea but crippled by bugs in Busybox, out of date firmware, processor and lack of memory. For the price I could have got a little Acer with an hdmi port, AMD 64, 1024 memory and avoided all this Samba nonsense. They even look good too. Caveat E.

Cheers and thanks for all your patience.

L x
lynn wrote:
I'm just so glad I don't have to use Samba in the workplace. It seems so unpredictable. But then so does SuSEfirewall2. I'm disillusioned that something as simple as this has taken so long to understand.
Samba seems rock solid in the workplace if you ask me. I've been using it on installations large and small for 10 years, so perhaps it's the familiarity factor.

On the firewall issue, I use shorewall, because, although it's all managed with a collection of small files rather than a GUI, it seems easier to understand and easier to maintain. Shorewall has shortcuts for common services like samba smtp ftp pop imap etc. The quickstart guide is all you need to get started.

http://www.shorewall.net/shorewall_quickstart_guide.htm
I use shorewall, because, although it's all managed with a collection of small files rather than a GUI, it seems easier to understand and easier to maintain.
Hi John. On my lan I used Yast to configure SuSEfirewall2. That's GUI and it works out of the box on an nfs lan. With samba on a simple 2 box setup it doesn't. EOS.

Folks, can we drop this now? I feel obliged to reply as I started this thread, but simply do not have the time to. I really do appreciate what you guys do and the time you spend here but I can't afford the time you do here. Thank you all once again for all the time you have given me. I really do feel guilty because this was not a work issue but a personal listening to music issue.

Love from Lynn x
On Sunday, 2009-04-12 at 16:02 +0200, lynn wrote:
I use shorewall, because, although it's all managed with a collection of small files rather than a GUI, it seems easier to understand and easier to maintain.
Hi John. On my lan I used Yast to configure SuSEfirewall2. That's GUI and it works out of the box on an nfs lan. With samba on a simple 2 box setup it doesn't. EOS.
Folks, can we drop this now? I feel obliged to reply as I started this thread, but simply do not have the time to. I really do appreciate what you guys do and the time you spend here but I can't afford the time you do here. Thank you all once again for all the time you have given me. I really do feel guilty because this was not a work issue but a personal listening to music issue.
Don't be :-) Be assured that many have taken note of this, for future possible use when we have to configure a samba with firewall next time ;-)

(And there is nothing wrong with using linux for home. Many of us try things at home that later we may use on business, or simply help other professional chaps with our home brew experience.)

Indeed, if the YaST GUI is unable to configure the firewall for use with samba, it deserves a bugzilla. It should have a "wizard" for "Hey, I want samba" and be done - and work. I don't know if there is, I don't use the firewall GUI.

- -- Cheers, Carlos E. R.
@lynn: Don't feel obliged to answer. Topic is interesting for many of us, and we can chat long after original poster has no interest in it. On Sunday 12 April 2009 10:32:34 am Carlos E. R. wrote: ...
Indeed, if the YaST GUI is unable to configure the firewall for use with samba, it deserves a bugzilla. It should have a "wizard" for "Hey, I want samba" and be done - and work. I don't know if there is, I don't use the firewall GUI.
Talking about wizard, did you try to remove all entries from /etc/samba and start Samba configuration module? There is some kind of wizard, but IMHO, it is still for people that know what they have to do. It leaves you with files in /etc/samba, but no users defined, no hint to add users using

smbpasswd -a
On Saturday, 2009-04-11 at 20:22 +0200, lynn wrote:
The configuration file (/etc/sysconfig/SuSEfirewall2) has inside lots of comments that explain what each option does. Did you read it?
Yep. When Yast failed I read it and tried everything I could before restoring my backup SuSEfirewall2 script and starting this thread.
I don't use Yast to configure the firewall, it is confusing.
I get the bit about FW_TRUSTED_NETS="192.168.1.4/32" opening all ports but strangely enough after I did that it only used 139
No, it uses more.
and finally connected with the firewall running. Security wise it doesn't matter since it's just a NAS sitting beneath my televisor and it's behind my wireless router firewall anyway.
It matters if somebody gets in and uses that IP.
I'm just so glad I don't have to use Samba in the workplace. It seems so unpredictable. But then so does SuSEfirewall2. I'm disillusioned that something as simple as this has taken so long to understand.
The firewall is very simple! >:-)
BTW my NAS is a T50 from the Gallegos. It's a great idea but crippled by bugs in Busybox, out of date firmware, processor and lack of memory. For the price I could have got a little Acer with an hdmi port, AMD 64, 1024 memory and avoided all this Samba nonsense. They even look good too. Caveat E.
If you buy a popular NAS you also get updates, from the manufacturer or from the hacker community (hacker is not "bad", that would be "cracker"). But yes, they are expensive things.
Cheers and thanks for all your patience. L x
Welcome :-)
- -- Cheers, Carlos E. R.
In <200904110819.23532.lynn@steve-ss.com>, lynn wrote:
On Friday 10 April 2009 20:02:13 David C. Rankin wrote:
lynn wrote:
Give that man a big cigar: Whoop! I'll take a Macenudo (sp? I don't smoke) Well, no. In Spanish Spanish it's simply no fumo. Maybe that's a Mexican Spanish term. Unless it's saying a Farias or a Partagas. I don't know.
A "Macenudo" is a type of cigar. The "sp?" in parenthesis is shorthand for "the preceding may not be spelled correctly". The "I don't smoke" is an explanation of why it may not be spelled correctly. So, David's post could be expanded to: "Whoop! I'll take a Macenudo cigar. I'm not sure if I spelled 'Macenudo' correctly, because I don't smoke."
-- Boyd Stephen Smith Jr. bss@iguanasuicide.net ICQ: 514984 YM/AIM: DaTwinkDaddy http://iguanasuicide.net/
participants (10)
- Boyd Stephen Smith Jr.
- Carlos E. R.
- David C. Rankin
- Joe Morris
- John Andersen
- lynn
- Michael S. Dunsavage
- Oddball
- Rajko M.
- Rodney Baker