SuSE 9.1, firewall and samba client
Hi,

I set:

FW_SERVICES_EXT_TCP="139"
FW_SERVICES_EXT_UDP="137 138"
FW_ALLOW_FW_BROADCAST="yes"

# SuSEfirewall2 stop
# SuSEfirewall2 start
# nmblookup -M KFY
querying KFY on 157.218.65.255
name_query failed to find name KFY#1d

After stopping fw everything works:

# SuSEfirewall2 stop
# nmblookup -M KFY
157.218.65.108 KFY<1d>

Can someone give me a note on what is wrong or what else I should test?

Thank you
Stepan
Stepan wrote regarding '[SLE] SuSE 9.1, firewall and samba client' on Wed, Sep 08 at 07:55:
> Hi, I set:
> FW_SERVICES_EXT_TCP="139"
> FW_SERVICES_EXT_UDP="137 138"
> FW_ALLOW_FW_BROADCAST="yes"
>
> # SuSEfirewall2 stop
> # SuSEfirewall2 start
> # nmblookup -M KFY
> querying KFY on 157.218.65.255
> name_query failed to find name KFY#1d
>
> After stopping fw everything works
> # SuSEfirewall2 stop
> # nmblookup -M KFY
> 157.218.65.108 KFY<1d>
>
> Can someone give me a note on what is wrong or what else I should test?

You might also open up tcp 445, for the sake of completeness... :)

In addition, are you sure that that machine's on the external device and not the internal device? You might open those ports on the INT and/or DMZ interfaces as well. Are you running in quickmode? You'll need to open those ports in FW_SERVICES_QUICK instead. Check the value of FW_SERVICE_SAMBA="yes", too.

--Danny
On Wed, 8 Sep 2004, Danny Sauer wrote:
> Stepan wrote regarding '[SLE] SuSE 9.1, firewall and samba client' on Wed, Sep 08 at 07:55:
> > Hi, I set:
> > FW_SERVICES_EXT_TCP="139"
> > FW_SERVICES_EXT_UDP="137 138"
> > FW_ALLOW_FW_BROADCAST="yes"
> >
> > # SuSEfirewall2 stop
> > # SuSEfirewall2 start
> > # nmblookup -M KFY
> > querying KFY on 157.218.65.255
> > name_query failed to find name KFY#1d
> >
> > After stopping fw everything works
> > # SuSEfirewall2 stop
> > # nmblookup -M KFY
> > 157.218.65.108 KFY<1d>
> >
> > Can someone give me a note on what is wrong or what else I should test?
>
> You might also open up tcp 445, for the sake of completeness... :)
>
> In addition, are you sure that that machine's on the external device and not the internal device? You might open those ports on the INT and/or DMZ interfaces as well. Are you running in quickmode? You'll need to open those ports in FW_SERVICES_QUICK instead. Check the value of FW_SERVICE_SAMBA="yes", too.
>
> --Danny

For illustration I opened EXT, DMZ and INT for TCP ports 139 and 445, and EXT, DMZ and INT for UDP ports 137 and 138. I have FW_QUICKMODE="no" and I set FW_SERVICE_SAMBA="yes" (even if I don't want a samba server, I need to be only a client). But I still get the same result:

# nmblookup -M KFY
querying KFY on 157.218.65.255
name_query failed to find name KFY#1d

Any other suggestion will be appreciated.

Best regards
Stepan
Stepan wrote regarding 'Re: [SLE] SuSE 9.1, firewall and samba client' on Wed, Sep 08 at 12:06: [...]
> For illustration I opened EXT, DMZ and INT for TCP ports 139 and 445, and EXT, DMZ and INT for UDP ports 137 and 138. I have FW_QUICKMODE="no" and I set FW_SERVICE_SAMBA="yes" (even if I don't want a samba server, I need to be only a client). But I still get the same result:
> # nmblookup -M KFY
> querying KFY on 157.218.65.255
> name_query failed to find name KFY#1d

Is there a master browser on your network? Are you querying a win 95 machine (which requires the -r option)? Is KFY a machine or domain name? Can you look up the name of a machine by name or IP:

nmblookup windowsserver
nmblookup -A 1.2.3.4

What output do you get if you run "nmblookup -d3 -M KFY"?

--Danny
On Wed, 8 Sep 2004, Danny Sauer wrote:
> Stepan wrote regarding 'Re: [SLE] SuSE 9.1, firewall and samba client' on Wed, Sep 08 at 12:06: [...]
> > For illustration I opened EXT, DMZ and INT for TCP ports 139 and 445, and EXT, DMZ and INT for UDP ports 137 and 138. I have FW_QUICKMODE="no" and I set FW_SERVICE_SAMBA="yes" (even if I don't want a samba server, I need to be only a client). But I still get the same result:
> > # nmblookup -M KFY
> > querying KFY on 157.218.65.255
> > name_query failed to find name KFY#1d
>
> Is there a master browser on your network?

Yes there is, but I have to tell you that we have not identified problems with resolving names. I always test whether the MS network is working correctly.

> Are you querying a win 95 machine (which requires the -r option)?

No, usually it is MS NT, MS 2000 or MS XP.

> Is KFY a machine or domain name?

It is a workgroup.

> Can you look up the name of a machine by name or IP:
> nmblookup windowsserver
> nmblookup -A 1.2.3.4
> What output do you get if you run "nmblookup -d3 -M KFY"

# nmblookup -d3 -M KFY
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface ip=157.218.65.109 bcast=157.218.65.255 nmask=255.255.255.0
Socket opened.
querying KFY on 157.218.65.255
Got a positive name query response from 157.218.65.59 ( 157.218.65.59 )
157.218.65.59 KFY<1d>

When this occurs then:

# nmblookup hiden-eqp
querying hiden-eqp on 157.218.65.255
name_query failed to find name hiden-eqp

When I switch off the FW then it works. Anything else that can be tested or viewed?

Thank you
Stepan
Stepan wrote regarding 'Re: [SLE] SuSE 9.1, firewall and samba client' on Thu, Sep 09 at 11:18:
> On Wed, 8 Sep 2004, Danny Sauer wrote:
> > Stepan wrote regarding 'Re: [SLE] SuSE 9.1, firewall and samba client' on Wed, Sep 08 at 12:06: [...]
> > > For illustration I opened EXT, DMZ and INT for TCP ports 139 and 445, and EXT, DMZ and INT for UDP ports 137 and 138. I have FW_QUICKMODE="no" and I set FW_SERVICE_SAMBA="yes" (even if I don't want a samba server, I need to be only a client). But I still get the same result:
> > > # nmblookup -M KFY
> > > querying KFY on 157.218.65.255
> > > name_query failed to find name KFY#1d
> >
> > Is there a master browser on your network?
>
> Yes there is, but I have to tell you that we have not identified problems with resolving names. I always test whether the MS network is working correctly.
>
> > Are you querying a win 95 machine (which requires the -r option)?
>
> No, usually it is MS NT, MS 2000 or MS XP.
>
> > Is KFY a machine or domain name?
>
> It is a workgroup.
>
> > Can you look up the name of a machine by name or IP:
> > nmblookup windowsserver
> > nmblookup -A 1.2.3.4
> > What output do you get if you run "nmblookup -d3 -M KFY"
>
> # nmblookup -d3 -M KFY
> lp_load: refreshing parameters
> Initialising global parameters
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> Processing section "[global]"
> added interface ip=157.218.65.109 bcast=157.218.65.255 nmask=255.255.255.0
> Socket opened.
> querying KFY on 157.218.65.255
> Got a positive name query response from 157.218.65.59 ( 157.218.65.59 )
> 157.218.65.59 KFY<1d>

Is this with the firewall on or off?

> When this occurs then:
> # nmblookup hiden-eqp
> querying hiden-eqp on 157.218.65.255
> name_query failed to find name hiden-eqp
>
> When I switch off the FW then it works. Anything else that can be tested or viewed?

Basically, at this point I'd suggest that you fire up a sniffer on your network somewhere, and see if the broadcast is going out & if a response is being generated. Either your firewall is blocking the outgoing packet or the incoming packet, or the machine just isn't responding. Since it works without the firewall, the firewall must be the problem.

Try starting the firewall, then run

iptables -F OUTPUT
iptables -P OUTPUT ACCEPT

See if it works. If so, then the outgoing rules aren't breaking it. Same deal with input - restart the firewall and run

iptables -F INPUT
iptables -P INPUT ACCEPT

If it works then, something on the input chain is blocking the response. Restart the firewall and check out the output of iptables -L. You should be able to see what the heck's blocking the traffic.

--Danny
On Thu, 9 Sep 2004, Danny Sauer wrote:

> Stepan wrote regarding 'Re: [SLE] SuSE 9.1, firewall and samba client' on Thu, Sep 09 at 11:18:
> > On Wed, 8 Sep 2004, Danny Sauer wrote:
> > > Stepan wrote regarding 'Re: [SLE] SuSE 9.1, firewall and samba client' on Wed, Sep 08 at 12:06: [...]
> > > > For illustration I opened EXT, DMZ and INT for TCP ports 139 and 445, and EXT, DMZ and INT for UDP ports 137 and 138. I have FW_QUICKMODE="no" and I set FW_SERVICE_SAMBA="yes" (even if I don't want a samba server, I need to be only a client). But I still get the same result:
> > > > # nmblookup -M KFY
> > > > querying KFY on 157.218.65.255
> > > > name_query failed to find name KFY#1d
> > >
> > > Is there a master browser on your network?
> >
> > Yes there is, but I have to tell you that we have not identified problems with resolving names. I always test whether the MS network is working correctly.
> >
> > > Are you querying a win 95 machine (which requires the -r option)?
> >
> > No, usually it is MS NT, MS 2000 or MS XP.
> >
> > > Is KFY a machine or domain name?
> >
> > It is a workgroup.
> >
> > > Can you look up the name of a machine by name or IP:
> > > nmblookup windowsserver
> > > nmblookup -A 1.2.3.4
> > > What output do you get if you run "nmblookup -d3 -M KFY"
> >
> > # nmblookup -d3 -M KFY
> > lp_load: refreshing parameters
> > Initialising global parameters
> > params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> > Processing section "[global]"
> > added interface ip=157.218.65.109 bcast=157.218.65.255 nmask=255.255.255.0
> > Socket opened.
> > querying KFY on 157.218.65.255
> > Got a positive name query response from 157.218.65.59 ( 157.218.65.59 )
> > 157.218.65.59 KFY<1d>
>
> Is this with the firewall on or off?

Sorry, you are right. This was when I tested it without the firewall. With it, then I got:

querying KFY on 147.228.55.255
name_query failed to find name KFY#1d

> > When this occurs then:
> > # nmblookup hiden-eqp
> > querying hiden-eqp on 157.218.65.255
> > name_query failed to find name hiden-eqp
> >
> > When I switch off the FW then it works. Anything else that can be tested or viewed?
>
> Basically, at this point I'd suggest that you fire up a sniffer on your network somewhere, and see if the broadcast is going out & if a response is being generated. Either your firewall is blocking the outgoing packet or the incoming packet, or the machine just isn't responding. Since it works without the firewall, the firewall must be the problem.
>
> Try starting the firewall, then run
> iptables -F OUTPUT
> iptables -P OUTPUT ACCEPT
>
> See if it works. If so, then the outgoing rules aren't breaking it. Same deal with input - restart the firewall and run
> iptables -F INPUT
> iptables -P INPUT ACCEPT
>
> If it works then, something on the input chain is blocking the response. Restart the firewall and check out the output of iptables -L. You should be able to see what the heck's blocking the traffic.

Ok, I'm going to play with it. Thank you for your time and best regards
Stepan
Stepan wrote regarding 'Re: [SLE] SuSE 9.1, firewall and samba client' on Thu, Sep 09 at 12:33:
> On Thu, 9 Sep 2004, Danny Sauer wrote:
> > Stepan wrote regarding 'Re: [SLE] SuSE 9.1, firewall and samba client' on Thu, Sep 09 at 11:18: [...]
> > > # nmblookup -d3 -M KFY
> > > lp_load: refreshing parameters
> > > Initialising global parameters
> > > params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> > > Processing section "[global]"
> > > added interface ip=157.218.65.109 bcast=157.218.65.255 nmask=255.255.255.0
> > > Socket opened.
> > > querying KFY on 157.218.65.255
> > > Got a positive name query response from 157.218.65.59 ( 157.218.65.59 )
> > > 157.218.65.59 KFY<1d>
> >
> > Is this with the firewall on or off?
>
> Sorry, you are right. This was when I tested it without the firewall. With it, then I got:
> querying KFY on 147.228.55.255
> name_query failed to find name KFY#1d

Is there a reason that the IP address changes with the firewall off? You might look into that, too... Good luck.

--Danny
Hi,

after some time of looking into the FW logs I found what the problem was (how easy to find, when a man knows what to look for :). From /var/log/messages

Sep 10 20:15:03 nganga kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:06:5b:dd:a2:9d:00:60:52:06:97:20:08:00 SRC=157.218.65.59 DST=157.218.65.109 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=50979 PROTO=UDP SPT=137 DPT=2676 LEN=70

it is clearly seen that the master browser (157.218.65.59) sent a UDP packet to my box on port 2676. After enabling FW_SERVICES_EXT_UDP="137 138 2676" I got the correct answer:

# nmblookup -M KFY
querying KFY on 147.228.55.255
Got a positive name query response from 147.228.55.59 ( 147.228.55.59 )
147.228.55.59 KFY<1d>

That is for the future, when someone has the same problems. But I still have a question: why is this necessary? I couldn't find this setting anywhere. Is it a security problem?

Thank you
Stepan
Stepan wrote regarding 'Re: [SLE] SuSE 9.1, firewall and samba client' on Fri, Sep 10 at 13:29:
> Hi, after some time of looking into the FW logs I found what the problem was (how easy to find, when a man knows what to look for :). From /var/log/messages
>
> Sep 10 20:15:03 nganga kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:06:5b:dd:a2:9d:00:60:52:06:97:20:08:00 SRC=157.218.65.59 DST=157.218.65.109 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=50979 PROTO=UDP SPT=137 DPT=2676 LEN=70
>
> it is clearly seen that the master browser (157.218.65.59) sent a UDP packet to my box on port 2676. After enabling FW_SERVICES_EXT_UDP="137 138 2676" I got the correct answer

I'm just guessing here now, but nmblookup is probably randomly selecting 2676 as the source address when it sends the broadcast. I thought that smb was all over TCP, though? I guess you'd need a rule in there to catch "related" packets and allow them, then drop other packets. I'm not entirely sure if related works with UDP, though. That's for someone else to answer (or test). :) Look at the "cstate" iptables module for more info (in the iptables man page).

--Danny
> > after some time of looking into the FW logs I found what the problem was (how easy to find, when a man knows what to look for :). From /var/log/messages
> >
> > Sep 10 20:15:03 nganga kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:06:5b:dd:a2:9d:00:60:52:06:97:20:08:00 SRC=157.218.65.59 DST=157.218.65.109 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=50979 PROTO=UDP SPT=137 DPT=2676 LEN=70
> >
> > it is clearly seen that the master browser (157.218.65.59) sent a UDP packet to my box on port 2676. After enabling FW_SERVICES_EXT_UDP="137 138 2676" I got the correct answer
>
> I'm just guessing here now, but nmblookup is probably randomly selecting 2676 as the source address when it sends the broadcast. I thought that smb was all over TCP, though? I guess you'd need a rule in there to catch "related" packets and allow them, then drop other packets. I'm not entirely sure if related works with UDP, though. That's for someone else to answer (or test). :) Look at the "cstate" iptables module for more info (in the iptables man page).
>
> --Danny

As usual you are "however" right. Now it uses UDP 2715... But what should I try to find? Is it --ctstate or --state? I couldn't find any word cstate.

Best regards
Stepan
Stepan wrote regarding 'Re: [SLE] SuSE 9.1, firewall and samba client' on Fri, Sep 10 at 14:05:
> > > after some time of looking into the FW logs I found what the problem was (how easy to find, when a man knows what to look for :). From /var/log/messages
> > >
> > > Sep 10 20:15:03 nganga kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:06:5b:dd:a2:9d:00:60:52:06:97:20:08:00 SRC=157.218.65.59 DST=157.218.65.109 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=50979 PROTO=UDP SPT=137 DPT=2676 LEN=70
> > >
> > > it is clearly seen that the master browser (157.218.65.59) sent a UDP packet to my box on port 2676. After enabling FW_SERVICES_EXT_UDP="137 138 2676" I got the correct answer
> >
> > I'm just guessing here now, but nmblookup is probably randomly selecting 2676 as the source address when it sends the broadcast. I thought that smb was all over TCP, though? I guess you'd need a rule in there to catch "related" packets and allow them, then drop other packets. I'm not entirely sure if related works with UDP, though. That's for someone else to answer (or test). :) Look at the "cstate" iptables module for more info (in the iptables man page).
>
> As usual you are "however" right. Now it uses UDP 2715... But what should I try to find? Is it --ctstate or --state? I couldn't find any word cstate.

Sorry - it's the "-m conntrack" module, probably with "--ctproto udp" and "--ctstate ESTABLISHED,RELATED" options that I was talking about. I use the conntrack version for everything, as I wasn't aware of the simpler appearing "state" module... More options = more power = better, right? :)

--Danny
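Added example, not code from the thread: a parser for the SFW2-INext-DROP-DEFLT log line Stepan quoted, plus a deliberately simplified model of netfilter UDP tracking that answers Danny's open question about whether ESTABLISHED,RELATED would cover this reply. The simplification it assumes: a unicast answer to a broadcast name query is not the reverse of the outbound tuple, so a plain state match does not accept it, and it is the kernel's NetBIOS name-service conntrack helper (ip_conntrack_netbios_ns on 2.6-era kernels, nf_conntrack_netbios_ns today) that registers an expectation for such replies and makes them RELATED; MiniConntrack and verdict_for_log are names made up for this example.

```python
import re

# Constructed input: the dropped-packet record quoted in the thread, copied
# from Stepan's /var/log/messages excerpt as a single line.
SFW2_LOG = ("Sep 10 20:15:03 nganga kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= "
            "MAC=00:06:5b:dd:a2:9d:00:60:52:06:97:20:08:00 SRC=157.218.65.59 "
            "DST=157.218.65.109 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=50979 "
            "PROTO=UDP SPT=137 DPT=2676 LEN=70")

def parse_sfw2(line):
    """Return the SFW2 chain tag plus the KEY=VALUE fields of a kernel log line."""
    m = re.search(r"kernel: (SFW2-\S+) (.*)$", line)
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    fields["RULE"] = m.group(1)
    return fields

class MiniConntrack:
    """Simplified model (an assumption of this example) of netfilter UDP tracking:
    an inbound datagram is ESTABLISHED only if it exactly reverses a recorded
    outbound tuple. With the NetBIOS-ns helper modelled in, a broadcast query
    to port 137 also expects unicast answers from port 137 to the same socket."""
    def __init__(self, bcast, helper=False):
        self.bcast, self.helper = bcast, helper
        self.tuples, self.expect = set(), set()

    def outbound(self, src, sport, dst, dport):
        self.tuples.add((src, sport, dst, dport))
        if self.helper and dst == self.bcast and dport == 137:
            self.expect.add((src, sport, 137))

    def verdict(self, pkt):
        dst, dport = pkt["DST"], int(pkt["DPT"])
        src, sport = pkt["SRC"], int(pkt["SPT"])
        if (dst, dport, src, sport) in self.tuples:
            return "ESTABLISHED"   # unicast reply to a unicast query
        if (dst, dport, sport) in self.expect:
            return "RELATED"       # unicast reply matched by the helper's expectation
        return "NEW"               # what SFW2-INext-DROP-DEFLT logged and dropped

def verdict_for_log(line, helper):
    """Replay 'nmblookup -M KFY' from the log's own DST/DPT, then judge the reply."""
    pkt = parse_sfw2(line)
    ct = MiniConntrack(bcast="157.218.65.255", helper=helper)
    ct.outbound(pkt["DST"], int(pkt["DPT"]), "157.218.65.255", 137)
    return ct.verdict(pkt)

if __name__ == "__main__":
    print(parse_sfw2(SFW2_LOG)["DPT"])              # 2676: nmblookup's ephemeral port
    print(verdict_for_log(SFW2_LOG, helper=False))  # NEW
    print(verdict_for_log(SFW2_LOG, helper=True))   # RELATED
```

The model also shows why the port Stepan opened is the wrong knob: the ephemeral port changes on every run (2676, then 2715), so a static FW_SERVICES_EXT_UDP entry is both fragile and wider than needed, whereas a stateful rule plus the helper admits only answers to queries this host actually sent.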
Hi,

after updating firefox using an rpm from the Mozilla project in ftp.suse.com/projects/mozilla/firefox/1.0PR, the UPDATE button in menu Tools->Extensions disappeared. So I only have the buttons Uninstall and Options. I would like to use it (and not manually search which extension has an update), but don't know how to fix that.

Thanks for any suggestion
Stepan
Hi,

to be able to play with firewall settings, is there a way to permanently (also after reboot) set rules and not use SuSEfirewall2?

Thank you
Stepan
Stepan wrote regarding '[SLE] Setting iptables rules without useing SuSEfirewall2 script.' on Fri, Sep 10 at 10:54:
> Hi, to be able to play with firewall settings, is there a way to permanently (also after reboot) set rules and not use SuSEfirewall2?

You can
1) make your own init script (in /etc/init.d/ with symlinks, etc)
2) put the rules in boot.local
3) figure out how to modify the stuff SuSE Firewall calls
4) something else :)

--Danny
On Friday 10 September 2004 10:56 am, Stepan Potocky wrote:
> Hi, to be able to play with firewall settings, is there a way to permanently (also after reboot) set rules and not use SuSEfirewall2?
>
> Thank you
> Stepan

Use iptables-save to save the rules you like to a file. In /etc/init.d/boot.local use iptables-restore to re-install the saved rules from the file.

--
Robert C. Paulsen, Jr.
robert@paulsenonline.net
participants (3)
- Danny Sauer
- Robert Paulsen
- Stepan Potocky