Hi,

192.168.0.255 is the broadcast address of your network. NMB lookups are performed via broadcasts, so this is OK.

The firewall log entry is directly related to this behavior. By default, all incoming connections with your own IP address are blocked. Imagine a hostile machine on your subnet saying "Hi, my name is 192.168.0.10 and I want to do some stuff." Your box says "This can't be true, because 192.168.0.10 is already assigned to ME." This is called an anti-spoofing rule and gets logged.

Now, what about broadcasts? They are addressed to 192.168.0.255 and could be created by any machine on your subnet. The given source IP address is not reliable information, as it might be spoofed. So by default the incoming packet gets dropped, regardless of whether it was actually sent from your own box - the packet filter has no means to reliably determine that.

Since everything works fine, it is quite safe to turn off logging for broadcast packets with the given properties. This is done by adding a custom rule to the anti-spoofing section of your /etc/sysconfig/scripts/SuSEfirewall2-custom:

    iptables -A INPUT -j DROP -p udp -s 192.168.0.10 -d 192.168.0.255 --sport 138 --dport 138

This silently drops these packets. Don't forget to activate the custom-config file in your main config file. If anything doesn't work, change the "DROP" target in the above line to "ACCEPT". Note that this could be a security risk (but I think a minimal one in your small local network).

Best regards,
Holger

On Friday, 11 July 2003 18:21, Nigel Gaylard wrote:
Hi All
Could someone please advise me on the following log entries. I am using Samba to serve 3 Windows clients but noticed the following in my log files (still learning Linux and discovered log files recently). The firewall lists this message every few seconds and it appears to relate to Samba, and more specifically the nmbd daemon. Samba is working, so it is purely the log file filling up with these entries that concerns me most. Secondly, I tried using nmblookup -M SERVER and it tries the address 192.168.0.255 as the "nameserver", whereas the SAMBA server is 192.168.0.10. Samba is set up to be the WINS server.
Many thanks
Nigel Gaylard
***EXTRACT from LOG FILES ****
Jul 11 15:15:18 server nmbd[1180]: [2003/07/11 15:15:18, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(291)
Jul 11 15:15:18 server nmbd[1180]: become_domain_master_browser_bcast:
Jul 11 15:15:18 server nmbd[1180]: Attempting to become domain master browser on workgroup MWDESIGNS on subnet 192.168.0.10
Jul 11 15:15:18 server nmbd[1180]: [2003/07/11 15:15:18, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(305)
Jul 11 15:15:18 server nmbd[1180]: become_domain_master_browser_bcast: querying subnet 192.168.0.10 for domain master browser on workgroup MWDESIGNS
Jul 11 15:15:28 server nmbd[1180]: [2003/07/11 15:15:28, 0] nmbd/nmbd_become_dmb.c:become_domain_master_stage2(114)
Jul 11 15:15:28 server nmbd[1180]: *****
Jul 11 15:15:28 server nmbd[1180]:
Jul 11 15:15:28 server nmbd[1180]: Samba server SERVER is now a domain master browser for workgroup MWDESIGNS on subnet 192.168.0.10
Jul 11 15:15:28 server nmbd[1180]:
Jul 11 15:15:28 server nmbd[1180]: *****

Jul 11 16:03:27 server kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.10 DST=192.168.0.255 LEN=256 TOS=0x00 PREC=0x00 TTL=64 ID=162 DF PROTO=UDP SPT=138 DPT=138 LEN=236
Jul 11 16:03:28 server nmbd[1470]: [2003/07/11 16:03:28, 0] nmbd/nmbd_browsesync.c:find_domain_master_name_query_fail(358)
Jul 11 16:03:28 server nmbd[1470]: find_domain_master_name_query_fail:
Jul 11 16:03:28 server nmbd[1470]: Unable to find the Domain Master Browser name MWDESIGNS<1b> for the workgroup MWDESIGNS.
Jul 11 16:03:28 server nmbd[1470]: Unable to sync browse lists in this workgroup.
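As an added example (not part of the thread and not SuSEfirewall2 or Samba code), here is a small Python script that parses SuSE-FW-DROP-ANTI-SPOOFING kernel log entries like the one above and separates the benign nmbd broadcasts Holger describes (own IP as source, subnet broadcast as destination, UDP 137/138) from anti-spoofing drops that would still deserve a look. It goes slightly beyond the reply's port-138 rule by also treating NetBIOS name-service broadcasts on port 137 as nmbd traffic. The sample log lines are constructed, the host address 192.168.0.10 on a /24 is assumed from the thread, and the function names and the "suspicious-spoof" label are mine.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log, modelled on the SuSEfirewall2 kernel message in the thread.
# Line 1 is the thread's own nmbd datagram broadcast; lines 2-4 are made up:
# a TCP packet claiming our own address as source (what anti-spoofing is really for),
# a NetBIOS name-service broadcast on port 137, and an unrelated sshd line.
SAMPLE_LOG = """\
Jul 11 16:03:27 server kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.10 DST=192.168.0.255 LEN=256 TOS=0x00 PREC=0x00 TTL=64 ID=162 DF PROTO=UDP SPT=138 DPT=138 LEN=236
Jul 11 16:03:30 server kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.10 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=40000 DPT=22
Jul 11 16:03:31 server kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.10 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=8 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Jul 11 16:03:32 server sshd[999]: Accepted password for nigel from 192.168.0.20 port 51234 ssh2
"""

# Matches the kernel firewall message and captures the rule tag and the key=value tail.
FW_LINE = re.compile(r"kernel: (?P<tag>SuSE-FW-\S+) (?P<fields>.*)$")
# Netfilter prints key=value tokens; bare flags such as DF carry no '=' and are skipped.
FIELD = re.compile(r"(\w+)=(\S*)")

# NetBIOS name service (137) and datagram service (138); both are sent by nmbd.
NMB_PORTS = {137, 138}


def broadcast_of(addr: str, prefix: int) -> str:
    """Directed broadcast address of the subnet that addr/prefix belongs to."""
    return str(ipaddress.ip_interface(f"{addr}/{prefix}").network.broadcast_address)


def parse_fw_line(line: str):
    """Return a dict of the firewall fields, or None if the line is not a firewall message.

    Netfilter logs LEN twice (IP total length, then the UDP length); with a plain
    dict the second value wins, which does not matter for classification.
    """
    m = FW_LINE.search(line)
    if not m:
        return None
    entry = {"TAG": m.group("tag")}
    entry.update(FIELD.findall(m.group("fields")))
    return entry


def classify(entry: dict, own_ip: str, prefix: int) -> str:
    """Label one anti-spoofing drop (label names are this example's own).

    'nmb-broadcast'    - our own IP as source, subnet broadcast as destination,
                         UDP 137/138: the benign nmbd traffic described in the reply.
    'suspicious-spoof' - our own IP as source but anything else: keep it in the log.
    'other'            - a drop that does not claim our address at all.
    """
    if entry.get("SRC") != own_ip:
        return "other"
    try:
        sport, dport = int(entry.get("SPT", -1)), int(entry.get("DPT", -1))
    except ValueError:
        return "suspicious-spoof"
    if (entry.get("DST") == broadcast_of(own_ip, prefix)
            and entry.get("PROTO") == "UDP"
            and sport in NMB_PORTS and dport in NMB_PORTS):
        return "nmb-broadcast"
    return "suspicious-spoof"


def summarize(log_text: str, own_ip: str, prefix: int) -> dict:
    """Count anti-spoofing drops per label over a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_fw_line(line)
        if entry and entry["TAG"] == "SuSE-FW-DROP-ANTI-SPOOFING":
            counts[classify(entry, own_ip, prefix)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Host address and prefix are assumed from the thread (192.168.0.10 on a /24).
    print(summarize(SAMPLE_LOG, "192.168.0.10", 24))
```

Run against the constructed sample, the two nmbd broadcasts are counted as "nmb-broadcast" and the made-up TCP packet claiming 192.168.0.10 as its source stays flagged. The point of filtering at the log-reading stage rather than only in the packet filter is that the anti-spoofing rule keeps logging drops that do not look like nmbd traffic, which is exactly the case it exists for.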