Mailinglist Archive: opensuse-security (359 mails)

Re: [suse-security] Help with Samba / Suse Firewall
  • From: Holger Schletz <h.schletz@xxxxxxxxx>
  • Date: Sat, 12 Jul 2003 13:46:34 +0200
  • Message-id: <200307121346.34559.h.schletz@xxxxxxxxx>
Hi,

192.168.0.255 is the broadcast address of your network. NMB lookups are
performed via broadcasts, so this is OK.

The firewall log entry is directly related to this behavior. By default, all
incoming connections with your own IP address are blocked.
Imagine a hostile machine on your subnet saying "Hi, my name is 192.168.0.10
and I want to do some stuff." Your box says "This can't be true, because
192.168.0.10 is already assigned to ME." This is called an anti-spoofing-rule
and gets logged.
Now, what about broadcasts? They are addressed to 192.168.0.255 and could be
created by any machine on your subnet. The given source IP address is not
reliable information, as it might be spoofed. So by default the incoming
packet gets dropped, regardless of whether it was actually sent from your own box;
the packet filter has no means to reliably determine that.

Since everything works fine, it is quite safe to turn off logging for broadcast
packets with the given properties. This is done by adding a custom rule to
the anti-spoofing section of your
/etc/sysconfig/scripts/SuSEfirewall2-custom:

iptables -A INPUT -p udp -s 192.168.0.10 -d 192.168.0.255 --sport 138 --dport 138 -j DROP

This silently drops these packets. Don't forget to activate the custom-config
file in your main config file.

If anything doesn't work, change the "DROP" target in the above line to
"ACCEPT". Note that this could be a security risk (but I think a minimal one
in your small local network).


Best regards,
Holger


On Friday, 11 July 2003 18:21, Nigel Gaylard wrote:
> Hi All
>
> Could someone please advise me on the following log entries. I am using
> Samba to serve 3 Windows clients but noticed the following in my log
> files (still learning Linux and discovered log files recently). The
> firewall lists this message every few seconds and it appears to relate to
> Samba and more specifically the nmbd daemon. Samba is working, so it is purely
> the log file filling up with these entries that concerns me most. Secondly,
> I tried using nmblookup -M SERVER and it tries the address 192.168.0.255 as
> the "nameserver", whereas the Samba server is 192.168.0.10. Samba is set up to be
> the WINS server.
>
> Many thanks
>
> Nigel Gaylard
>
>
> ***EXTRACT from LOG FILES ****
>
> Jul 11 15:15:18 server nmbd[1180]: [2003/07/11 15:15:18, 0]
> nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(291)
> Jul 11 15:15:18 server nmbd[1180]: become_domain_master_browser_bcast:
> Jul 11 15:15:18 server nmbd[1180]: Attempting to become domain master
> browser on workgroup MWDESIGNS on subnet 192.168.0.10
> Jul 11 15:15:18 server nmbd[1180]: [2003/07/11 15:15:18, 0]
> nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(305)
> Jul 11 15:15:18 server nmbd[1180]: become_domain_master_browser_bcast:
> querying subnet 192.168.0.10 for domain master browser on workgroup
> MWDESIGNS
> Jul 11 15:15:28 server nmbd[1180]: [2003/07/11 15:15:28, 0]
> nmbd/nmbd_become_dmb.c:become_domain_master_stage2(114)
> Jul 11 15:15:28 server nmbd[1180]: *****
> Jul 11 15:15:28 server nmbd[1180]:
> Jul 11 15:15:28 server nmbd[1180]: Samba server SERVER is now a domain
> master browser for workgroup MWDESIGNS on subnet 192.168.0.10
> Jul 11 15:15:28 server nmbd[1180]:
> Jul 11 15:15:28 server nmbd[1180]: *****
>
> Jul 11 16:03:27 server kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC=
> SRC=192.168.0.10 DST=192.168.0.255 LEN=256 TOS=0x00 PREC=0x00 TTL=64 ID=162
> DF PROTO=UDP SPT=138 DPT=138 LEN=236
> Jul 11 16:03:28 server nmbd[1470]: [2003/07/11 16:03:28, 0]
> nmbd/nmbd_browsesync.c:find_domain_master_name_query_fail(358)
> Jul 11 16:03:28 server nmbd[1470]: find_domain_master_name_query_fail:
> Jul 11 16:03:28 server nmbd[1470]: Unable to find the Domain Master
> Browser name MWDESIGNS<1b> for the workgroup MWDESIGNS.
> Jul 11 16:03:28 server nmbd[1470]: Unable to sync browse lists in this
> workgroup.
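Before silencing a firewall log message it is worth checking how narrow the proposed rule really is. The following Python script is an added example written for this archive page, not code from either poster or from SuSEfirewall2. It parses kernel log lines in the SuSE-FW-DROP-ANTI-SPOOFING format shown above, confirms from the interface address and netmask that 192.168.0.255 is the subnet broadcast (the /24 netmask is an assumption; the thread never states it), and counts which logged drops the custom UDP 138 rule would silence. The first log line is the one from the thread; the other two are constructed for contrast: a TCP packet claiming the server's own address as source, and a broadcast from a different host. Neither is silenced by the rule, so they would still be logged.

```python
import ipaddress
import re
from collections import Counter

# Line 1 is the entry from the thread. Lines 2 and 3 are constructed
# for this example; they are not from the original page.
SAMPLE_LOG = """\
Jul 11 16:03:27 server kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.10 DST=192.168.0.255 LEN=256 TOS=0x00 PREC=0x00 TTL=64 ID=162 DF PROTO=UDP SPT=138 DPT=138 LEN=236
Jul 11 16:03:29 server kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.10 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 11 16:03:31 server kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=eth0 OUT= MAC= SRC=192.168.0.20 DST=192.168.0.255 LEN=256 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=UDP SPT=138 DPT=138 LEN=236
"""

ANTI_SPOOF_PREFIX = "SuSE-FW-DROP-ANTI-SPOOFING"

# Netfilter log fields look like KEY=value; bare flags such as DF or SYN
# carry no '=' and are skipped. LEN appears twice (IP and UDP); the
# second value wins, which does not matter for the fields used here.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_fw_line(line):
    """Return (log prefix, field dict) for a SuSEfirewall2 kernel line, else None."""
    m = re.search(r"kernel: (SuSE-FW-[A-Z-]+) (.*)$", line)
    if not m:
        return None
    prefix, rest = m.group(1), m.group(2)
    return prefix, dict(FIELD_RE.findall(rest))


def broadcast_address(ip_with_prefix):
    """Directed broadcast for an interface address such as '192.168.0.10/24'."""
    iface = ipaddress.ip_interface(ip_with_prefix)
    return str(iface.network.broadcast_address)


def matches_custom_rule(fields, own_ip, broadcast):
    """Same match as: -p udp -s OWN_IP -d BROADCAST --sport 138 --dport 138.

    Note that the filter cannot tell a genuine nmbd datagram from a spoofed
    one carrying the same header fields; both match and both are silenced.
    """
    return (
        fields.get("PROTO") == "UDP"
        and fields.get("SRC") == own_ip
        and fields.get("DST") == broadcast
        and fields.get("SPT") == "138"
        and fields.get("DPT") == "138"
    )


def triage(log_text, own_ip, broadcast):
    """Count anti-spoofing drops the custom rule would silence vs. still log."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_fw_line(line)
        if parsed is None or parsed[0] != ANTI_SPOOF_PREFIX:
            continue
        fields = parsed[1]
        if matches_custom_rule(fields, own_ip, broadcast):
            counts["silenced"] += 1
        else:
            counts["still_logged"] += 1
    return counts


if __name__ == "__main__":
    own_ip = "192.168.0.10"
    bcast = broadcast_address(own_ip + "/24")  # assumed /24 netmask
    print("broadcast address:", bcast)
    for key, n in sorted(triage(SAMPLE_LOG, own_ip, bcast).items()):
        print(f"{key}: {n}")
```

Run it against a real /var/log/messages extract before adding the rule to SuSEfirewall2-custom: if anything other than the UDP 138 broadcast shows up as "still_logged", that traffic is unrelated to nmbd and deserves a look rather than a broader DROP.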

