LinuxQuestions.org

Linux - Security: Firewall & Samba (https://www.linuxquestions.org/questions/linux-security-4/firewall-and-samba-540394/)

jsparksa 03-25-2007 03:33 AM

Firewall & Samba
 
After much experimentation, I have a question concerning Samba and Firewall security. I am running Suse 10.0, SuseFirewall2 and Samba 3.0.20b-3.8-1162-SUSE.

I have set up shares from Suse to the outside world and all is well in that regard.

The Suse PC cannot browse the domain/workgroup without a workaround. (In my case, my domain.)

If I shut down the FW and browse the network, all is well. I can restart the FW and I can continue to browse the network with the FW enabled.

If I log off and log back on, I must again shut down the FW before I can browse the network.

I have assigned the NIC interface to "Internal" and I have enabled Samba Server, I have also enabled TCP ports 137 and 138 and UDP port 139. (BTW: I type ports 137, 138, 139, 445 into the TCP and UDP enabled ports, and the FW configurator removed TCP 139, 445 and UDP 137, 138 & 445.)

Specifically what I want is to be able to boot the machine with the FW enabled and browse the network without a special workaround.

Thanks in advance for your help,

Jim

P.S.

When the FW is re-enabled, I can see the computers in my domain, but I cannot see the shares on one (Windows) PC. (Shares on other PCs are available.) If I disable the FW, I can browse all of the shares on all of the PCs in the network: (1) Suse 10, (2) Suse 9.1, (3) Collax (Linux w/ Windows domain), and (4) Windows XP Pro.

jsparksa 03-25-2007 05:28 AM

software vs hardware firewall
 
Maybe a more important question: Is the Suse firewall needed while I am using a router with a firewall? I am using a Netgear FVS-318 router.

I just ran a test where I disabled the SW FW and then I went to the "Shields Up!" website (https://www.grc.com/x/ne.dll?bh0bkyd2 or http://www.grc.com) and after I ran their tests, it was determined that my PC is very secure with respect to open ports and file shares.

Opinions concerning SW vs HW firewalls are greatly appreciated.


Thanks again, Jim

(I just read a message that stated that "you are never safe!" and it suggested running a log checker. It is so easy to spot someone else's question after I have posted my own.)

:-)

win32sux 03-25-2007 12:25 PM

Quote:

Originally Posted by jsparksa
I have assigned the NIC interface to "Internal" and I have enabled Samba Server, I have also enabled TCP ports 137 and 138 and UDP port 139. (BTW: I type ports 137, 138, 139, 445 into the TCP and UDP enabled ports, and the FW configurator removed TCP 139, 445 and UDP 137, 138 & 445.)

it's my understanding that the ports you need are:

Code:

--> 137/UDP (NETBIOS Name Service)
--> 138/UDP (NETBIOS Datagram Service)
--> 139/TCP (NETBIOS Session Service)
--> 445/TCP (Microsoft Naked CIFS)

if you enable logging on your firewall, i would expect to see packets to these ports getting sent to DROP/REJECT by your current firewall rules...

jsparksa 03-25-2007 01:32 PM

Firewall & Samba update
 
The following explanation is my understanding of how the Suse FW works:

The interface to Suse FW allows rules to be created in two ways: (1) by "common" service name, and (2) by port or ip protocol. I selected "Samba Server" by common service name and then I typed port 137 138 139 and 445 into the allowed ports for TCP and UDP. If the FW interface recognizes that a port manually entered is associated with a "common" service name, it will remove the port from the list and add the common name to the list of services.

So Suse listed "Samba Service" under "allowed service" and it listed 137 TCP and 138, 139 and 445 UDP ports under "Additional allowed ports."

___

I see by the log that UDP 137 is being dropped. How do I get the FW to allow UDP 137? If I manually type UDP 137, it is removed, and I assumed until now that UDP 137 was covered by a common service name as described above.

I do not know how to manipulate iptables manually, i.e. without the FW interface. I feel like I am so close to the solution and I cannot get the last part.

Thanks for your help,

Jim

win32sux 03-25-2007 01:38 PM

Quote:

Originally Posted by jsparksa
I see by the log that UDP 137 is being dropped. How do I get the FW to allow UDP 137? If I manually type UDP 137, it is removed, and I assumed until now that UDP 137 was covered by a common service name as described above.

sorry, i'm not sure how the suse firewall works... :(

Quote:

I do not know how to manipulate iptables manually, i.e without the FW interface. I feel like I am so close to the solution and I cannot get the last part.
hang in there, i'm sure someone familiar with the suse firewall will post soon... in any case, you can execute an iptables rule as a temporary work-around (and as a test to make sure it helps with the problem) while you figure-out the suse thing:
Code:

iptables -I INPUT -i $LAN_IFACE -p UDP --dport 137 -j ACCEPT
replace $LAN_IFACE with the actual name of your LAN interface...

jsparksa 03-25-2007 03:36 PM

firewall samba cannot browse network
 
I used the iptables rule from a previous post and I am getting different log messages.

Ok lets forget the Suse FW, and I will learn what I need to know about iptables. Can someone coach me a bit in this matter?

I appear to now be having some type of broadcast issue:

Mar 25 16:19:49 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12504 PROTO=UDP SPT=137 DPT=137 LEN=58

I have a 4 pc network and I see multiple messages for each PC.

Once I have the correct rules, I can put them into a command file and execute them on system boot.


Thanks again,

Jim

Here is the log from the time of the boot where the FW has been started:


win32sux 03-25-2007 03:58 PM

i wrote a simple iptables script for you which does just samba and ping...

if you want, try it and report back:
Code:

#!/bin/sh

IPT="/sbin/iptables"
LAN_IFACE="eth0"
LAN_NET="192.168.233.0/24"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

# NETBIOS Name Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 137 \
-m state --state NEW -j ACCEPT

# NETBIOS Datagram Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 138 \
-m state --state NEW -j ACCEPT

# NETBIOS Session Service:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 139 \
-m state --state NEW -j ACCEPT

# Microsoft Naked CIFS:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 445 \
-m state --state NEW -j ACCEPT

# ICMP Echo:
$IPT -A INPUT -p ICMP -i $LAN_IFACE -s $LAN_NET --icmp-type 8 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "

PS: please use [code] tags when you post output and stuff like that - it makes it much easier to understand, and uses less screen space... :)

jsparksa 03-25-2007 11:02 PM

Firewall & Samba
 
I created a script from your code. Thank you very much!!

If I run the script from the command line, the network is browsable.

Then I added the script to /etc/init.d/boot.local, which is run just before the system enters run-level 5, and after I rebooted, the network was not browsable.

Is there a better place to put the script?

Sorry about the lengthy post before, but I cannot seem to locate a button for "code tags" as described in the help section. I have smileys and formatting options, but no code tag button.

I am going to put this issue away for the night

Thanks for your help, Jim


I am receiving these types of log messages now.

Is there another rule for port & broadcasting??

Mar 25 23:24:13 jsparksa kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:10:4b:0a:76:f5:08:00 SRC=192.168.233.110 DST=192.168.233.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1026 LEN=70
Mar 25 23:24:13 jsparksa kernel: SFW2-INint-ACC-UDP IN=eth0 OUT= MAC= SRC=192.168.233.101 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1026 DPT=137 LEN=58
Mar 25 23:24:13 jsparksa kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:10:4b:0a:76:f5:08:00 SRC=192.168.233.110 DST=192.168.233.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1026 LEN=70
Mar 25 23:24:13 jsparksa kernel: SFW2-INint-ACC-UDP IN=eth0 OUT= MAC= SRC=192.168.233.101 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1026 DPT=137 LEN=58
Mar 25 23:24:13 jsparksa kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:10:4b:0a:76:f5:08:00 SRC=192.168.233.110 DST=192.168.233.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1026 LEN=70
Mar 25 23:24:13 jsparksa kernel: SFW2-INint-ACC-UDP IN=eth0 OUT= MAC= SRC=192.168.233.101 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1026 DPT=137 LEN=58

win32sux 03-25-2007 11:43 PM

Quote:

Originally Posted by jsparksa
I created a script from your code. Thank you very much!!

If I run the script from the command line, the network is browsable.

Then I added the script to /etc/init.d/boot.local, which is run just before the system enters run-level 5, and after I rebooted, the network was not browsable.

Is there a better place to put the script?

well, if suse has the "service" command like red hat does, then what you'd do is this, right after executing the script:
Code:

service iptables save
Quote:

I am receiving these type of log messages now.

Is there another rule for port & broadcasting??
if your log file is getting cluttered, there's a couple things you can do... first, you can establish a limit to the amount of logging which occurs, like:
Code:

$IPT -A INPUT -j LOG -m limit --log-prefix "INPUT DROP: "
you can also send to DROP packets which you don't care about before they have a chance to get sent to LOG, like:
Code:

$IPT -A INPUT -d 255.255.255.255 -j DROP
$IPT -A INPUT -d 192.168.233.255 -j DROP

$IPT -A INPUT -j LOG -m limit --log-prefix "INPUT DROP: "
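Added example (not code from the thread): a small triage script for the SFW2 kernel log lines posted above. It separates subnet/multicast broadcast drops (the "clutter" discussed here) from unicast drops, and flags the pattern in Jim's latest log, where a name query this host sent to 192.168.233.255 from port 1026 is accepted but the unicast answer from .110 back to port 1026 is dropped: the answer comes from a different address than the query was sent to, so connection tracking does not treat it as ESTABLISHED. The log lines are taken from the thread with the hostname replaced; the /24 broadcast test and the field names are assumptions based on the posted lines.

```python
"""Triage SuSEfirewall2 (SFW2) kernel log lines."""
import re
from collections import Counter

# Lines copied from the thread (hostname replaced by "host"), in an order
# constructed for this example.
SAMPLE_LOG = """\
Mar 25 16:19:49 host kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12504 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:29 host kernel: SFW2-INint-ACC-UDP IN=eth0 OUT= MAC= SRC=192.168.233.101 DST=192.168.233.255 LEN=246 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=226
Mar 25 23:24:13 host kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:10:4b:0a:76:f5:08:00 SRC=192.168.233.110 DST=192.168.233.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1026 LEN=70
Mar 25 23:24:13 host kernel: SFW2-INint-ACC-UDP IN=eth0 OUT= MAC= SRC=192.168.233.101 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1026 DPT=137 LEN=58
Mar 25 16:18:44 host kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC= SRC=192.168.233.101 DST=224.0.0.251 LEN=112 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=92
"""

# Only lines carrying an SFW2 log prefix are of interest; other syslog
# lines (SuSEfirewall2 start message, hplip noise) are skipped.
LINE_RE = re.compile(r"kernel: (?P<prefix>SFW2-[A-Za-z0-9-]+) (?P<fields>.*)$")


def parse_line(line):
    """Return a dict of the KEY=VALUE fields of one SFW2 log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec.setdefault(key, val)  # LEN appears twice; keep the IP length
        else:
            rec[tok] = True  # bare flags such as DF
    return rec


def is_broadcast(dst):
    # Assumption: a /24 LAN (192.168.233.0/24 in the thread), so x.y.z.255
    # is the subnet broadcast; 255.255.255.255 is the limited broadcast.
    return dst == "255.255.255.255" or dst.endswith(".255")


def is_multicast(dst):
    return 224 <= int(dst.split(".")[0]) <= 239


def triage(log_text):
    """Classify every dropped packet in the log.

    Returns a list of (src, proto, spt, dpt, kind) tuples, where kind is
    one of: broadcast-clutter, multicast-clutter, reply-to-broadcast-query,
    investigate.
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]

    # UDP broadcasts this host accepted, keyed (src, spt, dpt). A reply to
    # such a query arrives with dst == src and the ports swapped, but from
    # the answering host's own address, so conntrack cannot relate it.
    accepted_bcast = {
        (r["SRC"], r["SPT"], r["DPT"])
        for r in records
        if "-ACC-" in r["prefix"] and r.get("PROTO") == "UDP"
        and is_broadcast(r["DST"])
    }

    verdicts = []
    for r in records:
        if "-DROP-" not in r["prefix"]:
            continue
        dst = r["DST"]
        if is_broadcast(dst):
            kind = "broadcast-clutter"
        elif is_multicast(dst):
            kind = "multicast-clutter"
        elif r.get("PROTO") == "UDP" and (dst, r["DPT"], r["SPT"]) in accepted_bcast:
            kind = "reply-to-broadcast-query"
        else:
            kind = "investigate"
        verdicts.append((r["SRC"], r.get("PROTO"), r.get("SPT"), r.get("DPT"), kind))
    return verdicts


def summarize(verdicts):
    """Count verdicts per kind; 'investigate' is the bucket worth reading."""
    return Counter(v[-1] for v in verdicts)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for src, proto, spt, dpt, kind in results:
        print(f"{kind:26} {src}:{spt} -> :{dpt} {proto}")
    print(dict(summarize(results)))
```

The "reply-to-broadcast-query" bucket is the one a plain `RELATED,ESTABLISHED` rule cannot cover, which is why the thread's scripts need an explicit accept for 137/UDP from the LAN.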


jsparksa 03-26-2007 08:45 AM

First a question. It is my impression that all(*) Linux firewalls use iptables as the underlying infrastructure, and that the different firewall products provide front-end interfaces to the user to create iptables rules. Some interfaces are more user-friendly than others and some interfaces may offer more functionality to manipulate all of the possible types of rules that may be needed for any possible configuration.

Regarding the latest reply (# 9), I do not know which log messages are clutter and which are worth investigating. I am nobody's expert in the area of networking and security. I have a good knowledge in some areas and large gaps in knowledge in other areas.

Suse does not have a service command! What does the RedHat service command do? I can look for a similar function in Suse.

I found a command, iptables-save, and this command dumps the iptables rules to a text file. I have posted my configuration to my website @

http://jsparksa.homeip.net/iptables.txt

Please let me know if using my website is improper etiquette for linuxquestions.org.

Thanks, Jim

(*) All is almost as dangerous as never!

I found code tags!!
Code:

# Generated by iptables-save v1.3.3 on Mon Mar 26 08:15:20 2007
*mangle
:PREROUTING ACCEPT [1065802:1147263999]
:INPUT ACCEPT [1065802:1147263999]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [726588:453463597]
:POSTROUTING ACCEPT [726873:453494731]
COMMIT
# Completed on Mon Mar 26 08:15:20 2007
# Generated by iptables-save v1.3.3 on Mon Mar 26 08:15:20 2007
*nat
:PREROUTING ACCEPT [510:78292]
:POSTROUTING ACCEPT [258:27466]
:OUTPUT ACCEPT [258:27466]
COMMIT
# Completed on Mon Mar 26 08:15:20 2007
# Generated by iptables-save v1.3.3 on Mon Mar 26 08:15:20 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_int - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j LOG --log-prefix "SFW2-IN-ACC-RELATED " --log-tcp-options --log-ip-options
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A input_int -p udp -m pkttype --pkt-type broadcast -m udp --dport 631 -j LOG --log-prefix "SFW2-ACC-BCASTi " --log-tcp-options --log-ip-options
-A input_int -p udp -m pkttype --pkt-type broadcast -m udp --dport 631 -j ACCEPT
-A input_int -p udp -m pkttype --pkt-type broadcast -m udp --dport 137 -j LOG --log-prefix "SFW2-ACC-BCASTi " --log-tcp-options --log-ip-options
-A input_int -p udp -m pkttype --pkt-type broadcast -m udp --dport 137 -j ACCEPT
-A input_int -p udp -m pkttype --pkt-type broadcast -m udp --dport 138 -j LOG --log-prefix "SFW2-ACC-BCASTi " --log-tcp-options --log-ip-options
-A input_int -p udp -m pkttype --pkt-type broadcast -m udp --dport 138 -j ACCEPT
-A input_int -m pkttype --pkt-type broadcast -j LOG --log-prefix "SFW2-DROP-BCASTi " --log-tcp-options --log-ip-options
-A input_int -m pkttype --pkt-type broadcast -j DROP
-A input_int -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-INint-ACC-SOURCEQUENCH " --log-tcp-options --log-ip-options
-A input_int -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_int -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SFW2-INint-ACC-PING " --log-tcp-options --log-ip-options
-A input_int -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j LOG --log-prefix "SFW2-INint-ACC-ICMP " --log-tcp-options --log-ip-options
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j LOG --log-prefix "SFW2-INint-ACC-ICMP " --log-tcp-options --log-ip-options
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j LOG --log-prefix "SFW2-INint-ACC-ICMP " --log-tcp-options --log-ip-options
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j LOG --log-prefix "SFW2-INint-ACC-ICMP " --log-tcp-options --log-ip-options
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j LOG --log-prefix "SFW2-INint-ACC-ICMP " --log-tcp-options --log-ip-options
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j LOG --log-prefix "SFW2-INint-ACC-ICMP " --log-tcp-options --log-ip-options
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j LOG --log-prefix "SFW2-INint-ACC-ICMP " --log-tcp-options --log-ip-options
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-INint-ACC-ICMP " --log-tcp-options --log-ip-options
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A input_int -p tcp -m tcp --dport 137 -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 137 -j ACCEPT
-A input_int -p tcp -m tcp --dport 138 -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 138 -j ACCEPT
-A input_int -p tcp -m tcp --dport 139 -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 139 -j ACCEPT
-A input_int -p tcp -m tcp --dport 21 -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 21 -j ACCEPT
-A input_int -p tcp -m tcp --dport 23 -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 23 -j ACCEPT
-A input_int -p tcp -m tcp --dport 445 -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 445 -j ACCEPT
-A input_int -p tcp -m tcp --dport 515 -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 515 -j ACCEPT
-A input_int -p tcp -m tcp --dport 5801 -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 5801 -j ACCEPT
-A input_int -p tcp -m tcp --dport 5901 -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 5901 -j ACCEPT
-A input_int -p tcp -m tcp --dport 631 -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 631 -j ACCEPT
-A input_int -p tcp -m tcp --dport 9100 -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 9100 -j ACCEPT
-A input_int -p tcp -m tcp --dport 80 -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 80 -j ACCEPT
-A input_int -p udp -m udp --dport 137 -j LOG --log-prefix "SFW2-INint-ACC-UDP " --log-tcp-options --log-ip-options
-A input_int -p udp -m udp --dport 137 -j ACCEPT
-A input_int -p udp -m udp --dport 138 -j LOG --log-prefix "SFW2-INint-ACC-UDP " --log-tcp-options --log-ip-options
-A input_int -p udp -m udp --dport 138 -j ACCEPT
-A input_int -p udp -m udp --dport 139 -j LOG --log-prefix "SFW2-INint-ACC-UDP " --log-tcp-options --log-ip-options
-A input_int -p udp -m udp --dport 139 -j ACCEPT
-A input_int -p udp -m udp --dport 21 -j LOG --log-prefix "SFW2-INint-ACC-UDP " --log-tcp-options --log-ip-options
-A input_int -p udp -m udp --dport 21 -j ACCEPT
-A input_int -p udp -m udp --dport 23 -j LOG --log-prefix "SFW2-INint-ACC-UDP " --log-tcp-options --log-ip-options
-A input_int -p udp -m udp --dport 23 -j ACCEPT
-A input_int -p udp -m udp --dport 445 -j LOG --log-prefix "SFW2-INint-ACC-UDP " --log-tcp-options --log-ip-options
-A input_int -p udp -m udp --dport 445 -j ACCEPT
-A input_int -p udp -m udp --dport 515 -j LOG --log-prefix "SFW2-INint-ACC-UDP " --log-tcp-options --log-ip-options
-A input_int -p udp -m udp --dport 515 -j ACCEPT
-A input_int -p udp -m udp --dport 9100 -j LOG --log-prefix "SFW2-INint-ACC-UDP " --log-tcp-options --log-ip-options
-A input_int -p udp -m udp --dport 9100 -j ACCEPT
-A input_int -p udp -m udp --dport 68 -j LOG --log-prefix "SFW2-INint-ACC-UDP " --log-tcp-options --log-ip-options
-A input_int -p udp -m udp --dport 68 -j ACCEPT
-A input_int -p udp -m udp --dport 631 -j LOG --log-prefix "SFW2-INint-ACC-UDP " --log-tcp-options --log-ip-options
-A input_int -p udp -m udp --dport 631 -j ACCEPT
-A input_int -p udp -m udp --dport 427 -j LOG --log-prefix "SFW2-INint-ACC-UDP " --log-tcp-options --log-ip-options
-A input_int -p udp -m udp --dport 427 -j ACCEPT
-A input_int -p udp -m udp --dport 69 -j LOG --log-prefix "SFW2-INint-ACC-UDP " --log-tcp-options --log-ip-options
-A input_int -p udp -m udp --dport 69 -j ACCEPT
-A input_int -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT

# Completed on Mon Mar 26 08:15:20 2007
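Added example (not from the thread): an audit of an iptables-save dump like the one above against the four ports win32sux listed for Samba (137/UDP, 138/UDP, 139/TCP, 445/TCP). It reports which of those are missing, which NetBIOS/CIFS ports the front end opened on the wrong protocol, which other ports are open on the LAN chain and deserve a look, and whether subnet-broadcast acceptance for 137/138 UDP is present. The sample is an excerpt of the posted dump; the chain name `input_int` and single (non-range) `--dport` values are assumptions taken from that dump.

```python
"""Audit an iptables-save dump for the ports Samba actually needs."""
import shlex

# The four ports listed by win32sux in the thread.
REQUIRED = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
SMB_PORTS = {137, 138, 139, 445}
# Name Service and Datagram Service traffic arrives as subnet broadcasts,
# which SuSEfirewall2 handles with separate pkttype rules.
REQUIRED_BCAST = {("udp", 137), ("udp", 138)}
LAN_CHAIN = "input_int"  # assumption: SuSEfirewall2's internal-zone chain

# Excerpt of the iptables-save output posted in the thread.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:input_int - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -j DROP
-A input_int -p udp -m pkttype --pkt-type broadcast -m udp --dport 137 -j LOG --log-prefix "SFW2-ACC-BCASTi " --log-tcp-options --log-ip-options
-A input_int -p udp -m pkttype --pkt-type broadcast -m udp --dport 137 -j ACCEPT
-A input_int -p udp -m pkttype --pkt-type broadcast -m udp --dport 138 -j ACCEPT
-A input_int -m pkttype --pkt-type broadcast -j DROP
-A input_int -p tcp -m tcp --dport 137 -j ACCEPT
-A input_int -p tcp -m tcp --dport 138 -j ACCEPT
-A input_int -p tcp -m tcp --dport 139 -j ACCEPT
-A input_int -p tcp -m tcp --dport 23 -j ACCEPT
-A input_int -p tcp -m tcp --dport 445 -j ACCEPT
-A input_int -p udp -m udp --dport 137 -j ACCEPT
-A input_int -p udp -m udp --dport 138 -j ACCEPT
-A input_int -p udp -m udp --dport 139 -j ACCEPT
-A input_int -p udp -m udp --dport 445 -j ACCEPT
-A input_int -j DROP
COMMIT
"""


def parse_rule(line):
    """Return the parts of one '-A' line we care about, or None for others."""
    if not line.startswith("-A "):
        return None
    toks = shlex.split(line)  # handles the quoted --log-prefix values
    rule = {"chain": toks[1], "proto": None, "dport": None,
            "target": None, "broadcast": False}
    i = 2
    while i < len(toks):
        tok = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-p":
            rule["proto"] = nxt.lower()
            i += 1
        elif tok == "--dport":
            rule["dport"] = int(nxt)  # assumption: single ports, no ranges
            i += 1
        elif tok == "-j":
            rule["target"] = nxt
            i += 1
        elif tok == "--pkt-type":
            rule["broadcast"] = (nxt == "broadcast")
            i += 1
        i += 1
    return rule


def audit(dump):
    """Compare the LAN chain's ACCEPT rules with what Samba needs."""
    rules = [r for r in map(parse_rule, dump.splitlines()) if r]
    lan_accepts = [r for r in rules
                   if r["chain"] == LAN_CHAIN and r["target"] == "ACCEPT"
                   and r["dport"] is not None]
    unicast = {(r["proto"], r["dport"]) for r in lan_accepts if not r["broadcast"]}
    bcast = {(r["proto"], r["dport"]) for r in lan_accepts if r["broadcast"]}

    wrong_proto = {(p, port) for (p, port) in unicast
                   if port in SMB_PORTS and (p, port) not in REQUIRED}
    return {
        "missing": sorted(REQUIRED - unicast),
        "wrong_protocol": sorted(wrong_proto),
        "other_open": sorted(unicast - REQUIRED - wrong_proto),
        "broadcast_missing": sorted(REQUIRED_BCAST - bcast),
    }


if __name__ == "__main__":
    for key, val in audit(SAMPLE_DUMP).items():
        print(f"{key:18}: {val}")
```

Anything in "wrong_protocol" can be closed without affecting Samba, and "other_open" is the list to justify one port at a time.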

win32sux 03-26-2007 06:33 PM

Quote:

Originally Posted by jsparksa
First a question. It is my impression that all(*) Linux firewalls use iptables as the underlying infrastructure, and that the different firewall products provide front-end interfaces to the user to create iptables rules. Some interfaces are more user-friendly than others and some interfaces may offer more functionality to manipulate all of the possible types of rules that may be needed for any possible configuration.

your impression is correct... but keep in mind that iptables is just a configuration tool, the underlying infrastructure is netfilter...

Quote:

Regarding the latest reply (# 9), I do not know which log messages are clutter and which are worth investigating. I am nobody's expert in the area of networking and security. I have a good knowledge in some areas and large gaps in knowledge in other areas.
well, clutter is subjective... what's clutter for me might not be clutter for you, and vice versa... broadcasts, however, are considered clutter by a lot of people, so it's what i used in my example...

Quote:

Suse does not have a service command! What does the RedHat service command do? I can look for a similar function in Suse.

I found a command, iptables-save, and this command dumps the iptables rules to a text file. I have posted my configuration to my website @

http://jsparksa.homeip.net/iptables.txt

Please let me know if using my website is improper etiquette for linuxquestions.org.
the iptables-save command is fine, as long as you can find which file suse expects the configuration to be in... try something like this and reboot to check:
Code:

iptables-save > /etc/sysconfig/iptables
you disabled the suse firewall, right??

posting that link to your config at home doesn't violate any rule, but of course we really prefer to have stuff posted in here instead...

jsparksa 03-26-2007 10:06 PM

firewall & samba
 
Accidental posting.

jsparksa 03-27-2007 10:51 PM

firewall & samba
 
I am repeating much information, but I discovered that I can see one of the machines and its shares while the FW is initially running.

Thanks for the clarification of netfilter.

I have gone back to the Suse FW, since I confirmed that iptables is behind the scenes. I am not completely comfortable with my knowledge of iptables, but I can now see how the rules are derived from the settings entered into the FW GUI interface.

I have been continuing to experiment, and I discovered that I can browse the domain controller server.

net 192.168.233.xxx

102 == Suse 10.0: the machine I am trying to fix.

110 == Collax domain controller, a linux server acting as an NT DC. Running FW.

106 == Windows XP Pro running Panda software A/V and FW. (Desktop)
103 == same via wireless adapter

101 == Suse 9.x w/ FW.

104 == Windows XP Pro running Panda software A/V and FW. (laptop not always running)



The primary purpose of the Collax server is the DC, and before last night I did not realize that I was able to browse it from the troubled PC with the FW on. I do not normally do anything with this machine while it is running.

I am not able to browse the domain: message is "unable to find any workgroups in your local network. This may be caused by an enabled firewall."

When I browse the other machines, besides the Collax server, I get the message: "could not connect to host for smb://(computername)/"

Again, if I turn the FW off, I can browse the entire network.

Additionally, if I browse the network with the FW off and I leave the konqueror window open, I can restart the FW and continue to browse the network. That is, I can browse until I logoff and login again.


Thanks again and again, Jim


here are the latest log files with some comments:

Code:

Mar 27 17:33:24 jsparksa SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
Mar 27 17:33:24 jsparksa SuSEfirewall2: /var/lock/SuSEfirewall2.booting exists which means system boot in progress, exit.
...
Mar 27 17:33:29 jsparksa nmbd[5996]: [2007/03/27 17:33:29, 0] param/loadparm.c:map_parameter(2653)
Mar 27 17:33:29 jsparksa nmbd[5996]:  Unknown parameter encountered: "print cache time"
Mar 27 17:33:29 jsparksa nmbd[5996]: [2007/03/27 17:33:29, 0] param/loadparm.c:lp_do_parameter(3402)
Mar 27 17:33:29 jsparksa nmbd[5996]:  Ignoring unknown parameter "print cache time"
...
Mar 27 17:33:40 jsparksa smbd[6429]: [2007/03/27 17:33:40, 0] param/loadparm.c:map_parameter(2653)
Mar 27 17:33:40 jsparksa smbd[6429]:  Unknown parameter encountered: "print cache time"
Mar 27 17:33:40 jsparksa smbd[6429]: [2007/03/27 17:33:40, 0] param/loadparm.c:lp_do_parameter(3402)
Mar 27 17:33:40 jsparksa smbd[6429]:  Ignoring unknown parameter "print cache time"
...
Mar 27 17:33:40 jsparksa smbd[6429]: [2007/03/27 17:33:40, 0] printing/print_cups.c:cups_cache_reload(85)
Mar 27 17:33:40 jsparksa smbd[6429]:  Unable to connect to CUPS server localhost - Connection refused
Mar 27 17:33:40 jsparksa smbd[6429]: [2007/03/27 17:33:40, 0] printing/print_cups.c:cups_cache_reload(85)
Mar 27 17:33:40 jsparksa smbd[6429]:  Unable to connect to CUPS server localhost - Connection refused
...
Mar 27 17:33:51 jsparksa SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
Mar 27 17:33:51 jsparksa SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Mar 27 17:33:52 jsparksa SuSEfirewall2: batch committing...
Mar 27 17:33:52 jsparksa SuSEfirewall2: Firewall rules successfully set



Mar 27 17:33:58 jsparksa kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC= SRC=192.168.233.101 DST=224.0.0.251 LEN=112 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=92
Mar 27 17:34:24 jsparksa hp: unable to open /var/run/hpiod.port: No such file or directory: prnt/hpijs/hplip_api.c 75
Mar 27 17:34:30 jsparksa kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC= SRC=192.168.233.101 DST=224.0.0.251 LEN=112 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=92
Mar 27 17:34:30 jsparksa modprobe: FATAL: Error inserting sonypi (/lib/modules/2.6.13-15.15-default/kernel/drivers/char/sonypi.ko): No such device

...  I do not know if the following two messages are important?

Mar 27 17:36:09 jsparksa kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:50:04:7b:38:44:08:00 SRC=192.168.233.102 DST=192.168.233.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1025 LEN=70
Mar 27 17:36:30 jsparksa last message repeated 5 times
Mar 27 17:37:08 jsparksa kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.101 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=58389 PROTO=UDP SPT=137 DPT=1025 LEN=76
...
Mar 27 17:38:36 jsparksa kernel: SFW2-INint-ACC-TCP IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.101 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=58454 DF PROTO=TCP SPT=7045 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Mar 27 17:38:36 jsparksa kernel: SFW2-INint-ACC-TCP IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.101 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=58457 DF PROTO=TCP SPT=7046 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Mar 27 17:38:36 jsparksa kernel: SFW2-INint-ACC-TCP IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.101 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=58459 DF PROTO=TCP SPT=7044 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)

...  Are these SMBD messages important?  106 is a Win XP desktop.

Mar 27 17:38:36 jsparksa smbd[7286]: [2007/03/27 17:38:36, 0] lib/util_sock.c:write_data(554)
Mar 27 17:38:36 jsparksa smbd[7286]:  write_data: write failure in writing to client 192.168.233.106. Error Connection reset by peer
Mar 27 17:38:36 jsparksa smbd[7286]: [2007/03/27 17:38:36, 0] lib/util_sock.c:send_smb(762)
Mar 27 17:38:36 jsparksa smbd[7286]:  Error writing 4 bytes to client. -1. (Connection reset by peer)

***  I am logged in and I am browsing the different computers on the network. ***

Mar 27 22:04:49 jsparksa kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:10:4b:0a:76:f5:08:00 SRC=192.168.233.110 DST=192.168.233.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1027 LEN=70
Mar 27 22:04:50 jsparksa last message repeated 2 times
Mar 27 22:05:18 jsparksa kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:50:04:7b:38:44:08:00 SRC=192.168.233.102 DST=192.168.233.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1027 LEN=70
Mar 27 22:05:19 jsparksa last message repeated 2 times
Mar 27 22:07:01 jsparksa kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:10:4b:0a:76:f5:08:00 SRC=192.168.233.110 DST=192.168.233.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1027 LEN=70
Mar 27 22:07:02 jsparksa last message repeated 4 times
Mar 27 22:07:42 jsparksa kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:50:04:7b:38:44:08:00 SRC=192.168.233.102 DST=192.168.233.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1027 LEN=70
Mar 27 22:07:43 jsparksa kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:50:04:7b:38:44:08:00 SRC=192.168.233.102 DST=192.168.233.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1027 LEN=70
Mar 27 22:08:30 jsparksa kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.101 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=948 PROTO=UDP SPT=137 DPT=1027 LEN=76
Mar 27 22:08:30 jsparksa kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.101 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=949 PROTO=UDP SPT=137 DPT=1027 LEN=76
Mar 27 22:09:06 jsparksa kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:50:04:7b:38:44:08:00 SRC=192.168.233.102 DST=192.168.233.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1027 LEN=70
Mar 27 22:09:07 jsparksa kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:50:04:7b:38:44:08:00 SRC=192.168.233.102 DST=192.168.233.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1027 LEN=70
Mar 27 22:09:33 jsparksa kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:10:4b:0a:76:f5:08:00 SRC=192.168.233.110 DST=192.168.233.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1027 LEN=70

and here is iptables:

Code:

# Generated by iptables-save v1.3.3 on Mon Mar 26 23:50:42 2007
*mangle
:PREROUTING ACCEPT [880:517134]
:INPUT ACCEPT [879:516558]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1013:108381]
:POSTROUTING ACCEPT [1059:113401]
COMMIT
# Completed on Mon Mar 26 23:50:42 2007
# Generated by iptables-save v1.3.3 on Mon Mar 26 23:50:42 2007
*nat
:PREROUTING ACCEPT [23:3253]
:POSTROUTING ACCEPT [78:5819]
:OUTPUT ACCEPT [78:5819]
COMMIT
# Completed on Mon Mar 26 23:50:42 2007
# Generated by iptables-save v1.3.3 on Mon Mar 26 23:50:42 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9:468]
:forward_int - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A input_int -p udp -m pkttype --pkt-type broadcast -m udp --dport 137 -j ACCEPT
-A input_int -p udp -m pkttype --pkt-type broadcast -m udp --dport 138 -j ACCEPT
-A input_int -m pkttype --pkt-type broadcast -j DROP
-A input_int -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_int -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A input_int -p tcp -m limit --limit 3/min -m tcp --dport 139 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 139 -j ACCEPT
-A input_int -p tcp -m limit --limit 3/min -m tcp --dport 445 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 445 -j ACCEPT
-A input_int -p udp -m udp --dport 137 -j ACCEPT
-A input_int -p udp -m udp --dport 138 -j ACCEPT
-A input_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A input_int -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Mon Mar 26 23:50:42 2007

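The question above of which SFW2 log lines are clutter and which deserve a look can be answered mechanically. The script below is an added example for this thread; it is not code from SuSEfirewall2, Samba or the poster, and the host name, MAC addresses, the off-subnet source 10.9.8.7 and all sample lines are constructed to match the log format shown in the posts. It parses the kernel's SFW2 prefixes and the packet fields, folds in syslog's "last message repeated N times", and sorts each dropped or accepted packet into a bucket: mDNS multicast noise, NetBIOS name-service replies landing on an ephemeral port (replies to a broadcast name query come back from each host's own address, so they never match the conntrack entry for the broadcast and fall through to the default DROP unless the netbios-ns conntrack helper or an explicit rule admits them), accepted SMB sessions on 139/445, and everything else, which is the bucket worth reviewing.

```python
"""Triage SuSEfirewall2 (SFW2) kernel log lines: separate LAN browsing noise
from events that deserve a second look.

Added example for this thread, not SuSEfirewall2's or Samba's own code.
Host name, MACs, 10.9.8.7 and the sample lines are constructed.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in the format logged by the thread's ruleset.
SAMPLE_LOG = """\
Mar 27 17:33:58 host kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC= SRC=192.168.233.102 DST=224.0.0.251 LEN=112 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=92
Mar 27 17:36:09 host kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:50:04:7b:38:44:08:00 SRC=192.168.233.102 DST=192.168.233.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1025 LEN=70
Mar 27 17:36:30 host last message repeated 5 times
Mar 27 17:37:08 host kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.101 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=58389 PROTO=UDP SPT=137 DPT=1025 LEN=76
Mar 27 17:38:36 host kernel: SFW2-INint-ACC-TCP IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.101 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=58454 DF PROTO=TCP SPT=7045 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Mar 27 17:38:37 host kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC= SRC=10.9.8.7 DST=192.168.233.101 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:kernel: (?P<prefix>SFW2-\S+) (?P<rest>.*)"
    r"|last message repeated (?P<repeat>\d+) times)$"
)

SMB_TCP_PORTS = {139, 445}   # what the thread's input_int chain accepts
NETBIOS_NS = 137             # NetBIOS name service (UDP)


def parse_fields(rest):
    """Turn 'IN=eth0 OUT= SRC=... DF PROTO=UDP ...' into a dict.
    Bare tokens (DF, SYN, ACK) become True. IP length and UDP/TCP length
    are both logged as LEN; the first one (IP total length) wins."""
    fields = {}
    for tok in rest.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields.setdefault(key, val)
        else:
            fields[tok] = True
    return fields


def classify(prefix, f):
    """Assign one triage bucket to a logged packet."""
    dst = ipaddress.ip_address(f.get("DST", "0.0.0.0"))
    proto = f.get("PROTO")
    spt = int(f.get("SPT", 0))
    dpt = int(f.get("DPT", 0))
    if prefix.endswith("-ACC-TCP") and dpt in SMB_TCP_PORTS:
        return "accepted-smb-session"
    if dst.is_multicast:
        return "multicast-noise"              # e.g. mDNS to 224.0.0.251:5353
    if proto == "UDP" and spt == NETBIOS_NS and dpt >= 1024:
        # NetBIOS name-service reply aimed at our ephemeral query port. Replies
        # to a broadcast query come from each host's own address, so conntrack
        # does not treat them as ESTABLISHED and the chain's default DROP wins.
        return "netbios-ns-reply-dropped"
    return "review"                           # anything else that was dropped


def triage(log_text):
    """Return one (category, src, dst, count) tuple per logged line,
    with 'last message repeated N times' folded into the previous line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group("repeat"):
            if events:
                cat, src, dst, n = events[-1]
                events[-1] = (cat, src, dst, n + int(m.group("repeat")))
            continue
        f = parse_fields(m.group("rest"))
        events.append((classify(m.group("prefix"), f), f.get("SRC"), f.get("DST"), 1))
    return events


def summarize(log_text):
    """Category -> total packet count."""
    counts = Counter()
    for cat, _src, _dst, n in triage(log_text):
        counts[cat] += n
    return counts


def needs_review(log_text):
    """Distinct (src, dst) pairs not explained by ordinary LAN browsing."""
    return sorted({(src, dst) for cat, src, dst, _ in triage(log_text) if cat == "review"})


if __name__ == "__main__":
    for cat, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {cat}")
    print("review:", needs_review(SAMPLE_LOG))
```

Run against a real /var/log/messages the script reports, for example, dozens of "netbios-ns-reply-dropped" packets from LAN peers and leaves only off-subnet or unexpected-port drops in the review bucket; on the constructed sample only the TCP/22 SYN from 10.9.8.7 is left for review.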

jsparksa 03-28-2007 08:07 PM

I am in the home stretch now!!

First I mixed up two machines:

101 == Suse 10.0: the machine I am trying to fix.
102 == Suse 9.x w/ FW.

Then I started poking around configuration files in etc. I discovered that /etc/hosts was out of date. Last year I changed my net from 192.168.1.xxx to 192.168.233.xxx in order to install a VPN and I did not update this file.

Last year, I also installed the Collax DC and changed the samba configuration from a workgroup to a domain.

Now I can browse each machine individually with the FW enabled!


** I cannot, however, browse the root level domain with the FW enabled. ( smb:/ or smb://(domainname)/ )

If I disable the FW I can browse the root level domain . . .

Is there some configuration that I should verify for the domain?
(Yes, I did look at smb.conf.)

Thanks, Jim

