Firewall & Samba
After much experimentation, I have a question concerning Samba and Firewall security. I am running Suse 10.0, SuseFirewall2 and Samba 3.0.20b-3.8-1162-SUSE.
I have set up shares from Suse to the outside world and all is well in that regard. The Suse PC cannot browse the domain/workgroup without a workaround. (In my case, my domain.) If I shut down the FW and browse the network, all is well. I can restart the FW and I can continue to browse the network with the FW enabled. If I log off and log back on, I must again shut down the FW before I can browse the network.

I have assigned the NIC interface to "Internal" and I have enabled Samba Server; I have also enabled TCP ports 137 and 138 and UDP port 139. (BTW: I type ports 137, 138, 139, 445 into the TCP and UDP enabled ports, and the FW configurator removed TCP 139, 445 and UDP 137, 138 & 445.)

Specifically what I want is to be able to boot the machine with the FW enabled and browse the network without a special workaround. Thanks in advance for your help, Jim

P.S. When the FW is re-enabled, I can see the computers in my domain, but I cannot see the shares on one (Windows) PC. (Shares on the other PCs are available.) If I disable the FW, I can browse all of the shares on all of the PCs in the network: (1) Suse 10, (2) Suse 9.1, (3) Collax (Linux w/ Windows domain), and (4) Windows XP Pro.
software vs hardware firewall
Maybe a more important question: Is the Suse firewall needed while I am using a router with firewall. I am using a Netgear FVS-318 router.
I just ran a test where I disabled the SW FW and then I went to the "Shields Up!" website (https://www.grc.com/x/ne.dll?bh0bkyd2 or http://www.grc.com) and after I ran their tests, it was determined that my PC is very secure with respect to open ports and file shares. Opinions concerning SW vs HW firewalls are greatly appreciated. Thanks again, Jim (I just read a message that stated that "you are never safe!" and it suggested running a log checker. It is so easy to spot someone else's question after I have posted my own.) :-)
Quote:
Code:
--> 137/UDP (NETBIOS Name Service)
Firewall & Samba update
The following explanation is my understanding of how the Suse FW works:
The interface to the Suse FW allows rules to be created in two ways: (1) by "common" service name, and (2) by port or IP protocol. I selected "Samba Server" by common service name and then I typed ports 137, 138, 139 and 445 into the allowed ports for TCP and UDP. If the FW interface recognizes that a manually entered port is associated with a "common" service name, it will remove the port from the list and add the common name to the list of services. So Suse listed "Samba Service" under "allowed service" and it listed 137 TCP and 138, 139 and 445 UDP ports under "Additional allowed ports."

I see by the log that UDP 137 is being dropped. How do I get the FW to allow UDP 137? If I manually type UDP 137, it is removed, and I assumed until now that UDP 137 was covered by a common service name as described above. I do not know how to manipulate iptables manually, i.e. without the FW interface. I feel like I am so close to the solution and I cannot get the last part. Thanks for your help, Jim
Quote:
Quote:
Code:
iptables -I INPUT -i $LAN_IFACE -p UDP --dport 137 -j ACCEPT
firewall samba cannot browse network
I used the iptables rule from a previous post and I am getting different log messages.
OK, let's forget the Suse FW, and I will learn what I need to know about iptables. Can someone coach me a bit in this matter? I appear to now be having some type of broadcast issue:
Code:
Mar 25 16:19:49 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12504 PROTO=UDP SPT=137 DPT=137 LEN=58
I have a 4 PC network and I see multiple messages for each PC. Once I have the correct rules, I can put them into a command file and execute them on system boot. Thanks again, Jim

Here is the log from the time of the boot where the FW has been started:
Code:
Mar 25 16:18:40 [hostname] SuSEfirewall2: Firewall rules successfully set
Mar 25 16:18:42 [hostname] kernel: SFW2-IN-ACC-RELATED IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:0f:b5:ea:dc:a4:08:00 SRC=192.168.233.1 DST=192.168.233.101 LEN=106 TOS=0x00 PREC=0x00 TTL=64 ID=4563 PROTO=UDP SPT=53 DPT=14201 LEN=86
Mar 25 16:18:43 [hostname] hp: unable to open /var/run/hpiod.port: No such file or directory: prnt/hpijs/hplip_api.c 75
Mar 25 16:18:44 [hostname] kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC= SRC=192.168.233.101 DST=224.0.0.251 LEN=112 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=92
Mar 25 16:18:44 [hostname] kernel: SFW2-IN-ACC-RELATED IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:0f:b5:ea:dc:a4:08:00 SRC=192.168.233.1 DST=192.168.233.101 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=4564 DF PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.233.101 DST=224.0.0.251 LEN=112 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=92 ]
Mar 25 16:19:16 [hostname] kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC= SRC=192.168.233.101 DST=224.0.0.251 LEN=112 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=92
Mar 25 16:19:16 [hostname] kernel: SFW2-IN-ACC-RELATED IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:0f:b5:ea:dc:a4:08:00 SRC=192.168.233.1 DST=192.168.233.101 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=4565 DF PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.233.101 DST=224.0.0.251 LEN=112 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=92 ]
Mar 25 16:19:29 [hostname] kernel: SFW2-INint-ACC-UDP IN=eth0 OUT= MAC= SRC=192.168.233.101 DST=192.168.233.255 LEN=246 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=226
Mar 25 16:19:45 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12487 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:45 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12488 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:45 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:44:08:00 SRC=192.168.233.102 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:45 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12489 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:45 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12490 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:46 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12491 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:46 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12492 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:46 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12493 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:46 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12494 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:47 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12495 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:47 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12496 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:47 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12497 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:47 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12498 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:47 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12499 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:47 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12500 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:48 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12501 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:48 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12502 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:49 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12503 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:49 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12504 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:50 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12505 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:50 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12506 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:50 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12507 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:50 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12508 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:51 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12509 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:51 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12510 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:52 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12511 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:52 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12512 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:53 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12513 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:53 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12514 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:54 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12515 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:54 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12516 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:57 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12517 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:57 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=265 TOS=0x00 PREC=0x00 TTL=128 ID=12518 PROTO=UDP SPT=138 DPT=138 LEN=245
Mar 25 16:19:57 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=265 TOS=0x00 PREC=0x00 TTL=128 ID=12520 PROTO=UDP SPT=138 DPT=138 LEN=245
Mar 25 16:19:58 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12521 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:58 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=265 TOS=0x00 PREC=0x00 TTL=128 ID=12522 PROTO=UDP SPT=138 DPT=138 LEN=245
Mar 25 16:19:58 [hostname] kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=265 TOS=0x00 PREC=0x00 TTL=128 ID=12524 PROTO=UDP SPT=138 DPT=138 LEN=245
Mar 25 16:21:29 [hostname] kernel: SFW2-INint-ACC-UDP IN=eth0 OUT= MAC= SRC=192.168.233.101 DST=192.168.233.255 LEN=246 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=226
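The log above is the useful evidence in this thread: every SFW2-DROP-BCASTi line is a NetBIOS name-service (UDP 137) or datagram (UDP 138) broadcast from another LAN host to 192.168.233.255, and SuSEfirewall2 drops broadcasts in a separate chain from the per-port holes the GUI opens. The following is an added example, not code from the thread, that parses lines in this exact SFW2 format, groups the dropped flows by log prefix, protocol, destination port and destination kind (unicast, subnet broadcast, multicast), and prints a candidate iptables rule for each group. It assumes the LAN is 192.168.233.0/24 on eth0, as in the posts; the sample lines are constructed to mirror the posted ones, and the suggested rules are my illustration rather than anything SuSEfirewall2 itself emits. Note that a rule inserted by hand with `iptables -I` disappears the next time SuSEfirewall2 rebuilds its chains, so on a SuSE box the finding should go into its configuration rather than a boot script.

```python
# Added example: summarise SuSEfirewall2 (SFW2-*) kernel log drops and suggest matching rules.
# Assumptions: LAN 192.168.233.0/24 on eth0 (from the thread); SAMPLE_LOG is constructed
# to mirror the posted lines and is not a capture from a real host.
import re
from collections import Counter
from ipaddress import ip_address, ip_network

SAMPLE_LOG = """\
Mar 25 16:19:29 host kernel: SFW2-INint-ACC-UDP IN=eth0 OUT= MAC= SRC=192.168.233.101 DST=192.168.233.255 LEN=246 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=226
Mar 25 16:19:45 host kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12487 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:45 host kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.103 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=12488 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 25 16:19:57 host kernel: SFW2-DROP-BCASTi IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:04:7b:38:1c:08:00 SRC=192.168.233.106 DST=192.168.233.255 LEN=265 TOS=0x00 PREC=0x00 TTL=128 ID=12518 PROTO=UDP SPT=138 DPT=138 LEN=245
Mar 25 16:18:44 host kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC= SRC=192.168.233.101 DST=224.0.0.251 LEN=112 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=92
Mar 25 16:18:44 host kernel: SFW2-IN-ACC-RELATED IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:0f:b5:ea:dc:a4:08:00 SRC=192.168.233.1 DST=192.168.233.101 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=4564 DF PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.233.101 DST=224.0.0.251 LEN=112 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=92 ]
Mar 25 23:24:13 host kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:10:4b:0a:76:f5:08:00 SRC=192.168.233.110 DST=192.168.233.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1026 LEN=70
Mar 25 16:18:43 host hp: unable to open /var/run/hpiod.port: No such file or directory
"""

PREFIX_RE = re.compile(r"kernel: (SFW2-[A-Za-z0-9-]+) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
NETBIOS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn", 445: "microsoft-ds"}


def parse_line(line):
    """Return the SFW2 fields of one kernel log line as a dict, or None for any other line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    prefix, rest = m.group(1), m.group(2)
    rest = rest.split("[", 1)[0]          # ICMP errors embed the offending packet's header in [...]
    fields = {}
    for key, value in KV_RE.findall(rest):
        fields.setdefault(key, value)     # LEN= appears twice (IP, then UDP); keep the IP length
    fields["prefix"] = prefix
    fields["action"] = "DROP" if "-DROP-" in prefix else "ACCEPT"
    return fields


def classify_dst(dst, net):
    """unicast / broadcast (subnet or limited) / multicast, relative to the LAN prefix."""
    addr = ip_address(dst)
    if addr.is_multicast:
        return "multicast"
    if addr == net.broadcast_address or dst == "255.255.255.255":
        return "broadcast"
    return "unicast"


def suggest_rule(proto, dport, kind, net, iface):
    """Illustrative iptables rule for a dropped group (my suggestion, not SuSEfirewall2 output)."""
    p = proto.lower()
    if kind == "broadcast" and dport in (137, 138):
        return (f"iptables -A INPUT -i {iface} -p {p} -d {net.broadcast_address} --dport {dport} "
                f"-j ACCEPT   # {NETBIOS[dport]} broadcast from the LAN")
    if kind == "multicast":
        return "leave dropped unless the multicast service (e.g. mDNS on 5353) is actually wanted"
    if p == "udp" and dport > 1023:
        return ("reply to a query this host sent: do not open the ephemeral port; rely on "
                "-m state --state ESTABLISHED,RELATED plus the netbios-ns conntrack helper")
    return f"iptables -A INPUT -i {iface} -p {p} -s {net} --dport {dport} -j ACCEPT"


def summarize_drops(log_text, lan="192.168.233.0/24", iface="eth0"):
    """Group DROP lines by (prefix, proto, dport, destination kind), most frequent first."""
    net = ip_network(lan)
    groups = Counter()
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt and pkt["action"] == "DROP":
            key = (pkt["prefix"], pkt["PROTO"], int(pkt.get("DPT", 0)), classify_dst(pkt["DST"], net))
            groups[key] += 1
    report = []
    for (prefix, proto, dport, kind), count in sorted(groups.items(), key=lambda kv: (-kv[1], kv[0])):
        report.append({"prefix": prefix, "proto": proto, "dport": dport, "dst": kind,
                       "count": count, "fix": suggest_rule(proto, dport, kind, net, iface)})
    return report


if __name__ == "__main__":
    for row in summarize_drops(SAMPLE_LOG):
        print(f"{row['count']:3d}x {row['prefix']:<22} {row['proto']}/{row['dport']:<5} "
              f"-> {row['dst']:<9} {row['fix']}")
```

Run it against `/var/log/firewall` (or wherever syslog puts the kernel messages) by replacing `SAMPLE_LOG` with the file contents. The point of the destination classification is that a UDP 137 broadcast to 192.168.233.255 and a UDP 137 unicast reply to an ephemeral port are different problems with different fixes, even though both show port 137; opening "UDP 137" in a GUI addresses neither.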
I wrote a simple iptables script for you which does just samba and ping...
If you want, try it and report back:
Code:
#!/bin/sh
Firewall & Samba
I created a script from your code. Thank you very much!!
If I run the script from the command line, the network is browsable. Then I added the script to /etc/init.d/boot.local, which is run just before the system enters run-level 5, and after I rebooted, the network was not browsable. Is there a better place to put the script?

Sorry about the lengthy post before, but I cannot seem to locate a button for "code tags" as described in the help section. I have smileys and formatting options, but no code tag button. I am going to put this issue away for the night. Thanks for your help, Jim

I am receiving these types of log messages now. Is there another rule for port & broadcasting??
Code:
Mar 25 23:24:13 jsparksa kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:10:4b:0a:76:f5:08:00 SRC=192.168.233.110 DST=192.168.233.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1026 LEN=70
Mar 25 23:24:13 jsparksa kernel: SFW2-INint-ACC-UDP IN=eth0 OUT= MAC= SRC=192.168.233.101 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1026 DPT=137 LEN=58
Mar 25 23:24:13 jsparksa kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:10:4b:0a:76:f5:08:00 SRC=192.168.233.110 DST=192.168.233.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1026 LEN=70
Mar 25 23:24:13 jsparksa kernel: SFW2-INint-ACC-UDP IN=eth0 OUT= MAC= SRC=192.168.233.101 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1026 DPT=137 LEN=58
Mar 25 23:24:13 jsparksa kernel: SFW2-INint-DROP-DEFLT IN=eth0 OUT= MAC=00:e0:18:38:d4:6a:00:10:4b:0a:76:f5:08:00 SRC=192.168.233.110 DST=192.168.233.101 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=1026 LEN=70
Mar 25 23:24:13 jsparksa kernel: SFW2-INint-ACC-UDP IN=eth0 OUT= MAC= SRC=192.168.233.101 DST=192.168.233.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1026 DPT=137 LEN=58
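The pairs of lines in that post show a second, distinct failure mode: the host itself broadcasts a NetBIOS name query from source port 1026 to 192.168.233.255:137 (the ACC-UDP lines), and the domain controller at 192.168.233.110 answers unicast from its own address and port 137 back to :1026 (the DROP-DEFLT lines). A stateful `--state ESTABLISHED,RELATED` rule does not help, because connection tracking expects the reply to come from the address the query was sent to, which was the broadcast address. Netfilter has a dedicated conntrack helper for exactly this case, the NetBIOS name-service helper (the `ip_conntrack_netbios_ns` module on 2.6 kernels of this era, `nf_conntrack_netbios_ns` on newer ones), which registers an expectation so that a port-137 reply from any LAN host to the querying socket counts as RELATED. The following is an added example, not code from the thread, that models this in a few dozen lines of Python: a simplified tracker keyed on the 4-tuple, the helper's expectation, and an INPUT chain evaluated in the order "state match, explicit UDP port holes, default DROP". It assumes the addresses from the post and leaves out the real helper's short expectation timeout.

```python
# Added example: why a unicast reply to a broadcast NetBIOS name query is dropped by a
# stateful ruleset, and what the netbios-ns conntrack helper changes. Simplified model of
# netfilter connection tracking; addresses taken from the thread, timeouts omitted.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "UDP"


class ConnTracker:
    """Tracks flows by 4-tuple; a reply is ESTABLISHED only if it is the exact inverse tuple."""

    def __init__(self, lan_broadcast, netbios_ns_helper=False):
        self.lan_broadcast = lan_broadcast
        self.netbios_ns_helper = netbios_ns_helper
        self.established = set()    # inverse tuples accepted as ESTABLISHED
        self.expectations = set()   # (our_ip, our_port) that may receive from any host on sport 137

    def outbound(self, pkt):
        self.established.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        # A query broadcast to port 137 is answered by whichever host owns the name, from its
        # own address, so the inverse tuple never matches. The helper records an expectation.
        if (self.netbios_ns_helper and pkt.proto == "UDP"
                and pkt.dport == 137 and pkt.dst == self.lan_broadcast):
            self.expectations.add((pkt.src, pkt.sport))

    def inbound_state(self, pkt):
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.established:
            return "ESTABLISHED"
        if pkt.proto == "UDP" and pkt.sport == 137 and (pkt.dst, pkt.dport) in self.expectations:
            return "RELATED"
        return "NEW"


def input_verdict(tracker, pkt, open_udp_ports=(137, 138)):
    """INPUT chain: accept tracked traffic, then the explicit port holes, otherwise drop."""
    state = tracker.inbound_state(pkt)
    if state in ("ESTABLISHED", "RELATED"):
        return f"ACCEPT ({state})"
    if pkt.proto == "UDP" and pkt.dport in open_udp_ports:
        return "ACCEPT (port rule)"
    return "DROP (default)"


BROADCAST = "192.168.233.255"
ME, DC = "192.168.233.101", "192.168.233.110"   # the Suse box and the Collax DC from the thread


def broadcast_query_reply(helper):
    """Name query broadcast from :1026, answered unicast by the DC from :137 (the posted lines)."""
    ct = ConnTracker(BROADCAST, netbios_ns_helper=helper)
    ct.outbound(Packet(ME, 1026, BROADCAST, 137))
    return input_verdict(ct, Packet(DC, 137, ME, 1026))


def unicast_query_reply():
    """The same query sent directly to the DC: plain state tracking is enough."""
    ct = ConnTracker(BROADCAST)
    ct.outbound(Packet(ME, 1026, DC, 137))
    return input_verdict(ct, Packet(DC, 137, ME, 1026))


def unsolicited(helper):
    """A port-137 packet nobody asked for must still be dropped, helper or not."""
    ct = ConnTracker(BROADCAST, netbios_ns_helper=helper)
    return input_verdict(ct, Packet(DC, 137, ME, 1026))


if __name__ == "__main__":
    print("broadcast query, no helper :", broadcast_query_reply(False))
    print("broadcast query, helper    :", broadcast_query_reply(True))
    print("unicast query              :", unicast_query_reply())
    print("unsolicited, helper loaded :", unsolicited(True))
```

The alternative of opening the ephemeral destination port range to UDP from the LAN would also make the reply arrive, but it turns a "replies to my own queries" hole into "any LAN host may send UDP to any high port", which is the kind of rule a log checker later has trouble explaining; loading the helper keeps the accept tied to a query this host actually sent.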
Quote:
Code:
service iptables save
Quote:
Code:
$IPT -A INPUT -j LOG -m limit --log-prefix "INPUT DROP: "
Code:
$IPT -A INPUT -d 255.255.255.255 -j DROP
First a question. It is my impression that all(*) Linux firewalls use iptables as the underlying infrastructure, and that the different firewall products provide front-end interfaces for the user to create iptables rules. Some interfaces are more user-friendly than others and some interfaces may offer more functionality to manipulate all of the possible types of rules that may be needed for any possible configuration.

Regarding the latest reply (#9), I do not know which log messages are clutter and which are worth investigating. I am nobody's expert in the area of networking and security. I have a good knowledge in some areas and large gaps in knowledge in other areas. Suse does not have a service command! What does the RedHat service command do? I can look for a similar function in Suse. I found a command, iptables-save, and this command dumps the iptables rules to a text file. I have posted my configuration to my website @ http://jsparksa.homeip.net/iptables.txt Please let me know if using my website is improper etiquette for linuxquestions.org. Thanks, Jim

(*) All is almost as dangerous as never! I found code tags!!
Code:
# Generated by iptables-save v1.3.3 on Mon Mar 26 08:15:20 2007
Quote:
Quote:
Quote:
Code:
iptables-save > /etc/sysconfig/iptables
Posting that link to your config at home doesn't violate any rule, but of course we really prefer to have stuff posted in here instead...
firewall & samba
Accidental posting.
firewall & samba
I am repeating much information, but I discovered that I can see one of the machines and its shares while the FW is initially running.
Thanks for the clarification of netfilter. I have gone back to the Suse FW, since I confirmed that iptables is behind the scenes. I am not completely comfortable with my knowledge of iptables, but I can now see how the rules are derived from the settings entered into the FW GUI interface. I have been continuing to experiment, and I discovered that I can browse the domain controller server.

net 192.168.233.xxx
102 == Suse 10.0: the machine I am trying to fix.
110 == Collax domain controller, a Linux server acting as an NT DC. Running FW.
106 == Windows XP Pro running Panda software A/V and FW. (Desktop)
103 == same via wireless adapter
101 == Suse 9.x w/ FW.
104 == Windows XP Pro running Panda software A/V and FW. (laptop, not always running)

The primary purpose of the Collax server is the DC, and before last night I did not realize that I was able to browse it from the troubled PC with the FW on. I do not normally do anything with this machine while it is running. I am not able to browse the domain: the message is "Unable to find any workgroups in your local network. This may be caused by an enabled firewall." When I browse the other machines, besides the Collax server, I get the message: "Could not connect to host for smb://(computername)/". Again, if I turn the FW off, I can browse the entire network. Additionally, if I browse the network with the FW off and I leave the Konqueror window open, I can restart the FW and continue to browse the network. That is, I can browse until I log off and log in again. Thanks again and again, Jim

Here are the latest log files with some comments:
Code:
Mar 27 17:33:24 jsparksa SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
Code:
# Generated by iptables-save v1.3.3 on Mon Mar 26 23:50:42 2007
I am in the home stretch now!!
First, I mixed up two machines:
101 == Suse 10.0: the machine I am trying to fix.
102 == Suse 9.x w/ FW.

Then I started poking around configuration files in /etc. I discovered that /etc/hosts was out of date. Last year I changed my net from 192.168.1.xxx to 192.168.233.xxx in order to install a VPN and I did not update this file. Last year, I also installed the Collax DC and changed the Samba configuration from a workgroup to a domain. Now I can browse each machine individually with the FW enabled!

** I cannot, however, browse the root level domain with the FW enabled. (smb:/ or smb://(domainname)/) If I disable the FW I can browse the root level domain . . . Is there some configuration that I should verify for the domain? (Yes, I did look at smb.conf.) Thanks, Jim