Date: Wed, 7 Mar 2001 09:41:09 +1100 From: Murray Taylor <mtaylor@bytecraft.com.au> To: "'Mike Meyer'" <mwm@mired.org> Cc: "'freebsd-questions@freebsd.org'" <freebsd-questions@freebsd.org> Subject: RE: Firewalls and Samba Message-ID: <710709BB8B02D311942E006067441810544281@MELEXC01>
next in thread | raw e-mail | index | archive | help
hi Mike I had a thought last night .... the tun0 device is initialised to 10.0.0.1/0 as a throw-away number for the ISP dynamic address handshake ..... rule 1100 specifically blocks all access to the 10 net as shown 01100 4572 236407 deny ip from 10.0.0.0/8 to any via tun0 and it obviously works.... So I deleted that rule and voila, we are in ..... only by the grace of the default pass all rule as shown on the script capture below The W95 test was a reboot, which tries to attach two samba shares during thw boot (among six other NT server shares also) The modem is connected to the FreeBSD box but no line to the PSTN, and it remained quiescent through all this. The security log only shows accounting clearances cheers mjt ---------------8< script capture Script started on Wed Mar 7 09:04:26 2001 spyder# ipfw show 00100 1414 85448 allow ip from any to any via lo0 00150 7982 1440975 allow ip from any to any via fxp0 00200 0 0 deny ip from any to 127.0.0.0/8 00300 0 0 deny ip from any to 10.0.0.0/8 via tun0 00400 0 0 deny ip from any to 172.16.0.0/12 via tun0 00500 0 0 deny ip from any to 192.168.0.0/16 via tun0 00600 0 0 deny ip from any to 0.0.0.0/8 via tun0 00700 0 0 deny ip from any to 169.254.0.0/16 via tun0 00800 0 0 deny ip from any to 192.0.2.0/24 via tun0 00900 0 0 deny ip from any to 224.0.0.0/4 via tun0 01000 0 0 deny ip from any to 240.0.0.0/4 via tun0 01100 4572 236407 deny ip from 10.0.0.0/8 to any via tun0 01200 0 0 deny ip from 172.16.0.0/12 to any via tun0 01300 0 0 deny ip from 192.168.0.0/16 to any via tun0 01400 0 0 deny ip from 0.0.0.0/8 to any via tun0 01500 0 0 deny ip from 169.254.0.0/16 to any via tun0 01600 0 0 deny ip from 192.0.2.0/24 to any via tun0 01700 0 0 deny ip from 224.0.0.0/4 to any via tun0 01800 0 0 deny ip from 240.0.0.0/4 to any via tun0 01900 0 0 allow tcp from any to any established 02000 0 0 allow ip from any to any frag 02100 0 0 deny log logamount 100 tcp from any to any in recv tun0 setup 02200 0 0 allow tcp from any to any setup 65535 0 0 allow ip from any to any spyder# ipfw delete 1100 spyder# ipfw show 00100 1414 85448 allow ip from any to any via lo0 00150 7982 1440975 allow ip from any to any via fxp0 00200 0 0 deny ip from any to 127.0.0.0/8 00300 0 0 deny ip from any to 10.0.0.0/8 via tun0 00400 0 0 deny ip from any to 172.16.0.0/12 via tun0 00500 0 0 deny ip from any to 192.168.0.0/16 via tun0 00600 0 0 deny ip from any to 0.0.0.0/8 via tun0 00700 0 0 deny ip from any to 169.254.0.0/16 via tun0 00800 0 0 deny ip from any to 192.0.2.0/24 via tun0 00900 0 0 deny ip from any to 224.0.0.0/4 via tun0 01000 0 0 deny ip from any to 240.0.0.0/4 via tun0 01200 0 0 deny ip from 172.16.0.0/12 to any via tun0 01300 0 0 deny ip from 192.168.0.0/16 to any via tun0 01400 0 0 deny ip from 0.0.0.0/8 to any via tun0 01500 0 0 deny ip from 169.254.0.0/16 to any via tun0 01600 0 0 deny ip from 192.0.2.0/24 to any via tun0 01700 0 0 deny ip from 224.0.0.0/4 to any via tun0 01800 0 0 deny ip from 240.0.0.0/4 to any via tun0 01900 0 0 allow tcp from any to any established 02000 0 0 allow ip from any to any frag 02100 0 0 deny log logamount 100 tcp from any to any in recv tun0 setup 02200 0 0 allow tcp from any to any setup 65535 0 0 allow ip from any to any spyder# sysctl -w net.inet.ip.fw.enable=1 net.inet.ip.fw.enable: 0 -> 1 spyder# echo 'test w95 here' test w95 here spyder# ipfw show 00100 1442 87640 allow ip from any to any via lo0 00150 8720 1571985 allow ip from any to any via fxp0 00200 0 0 deny ip from any to 127.0.0.0/8 00300 0 0 deny ip from any to 10.0.0.0/8 via tun0 00400 0 0 deny ip from any to 172.16.0.0/12 via tun0 00500 0 0 deny ip from any to 192.168.0.0/16 via tun0 00600 0 0 deny ip from any to 0.0.0.0/8 via tun0 00700 0 0 deny ip from any to 169.254.0.0/16 via tun0 00800 0 0 deny ip from any to 192.0.2.0/24 via tun0 00900 0 0 deny ip from any to 224.0.0.0/4 via tun0 01000 0 0 deny ip from any to 240.0.0.0/4 via tun0 01200 0 0 deny ip from 172.16.0.0/12 to any via tun0 01300 0 0 deny ip from 192.168.0.0/16 to any via tun0 01400 0 0 deny ip from 0.0.0.0/8 to any via tun0 01500 0 0 deny ip from 169.254.0.0/16 to any via tun0 01600 0 0 deny ip from 192.0.2.0/24 to any via tun0 01700 0 0 deny ip from 224.0.0.0/4 to any via tun0 01800 0 0 deny ip from 240.0.0.0/4 to any via tun0 01900 0 0 allow tcp from any to any established 02000 0 0 allow ip from any to any frag 02100 0 0 deny log logamount 100 tcp from any to any in recv tun0 setup 02200 0 0 allow tcp from any to any setup 65535 274 14085 allow ip from any to any spyder# exit exit Script done on Wed Mar 7 09:11:45 2001 > -----Original Message----- > From: Mike Meyer [SMTP:mwm@mired.org] > Sent: Tuesday, 6 March 2001 22:50 > To: Murray Taylor > Cc: questions@freebsd.org > Subject: Re: Firewalls and Samba > > Murray Taylor <mtaylor@bytecraft.com.au> types: > > Why is the firewall stopping Samba ??? > > I don't see anything obviously wrong in the firewall. On the other > hand, the behavior seems to indicate the problem is the firewall. > > So - what's /var/log/security say? How about ipfw show both before and > after samba has failed? > > <mike > > > OS - FreeBSD 4.2 > > Samba - 2.0.7 > > > > The general network is based on NT 4 servers with a PDC and BDC server, > > WINS servers, and DHCP addressing for all but the main servers. > > This is the first machine on the network that is FreeBSD. > > (There WILL be more if I have my way ;-) > > > > As such the Samba settings have been set to prevent > > browser elections etc. > > > > Until the Firewall was setup, all has been OK. > > > > Given the following Samba config file and the attached > > firewall rules, can it please be determined what is > > stoppping W95 explorer from finding the Samba shares? > > > > >> This also all applies to W98 << > > > > Upon Windoze boot, if net.inet.ip.fw.enable = 1, the shares are > > not visible, and indeed W95 thinks that Spyder is not on the network. > > > > If I set sysctl net.inet.ip.fw.enable = 0, W95 can immediately > > see the shares, both home and the webadmin share. > > > > Then I can reset net.inet.ip.fw.enable = 1, and Spyder and its > > shares remain visible to those who have already accessed them. > > > > Note that Spyder is pingable, telnetable, web browsable at all times > > from machines on our intranet > > > > EXAMPLE 1 > > If I select a Samba share with the firewall enabled, wait till W95 > > shows its hourglass, then quickly open the firewall via a telnet > > session, W95 then drops the hourglass and opens the share... so > > it appears that W95 is getting caught on something in a retry loop > > > > EXAMPLE 2 > > If I boot with the firewall enabled, W95 gets hung trying to reattach > > the shares. > > Cancelling the attachment allows the boot to continue. > > Explorer cannot open the shares and thinks that > > Spyder is not on the net. > > After disabling the firewall, the shares are still not visible > > from other programs (ie Notepad), unless and until > > I have selected the shares once in Explorer. > > Then all is AOK. > > I can then enable the firewall and continue. > > > > I have a NAI Sniffer capture file available of the attempt to connect > > Explorer > > with the firewall active... which seems to me to show a successful > > connection?? > > > > Most of the ipfw rules are taken from the 'simple' setting in > rc.firewall. > > Rule 150 is my last attempt to open the door.... > > > > The firewall is defaulted to accept at present > > > > ************* > > The 128.1.2.x numbers are a historical 'hangover' from early company > > intranet days and are being changed to 10.1.2.x this Friday evening > > (the ancient chinese curse 'May you live in interesting times' > > will probably apply on this day/night...) > > > > The firewall rules are established at present, but the modem will not be > > physically connected to tun0's serial port until after Friday > > ************* > > > > I am currently considering this a firewall problem, not a Samba problem > > so am only posting it to -net and -questions at present. > > > > Murray Taylor > > Project Engineer > > > > Bytecraft P/L +61 3 9587 2555 > > +61 3 9587 1614 fax > > mtaylor@bytecraft.com.au > > > > > > ----------8<-------smb.conf > > # Samba config file created using SWAT > > # from 128.1.2.48 (128.1.2.48) > > # Date: 2001/02/28 10:03:54 > > > > # Global parameters > > [global] > > workgroup = BYTEMELB > > netbios name = SPYDER > > interfaces = fxp0 > > security = DOMAIN > > encrypt passwords = Yes > > password server = * > > os level = 0 > > local master = No > > wins server = 128.1.2.3 > > guest account = pcguest > > > > [homes] > > comment = Home Directories > > writeable = Yes > > browseable = No > > > > [webadmin] > > comment = Web Administrators > > path = /usr/web > > valid users = @webadmin > > writeable = Yes > > browseable = No > > > > ----------8<-------ipfw list output > > 00100 allow ip from any to any via lo0 > > 00150 allow ip from any to any via fxp0 > > 00200 deny ip from any to 127.0.0.0/8 > > 00300 deny ip from any to 10.0.0.0/8 via tun0 > > 00400 deny ip from any to 172.16.0.0/12 via tun0 > > 00500 deny ip from any to 192.168.0.0/16 via tun0 > > 00600 deny ip from any to 0.0.0.0/8 via tun0 > > 00700 deny ip from any to 169.254.0.0/16 via tun0 > > 00800 deny ip from any to 192.0.2.0/24 via tun0 > > 00900 deny ip from any to 224.0.0.0/4 via tun0 > > 01000 deny ip from any to 240.0.0.0/4 via tun0 > > 01100 deny ip from 10.0.0.0/8 to any via tun0 > > 01200 deny ip from 172.16.0.0/12 to any via tun0 > > 01300 deny ip from 192.168.0.0/16 to any via tun0 > > 01400 deny ip from 0.0.0.0/8 to any via tun0 > > 01500 deny ip from 169.254.0.0/16 to any via tun0 > > 01600 deny ip from 192.0.2.0/24 to any via tun0 > > 01700 deny ip from 224.0.0.0/4 to any via tun0 > > 01800 deny ip from 240.0.0.0/4 to any via tun0 > > 01900 allow tcp from any to any established > > 02000 allow ip from any to any frag > > 02100 deny log logamount 100 tcp from any to any in > > recv tun0 setup > > 02200 allow tcp from any to any setup > > 65535 allow ip from any to any > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-questions" in the body of the message > > > -- > Mike Meyer <mwm@mired.org> > http://www.mired.org/home/mwm/ > Independent WWW/Perforce/FreeBSD/Unix consultant, email for more > information. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?710709BB8B02D311942E006067441810544281>