Date:      Wed, 7 Mar 2001 10:08:53 +1100 
From:      Murray Taylor <mtaylor@bytecraft.com.au>
To:        "'Mike Meyer'" <mwm@mired.org>
Cc:        "'freebsd-questions@freebsd.org'" <freebsd-questions@freebsd.org>
Subject:   RE: Firewalls and Samba
Message-ID:  <710709BB8B02D311942E006067441810544283@MELEXC01>

Ok, tun0 isn't connected yet but when our internal net
is renumbered to the 10.x.y.z range, it will have the phone
line connected.... BTW we are working towards a frame relay
connection also as the 'main path' which will be natd processed.
But the tun path is using its internal nat processing

Given rule 150, and as all the Samba NetBIOS stuff and other
connectivity is via the fxp0 port, there still seems to be a
case of the Explorer stuff getting further than necessary
down the rule list. Or am I missing something else?

Will try your suggestions in about an hour or so..
gotta DBA meeting to go to now :-(

mjt
> -----Original Message-----
> From:	Mike Meyer [SMTP:mwm@mired.org]
> Sent:	Wednesday, 7 March 2001 09:54
> To:	Murray Taylor
> Cc:	'Mike Meyer'; 'freebsd-questions@freebsd.org'
> Subject:	RE: Firewalls and Samba
> 
> Murray Taylor <mtaylor@bytecraft.com.au> types:
> > hi Mike
> > 
> > I had a thought last night .... the tun0 device is initialised to 10.0.0.1/0
> > as a throw-away number for the ISP dynamic address handshake .....
> > 
> > rule 1100 specifically blocks all access to the 10 net as shown
> > 
> > 01100    4572  236407 deny ip from 10.0.0.0/8 to any via tun0
> > 
> > and it obviously works....
> > 
> > So I deleted that rule and voila, we are in .....
> 
> Yup - you can see that it's what was blocking access in the "ipfw
> show" output below. Since tun0 isn't connected to anything, you have
> to wonder why that rule is being used here.
> 
> > only by the grace of the default pass all rule as shown on the script
> > capture below
> 
> Well, the only odd thing about that is that samba is apparently all
> udp - as rules 1900 and 2200 would show it allowing tcp through.
	[Murray Taylor]  Yup, NetBIOS seems to be UDP ports 137 - 139

> I'd advise replacing the last two rules (2100 & 2200) with a set of
> rules allowing dns, ntp (if you need it), outgoing service setups and
> any incoming connections you want to allow (assuming you aren't going
> to use nat), then finally rule 2100 except apply it to ip, not just
> tcp.
> 
> 	<mike
> 
> > The W95 test was a reboot, which tries to attach two Samba shares during the
> > boot (among six other NT server shares also)
> > 
> > The modem is connected to the FreeBSD box but no line to the PSTN, and it
> > remained quiescent through all this.
> > 
> > The security log only shows accounting clearances
> > 
> > cheers
> > mjt
> > 
> > 
> > ---------------8< script capture
> > Script started on Wed Mar  7 09:04:26 2001
> > spyder#	ipfw show
> > 
> > 00100 1414   85448 allow ip from any to any via lo0
> > 00150 7982 1440975 allow ip from any to any via fxp0
> > 00200    0       0 deny ip from any to 127.0.0.0/8
> > 00300    0       0 deny ip from any to 10.0.0.0/8 via tun0
> > 00400    0       0 deny ip from any to 172.16.0.0/12 via tun0
> > 00500    0       0 deny ip from any to 192.168.0.0/16 via tun0
> > 00600    0       0 deny ip from any to 0.0.0.0/8 via tun0
> > 00700    0       0 deny ip from any to 169.254.0.0/16 via tun0
> > 00800    0       0 deny ip from any to 192.0.2.0/24 via tun0
> > 00900    0       0 deny ip from any to 224.0.0.0/4 via tun0
> > 01000    0       0 deny ip from any to 240.0.0.0/4 via tun0
> > 01100 4572  236407 deny ip from 10.0.0.0/8 to any via tun0
> > 01200    0       0 deny ip from 172.16.0.0/12 to any via tun0
> > 01300    0       0 deny ip from 192.168.0.0/16 to any via tun0
> > 01400    0       0 deny ip from 0.0.0.0/8 to any via tun0
> > 01500    0       0 deny ip from 169.254.0.0/16 to any via tun0
> > 01600    0       0 deny ip from 192.0.2.0/24 to any via tun0
> > 01700    0       0 deny ip from 224.0.0.0/4 to any via tun0
> > 01800    0       0 deny ip from 240.0.0.0/4 to any via tun0
> > 01900    0       0 allow tcp from any to any established
> > 02000    0       0 allow ip from any to any frag
> > 02100    0       0 deny log logamount 100 tcp from any to any in recv tun0 setup
> > 02200    0       0 allow tcp from any to any setup
> > 65535    0       0 allow ip from any to any
> > spyder#	ipfw delete 1100
> > 
> > spyder#	ipfw show
> > 
> > 00100 1414   85448 allow ip from any to any via lo0
> > 00150 7982 1440975 allow ip from any to any via fxp0
> > 00200    0       0 deny ip from any to 127.0.0.0/8
> > 00300    0       0 deny ip from any to 10.0.0.0/8 via tun0
> > 00400    0       0 deny ip from any to 172.16.0.0/12 via tun0
> > 00500    0       0 deny ip from any to 192.168.0.0/16 via tun0
> > 00600    0       0 deny ip from any to 0.0.0.0/8 via tun0
> > 00700    0       0 deny ip from any to 169.254.0.0/16 via tun0
> > 00800    0       0 deny ip from any to 192.0.2.0/24 via tun0
> > 00900    0       0 deny ip from any to 224.0.0.0/4 via tun0
> > 01000    0       0 deny ip from any to 240.0.0.0/4 via tun0
> > 01200    0       0 deny ip from 172.16.0.0/12 to any via tun0
> > 01300    0       0 deny ip from 192.168.0.0/16 to any via tun0
> > 01400    0       0 deny ip from 0.0.0.0/8 to any via tun0
> > 01500    0       0 deny ip from 169.254.0.0/16 to any via tun0
> > 01600    0       0 deny ip from 192.0.2.0/24 to any via tun0
> > 01700    0       0 deny ip from 224.0.0.0/4 to any via tun0
> > 01800    0       0 deny ip from 240.0.0.0/4 to any via tun0
> > 01900    0       0 allow tcp from any to any established
> > 02000    0       0 allow ip from any to any frag
> > 02100    0       0 deny log logamount 100 tcp from any to any in recv tun0 setup
> > 02200    0       0 allow tcp from any to any setup
> > 65535    0       0 allow ip from any to any
> > spyder#	sysctl -w net.inet.ip.fw.enable=1
> > 
> > net.inet.ip.fw.enable: 0 -> 1
> > spyder#	echo 'test w95 here'
> > 
> > test w95 here
> > spyder#	ipfw show
> > 
> > 00100 1442   87640 allow ip from any to any via lo0
> > 00150 8720 1571985 allow ip from any to any via fxp0
> > 00200    0       0 deny ip from any to 127.0.0.0/8
> > 00300    0       0 deny ip from any to 10.0.0.0/8 via tun0
> > 00400    0       0 deny ip from any to 172.16.0.0/12 via tun0
> > 00500    0       0 deny ip from any to 192.168.0.0/16 via tun0
> > 00600    0       0 deny ip from any to 0.0.0.0/8 via tun0
> > 00700    0       0 deny ip from any to 169.254.0.0/16 via tun0
> > 00800    0       0 deny ip from any to 192.0.2.0/24 via tun0
> > 00900    0       0 deny ip from any to 224.0.0.0/4 via tun0
> > 01000    0       0 deny ip from any to 240.0.0.0/4 via tun0
> > 01200    0       0 deny ip from 172.16.0.0/12 to any via tun0
> > 01300    0       0 deny ip from 192.168.0.0/16 to any via tun0
> > 01400    0       0 deny ip from 0.0.0.0/8 to any via tun0
> > 01500    0       0 deny ip from 169.254.0.0/16 to any via tun0
> > 01600    0       0 deny ip from 192.0.2.0/24 to any via tun0
> > 01700    0       0 deny ip from 224.0.0.0/4 to any via tun0
> > 01800    0       0 deny ip from 240.0.0.0/4 to any via tun0
> > 01900    0       0 allow tcp from any to any established
> > 02000    0       0 allow ip from any to any frag
> > 02100    0       0 deny log logamount 100 tcp from any to any in recv tun0 setup
> > 02200    0       0 allow tcp from any to any setup
> > 65535  274   14085 allow ip from any to any
> > spyder#	exit
> > 
> > exit
> > 
> > Script done on Wed Mar  7 09:11:45 2001
> > 
> > > -----Original Message-----
> > > From:	Mike Meyer [SMTP:mwm@mired.org]
> > > Sent:	Tuesday, 6 March 2001 22:50
> > > To:	Murray Taylor
> > > Cc:	questions@freebsd.org
> > > Subject:	Re: Firewalls and Samba
> > > 
> > > Murray Taylor <mtaylor@bytecraft.com.au> types:
> > > > Why is the firewall stopping Samba ???
> > > 
> > > I don't see anything obviously wrong in the firewall. On the other
> > > hand, the behavior seems to indicate the problem is the firewall.
> > > 
> > > So - what's /var/log/security say? How about ipfw show both before and
> > > after samba has failed?
> > > 
> > > 	<mike
> > > 
> > > > OS - FreeBSD 4.2
> > > > Samba - 2.0.7
> > > > 
> > > > The general network is based on NT 4 servers with a PDC and BDC server,
> > > > WINS servers, and DHCP addressing for all but the main servers.
> > > > This is the first machine on the network that is FreeBSD.
> > > > (There WILL be more if I have my way ;-)
> > > > 
> > > > As such the Samba settings have been set to prevent 
> > > > browser elections etc. 
> > > > 
> > > > Until the Firewall was setup, all has been OK.
> > > > 
> > > > Given the following Samba config file and the attached
> > > > firewall rules, can it please be determined what is
> > > > stopping W95 explorer from finding the Samba shares?
> > > > 
> > > > >> This also all applies to W98 <<
> > > > 
> > > > Upon Windoze boot, if net.inet.ip.fw.enable = 1, the shares are
> > > > not visible, and indeed W95 thinks that Spyder is not on the network.
> > > > 
> > > > If I set sysctl net.inet.ip.fw.enable = 0, W95 can immediately
> > > > see the shares, both home and the webadmin share.
> > > > 
> > > > Then I can reset net.inet.ip.fw.enable = 1, and Spyder and its
> > > > shares remain visible to those who have already accessed them.
> > > > 
> > > > Note that Spyder is pingable, telnetable, web browsable at all times
> > > > from machines on our intranet
> > > > 
> > > > EXAMPLE 1
> > > > If I select a Samba share with the firewall enabled, wait till W95
> > > > shows its hourglass, then quickly open the firewall via a telnet 
> > > > session, W95 then drops the hourglass and opens the share... so
> > > > it appears that W95 is getting caught on something in a retry loop
> > > > 
> > > > EXAMPLE 2
> > > > If I boot with the firewall enabled, W95 gets hung trying to reattach
> > > > the shares.
> > > > Cancelling the attachment allows the boot to continue.
> > > > Explorer cannot open the shares and thinks that 
> > > > Spyder is not on the net.
> > > > After disabling the firewall, the shares are still not visible
> > > > from other programs (ie Notepad), unless and until 
> > > > I have selected the shares once in Explorer.
> > > > Then all is AOK.
> > > > I can then enable the firewall and continue.
> > > > 
> > > > I have a NAI Sniffer capture file available of the attempt to connect
> > > > Explorer with the firewall active... which seems to me to show a successful
> > > > connection??
> > > > 
> > > > Most of the ipfw rules are taken from the 'simple' setting in rc.firewall.
> > > > Rule 150 is my last attempt to open the door....
> > > > 
> > > > The firewall is defaulted to accept at present
> > > > 
> > > > *************
> > > > The 128.1.2.x numbers are a historical 'hangover' from early company
> > > > intranet days and are being changed to 10.1.2.x this Friday evening
> > > > (the ancient chinese curse 'May you live in interesting times'
> > > > will probably apply on this day/night...)
> > > > 
> > > > The firewall rules are established at present, but the modem will not be
> > > > physically connected to tun0's serial port until after Friday
> > > > *************
> > > > 
> > > > I am currently considering this a firewall problem, not a Samba problem
> > > > so am only posting it to -net and -questions at present.
> > > > 
> > > > Murray Taylor
> > > > Project Engineer
> > > > 
> > > > Bytecraft P/L	+61 3 9587 2555
> > > > 		+61 3 9587 1614 fax
> > > > 		mtaylor@bytecraft.com.au
> > > > 
> > > > 
> > > > ----------8<-------smb.conf
> > > > # Samba config file created using SWAT
> > > > # from 128.1.2.48 (128.1.2.48)
> > > > # Date: 2001/02/28 10:03:54
> > > > 
> > > > # Global parameters
> > > > [global]
> > > > 	workgroup = BYTEMELB
> > > > 	netbios name = SPYDER
> > > > 	interfaces = fxp0
> > > > 	security = DOMAIN
> > > > 	encrypt passwords = Yes
> > > > 	password server = *
> > > > 	os level = 0
> > > > 	local master = No
> > > > 	wins server = 128.1.2.3
> > > > 	guest account = pcguest
> > > > 
> > > > [homes]
> > > > 	comment = Home Directories
> > > > 	writeable = Yes
> > > > 	browseable = No
> > > > 
> > > > [webadmin]
> > > > 	comment = Web Administrators
> > > > 	path = /usr/web
> > > > 	valid users = @webadmin
> > > > 	writeable = Yes
> > > > 	browseable = No
> > > > 
> > > > ----------8<-------ipfw list output
> > > > 00100 allow ip from any to any via lo0
> > > > 00150 allow ip from any to any via fxp0
> > > > 00200 deny ip from any to 127.0.0.0/8
> > > > 00300 deny ip from any to 10.0.0.0/8 via tun0
> > > > 00400 deny ip from any to 172.16.0.0/12 via tun0
> > > > 00500 deny ip from any to 192.168.0.0/16 via tun0
> > > > 00600 deny ip from any to 0.0.0.0/8 via tun0
> > > > 00700 deny ip from any to 169.254.0.0/16 via tun0
> > > > 00800 deny ip from any to 192.0.2.0/24 via tun0
> > > > 00900 deny ip from any to 224.0.0.0/4 via tun0
> > > > 01000 deny ip from any to 240.0.0.0/4 via tun0
> > > > 01100 deny ip from 10.0.0.0/8 to any via tun0
> > > > 01200 deny ip from 172.16.0.0/12 to any via tun0
> > > > 01300 deny ip from 192.168.0.0/16 to any via tun0
> > > > 01400 deny ip from 0.0.0.0/8 to any via tun0
> > > > 01500 deny ip from 169.254.0.0/16 to any via tun0
> > > > 01600 deny ip from 192.0.2.0/24 to any via tun0
> > > > 01700 deny ip from 224.0.0.0/4 to any via tun0
> > > > 01800 deny ip from 240.0.0.0/4 to any via tun0
> > > > 01900 allow tcp from any to any established
> > > > 02000 allow ip from any to any frag
> > > > 02100 deny log logamount 100 tcp from any to any in recv tun0 setup
> > > > 02200 allow tcp from any to any setup
> > > > 65535 allow ip from any to any
> > > > 
> > > > 
> > > > 
> > > --
> > > Mike Meyer <mwm@mired.org>
> > > http://www.mired.org/home/mwm/
> > > Independent WWW/Perforce/FreeBSD/Unix consultant, email for more
> > > information.
> > 
> --
> Mike Meyer <mwm@mired.org>
> http://www.mired.org/home/mwm/
> Independent WWW/Perforce/FreeBSD/Unix consultant, email for more
> information.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?710709BB8B02D311942E006067441810544283>