Date: Thu, 6 Jun 2002 10:32:32 +0200 (MET DST)
From: Mario Pranjic
Subject: Re: samba and ipfw
In-Reply-To: <20020605122357.D10653@cowbert.2y.net>
List: freebsd-security@FreeBSD.ORG

On Wed, 5 Jun 2002, Peter C. Lai wrote:

> Date: Wed, 5 Jun 2002 12:23:57 -0400
> From: Peter C. Lai
> Reply-To: peter.lai@uconn.edu
> To: Mario Pranjic
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: samba and ipfw
>
> you forgot UDP 137
> /etc/services shows:
> netbios-ns      137/tcp    #NETBIOS Name Service
> netbios-ns      137/udp    #NETBIOS Name Service
> netbios-dgm     138/tcp    #NETBIOS Datagram Service
> netbios-dgm     138/udp    #NETBIOS Datagram Service
> netbios-ssn     139/tcp    #NETBIOS Session Service
> netbios-ssn     139/udp    #NETBIOS Session Service
>
> You really don't need 445 either, unless you are
> routing Active Directory associated traffic.
>
> The network neighborhood functionality is a function
> of nmbd, or NETBIOS Name Service, hence you can't access
> machines by name if you block 137.

I've modified my rules:

00660 allow tcp from any to me 137,138,139,445 keep-state setup
00661 allow udp from any 139 to me 139 keep-state
00662 allow udp from any to me 137

I added port 137 (tcp and udp).

Still, I can't access the machine from a Windows box.

On FreeBSD there is no problem:

mount_smbfs -I servername //user@smbserver/share /mntpoint

The master browser is one Linux box and it cannot see my samba server
behind the firewall.

Maybe I've made some other mistake? Of course, I can access the machine
by name via http, ssh, ftp...

Anybody knows what I did wrong?

Thanks!

Mario Pranjic, dipl.ing.
sistem administrator
Knjiznica, Institut Rudjer Boskovic
-------------------------------------
e-mail: mario.pranjic@irb.hr
ICQ: 72059629
tel: +385 1 45 60 954 (interni: 1293)
-------------------------------------
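An added example, not part of this thread or of any poster's ruleset, that builds an ipfw ruleset for a Samba host from the port list quoted above. Two details matter for the browsing problem discussed here: the browse list (host announcements, browser elections) travels over the NetBIOS datagram service on 138/udp, and both name queries and announcements are sent to the subnet broadcast address. ipfw's "me" keyword matches only addresses configured on the host's own interfaces, so a rule written "to me 137" never sees those broadcasts; the broadcast address has to be listed explicitly. The subnet 192.168.1.0/24, its broadcast address 192.168.1.255, the rule numbers and the samba_rules function name are placeholders chosen for the example. By default the script only prints the ipfw commands; setting IPFW=ipfw and running it as root on a FreeBSD host would load them.

```shell
#!/bin/sh
# Added example (not from the thread): print or load an ipfw ruleset that
# admits Samba/NetBIOS traffic only from the local subnet and drops it from
# everywhere else. Subnet, broadcast address and rule numbers are placeholders.
# IPFW defaults to "echo ipfw" so the rules are shown, not installed.

IPFW=${IPFW:-"echo ipfw"}

# samba_rules LAN BROADCAST BASE
#   LAN       - subnet allowed to reach the server (CIDR notation)
#   BROADCAST - that subnet's broadcast address
#   BASE      - first rule number to use; seven consecutive numbers are taken
samba_rules() {
    lan=$1
    bcast=$2
    base=$3

    # NetBIOS session service (139/tcp) and direct-hosted SMB (445/tcp):
    # stateful, LAN sources only. Dynamic rules are checked at the first
    # keep-state rule when no earlier check-state rule exists.
    $IPFW add "$base" allow tcp from "$lan" to me 139,445 setup keep-state

    # NetBIOS name service (137/udp) and datagram service (138/udp) from the
    # LAN, both to the host's own addresses and to the subnet broadcast
    # address, which "me" does not match.
    $IPFW add $((base + 1)) allow udp from "$lan" to me 137,138
    $IPFW add $((base + 2)) allow udp from "$lan" to "$bcast" 137,138

    # Traffic nmbd sends back: name replies to the querying host and its own
    # broadcast announcements. nmbd uses 137 and 138 as source ports.
    $IPFW add $((base + 3)) allow udp from me 137,138 to "$lan"
    $IPFW add $((base + 4)) allow udp from me 137,138 to "$bcast"

    # Anything else aimed at the SMB/NetBIOS ports is dropped, so nothing
    # outside the LAN can reach the file server.
    $IPFW add $((base + 5)) deny tcp from any to me 137,138,139,445
    $IPFW add $((base + 6)) deny udp from any to me 137,138,139,445
}

# Generate the ruleset for the placeholder subnet starting at rule 660.
samba_rules 192.168.1.0/24 192.168.1.255 660
```

The deny rules at the end only make a difference if the ruleset later falls through to a more permissive default; with a closed default policy they are redundant but document the intent. Whether the Windows side resolves the server name also depends on the master browser being on the same broadcast domain, since nothing here forwards broadcasts across subnets.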