Date: Tue, 6 Mar 2001 05:49:31 -0600
From: Mike Meyer <mwm@mired.org>
To: Murray Taylor <mtaylor@bytecraft.com.au>
Cc: questions@freebsd.org
Subject: Re: Firewalls and Samba
Message-ID: <15012.52939.590961.792379@guru.mired.org>
In-Reply-To: <125554327@toto.iv>
Murray Taylor <mtaylor@bytecraft.com.au> types:
> Why is the firewall stopping Samba ???

I don't see anything obviously wrong in the firewall. On the other
hand, the behavior seems to indicate the problem is the firewall. So -
what's /var/log/security say? How about ipfw show both before and
after samba has failed?

	<mike

> OS - FreeBSD 4.2
> Samba - 2.0.7
> 
> The general network is based on NT 4 servers with a PDC and BDC server,
> WINS servers, and DHCP addressing for all but the main servers.
> This is the first machine on the network that is FreeBSD.
> (There WILL be more if I have my way ;-)
> 
> As such the Samba settings have been set to prevent
> browser elections etc.
> 
> Until the Firewall was set up, all has been OK.
> 
> Given the following Samba config file and the attached
> firewall rules, can it please be determined what is
> stopping W95 explorer from finding the Samba shares?
> 
> >> This also all applies to W98 <<
> 
> Upon Windoze boot, if net.inet.ip.fw.enable = 1, the shares are
> not visible, and indeed W95 thinks that Spyder is not on the network.
> 
> If I set sysctl net.inet.ip.fw.enable = 0, W95 can immediately
> see the shares, both home and the webadmin share.
> 
> Then I can reset net.inet.ip.fw.enable = 1, and Spyder and its
> shares remain visible to those who have already accessed them.
> 
> Note that Spyder is pingable, telnetable, web browsable at all times
> from machines on our intranet.
> 
> EXAMPLE 1
> If I select a Samba share with the firewall enabled, wait till W95
> shows its hourglass, then quickly open the firewall via a telnet
> session, W95 then drops the hourglass and opens the share... so
> it appears that W95 is getting caught on something in a retry loop.
> 
> EXAMPLE 2
> If I boot with the firewall enabled, W95 gets hung trying to reattach
> the shares.
> Cancelling the attachment allows the boot to continue.
> Explorer cannot open the shares and thinks that
> Spyder is not on the net.
> After disabling the firewall, the shares are still not visible
> from other programs (i.e. Notepad), unless and until
> I have selected the shares once in Explorer.
> Then all is AOK.
> I can then enable the firewall and continue.
> 
> I have a NAI Sniffer capture file available of the attempt to connect
> Explorer with the firewall active... which seems to me to show a
> successful connection??
> 
> Most of the ipfw rules are taken from the 'simple' setting in rc.firewall.
> Rule 150 is my last attempt to open the door....
> 
> The firewall is defaulted to accept at present.
> 
> *************
> The 128.1.2.x numbers are a historical 'hangover' from early company
> intranet days and are being changed to 10.1.2.x this Friday evening
> (the ancient Chinese curse 'May you live in interesting times'
> will probably apply on this day/night...)
> 
> The firewall rules are established at present, but the modem will not be
> physically connected to tun0's serial port until after Friday.
> *************
> 
> I am currently considering this a firewall problem, not a Samba problem,
> so am only posting it to -net and -questions at present.
> 
> Murray Taylor
> Project Engineer
> 
> Bytecraft P/L   +61 3 9587 2555
>                 +61 3 9587 1614 fax
> mtaylor@bytecraft.com.au
> 
> 
> ----------8<-------smb.conf
> # Samba config file created using SWAT
> # from 128.1.2.48 (128.1.2.48)
> # Date: 2001/02/28 10:03:54
> 
> # Global parameters
> [global]
> 	workgroup = BYTEMELB
> 	netbios name = SPYDER
> 	interfaces = fxp0
> 	security = DOMAIN
> 	encrypt passwords = Yes
> 	password server = *
> 	os level = 0
> 	local master = No
> 	wins server = 128.1.2.3
> 	guest account = pcguest
> 
> [homes]
> 	comment = Home Directories
> 	writeable = Yes
> 	browseable = No
> 
> [webadmin]
> 	comment = Web Administrators
> 	path = /usr/web
> 	valid users = @webadmin
> 	writeable = Yes
> 	browseable = No
> 
> ----------8<-------ipfw list output
> 00100 allow ip from any to any via lo0
> 00150 allow ip from any to any via fxp0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from any to 10.0.0.0/8 via tun0
> 00400 deny ip from any to 172.16.0.0/12 via tun0
> 00500 deny ip from any to 192.168.0.0/16 via tun0
> 00600 deny ip from any to 0.0.0.0/8 via tun0
> 00700 deny ip from any to 169.254.0.0/16 via tun0
> 00800 deny ip from any to 192.0.2.0/24 via tun0
> 00900 deny ip from any to 224.0.0.0/4 via tun0
> 01000 deny ip from any to 240.0.0.0/4 via tun0
> 01100 deny ip from 10.0.0.0/8 to any via tun0
> 01200 deny ip from 172.16.0.0/12 to any via tun0
> 01300 deny ip from 192.168.0.0/16 to any via tun0
> 01400 deny ip from 0.0.0.0/8 to any via tun0
> 01500 deny ip from 169.254.0.0/16 to any via tun0
> 01600 deny ip from 192.0.2.0/24 to any via tun0
> 01700 deny ip from 224.0.0.0/4 to any via tun0
> 01800 deny ip from 240.0.0.0/4 to any via tun0
> 01900 allow tcp from any to any established
> 02000 allow ip from any to any frag
> 02100 deny log logamount 100 tcp from any to any in recv tun0 setup
> 02200 allow tcp from any to any setup
> 65535 allow ip from any to any
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
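Mike's advice is to compare `ipfw show` before and after a failed share connection. As an added example, not code from either poster, this script diffs the per-rule packet counters of two such snapshots so that the rule absorbing the SMB/NetBIOS packets stands out; the two snapshots are constructed sample data, not taken from Murray's machine, and the script assumes FreeBSD's `ipfw show` column order of rule number, packets, bytes, rule body.

```shell
#!/bin/sh
# Diff the per-rule packet counters of two "ipfw show" snapshots.
# Added example, not from the thread. Assumes FreeBSD's "ipfw show"
# column order: <rule> <packets> <bytes> <rule body>.

# Constructed sample snapshots standing in for real "ipfw show" output,
# hypothetically captured before and after a failed share connection.
BEFORE='00100 40 3200 allow ip from any to any via lo0
00150 900 71000 allow ip from any to any via fxp0
00200 0 0 deny ip from any to 127.0.0.0/8
01900 12 960 allow tcp from any to any established
02100 0 0 deny log logamount 100 tcp from any to any in recv tun0 setup
65535 3 180 allow ip from any to any'

AFTER='00100 40 3200 allow ip from any to any via lo0
00150 960 76000 allow ip from any to any via fxp0
00200 7 560 deny ip from any to 127.0.0.0/8
01900 12 960 allow tcp from any to any established
02100 0 0 deny log logamount 100 tcp from any to any in recv tun0 setup
65535 3 180 allow ip from any to any'

# changed_rules BEFORE AFTER
# Prints "<rule> +<packet delta> <rule body>" for every rule whose
# packet counter grew between the two snapshots.
changed_rules() {
    printf '%s\n' "$1" "---" "$2" | awk '
        /^---$/ { phase = 1; next }
        {
            rule = $1; pkts = $2
            body = $4
            for (i = 5; i <= NF; i++) body = body " " $i
            if (phase == 0) { before[rule] = pkts; next }
            delta = pkts - before[rule]
            if (delta > 0) printf "%s +%d %s\n", rule, delta, body
        }'
}

# only_denies BEFORE AFTER
# Narrows the report to deny rules, the only ones that can explain
# dropped traffic; allow rules moving is expected background noise.
only_denies() {
    changed_rules "$1" "$2" | awk '$3 == "deny"'
}

echo "Rules whose counters moved:"
changed_rules "$BEFORE" "$AFTER"
echo "Deny rules among them:"
only_denies "$BEFORE" "$AFTER"
```

On the FreeBSD box itself the snapshots come from `before=$(ipfw show)` and `after=$(ipfw show)` taken around one failed connection attempt, then `only_denies "$before" "$after"`.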
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15012.52939.590961.792379>