Date:      Tue, 6 Mar 2001 05:49:31 -0600
From:      Mike Meyer <mwm@mired.org>
To:        Murray Taylor <mtaylor@bytecraft.com.au>
Cc:        questions@freebsd.org
Subject:   Re: Firewalls and Samba
Message-ID:  <15012.52939.590961.792379@guru.mired.org>
In-Reply-To: <125554327@toto.iv>

Murray Taylor <mtaylor@bytecraft.com.au> types:
> Why is the firewall stopping Samba ???

I don't see anything obviously wrong in the firewall. On the other
hand, the behavior seems to indicate the problem is the firewall.

So - what's /var/log/security say? How about ipfw show both before and
after samba has failed?

	<mike

> OS - FreeBSD 4.2
> Samba - 2.0.7
> 
> The general network is based on NT 4 servers with a PDC and BDC server,
> WINS servers, and DHCP addressing for all but the main servers.
> This is the first machine on the network that is FreeBSD.
> (There WILL be more if I have my way ;-)
> 
> As such the Samba settings have been set to prevent 
> browser elections etc. 
> 
> Until the Firewall was setup, all has been OK.
> 
> Given the following Samba config file and the attached
> firewall rules, can it please be determined what is
> stopping W95 explorer from finding the Samba shares?
> 
> >> This also all applies to W98 <<
> 
> Upon Windoze boot, if net.inet.ip.fw.enable = 1, the shares are
> not visible, and indeed W95 thinks that Spyder is not on the network.
> 
> If I set sysctl net.inet.ip.fw.enable = 0, W95 can immediately
> see the shares, both home and the webadmin share.
> 
> Then I can reset net.inet.ip.fw.enable = 1, and Spyder and its
> shares remain visible to those who have already accessed them.
> 
> Note that Spyder is pingable, telnetable, web browsable at all times
> from machines on our intranet
> 
> EXAMPLE 1
> If I select a Samba share with the firewall enabled, wait till W95
> shows its hourglass, then quickly open the firewall via a telnet 
> session, W95 then drops the hourglass and opens the share... so
> it appears that W95 is getting caught on something in a retry loop
> 
> EXAMPLE 2
> If I boot with the firewall enabled, W95 gets hung trying to reattach 
> the shares.
> Cancelling the attachment allows the boot to continue.
> Explorer cannot open the shares and thinks that 
> Spyder is not on the net.
> After disabling the firewall, the shares are still not visible
> from other programs (ie Notepad), unless and until 
> I have selected the shares once in Explorer.
> Then all is AOK.
> I can then enable the firewall and continue.
> 
> I have a NAI Sniffer capture file available of the attempt to connect
> Explorer 
> with the firewall active... which seems to me to show a successful
> connection??
> 
> Most of the ipfw rules are taken from the 'simple' setting in rc.firewall.
> Rule 150 is my last attempt to open the door....
> 
> The firewall is defaulted to accept at present
> 
> *************
> The 128.1.2.x numbers are a historical 'hangover' from early company
> intranet days and are being changed to 10.1.2.x this Friday evening
> (the ancient chinese curse 'May you live in interesting times'
> will probably apply on this day/night...)
> 
> The firewall rules are established at present, but the modem will not be
> physically connected to tun0's serial port until after Friday
> *************
> 
> I am currently considering this a firewall problem, not a Samba problem
> so am only posting it to -net and -questions at present.
> 
> Murray Taylor
> Project Engineer
> 
> Bytecraft P/L	+61 3 9587 2555
> 		+61 3 9587 1614 fax
> 		mtaylor@bytecraft.com.au
> 
> 
> ----------8<-------smb.conf
> # Samba config file created using SWAT
> # from 128.1.2.48 (128.1.2.48)
> # Date: 2001/02/28 10:03:54
> 
> # Global parameters
> [global]
> 	workgroup = BYTEMELB
> 	netbios name = SPYDER
> 	interfaces = fxp0
> 	security = DOMAIN
> 	encrypt passwords = Yes
> 	password server = *
> 	os level = 0
> 	local master = No
> 	wins server = 128.1.2.3
> 	guest account = pcguest
> 
> [homes]
> 	comment = Home Directories
> 	writeable = Yes
> 	browseable = No
> 
> [webadmin]
> 	comment = Web Administrators
> 	path = /usr/web
> 	valid users = @webadmin
> 	writeable = Yes
> 	browseable = No
> 
> ----------8<-------ipfw list output
> 00100 allow ip from any to any via lo0
> 00150 allow ip from any to any via fxp0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from any to 10.0.0.0/8 via tun0
> 00400 deny ip from any to 172.16.0.0/12 via tun0
> 00500 deny ip from any to 192.168.0.0/16 via tun0
> 00600 deny ip from any to 0.0.0.0/8 via tun0
> 00700 deny ip from any to 169.254.0.0/16 via tun0
> 00800 deny ip from any to 192.0.2.0/24 via tun0
> 00900 deny ip from any to 224.0.0.0/4 via tun0
> 01000 deny ip from any to 240.0.0.0/4 via tun0
> 01100 deny ip from 10.0.0.0/8 to any via tun0
> 01200 deny ip from 172.16.0.0/12 to any via tun0
> 01300 deny ip from 192.168.0.0/16 to any via tun0
> 01400 deny ip from 0.0.0.0/8 to any via tun0
> 01500 deny ip from 169.254.0.0/16 to any via tun0
> 01600 deny ip from 192.0.2.0/24 to any via tun0
> 01700 deny ip from 224.0.0.0/4 to any via tun0
> 01800 deny ip from 240.0.0.0/4 to any via tun0
> 01900 allow tcp from any to any established
> 02000 allow ip from any to any frag
> 02100 deny log logamount 100 tcp from any to any in recv tun0 setup
> 02200 allow tcp from any to any setup
> 65535 allow ip from any to any
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.

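Mike's two diagnostic questions (compare `ipfw show` before and after the failed share attach, and read /var/log/security) can be answered mechanically. The Python script below is an added example, not code from either message: it parses `ipfw show` snapshots in the FreeBSD 4.x format (rule number, packet count, byte count, rule body) and reports which rule counters moved, and it extracts the flows that a `log` rule such as 02100 would write to /var/log/security. The counter values, the host name `spyder` and the 10.1.2.x addresses in the samples are constructed.

```python
import re
from typing import Dict, List, Tuple

# One line of `ipfw show`: rule number, packet count, byte count, rule body.
RULE_RE = re.compile(r"^\s*(\d{1,5})\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")
# One TCP/UDP ipfw log line as it reaches /var/log/security through syslog, e.g.
# "... /kernel: ipfw: 2100 Deny TCP 10.1.2.9:1030 10.1.2.48:139 in via tun0"
LOG_RE = re.compile(r"ipfw: (\d+) (\w+) (\w+) (\S+):(\d+) (\S+):(\d+) (in|out) via (\S+)")

def parse_ipfw_show(text: str) -> Dict[int, Tuple[int, int, str]]:
    """Map rule number -> (packets, bytes, rule body) for an `ipfw show` dump."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:  # blank lines or anything that is not a rule line is ignored
            num, pkts, nbytes, body = m.groups()
            rules[int(num)] = (int(pkts), int(nbytes), body)
    return rules

def rules_hit_between(before: str, after: str) -> List[Tuple[int, int, str]]:
    """Rules whose packet counter grew between two snapshots: (rule, delta, body)."""
    b, a = parse_ipfw_show(before), parse_ipfw_show(after)
    hits = []
    for num in sorted(a):
        delta = a[num][0] - b.get(num, (0, 0, ""))[0]
        if delta > 0:
            hits.append((num, delta, a[num][2]))
    return hits

def denied_flows(security_log: str) -> List[Tuple[int, str, str, str, int, str]]:
    """Extract (rule, proto, src, dst, dport, iface) for each logged Deny line."""
    flows = []
    for m in LOG_RE.finditer(security_log):
        rule, action, proto, src, _sport, dst, dport, _direction, iface = m.groups()
        if action.lower() == "deny":
            flows.append((int(rule), proto, src, dst, int(dport), iface))
    return flows

# Constructed snapshots (counters are made up) using three rules from the post.
BEFORE = """\
00150 3407 2551980 allow ip from any to any via fxp0
02100 0 0 deny log logamount 100 tcp from any to any in recv tun0 setup
65535 18 1440 allow ip from any to any
"""
AFTER = (BEFORE.replace("00150 3407 2551980", "00150 3464 2589112")
               .replace("65535 18 1440", "65535 20 1600"))
# Constructed /var/log/security line in the format ipfw logs through syslog.
SECURITY_LOG = ("Mar  6 05:49:31 spyder /kernel: ipfw: 2100 Deny TCP "
                "10.1.2.9:1030 10.1.2.48:139 in via tun0\n")
```

Only rules carrying `log` (here 02100) ever produce /var/log/security lines, so a share attach that fails without any Deny entry points at counter movement on the silent rules rather than at a logged drop.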