From owner-freebsd-questions Tue Mar 6 3:49:38 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from guru.mired.org (okc-65-26-235-186.mmcable.com [65.26.235.186]) by hub.freebsd.org (Postfix) with SMTP id 3AE9437B719 for ; Tue, 6 Mar 2001 03:49:32 -0800 (PST) (envelope-from mwm@mired.org)
Received: (qmail 28399 invoked by uid 100); 6 Mar 2001 11:49:31 -0000
From: Mike Meyer
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15012.52939.590961.792379@guru.mired.org>
Date: Tue, 6 Mar 2001 05:49:31 -0600
To: Murray Taylor
Cc: questions@freebsd.org
Subject: Re: Firewalls and Samba
In-Reply-To: <125554327@toto.iv>
X-Mailer: VM 6.89 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Murray Taylor types:
> Why is the firewall stopping Samba ???

I don't see anything obviously wrong in the firewall. On the other
hand, the behavior seems to indicate the problem is the firewall. So -
what's /var/log/security say? How about ipfw show both before and
after samba has failed?

> OS - FreeBSD 4.2
> Samba - 2.0.7
>
> The general network is based on NT 4 servers with a PDC and BDC server,
> WINS servers, and DHCP addressing for all but the main servers.
> This is the first machine on the network that is FreeBSD.
> (There WILL be more if I have my way ;-)
>
> As such the Samba settings have been set to prevent
> browser elections etc.
>
> Until the Firewall was setup, all has been OK.
>
> Given the following Samba config file and the attached
> firewall rules, can it please be determined what is
> stopping W95 explorer from finding the Samba shares?
>
> >> This also all applies to W98 <<
>
> Upon Windoze boot, if net.inet.ip.fw.enable = 1, the shares are
> not visible, and indeed W95 thinks that Spyder is not on the network.
>
> If I set sysctl net.inet.ip.fw.enable = 0, W95 can immediately
> see the shares, both home and the webadmin share.
>
> Then I can reset net.inet.ip.fw.enable = 1, and Spyder and its
> shares remain visible to those who have already accessed them.
>
> Note that Spyder is pingable, telnetable, web browsable at all times
> from machines on our intranet
>
> EXAMPLE 1
> If I select a Samba share with the firewall enabled, wait till W95
> shows its hourglass, then quickly open the firewall via a telnet
> session, W95 then drops the hourglass and opens the share... so
> it appears that W95 is getting caught on something in a retry loop
>
> EXAMPLE 2
> If I boot with the firewall enabled, W95 gets hung trying to reattach
> the shares.
> Cancelling the attachment allows the boot to continue.
> Explorer cannot open the shares and thinks that
> Spyder is not on the net.
> After disabling the firewall, the shares are still not visible
> from other programs (i.e. Notepad), unless and until
> I have selected the shares once in Explorer.
> Then all is AOK.
> I can then enable the firewall and continue.
>
> I have a NAI Sniffer capture file available of the attempt to connect
> Explorer with the firewall active... which seems to me to show a successful
> connection??
>
> Most of the ipfw rules are taken from the 'simple' setting in rc.firewall.
> Rule 150 is my last attempt to open the door....
>
> The firewall is defaulted to accept at present
>
> *************
> The 128.1.2.x numbers are a historical 'hangover' from early company
> intranet days and are being changed to 10.1.2.x this Friday evening
> (the ancient chinese curse 'May you live in interesting times'
> will probably apply on this day/night...)
>
> The firewall rules are established at present, but the modem will not be
> physically connected to tun0's serial port until after Friday
> *************
>
> I am currently considering this a firewall problem, not a Samba problem
> so am only posting it to -net and -questions at present.
>
> Murray Taylor
> Project Engineer
>
> Bytecraft P/L +61 3 9587 2555
> +61 3 9587 1614 fax
> mtaylor@bytecraft.com.au
>
>
> ----------8<-------smb.conf
> # Samba config file created using SWAT
> # from 128.1.2.48 (128.1.2.48)
> # Date: 2001/02/28 10:03:54
>
> # Global parameters
> [global]
> workgroup = BYTEMELB
> netbios name = SPYDER
> interfaces = fxp0
> security = DOMAIN
> encrypt passwords = Yes
> password server = *
> os level = 0
> local master = No
> wins server = 128.1.2.3
> guest account = pcguest
>
> [homes]
> comment = Home Directories
> writeable = Yes
> browseable = No
>
> [webadmin]
> comment = Web Administrators
> path = /usr/web
> valid users = @webadmin
> writeable = Yes
> browseable = No
>
> ----------8<-------ipfw list output
> 00100 allow ip from any to any via lo0
> 00150 allow ip from any to any via fxp0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from any to 10.0.0.0/8 via tun0
> 00400 deny ip from any to 172.16.0.0/12 via tun0
> 00500 deny ip from any to 192.168.0.0/16 via tun0
> 00600 deny ip from any to 0.0.0.0/8 via tun0
> 00700 deny ip from any to 169.254.0.0/16 via tun0
> 00800 deny ip from any to 192.0.2.0/24 via tun0
> 00900 deny ip from any to 224.0.0.0/4 via tun0
> 01000 deny ip from any to 240.0.0.0/4 via tun0
> 01100 deny ip from 10.0.0.0/8 to any via tun0
> 01200 deny ip from 172.16.0.0/12 to any via tun0
> 01300 deny ip from 192.168.0.0/16 to any via tun0
> 01400 deny ip from 0.0.0.0/8 to any via tun0
> 01500 deny ip from 169.254.0.0/16 to any via tun0
> 01600 deny ip from 192.0.2.0/24 to any via tun0
> 01700 deny ip from 224.0.0.0/4 to any via tun0
> 01800 deny ip from 240.0.0.0/4 to any via tun0
> 01900 allow tcp from any to any established
> 02000 allow ip from any to any frag
> 02100 deny log logamount 100 tcp from any to any in recv tun0 setup
> 02200 allow tcp from any to any setup
> 65535 allow ip from any to any
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

--
Mike Meyer                                    http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
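Mike's suggestion to compare `ipfw show` before and after the failure, worked through as an added example that is not part of this thread: a small Python script that parses two `ipfw show` snapshots, reports which rules' packet counters grew, and flags deny rules that fired without the `log` keyword, since only logged rules ever write to /var/log/security. The snapshots use the thread's rule set but the counter values are constructed for the demonstration, not a diagnosis of Murray's firewall.

```python
import re

# Layout of `ipfw show` on FreeBSD 4.x: rule number, packet count, byte count, rule body.
RULE_RE = re.compile(r"^\s*(\d{1,5})\s+(\d+)\s+(\d+)\s+(.+?)\s*$")

def parse_ipfw_show(text):
    """Map rule number -> (packet counter, rule body); non-matching lines are ignored."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[int(m.group(1))] = (int(m.group(2)), m.group(4))
    return rules

def counter_delta(before, after):
    """Rules whose packet counter grew between two snapshots, with the growth."""
    old, new = parse_ipfw_show(before), parse_ipfw_show(after)
    grown = {}
    for num, (pkts, body) in new.items():
        prev = old.get(num, (0, body))[0]  # a rule added between snapshots counts from 0
        if pkts > prev:
            grown[num] = (pkts - prev, body)
    return grown

def blocking_suspects(grown):
    """Deny rules that fired: (rule, packets, body, logged). Unlogged denies never reach
    /var/log/security, so their counters are the only evidence that they matched."""
    out = []
    for num, (pkts, body) in sorted(grown.items()):
        words = body.split()
        if words[0] == "deny":
            out.append((num, pkts, body, words[1:2] == ["log"]))
    return out

# Constructed snapshots over the thread's rule set (counters are invented for the demo).
BEFORE = """\
00100         12        960 allow ip from any to any via lo0
00150        340      41500 allow ip from any to any via fxp0
00200          0          0 deny ip from any to 127.0.0.0/8
02100          0          0 deny log logamount 100 tcp from any to any in recv tun0 setup
02200          5        300 allow tcp from any to any setup
65535          0          0 allow ip from any to any
"""
AFTER = BEFORE.replace("00150        340      41500", "00150        388      47200") \
              .replace("00200          0          0", "00200          3        252")

if __name__ == "__main__":
    for num, pkts, body, logged in blocking_suspects(counter_delta(BEFORE, AFTER)):
        where = "also in /var/log/security" if logged else "NOT logged: counters only"
        print(f"rule {num:05d} dropped {pkts} packets ({where}): {body}")
```

On the real box the two inputs are the saved output of `ipfw show` taken before and after reproducing the failure; any allow rule that grows tells you where the traffic is actually being matched in this first-match rule set.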