[Firehol-support] samba problems
Goetz Bock
bock at blacknet.de
Tue Nov 4 00:35:43 GMT 2003
Hi Costa,
> As you can see above, FireHOL explicitly allows this connection
> (netbios-ns is port 137):
I figured out that the firwall should allow the traffic. Still it did
not.
> The problem with your setup is that the iptables connection tracker does
> not see the reply packet as part of an ESTABLISHED connection. There are
> two possible causes for this:
On first I've suspected my UML kernel to be at fault. It has iptables
and an experimental veryfast firewall module. So I've compiled a kernel
without the experimental module ... it did not help.
> this sounds like the connection is not symmetrically. The conntrack
> core assumes that connections are always symmetrically:
>
> [ ... ]
>
> Do you believe that either of the two apply to you?
I've done some traces, the first is from a working connection, the
seccond from a not working one, and the related dmesg output
01:10:18.364212 a.b.c.17.32769 > a.b.c.31.netbios-ns: ...
01:10:18.364637 a.b.c.24.netbios-ns > a.b.c.17.32769: ...
01:10:18.673435 a.b.c.17.32781 > a.b.c.24.netbios-ssn: ...
01:10:18.673577 a.b.c.24.netbios-ssn > a.b.c.17.32781: ...
01:10:18.673931 a.b.c.17.32781 > a.b.c.24.netbios-ssn: ...
01:10:18.953552 a.b.c.17.32781 > a.b.c.24.netbios-ssn: ...
01:10:18.953682 a.b.c.24.netbios-ssn > a.b.c.17.32781: ...
01:10:18.956113 a.b.c.24.netbios-ssn > a.b.c.17.32781: ...
01:10:18.956409 a.b.c.17.32781 > a.b.c.24.netbios-ssn: ...
01:10:18.956665 a.b.c.17.32781 > a.b.c.24.netbios-ssn: ...
01:10:18.958985 a.b.c.24.netbios-ssn > a.b.c.17.32781: ...
01:10:19.032882 a.b.c.17.32781 > a.b.c.24.netbios-ssn: ...
01:10:20.813649 a.b.c.17.32781 > a.b.c.24.netbios-ssn: ...
01:10:20.825115 a.b.c.24.netbios-ssn > a.b.c.17.32781: ...
01:10:20.825441 a.b.c.17.32781 > a.b.c.24.netbios-ssn: ...
01:10:20.825800 a.b.c.17.32781 > a.b.c.24.netbios-ssn: ...
01:10:20.829896 a.b.c.24.netbios-ssn > a.b.c.17.32781: ...
01:10:20.835154 a.b.c.17.32781 > a.b.c.24.netbios-ssn: ...
01:10:20.836029 a.b.c.24.netbios-ssn > a.b.c.17.32781: ...
01:10:20.912860 a.b.c.17.32781 > a.b.c.24.netbios-ssn: ...
01:10:22.333459 a.b.c.17.32781 > a.b.c.24.netbios-ssn: ...
01:10:22.352927 a.b.c.24.netbios-ssn > a.b.c.17.32781: ...
01:10:22.353375 a.b.c.17.32781 > a.b.c.24.netbios-ssn: ...
01:18:44.850282 a.b.c.17.32769 > a.b.c.31.netbios-ns: ...
01:18:45.159103 a.b.c.17.32769 > a.b.c.31.netbios-ns: ...
01:18:45.459074 a.b.c.17.32769 > a.b.c.31.netbios-ns: ...
OUT-server:IN= OUT=eth1 SRC=a.b.c.24 DST=a.b.c.17 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32769 LEN=70
OUT-server:IN= OUT=eth1 SRC=a.b.c.24 DST=a.b.c.17 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32769 LEN=70
OUT-server:IN= OUT=eth1 SRC=a.b.c.24 DST=a.b.c.17 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32769 LEN=70
It looks like if the problem is:
- quiery comes via broadcast
- reply from host
so the traffic can not be related :-(
Am I realy the first/only to have trouble with samba?
I'll do some more investigation tomorow.
--
/"\ Goetz Bock at blacknet dot de -- secure mobile Linux everNETting
\ / (c) 2003 as GNU FDL 1.1
X [ 1. Use descriptive subjects - 2. Edit a reply for brevity - ]
/ \ [ 3. Reply to the list - 4. Read the archive *before* you post ]
More information about the Firehol-support
mailing list