[Firehol-support] Problem with Samba

Costa Tsaousis costa at tsaousis.gr
Sun May 23 23:16:21 CEST 2004


Hi,

NETBIOS initiates based on the broadcast address of an interface (request
goes to broadcast address) but the server responds from its own IP
address. This makes the server samba accept statement drop the server
reply.

Since version 1.168, FireHOL includes a hack that allows local samba
servers to respond correctly. This hack is applied only on "server samba
accept" on interfaces (not routers).

However, the logs you posted seem to be the other way around: your linux
host is a samba client, not a server: traffic coming in from remote
udp/137 to local client port (remote udp/137 is the server, local client
port is the client). This kind of traffic can be dropped even when "client
samba accept" is present, when the local linux box is broadcasting a
request but the response is coming back not from the broadcast address. In
such cases, the iptables connection tracker cannot match the reply with a
request. I have not allowed this to work by default, since it is a
possible security leak (trust from remote udp/137 to all local client
ports). To fix this, assuming that you trust your LAN, you should add this
to your eth0 interface:


server any sambafix accept sport 137 dport ${LOCAL_CLIENT_PORTS}


Of course you can add src/dst as needed to limit the trust you are
creating with this to just a few hosts.

Costa


> Hi all!
>
> I'm new to FireHOL and firewalling on Linux.
>
> Thanks to the FireHOL tutorial I was able to create my first firewall script
> and it seems to work very well. My configuration is simple:
> one PC on Linux that is connected to the internet (ppp0) and one PC on
> Windows (eth0).
>
> But I have a problem with SAMBA.
>
> Every time I want to connect to my Windows computer with Samba I get:
>
> May 20 14:20:48 pcfixe IN-home:IN=eth0 OUT= MAC=00:50:bf:d7:d1:a0:00:a0:cc:df:0b:ba:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=9463 PROTO=UDP SPT=137 DPT=33434 LEN=70
> May 20 14:20:48 pcfixe IN-home:IN=eth0 OUT= MAC=00:50:bf:d7:d1:a0:00:a0:cc:df:0b:ba:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=9464 PROTO=UDP SPT=137 DPT=33434 LEN=70
> May 20 14:20:48 pcfixe IN-home:IN=eth0 OUT= MAC=00:50:bf:d7:d1:a0:00:a0:cc:df:0b:ba:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=9469 PROTO=UDP SPT=137 DPT=33434 LEN=70
>
>
> My configuration script is:
>
> version 5
>
> home_ip="192.168.0.1/24"
>
> server_amule_ports="tcp/14662 udp/14672"
> client_amule_ports="default"
>
> interface eth0 home src "${home_ip}"
> policy reject
> server  "samba icmp"    accept
> client  "samba icmp"    accept
>
> interface ppp0 internet src not "${home_ip} ${UNROUTABLE_IPS}"
> protection strong 10/sec 10
> server ident reject with tcp-reset
> client all accept
> server emule accept
> server amule accept
>
> router internet2home inface ppp0 outface eth0
>                 masquerade reverse
>                 client all      accept
>                 server ident    reject with tcp-reset
>
>
> Thank you very much if you have any idea.
>
> Nicolas.
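
The shell script below is an added example; it is not part of this thread and not FireHOL's own code. It runs over constructed log lines in the format Nicolas posted (the 192.168.0.7 entry, the DPT=137 entry and the ppp0 entry are invented for the demonstration), picks out the dropped udp/137 replies to unprivileged local ports that Costa describes, and prints the sambafix line from his reply narrowed with `src` to the LAN hosts that actually answered, which is the "limit the trust to a few hosts" step he recommends. Running the same filter against the ppp0 lines shows why the exception must stay interface- and source-scoped: the same packet shape arriving from the Internet is exactly the trust leak Costa refuses to allow by default.

```shell
#!/bin/sh
# Added example (not from the thread or from FireHOL): find NetBIOS name
# service replies (udp/137 -> unprivileged local port) that the firewall
# logged as dropped, and derive a narrowed FireHOL exception from them.

# Constructed sample log, modelled on the lines in the original post.
# The 192.168.0.7, DPT=137 and ppp0 entries are invented for the demo.
SAMPLE_LOG='May 20 14:20:48 pcfixe IN-home:IN=eth0 OUT= MAC=00:50:bf:d7:d1:a0:00:a0:cc:df:0b:ba:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=9463 PROTO=UDP SPT=137 DPT=33434 LEN=70
May 20 14:20:49 pcfixe IN-home:IN=eth0 OUT= MAC=00:50:bf:d7:d1:a0:00:a0:cc:df:0b:bb:08:00 SRC=192.168.0.7 DST=192.168.0.1 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=9470 PROTO=UDP SPT=137 DPT=33435 LEN=70
May 20 14:21:03 pcfixe IN-home:IN=eth0 OUT= MAC=00:50:bf:d7:d1:a0:00:a0:cc:df:0b:ba:08:00 SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=9480 PROTO=UDP SPT=137 DPT=137 LEN=58
May 20 14:21:10 pcfixe IN-internet:IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.4 LEN=90 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=UDP SPT=137 DPT=40000 LEN=70'

# nbns_reply_sources IFACE
# Reads iptables LOG lines on stdin. Prints, sorted and deduplicated, the
# source addresses that sent udp/137 -> unprivileged-port packets on IFACE.
# That is the shape of a unicast NBNS reply to a broadcast query, which the
# connection tracker cannot pair with the outgoing request.
nbns_reply_sources() {
    awk -v iface="$1" '
        {
            in_if = ""; proto = ""; spt = ""; dpt = ""; src = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                # the IN field carries the log prefix, e.g. "IN-home:IN=eth0"
                if (kv[1] == "IN" || kv[1] ~ /:IN$/) in_if = kv[2]
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "SPT")   spt   = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            # queries sent to the server port (DPT=137) are not replies and
            # are left out; only replies to ephemeral client ports count
            if (in_if == iface && proto == "UDP" && spt + 0 == 137 && dpt + 0 > 1023)
                seen[src] = 1
        }
        END { for (h in seen) print h }
    ' | sort
}

# firehol_sambafix_rule IFACE
# Emits the exception line from the reply above, narrowed with the optional
# "src" rule parameter to the hosts seen on IFACE. Returns 1 when there is
# nothing to allow, so the caller does not add an empty-src rule by mistake.
firehol_sambafix_rule() {
    hosts=$(nbns_reply_sources "$1" | tr '\n' ' ')
    hosts=${hosts% }
    [ -n "$hosts" ] || return 1
    printf 'server any sambafix accept sport 137 dport ${LOCAL_CLIENT_PORTS} src "%s"\n' "$hosts"
}

# Demo: the line to add to the eth0 interface for the sample log.
printf '%s\n' "$SAMPLE_LOG" | firehol_sambafix_rule eth0
```

The eth0 run yields a rule that trusts 192.168.0.2 and 192.168.0.7 only; the same function run for ppp0 reports 203.0.113.9, an Internet host you would never want covered by a "sport 137 to all local client ports" rule, which is the reason to keep the exception on the LAN interface and restrict it by `src`.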
