[Firehol-support] Samba service (Hack)

Carlos Navarro cnavarro at ssi.co.cr
Wed Jan 26 19:02:13 GMT 2005

Hello, my name is Carlos Navarro. I'm using FireHOL in our proxy server
and I can't set up the samba service correctly. This is not really
important in this case, because I only need samba to share files
(software, updates, logs, configs, etc) between my computer and the
server. Since the server is not a file server, I start the service
manually and stop it manually using ssh. But I want to know the solution
for future reference.

OK, my problem is simple. My linux box can connect to windows shares and
even mount them, but my windows hosts cannot connect to my linux host,
and I know samba has been set up correctly.

OK, the manual says that there are two solutions, a hack and a
trust relationship. I cannot set up any kind of trust relationship
between the proxy and any other system. So I need to know the hack. I
don't care if I open those high ports because they are going to listen
to my network and not to the internet. And, as I said before, most of the
time the samba service is not running. And I want to know this for
future reference.

By the way, this is the second time that I have written to you. The first time
I was able to solve the problem and the server is perfectly set up.
FireHOL just helped me A LOT!! I don't know too much about iptables and
without FireHOL, well, we would still be using the so well known
insecure Micro$oft server to connect to the internet. Thanks a lot!! Because
of you, we are running linux! =)

"NETBIOS initiates based on the broadcast address of an interface
(request goes to broadcast address) but the server responds from its own
IP address. This makes the server samba accept statement drop the server
reply, because of the way the iptables connection tracker works. 

This service definition includes a hack, that allows a linux samba
server to respond correctly in such situations, by allowing new outgoing
connections from the well known netbios_ns
<http://firehol.sourceforge.net/services.html?#netbios_ns>  port to the
clients high ports. 

However, for clients and routers this hack is not applied because it
would open all unprivileged ports to the samba server. The only solution
to overcome the problem in such cases (routers or clients) is to build a
trust relationship between the samba servers and clients."
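
The behaviour described in the quoted manual text, as an added example that is not part of the original post or of FireHOL's code: a toy state table (not the real iptables connection tracker) showing why a reply to a broadcast name query is classified NEW and dropped, and what the hack rule changes. The addresses and the client port 1027 are constructed.

```python
from dataclasses import dataclass

NETBIOS_NS = 137  # netbios_ns (name service) port

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def mirror(self):
        # The exact reverse tuple a stateful filter expects as the reply
        return Packet(self.dst, self.dport, self.src, self.sport)

class Tracker:
    """Toy state table: ESTABLISHED only if the packet mirrors an accepted one."""
    def __init__(self):
        self.accepted = set()

    def state(self, pkt):
        return "ESTABLISHED" if pkt.mirror() in self.accepted else "NEW"

def server_filter(pkt, tracker, server_ip, hack):
    """Return (verdict, state) for a packet seen on the samba server."""
    state = tracker.state(pkt)
    if pkt.src != server_ip:                  # inbound request to the server
        ok = pkt.dport == NETBIOS_NS
    else:                                     # outbound from the server
        ok = state == "ESTABLISHED"
        if hack and pkt.sport == NETBIOS_NS and pkt.dport >= 1024:
            ok = True                         # hack: NEW out from 137 to high ports
    if ok:
        tracker.accepted.add(pkt)
    return ("ACCEPT" if ok else "DROP", state)

def simulate(request_dst, hack):
    """Client queries request_dst; return the verdict on the server's reply."""
    server, client = "192.168.1.10", "192.168.1.20"   # constructed addresses
    tracker = Tracker()
    query = Packet(client, 1027, request_dst, NETBIOS_NS)
    server_filter(query, tracker, server, hack)
    reply = Packet(server, NETBIOS_NS, client, 1027)  # sent from the server's own IP
    return server_filter(reply, tracker, server, hack)

if __name__ == "__main__":
    for dst in ("192.168.1.10", "192.168.1.255"):     # unicast, then broadcast
        for hack in (False, True):
            print(dst, "hack" if hack else "no hack", simulate(dst, hack))
```

With the hack enabled, the broadcast case is accepted as a NEW outgoing packet rather than as a tracked reply, which is why the same rule on a client or router would open every unprivileged port to the samba server.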

