[Firehol-support] Using "client all accept" isn't enough to access samba shares

Vincent Danjean vdanjean.ml at free.fr
Tue Dec 23 17:48:07 GMT 2008

Laurento Frittella wrote:
> Hi all,
> if I use "client all accept" (but I've tried with "client samba accept"
> too) firehol still filters some useful traffic:
> Dec 23 17:49:52 thot IN-lan:IN=eth0 OUT=
> MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC= DST=
> LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=27951 PROTO=UDP SPT=137 DPT=48003 LEN=76
> (where is the samba server and my notebook running
> firehol)
> If I stop firehol (disabling all filtering) all works well. How can I
> solve this issue?

I've had a similar issue: I have a bridge between openvpn and my local network.
I do not want any filtering between these two parts.
I put:
  router bridge inface br0 outface br0
     client all accept

It did not work: NEW, ESTABLISHED and RELATED packets went through, but some
INVALID packets were there (I did not investigate why) and were filtered.
I solved this by putting:
  router bridge inface br0 outface br0
    policy accept

It was difficult for me to find the problem because nothing in the log
shows the state of the packets. Inspecting with "iptables -L", adding some logs
and trying some new iptables rules allowed me to find the problem with the
dropped INVALID packets. Then a Google search for firehol and INVALID found the
solution with the "policy accept" statement.


> Regards,
> Laurento
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support

Vincent Danjean                 Address: Laboratoire d'Informatique de Grenoble
Phone:      +33 4 76 61 20 11            ENSIMAG - antenne de Montbonnot
Fax:        +33 4 76 61 20 99            ZIRST 51, avenue Jean Kuntzmann
Email: Vincent.Danjean at imag.fr           38330 Montbonnot Saint Martin
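The diagnostic step the reply describes (FireHOL's own log lines never say which conntrack state a packet had, so one has to add iptables LOG rules by hand to see whether a drop was an INVALID drop) is shown below as an added example. It is not code from the thread or from FireHOL. It assumes an iptables with the conntrack match ("-m conntrack --ctstate"), uses a "CT-<STATE>:" log prefix of our own choosing, and feeds constructed sample log lines (addresses from the 192.0.2.0/24 documentation range) to a small summariser; the real fix for the reply's bridge case, "policy accept" in the router block, is the one given in the message above.

```shell
#!/bin/sh
# Added diagnostic example; not code from the mailing-list thread or from FireHOL.
# Step 1: log the conntrack state (INVALID or NEW) of packets before FireHOL's
#         own rules see them.
# Step 2: boil the resulting kernel log lines down to "state proto sport dport".
# Assumption: iptables supports "-m conntrack --ctstate"; the "CT-<STATE>:"
# log prefix is ours, chosen so the state is visible in the log text itself.

# Print the iptables commands that log INVALID and NEW packets arriving on
# interface $2 ahead of every other rule in chain $1 (INPUT for traffic to the
# host itself, FORWARD for a FireHOL "router" block such as the br0 bridge).
conntrack_log_rules() {
    chain=$1
    iface=$2
    for state in INVALID NEW; do
        printf 'iptables -I %s 1 -i %s -m conntrack --ctstate %s -j LOG --log-prefix "CT-%s:" --log-level info\n' \
            "$chain" "$iface" "$state" "$state"
    done
}

# Install the rules above. With DRY_RUN=1 (the default) they are only echoed;
# running them for real needs root and a loaded FireHOL ruleset.
install_conntrack_logging() {
    conntrack_log_rules "$1" "$2" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Extract the value of KEY=... from a netfilter log line. The greedy match
# picks the last occurrence, so for LEN= this would be the transport length.
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Reduce one kernel log line to "state proto sport dport". The state comes
# from our CT-* prefix; lines logged by FireHOL itself (prefix "IN-lan:" in the
# original question) carry no state, which is exactly the gap the reply
# complains about, so they are reported as "unknown".
summarize_log_line() {
    line=$1
    state=$(printf '%s\n' "$line" | sed -n 's/.*CT-\([A-Z]*\):.*/\1/p')
    [ -n "$state" ] || state=unknown
    printf '%s %s %s %s\n' "$state" \
        "$(log_field "$line" PROTO)" "$(log_field "$line" SPT)" "$(log_field "$line" DPT)"
}

# Constructed sample lines: the first is what our LOG rule would produce for
# the NetBIOS name-service reply quoted in the question, the second mimics the
# FireHOL-prefixed line from the question itself (addresses are made up).
SAMPLE_INVALID='Dec 23 17:49:52 thot CT-INVALID:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=27951 PROTO=UDP SPT=137 DPT=48003 LEN=76'
SAMPLE_FIREHOL='Dec 23 17:49:52 thot IN-lan:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=27951 PROTO=UDP SPT=137 DPT=48003 LEN=76'

# Stand-alone run: show the commands (dry run) and summarise both samples.
install_conntrack_logging INPUT eth0
summarize_log_line "$SAMPLE_INVALID"
summarize_log_line "$SAMPLE_FIREHOL"
```

Once the CT-* lines show up in the kernel log for the traffic that is being lost, the choice is between "policy accept" for the whole router block, as in the reply, and something narrower such as a rule that accepts only the specific INVALID traffic involved; the summariser's "state proto sport dport" output is what tells you which.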
