[Firehol-support] Using "client all accept" isn't enough to access samba shares

Laurento Frittella laurento.frittella at gmail.com
Tue Feb 24 09:54:18 CET 2009


I haven't found a solution yet... any idea?

Regards,
Laurento

On Tue, 23/12/2008 at 18.48 +0100, Vincent Danjean wrote:
> Laurento Frittella wrote:
> > Hi all,
> > if I use "client all accept" (but I've tried with "client samba accept"
> > too) firehol still filters some useful traffic:
> > 
> > Dec 23 17:49:52 thot IN-lan:IN=eth0 OUT=
> > MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=10.0.0.1 DST=10.0.0.20
> > LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=27951 PROTO=UDP SPT=137 DPT=48003
> > LEN=76 
> > 
> > (where 10.0.0.1 is the samba server and 10.0.0.20 my notebook running
> > firehol)
> > 
> > If I stop firehol (disabling all filtering) all works well. How can I
> > solve this issue?
> 
> I've had a similar issue: I've a bridge between openvpn and my local network.
> I do not want any filtering between these two parts.
> I put:
>   router bridge inface br0 outface br0
>      client all accept
> 
> It did not work: NEW, ESTABLISHED and RELATED packets go through, but some
> INVALID packets were here (I did not search for why) and were filtered.
> I solved this by putting:
>   router bridge inface br0 outface br0
>     policy accept
> 
> It has been difficult for me to find the problem because nothing in the log
> shows the state of packets. Inspecting with "iptables -L", adding some logs
> and trying some new iptables rules allowed me to find the problem with
> INVALID dropped packets. Then googling for firehol and INVALID found the
> solution with the "policy accept" statement.
> 
>   Regards,
>     Vincent
> 
> > Regards,
> > Laurento
> > 
> > 
> 
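An added example, not part of either poster's message: a small parser for the kernel LOG line quoted in the thread, which separates the FireHOL prefix and the two `LEN` values and flags the pattern seen here (UDP from source port 137 to a high client port). As the reply notes, none of the logged fields carries the connection-tracking state, so this triage works only from addresses and ports. The field name `L4_LEN` and the triage labels are this example's own.

```python
import re

# Constructed sample: the log entry quoted in the thread, joined onto one line.
SAMPLE = (
    "Dec 23 17:49:52 thot IN-lan:IN=eth0 OUT= "
    "MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=10.0.0.1 DST=10.0.0.20 "
    "LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=27951 PROTO=UDP SPT=137 DPT=48003 "
    "LEN=76"
)

# The log prefix ("IN-lan:") is glued directly onto the first field, IN=.
HEAD = re.compile(r"(?P<prefix>\S*?)IN=(?P<IN>\S*) OUT=(?P<OUT>\S*)")

def parse_netfilter_log(line):
    """Parse one kernel LOG-target line into a dict of fields."""
    m = HEAD.search(line)
    if m is None:
        return None  # not a netfilter LOG line
    fields = {"prefix": m["prefix"], "IN": m["IN"], "OUT": m["OUT"], "flags": []}
    for token in line[m.end():].split():
        key, sep, value = token.partition("=")
        if not sep:
            fields["flags"].append(token)   # bare tokens such as DF or SYN
        elif key == "LEN" and "LEN" in fields:
            fields["L4_LEN"] = value        # second LEN is the UDP length
        else:
            fields[key] = value
    return fields

def triage(fields):
    """Label a dropped packet; the labels are this example's own."""
    if fields is None:
        return "not-a-netfilter-line"
    try:
        dport = int(fields.get("DPT", ""))
    except ValueError:
        return "unclassified"
    if fields.get("PROTO") == "UDP" and fields.get("SPT") == "137" and dport >= 1024:
        # Unicast answer from the NetBIOS name service to a client's high port.
        return "netbios-ns-reply"
    return "unclassified"

if __name__ == "__main__":
    parsed = parse_netfilter_log(SAMPLE)
    print(parsed["prefix"], parsed["SRC"], "->", parsed["DST"], triage(parsed))
```

A NetBIOS name query is commonly sent to the subnet broadcast address while the answer comes back unicast from the server, so connection tracking may not pair the two; that is one plausible reading of this drop, not something the log line itself proves.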




