[Firehol-support] Using "client all accept" isn't enough to access samba shares

Costa Tsaousis costa at tsaousis.gr
Wed Feb 25 22:49:39 GMT 2009


Laurento Frittella wrote:
>>> Hi all,
>>> if I use "client all accept" (but I've tried with "client samba accept"
>>> too) firehol still filters some useful traffic:
>>>
>>> Dec 23 17:49:52 thot IN-lan:IN=eth0 OUT=
>>> MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=10.0.0.1 DST=10.0.0.20
>>> LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=27951 PROTO=UDP SPT=137 DPT=48003
>>> LEN=76 
>>>
>>> (where 10.0.0.1 is the samba server and 10.0.0.20 my notebook running
>>> firehol)
>>>
>>> If I stop firehol (disabling all filtering) all works well. How can I
>>> solve this issue?

I am very sorry, but you cannot. Check this:
http://firehol.sourceforge.net/services.html?#samba

What you can do is:

at the top of firehol.conf define this:

# Remote CIFS, to make samba work for clients
server_rcifs_ports="udp/1024:65535"
client_rcifs_ports="137"

then, in your interface add:

client samba accept
server rcifs accept src 10.0.0.1

Remember that this server statement opens all your high UDP ports from 
the samba server's port udp/137.

Costa
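
A log check for the configuration above, as an added example that is not part of the original message and is not FireHOL code: it parses netfilter log lines and reports whether `server rcifs accept src 10.0.0.1`, with the two port definitions given, would accept the packet. The function names are hypothetical, the first sample line is abbreviated from the post, and the other sample lines are constructed.

```shell
#!/bin/sh
# Added example (not FireHOL code): would a logged packet be accepted by
#   server rcifs accept src 10.0.0.1
# with server_rcifs_ports="udp/1024:65535" and client_rcifs_ports="137"?

# field LINE KEY: print the value of the first KEY=value token in LINE.
field() (
    set -f                          # no globbing while word-splitting $1
    for tok in $1; do
        case $tok in
            "$2="*) printf '%s\n' "${tok#*=}"; exit 0 ;;
        esac
    done
    exit 1
)

# rcifs_verdict LINE [SERVER]: print "accept" or "reject: <reason>".
rcifs_verdict() {
    server=${2:-10.0.0.1}           # assumed default: the samba server in the post
    proto=$(field "$1" PROTO) || proto=
    src=$(field "$1" SRC)     || src=
    spt=$(field "$1" SPT)     || spt=
    dpt=$(field "$1" DPT)     || dpt=
    [ "$proto" = UDP ]     || { echo "reject: proto '$proto'"; return 1; }
    [ "$src" = "$server" ] || { echo "reject: src '$src'"; return 1; }
    [ "$spt" = 137 ]       || { echo "reject: sport '$spt'"; return 1; }
    case $dpt in
        ''|*[!0-9]*) echo "reject: dport '$dpt'"; return 1 ;;
    esac
    if [ "$dpt" -lt 1024 ] || [ "$dpt" -gt 65535 ]; then
        echo "reject: dport '$dpt'"; return 1
    fi
    echo accept
}

# First line: the packet from the post, abbreviated. The rest are constructed.
LOG_POST='Dec 23 17:49:52 thot IN-lan:IN=eth0 OUT= SRC=10.0.0.1 DST=10.0.0.20 LEN=96 TTL=128 PROTO=UDP SPT=137 DPT=48003 LEN=76'
LOG_OTHER_SRC='IN-lan:IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.20 PROTO=UDP SPT=137 DPT=48003'
LOG_LOW_PORT='IN-lan:IN=eth0 OUT= SRC=10.0.0.1 DST=10.0.0.20 PROTO=UDP SPT=137 DPT=631'
LOG_TCP='IN-lan:IN=eth0 OUT= SRC=10.0.0.1 DST=10.0.0.20 PROTO=TCP SPT=137 DPT=48003'

for l in "$LOG_POST" "$LOG_OTHER_SRC" "$LOG_LOW_PORT" "$LOG_TCP"; do
    printf '%-26s <- %s\n' "$(rcifs_verdict "$l")" "$l"
done
```

Every destination port from 1024 up gets the same verdict as long as the packet comes from 10.0.0.1 port 137, which is the breadth the reply warns about.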




