My problem is very simple.
All machines are in one network.
Firewall is only for Internet connection (ISDN modem).
All authentication works fine.
But one special program can't get write-access to the specified file.
It is nonsense for me!
Two slightly different iptables setups work in a completely different
manner - the first is not secure, but it works.
The second is more secure (at least I hope so :)), but the program says
"can't write to file!". How can it influence file operations???

I am rather new to all this stuff.

> -----Original Message-----
> From: J. Currey [mailto:[EMAIL PROTECTED]
> Subject: Re: NetBIOS? problem
>
> I use NAT with a number of SMB machines successfully.
> I was not able to get all services behind the firewall.
> There must be a WINS service that provides the munged addresses.
> If you want it to respond to broadcasts (proxy) then it should be
> on the same network.
> You will probably want a WINS server inside too to provide real
> addresses to the NAT'd network.
> On one network (where I control the DHCP) I set the windows boxes to
> only use WINS, and assigned a WINS service, otherwise you'll need to
> manually set a WINS server on the box.
> The domain authentication ended up being separate from the WINS
> service (this was because of some domains authentication being NT and
> some being Linux), even the NT domains use SAMBA WINS service.
> I found I could not use Microsoft's WINS services because
> of its promiscuous nature, use the SAMBA NG 2.2+ stuff instead,
> it is stable and doesn't overwrite static settings on whim of the
> owner of the name.
> Announces from inside the NAT'd net to the outside WINS service can still
> screw it up, so don't do that.
> One of the problems with authentication is it always uses a broadcast,
> which I never successfully NAT'd to the inside, and even then the
> perspective inside was wrong, so the embedded addresses didn't make
> sense to the asker (as Joerg Wendland noted).
>
> A piece of /var/state/samba/wins.dat outside the NAT.
> (a bare bones samba only box)
>
> "^A^B__MSBROWSE__^B#01" 1005304692 255.255.255.255 84R
> "SMBDOMAIN#00" 0 255.255.255.255 c4R
> "SMBDOMAIN#1b" 0 10.3.0.88 44R
> "SMBDOMAIN#1c" 0 10.3.0.89 e4R
> "SMBDOMAIN#1e" 0 255.255.255.255 c4R
>
> You can also do
> "SMBDOMAIN#00" 0 10.3.0.88 255.255.255.255 c4R
>
> 10.3.0.88 is the public wins server giving NAT'd addresses.
>
> 1c is the domain authentication
> 10.3.0.89 is a sacrificial (bare bones) backup domain server (NT)
> to the domain server on the NAT'd network, they keep synchronized
> fine, as long as they use their local wins servers to locate each other.
>
> If you have a choice, I'd use the samba domain authentication instead.
>
> I really need to write more of this down.  I'd be glad to help
> with writing the code for IP-tables modules to fix some of these kludges,
> although I don't think it can overcome all the issues.
>
>       J. Currey
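
An added example, not part of the original thread: a small audit of a wins.dat file like the one quoted above, checking that the domain master browser (1b) and domain controller (1c) names are still static and still point at the intended hosts. The function names and the `expected` mapping are hypothetical, and treating a TTL of 0 as "static entry" is an assumption taken from the quoted records.

```python
import re

# One record: "NAME#TT" <ttl> <addr> [<addr> ...] <hexflags>R
# Assumption: ttl 0 marks a static entry, as in the quoted records.
RECORD = re.compile(
    r'^"(?P<name>.+)#(?P<type>[0-9a-fA-F]{2})"\s+(?P<ttl>\d+)\s+'
    r'(?P<addrs>(?:\d{1,3}(?:\.\d{1,3}){3}\s+)+)(?P<flags>[0-9a-fA-F]+)R$'
)

# Sample input: the records quoted in the message above.
SAMPLE = '''\
"^A^B__MSBROWSE__^B#01" 1005304692 255.255.255.255 84R
"SMBDOMAIN#00" 0 255.255.255.255 c4R
"SMBDOMAIN#1b" 0 10.3.0.88 44R
"SMBDOMAIN#1c" 0 10.3.0.89 e4R
"SMBDOMAIN#1e" 0 255.255.255.255 c4R
'''

def parse_wins(text):
    """Return one dict per well-formed record; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            records.append({
                "name": m["name"], "type": m["type"].lower(),
                "ttl": int(m["ttl"]), "addrs": m["addrs"].split(),
                "flags": int(m["flags"], 16)})
    return records

def audit(records, expected):
    """expected maps (name, type) -> set of addresses allowed for that name."""
    findings, seen = [], set()
    for r in records:
        key = (r["name"], r["type"])
        if key not in expected:
            continue
        seen.add(key)
        if r["ttl"] != 0:
            findings.append(f"{key[0]}#{key[1]}: no longer static (ttl {r['ttl']})")
        rogue = sorted(set(r["addrs"]) - expected[key])
        if rogue:
            findings.append(f"{key[0]}#{key[1]}: unexpected address {', '.join(rogue)}")
    for key in sorted(set(expected) - seen):
        findings.append(f"{key[0]}#{key[1]}: record missing")
    return findings
```

Run `audit(parse_wins(open(path).read()), expected)` periodically; any finding means a name registration has replaced or removed a record that was meant to stay fixed.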

