On Tue, 03 Dec 2002 02:56:52 +0900 youngdo wrote:

> PiA+IFsyMDAyLzEyLzAyIDE2OjU4OjAyLCAwXQ0KPiA+IG5tYmQvbm1iZF9iZWNvbWVfZG1iLmM6
> YmVjb21lX2RvbWFpbl9tYXN0ZXJfYnJvd3Nlcl9iY2FzdCgyOTEpDQo+ID4gYmVjb21lX2RvbWFp

[Ick, another base64-encoded message.  Grrr...]


> > > [2002/12/02 16:58:02, 0]
> > > nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(291)
> > > become_domain_master_browser_bcast:
> > >   Attempting to become domain master browser on workgroup WORK on subnet
> > > 192.168.1.254 [2002/12/02 16:58:02, 0]
> > > nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(305)
> > > become_domain_master_browser_bcast: querying subnet 192.168.1.254 for
> > > domain master browser on workgroup WORK [2002/12/02 16:58:04, 0]
> > > libsmb/nmblib.c:send_udp(756)
> > >   Packet send failed to 192.168.1.255(137) ERRNO=Operation not permitted
> > > ACCEPT          fw        loc           udp    137:139
> > 
> > The above rule allows UDP port 137 packets from your firewall to the local 
> > network. Is your local network 192.168.1.0/24? Are you seeing any Shorewall 
> > log messages about 192.168.1.255:137 ("shorewall show log")?
> > 
> 
> There are no contents of that kind.

While debugging this, it might be helpful to copy
/etc/shorewall/common.def to /etc/shorewall/common and comment
out the lines:

  run_iptables -A common -p udp --dport 137:139     -j REJECT
  run_iptables -A common -p udp --dport 445         -j REJECT
  run_iptables -A common -p tcp --dport 135         -j reject


Please correct me if I'm wrong, Tom, but I believe those lines will
prevent logging of NetBIOS traffic to the firewall.  On my notebook
($FW) I allow samba access from the vmware zone using:

  grep -i -e netbios -e microsoft /etc/shorewall/rules
  ACCEPT   vmware    $FW       udp netbios-ns,netbios-ssn,microsoft-ds
  ACCEPT   $FW       vmware    udp netbios-ns,netbios-ssn,microsoft-ds
  ACCEPT   vmware    $FW       tcp netbios-ns,netbios-ssn,microsoft-ds
  ACCEPT   $FW       vmware    tcp netbios-ns,netbios-ssn,microsoft-ds

where:

  netbios-ns   == port 137
  netbios-ssn  == port 139
  microsoft-ds == port 445

I suspect those rules are broader than necessary but they work for
me.  YMMV.

--Brad
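
The debugging step suggested above (copy common.def to common with the NetBIOS reject lines commented out), as an added example that is not part of the original message or of Shorewall. The function name `make_debug_common`, the `#DEBUG#` marker and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Shorewall's own code.
# make_debug_common SRC DST
#   Writes a copy of SRC (e.g. /etc/shorewall/common.def) to DST
#   (e.g. /etc/shorewall/common) with the "common" chain rules that
#   silently reject ports 137:139, 445 and 135 commented out.
#   Prints the number of rules it disabled.
make_debug_common() {
    src=$1 dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ "$src" != "$dst" ] || { echo "SRC and DST must differ" >&2; return 1; }
    : > "$dst" || return 1          # create/truncate DST, fail if unwritable
    awk -v dst="$dst" '
        # Only consider active (uncommented) rules appended to "common".
        /^[ \t]*run_iptables[ \t]+-A[ \t]+common[ \t]/ {
            port = ""; target = ""
            for (i = 1; i < NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j")      target = tolower($(i + 1))
            }
            if (target == "reject" &&
                (port == "137:139" || port == "445" || port == "135")) {
                print "#DEBUG# " $0 > dst   # keep the rule, but disabled
                n++
                next
            }
        }
        { print > dst }                     # everything else is unchanged
        END { print n + 0 }
    ' "$src"
}

# Demo on a constructed sample (the real file lives in /etc/shorewall).
demo_dir=$(mktemp -d)
cat > "$demo_dir/common.def" <<'EOF'
# constructed sample, not a real common.def
run_iptables -A common -p udp --dport 1900 -j DROP
  run_iptables -A common -p udp --dport 137:139     -j REJECT
  run_iptables -A common -p udp --dport 445         -j REJECT
  run_iptables -A common -p tcp --dport 135         -j reject
EOF
echo "rules disabled: $(make_debug_common "$demo_dir/common.def" "$demo_dir/common")"
cat "$demo_dir/common"
rm -rf "$demo_dir"
```

Removing the `#DEBUG# ` prefix, or deleting the generated file, restores the original behaviour once debugging is done.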


