On 10/10/07, Joe Morris (NTM) <[EMAIL PROTECTED]> wrote:
> TCP needs 139 and 445

looks like 445 is not needed, but anyway, I opened it

> >
> > So, I edited the firewall rules, and added also:
> > TCP 135, 138
> > UDP 137:138 445
> >
> UDP needs 137 and 138 at least.

yes, I have them open

> There seems to be some inconsistency with what you have said, so I am
> not sure what the problem is. With the ports you said, it should not
> have worked before. If it did work before, the kernel update should not
> have affected it. Perhaps it was the reboot that caused the problem,
> which would have reloaded the firewall, that caused the problem.

Dunno. But it worked, and I have rebooted the machine before.

> Does that allow it to work? If it does, make sure tcp 139 and 445 is
> open, and udp 137 and 138, and I believe 135 may help, IIRC.
>

Yes, they are open, and I checked with nmap from another machine on
the network, they appear open.

Now, I have read this article:
<http://wiki.suselinuxsupport.de/wikka.php?wakka=HowToFirewallLinuxHostSamba>

And tried what they have there, no joy.

Also, the standard configuration (not using sysconfig editor, as in the
article, but using the YaST firewall module) I did

eth0 - external interface
Allowed services: SSH, Samba server
No advanced conf.

Selecting the Samba server changed what's in Broadcast:
netbios-ns
netbios-dgm

This resulted in the following lines in /etc/sysconfig/SuSEfirewall2:

FW_SERVICES_EXT_TCP="22 microsoft-ds netbios-ssn"
FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"
FW_ALLOW_FW_BROADCAST_EXT="netbios-ns netbios-dgm"

This does not allow me to browse the network, I do not see any domain
or workgroup, as well as I can not log in as domain user, as it can
not find the domain controller.

When I try to browse the network, in the firewall log I see:

Oct 10 23:16:00 sunsuse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:11:4c:87:8a:00:90:27:99:8c:07:08:00 SRC=192.168.2.10 DST=192.168.2.222 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=36328 PROTO=UDP SPT=137 DPT=1090 LEN=70
Oct 10 23:16:00 sunsuse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:11:4c:87:8a:00:0c:29:e6:88:02:08:00 SRC=192.168.2.232 DST=192.168.2.222 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=20868 PROTO=UDP SPT=137 DPT=1090 LEN=70
Oct 10 23:16:00 sunsuse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:11:4c:87:8a:00:0c:29:69:00:dc:08:00 SRC=192.168.2.245 DST=192.168.2.222 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=29965 PROTO=UDP SPT=137 DPT=1090 LEN=70

Where 192.168.2.10 is the PDC, and 192.168.2.232 and 192.168.2.245 are
2 windows machines, which have one and the same workgroup, and are not
part of the domain. Till today's update, I was able to see both the
domain and the workgroup.

Now, here is what's in the /etc/sysconfig/SuSEfirewall2, when I follow
the advice from the article above, and put everything through
Yast/sysconfig editor:

FW_DEV_EXT - eth0 (not changed)
FW_SERVICES_EXT_TCP - changed from "22 microsoft-ds netbios-ssn" to "22 135 139"
FW_SERVICES_EXT_UDP - changed from "netbios-dgm netbios-ns" to "137 138"
FW_ALLOW_FW_BROADCAST_EXT - changed from "netbios-ns netbios-dgm" to "yes"

I did not edit anything about trusted networks.

After applying these settings, /etc/sysconfig/SuSEfirewall2 has these
entries (the relevant ones):

FW_SERVICES_EXT_TCP="22 135 139"
FW_SERVICES_EXT_UDP="137 138"
FW_ALLOW_FW_BROADCAST_EXT="yes"

And this does not work as well. Same problem - no network browsing,
and same entries in the firewall log. And it should be expected, as I
would guess that the UI just uses all the microsoft-xx and netbios-xxx
stuff as abbreviations for the corresponding ports.

iptables -L shows these relevant entries (I removed the LOG rules):

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:22
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:135
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:139
ACCEPT     udp  --  anywhere             anywhere            udp dpt:137
ACCEPT     udp  --  anywhere             anywhere            udp dpt:138

So, looks like everything is enabled, but it does not work at all. And
last 3 days it was working, and I did not change the firewall rules
today (before I started these testings for this post).

These are the packages I installed/updated the last 2 days:

OpenOffice_org-icon-themes-2.3.0.1.2-5.1      Wed 10 Oct 2007 03:40:50 PM CDT
kernel-syms-2.6.22.9-0.4                      Wed 10 Oct 2007 03:38:52 PM CDT
emacs-22.1-40.2                               Wed 10 Oct 2007 03:38:35 PM CDT
kernel-default-2.6.22.9-0.4                   Wed 10 Oct 2007 03:37:28 PM CDT
kernel-source-2.6.22.9-0.4                    Wed 10 Oct 2007 03:35:18 PM CDT
emacs-nox-22.1-40.2                           Wed 10 Oct 2007 03:30:54 PM CDT
emacs-info-22.1-40.2                          Wed 10 Oct 2007 03:30:45 PM CDT
koffice-illustration-1.6.3-60.1               Wed 10 Oct 2007 03:30:05 PM CDT
koffice-1.6.3-60.1                            Wed 10 Oct 2007 03:25:16 PM CDT
libqt4-x11-4.3.2-3.1                          Tue 09 Oct 2007 03:34:11 PM CDT
libqt4-qt3support-4.3.2-3.1                   Tue 09 Oct 2007 03:33:16 PM CDT
libqt4-sql-4.3.2-3.1                          Tue 09 Oct 2007 03:33:06 PM CDT
libqt4-dbus-1-4.3.2-3.1                       Tue 09 Oct 2007 03:33:04 PM CDT
libqt4-4.3.2-3.1                              Tue 09 Oct 2007 03:33:01 PM CDT
kssh-0.7-781.3                                Tue 09 Oct 2007 03:32:47 PM CDT
MPlayer-1.0rc2-1.pm.1                         Tue 09 Oct 2007 03:32:33 PM CDT
dejavu-2.20-0.pm.1                            Tue 09 Oct 2007 03:30:17 PM CDT
wine-0.9.46-12.3                              Tue 09 Oct 2007 03:29:43 PM CDT
openssl-0.9.8e-45.2                           Tue 09 Oct 2007 03:28:17 PM CDT
libopenssl-devel-0.9.8e-45.2                  Tue 09 Oct 2007 03:28:11 PM CDT
libopenssl0_9_8-0.9.8e-45.2                   Tue 09 Oct 2007 03:28:05 PM CDT
OpenOffice_org-calc-2.3.0.1.2-10.2            Tue 09 Oct 2007 03:27:54 PM CDT
openssl-certs-0.9.8e-45.2                     Tue 09 Oct 2007 03:27:39 PM CDT

So, the only change is the kernel. Yes, I understand that it shouldn't
change anything, but that's what happened, and I need to fix it somehow.

Btw, if net browsing works for you, would you be so kind to email me
your /etc/sysconfig/SuSEfirewall2 file, so I can compare?

Thanks.

--
Svetoslav Milenov (Sunny)

Even the most advanced equipment in the hands of the ignorant is just
a pile of scrap.
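
Added example, not part of the original message: a short Python script that parses the SFW2-INext-DROP-DEFLT entries quoted above and compares each dropped packet with the destination-port ACCEPT rules from the iptables -L listing. The names ALLOWED_DPT, parse_drop, classify and summarize are made up for this example, and treating destination ports of 1024 and above as client ports is an assumption.

```python
import re
from collections import Counter

# ACCEPT rules from the `iptables -L` listing in the post: (protocol, destination port).
ALLOWED_DPT = {("tcp", 22), ("tcp", 135), ("tcp", 139), ("udp", 137), ("udp", 138)}

# Drop entries from the post's firewall log (MAC, TOS, PREC, TTL and ID fields trimmed).
LOG = """\
Oct 10 23:16:00 sunsuse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.2.10 DST=192.168.2.222 LEN=90 PROTO=UDP SPT=137 DPT=1090 LEN=70
Oct 10 23:16:00 sunsuse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.2.232 DST=192.168.2.222 LEN=90 PROTO=UDP SPT=137 DPT=1090 LEN=70
Oct 10 23:16:00 sunsuse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.2.245 DST=192.168.2.222 LEN=90 PROTO=UDP SPT=137 DPT=1090 LEN=70
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def parse_drop(line):
    """Return the KEY=value fields of one SuSEfirewall2 log line, or None."""
    if "SFW2-" not in line:
        return None
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # LEN occurs twice (IP, then UDP); keep the first
    return fields

def classify(fields):
    """Compare one logged packet with the destination-port ACCEPT rules."""
    proto = fields["PROTO"].lower()
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    if (proto, dpt) in ALLOWED_DPT:
        return "allowed-dpt"              # an ACCEPT rule covers this destination port
    if (proto, spt) in ALLOWED_DPT and dpt >= 1024:  # assumption: >=1024 is a client port
        return "reply-from-service-port"  # sent *from* an opened port to a client port
    return "other"

def summarize(log_text):
    """Count logged packets per class and collect the source addresses seen."""
    counts, sources = Counter(), {}
    for line in log_text.splitlines():
        fields = parse_drop(line)
        if not fields or not {"PROTO", "SPT", "DPT", "SRC"} <= fields.keys():
            continue  # not a firewall line, or a protocol without ports (e.g. ICMP)
        kind = classify(fields)
        counts[kind] += 1
        sources.setdefault(kind, set()).add(fields["SRC"])
    return counts, sources

if __name__ == "__main__":
    counts, sources = summarize(LOG)
    for kind, n in counts.items():
        print(f"{kind}: {n} packet(s) from {sorted(sources[kind])}")
```

All three logged packets come from UDP source port 137 and go to destination port 1090, so none of the listed ACCEPT rules, which match on destination port only, applies to them.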
