I have been following the recent firewall thread with interest. I am trying to get nmblookup and findsmb to work too. Samba shares are visible from the Windows client and server, but nmblookup '*' only lists the local machine. I determined from the 'firewall' thread that my firewall could be the problem, and turned it off. Sure enough, all the machines in my domain showed up when I ran nmblookup '*' or findsmb. So there is something going on in my firewall chains.
Here is my ipchains setup.

Chain input (policy ACCEPT):
target  prot opt     source          destination     ports
ACCEPT  all  ------  anywhere        anywhere        n/a
ACCEPT  tcp  -y----  anywhere        anywhere        any -> smtp
ACCEPT  tcp  -y----  anywhere        anywhere        any -> http
ACCEPT  tcp  -y----  anywhere        anywhere        any -> ftp
ACCEPT  tcp  -y----  anywhere        anywhere        any -> ssh
ACCEPT  tcp  ------  192.168.0.0/24  anywhere        any -> netbios-ssn
ACCEPT  udp  ------  192.168.0.0/24  anywhere        any -> netbios-ns:netbios-ssn
ACCEPT  udp  ------  dns1.net        anywhere        domain -> any
ACCEPT  udp  ------  ns1.mydns.com   anywhere        domain -> any
ACCEPT  udp  ------  ns2.mydns.com   anywhere        domain -> any
REJECT  tcp  -y----  anywhere        anywhere        any -> any
REJECT  udp  ------  anywhere        anywhere        any -> any
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):

Please note that by default all output packets are accepted.

If I change input rule 7 (the first udp rule) to allow all udp packets,

ACCEPT  udp  ------  192.168.0.0/24  anywhere        any -> any

my findsmb lists all the machines in my domain. If I restrict this rule to allow only packets to ports 137:139,

ACCEPT  udp  ------  192.168.0.0/24  anywhere        any -> netbios-ns:netbios-ssn

only the local machine is listed by findsmb (or nmblookup), even though tcpdump shows udp packets coming in from all machines (to 137). So these packets are being rejected. This is very puzzling to me because the rule specifically allows 137:139.

If I modify the rule again to allow packets addressed to 1024: (1024 and above) only, findsmb will list all machines EXCEPT the local machine, and very slowly. Here tcpdump shows heavy traffic.

My question to a samba guru: exactly what ports do I need to accept udp packets on for samba to be fully functional? It seems that the response to a broadcast on 192.168.0.255 137 (netbios-ns) is responded to on ports other than 137:139, and that if 137:139 are the only ports whose packets are accepted, findsmb will not work. Thanks.
By looking through the archives I can see this is a recurring problem, but solutions are elusive. Maybe people get their network up and simply do not post their solution, I don't know. But, please, Mr. guru, help!

----- Original Message -----
From: "Ulrich Kohlhase" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, November 03, 2002 11:25 AM
Subject: [Samba] RE: firewall

> Justin,
>
> > -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 --syn -j ACCEPT
> > -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
> > -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 138 -j ACCEPT
>
> Did you specify OUTPUT rules also? You may want to try the following
> lines taken from a working server config. "keep_state" is a special
> chain for stateful inspection and logging purposes:
>
> -A INPUT -p tcp -s 192.168.1.0/24 --sport 1024: --dport 137:139 -j ACCEPT
> -A OUTPUT -p tcp -d 192.168.1.0/24 --sport 137:139 --dport 1024: -j keep_state
> -A OUTPUT -p tcp -d 192.168.1.0/24 --sport 1024: --dport 137:139 -j ACCEPT
> -A INPUT -p tcp -s 192.168.1.0/24 --sport 137:139 --dport 1024: -j keep_state
> -A INPUT -p udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
> -A OUTPUT -p udp -d 192.168.1.0/24 --dport 137:139 -j ACCEPT
>
> -N keep_state
> -A keep_state -m state --state INVALID -j DROP
> -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
> # debug, info, notice, warning, err, crit, alert and emerg
> -A keep_state -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level notice --log-prefix "Packets dropped: "
> -A keep_state -j DROP
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
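To make the port-range question in the post concrete, here is an added example (my own code, not from the post or from Samba): a small first-match evaluator with ipchains-style rule semantics, run over constructed packets against the three variants of input rule 7 that the post tried, plus one narrower variant of my own. It assumes that a NetBIOS name-query reply is sent from UDP port 137 back to whatever source port the query left from, and that nmblookup's query left from an ephemeral port (33001 is a made-up value). With that assumption, a rule that only accepts packets *to* 137:139 lets other hosts' own broadcasts in (the traffic tcpdump shows arriving on 137) but rejects the replies to the local query, which is consistent with what the post describes; whether it applies to a given setup is something to confirm with tcpdump by looking at the source port of the outgoing query.

```python
"""Added example (not from the list post): a first-match evaluator for
ipchains-style UDP rules, used to show which NetBIOS packets each variant
of the post's input rule 7 lets through. All packets are constructed; the
ephemeral source port 33001 for nmblookup's query is an assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

LAN = "192.168.0.0/24"
ANY_PORT: Tuple[int, int] = (0, 65535)


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    sport: int      # source UDP port
    dport: int      # destination UDP port
    proto: str = "udp"


@dataclass(frozen=True)
class Rule:
    target: str                         # "ACCEPT" or "REJECT"
    proto: str                          # "udp", "tcp" or "all"
    src: Optional[str] = None           # CIDR; None means "anywhere"
    sport: Tuple[int, int] = ANY_PORT   # inclusive range, like ipchains "137:139"
    dport: Tuple[int, int] = ANY_PORT

    def matches(self, p: Packet) -> bool:
        if self.proto != "all" and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        return (self.sport[0] <= p.sport <= self.sport[1]
                and self.dport[0] <= p.dport <= self.dport[1])


def verdict(chain: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """ipchains semantics: the first matching rule decides, else the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# Constructed packets as they would arrive on the input chain.
PACKETS = {
    # another LAN host's own broadcast name query (the traffic tcpdump shows "to 137")
    "peer_query": Packet("192.168.0.20", 137, 137),
    # a LAN host answering our nmblookup query: sent from 137 back to the
    # ephemeral port the query was sent from (assumed to be 33001 here)
    "peer_reply": Packet("192.168.0.20", 137, 33001),
    # the same reply shape from outside the LAN; must stay rejected
    "outside_reply": Packet("10.0.0.5", 137, 33001),
}

# The three variants of input rule 7 from the post, plus a narrower one of my
# own (not from the post) that keeps 137:139 open and additionally accepts
# replies coming *from* 137:139 to a high port, mirroring the shape of the
# quoted tcp "--sport 137:139 --dport 1024:" rule. Each chain ends with the
# catch-all "REJECT udp anywhere anywhere".
VARIANTS = {
    "137:139": [Rule("ACCEPT", "udp", LAN, dport=(137, 139))],
    "any": [Rule("ACCEPT", "udp", LAN)],
    "1024:": [Rule("ACCEPT", "udp", LAN, dport=(1024, 65535))],
    "137:139+replies": [Rule("ACCEPT", "udp", LAN, dport=(137, 139)),
                        Rule("ACCEPT", "udp", LAN, sport=(137, 139), dport=(1024, 65535))],
}
CATCH_ALL = Rule("REJECT", "udp")


def evaluate_variants():
    """Return {variant name: {packet name: verdict}} for every variant and packet."""
    return {name: {pname: verdict(rules + [CATCH_ALL], pkt)
                   for pname, pkt in PACKETS.items()}
            for name, rules in VARIANTS.items()}


if __name__ == "__main__":
    for name, results in evaluate_variants().items():
        print(f"{name:18s} " + "  ".join(f"{k}={v}" for k, v in results.items()))
```

Running it prints one line per variant; the "137:139" row rejects peer_reply, the "any" row accepts everything from the LAN, and the "1024:" row accepts the reply but rejects the peers' own queries to 137. The fourth variant is the narrowest of the four that accepts both LAN packets while still rejecting the off-LAN one, but it relies on the responder really using source port 137, which the capture should confirm before the rule is trusted.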
