Date: Tue, 6 Mar 2001 14:42:34 +1100
From: Murray Taylor <mtaylor@bytecraft.com.au>
To: "'freebsd-net@freebsd.org'" <freebsd-net@freebsd.org>, "'freebsd-questions@freebsd.org'" <freebsd-questions@freebsd.org>
Subject: Firewalls and Samba
Message-ID: <710709BB8B02D311942E006067441810544276@MELEXC01>
Why is the firewall stopping Samba ???

OS - FreeBSD 4.2
Samba - 2.0.7

The general network is based on NT 4 servers with a PDC and BDC server, WINS servers, and DHCP addressing for all but the main servers. This is the first machine on the network that is FreeBSD. (There WILL be more if I have my way ;-) As such the Samba settings have been set to prevent browser elections etc.

Until the firewall was set up, all has been OK.

Given the following Samba config file and the attached firewall rules, can it please be determined what is stopping W95 Explorer from finding the Samba shares?

>> This also all applies to W98 <<

Upon Windoze boot, if net.inet.ip.fw.enable = 1, the shares are not visible, and indeed W95 thinks that Spyder is not on the network. If I set sysctl net.inet.ip.fw.enable = 0, W95 can immediately see the shares, both home and the webadmin share. Then I can reset net.inet.ip.fw.enable = 1, and Spyder and its shares remain visible to those who have already accessed them.

Note that Spyder is pingable, telnetable, web browsable at all times from machines on our intranet.

EXAMPLE 1
If I select a Samba share with the firewall enabled, wait till W95 shows its hourglass, then quickly open the firewall via a telnet session, W95 then drops the hourglass and opens the share... so it appears that W95 is getting caught on something in a retry loop.

EXAMPLE 2
If I boot with the firewall enabled, W95 gets hung trying to reattach the shares. Cancelling the attachment allows the boot to continue. Explorer cannot open the shares and thinks that Spyder is not on the net. After disabling the firewall, the shares are still not visible from other programs (i.e. Notepad), unless and until I have selected the shares once in Explorer. Then all is AOK. I can then enable the firewall and continue.

I have a NAI Sniffer capture file available of the attempt to connect Explorer with the firewall active... which seems to me to show a successful connection??

Most of the ipfw rules are taken from the 'simple' setting in rc.firewall. Rule 150 is my last attempt to open the door.... The firewall is defaulted to accept at present.

*************
The 128.1.2.x numbers are a historical 'hangover' from early company intranet days and are being changed to 10.1.2.x this Friday evening (the ancient Chinese curse 'May you live in interesting times' will probably apply on this day/night...)

The firewall rules are established at present, but the modem will not be physically connected to tun0's serial port until after Friday.
*************

I am currently considering this a firewall problem, not a Samba problem, so am only posting it to -net and -questions at present.

Murray Taylor
Project Engineer
Bytecraft P/L
+61 3 9587 2555
+61 3 9587 1614 fax
mtaylor@bytecraft.com.au

----------8<-------smb.conf
# Samba config file created using SWAT
# from 128.1.2.48 (128.1.2.48)
# Date: 2001/02/28 10:03:54

# Global parameters
[global]
	workgroup = BYTEMELB
	netbios name = SPYDER
	interfaces = fxp0
	security = DOMAIN
	encrypt passwords = Yes
	password server = *
	os level = 0
	local master = No
	wins server = 128.1.2.3
	guest account = pcguest

[homes]
	comment = Home Directories
	writeable = Yes
	browseable = No

[webadmin]
	comment = Web Administrators
	path = /usr/web
	valid users = @webadmin
	writeable = Yes
	browseable = No

----------8<-------ipfw list output
00100 allow ip from any to any via lo0
00150 allow ip from any to any via fxp0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from any to 10.0.0.0/8 via tun0
00400 deny ip from any to 172.16.0.0/12 via tun0
00500 deny ip from any to 192.168.0.0/16 via tun0
00600 deny ip from any to 0.0.0.0/8 via tun0
00700 deny ip from any to 169.254.0.0/16 via tun0
00800 deny ip from any to 192.0.2.0/24 via tun0
00900 deny ip from any to 224.0.0.0/4 via tun0
01000 deny ip from any to 240.0.0.0/4 via tun0
01100 deny ip from 10.0.0.0/8 to any via tun0
01200 deny ip from 172.16.0.0/12 to any via tun0
01300 deny ip from 192.168.0.0/16 to any via tun0
01400 deny ip from 0.0.0.0/8 to any via tun0
01500 deny ip from 169.254.0.0/16 to any via tun0
01600 deny ip from 192.0.2.0/24 to any via tun0
01700 deny ip from 224.0.0.0/4 to any via tun0
01800 deny ip from 240.0.0.0/4 to any via tun0
01900 allow tcp from any to any established
02000 allow ip from any to any frag
02100 deny log logamount 100 tcp from any to any in recv tun0 setup
02200 allow tcp from any to any setup
65535 allow ip from any to any
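As an added example, not part of Murray's mail or of the FreeBSD project: a small Python evaluator for ipfw's first-match rule semantics, loaded with an excerpt of the rule list above. Instead of reading the list by eye, you hand it a constructed packet (protocol, addresses, direction, interfaces, TCP state) and it returns the rule that would fire. The sample packets model the NetBIOS name service (UDP 137) and SMB session (TCP 139) traffic a Windows client exchanges with a Samba server. The client address 128.1.2.48 is taken from the smb.conf header; the server address 128.1.2.5 and the external host 203.0.113.7 are assumptions, as is the excerpt of rules chosen. Only the keywords the mail's rules use are implemented.

```python
"""Trace which ipfw rule a packet hits; ipfw stops at the first match.

Added example, not from the original mail: an evaluator for ipfw(8)
first-match semantics, fed with an excerpt of the mail's rule list and
constructed packets. Only keywords present in that rule set are handled.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set

# Excerpt of the `ipfw list` output quoted in the mail (copied, not live).
IPFW_LIST = """\
00100 allow ip from any to any via lo0
00150 allow ip from any to any via fxp0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from any to 10.0.0.0/8 via tun0
01100 deny ip from 10.0.0.0/8 to any via tun0
01900 allow tcp from any to any established
02000 allow ip from any to any frag
02100 deny log logamount 100 tcp from any to any in recv tun0 setup
02200 allow tcp from any to any setup
65535 allow ip from any to any
"""


@dataclass
class Rule:
    number: int
    action: str
    proto: str                                  # "ip" matches any protocol
    src: Optional[ipaddress.IPv4Network]        # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    direction: Optional[str] = None             # "in" / "out"
    via: Optional[str] = None                   # receive OR transmit interface
    recv: Optional[str] = None                  # receive interface only
    xmit: Optional[str] = None                  # transmit interface only
    flags: Set[str] = field(default_factory=set)  # established / setup / frag
    text: str = ""


@dataclass
class Packet:
    """One pass of a packet through the firewall (constructed input)."""
    proto: str
    src: str
    dst: str
    direction: str                  # "in" (arriving) or "out" (leaving)
    recv: Optional[str] = None      # interface it arrived on
    xmit: Optional[str] = None      # interface it will leave on
    setup: bool = False             # TCP SYN without ACK
    established: bool = False       # TCP with ACK or RST set
    frag: bool = False              # non-first IP fragment


def parse_addr(tok: str):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    toks = line.split()
    number, action, i = int(toks[0]), toks[1], 2
    if toks[i] == "log":            # "log [logamount N]" does not affect matching
        i += 3 if toks[i + 1] == "logamount" else 1
    proto = toks[i]
    assert toks[i + 1] == "from" and toks[i + 3] == "to", line
    rule = Rule(number, action, proto, parse_addr(toks[i + 2]),
                parse_addr(toks[i + 4]), text=line)
    i += 5
    while i < len(toks):            # trailing options, any order
        t = toks[i]
        if t in ("in", "out"):
            rule.direction = t
        elif t in ("via", "recv", "xmit"):
            setattr(rule, t, toks[i + 1])
            i += 1
        elif t in ("established", "setup", "frag"):
            rule.flags.add(t)
        else:
            raise ValueError(f"unsupported keyword {t!r} in rule {number}")
        i += 1
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.via and rule.via not in (pkt.recv, pkt.xmit):
        return False
    if rule.recv and rule.recv != pkt.recv:
        return False
    if rule.xmit and rule.xmit != pkt.xmit:
        return False
    return all(getattr(pkt, f) for f in rule.flags)  # every flag must hold


def trace(rules, pkt: Packet) -> Rule:
    """Return the first matching rule, which is the one ipfw acts on."""
    for rule in rules:
        if matches(rule, pkt):
            return rule
    raise RuntimeError("no rule matched; a real ipfw always has rule 65535")


RULES = [parse_rule(l) for l in IPFW_LIST.splitlines() if l.strip()]

# Constructed packets. 128.1.2.48 is the client from the smb.conf header;
# 128.1.2.5 (the Samba host) and 203.0.113.7 (an Internet host) are assumed.
SAMPLES = {
    "udp137_in_fxp0": Packet("udp", "128.1.2.48", "128.1.2.255", "in", recv="fxp0"),
    "syn139_in_fxp0": Packet("tcp", "128.1.2.48", "128.1.2.5", "in", recv="fxp0", setup=True),
    "reply_out_fxp0": Packet("tcp", "128.1.2.5", "128.1.2.48", "out", xmit="fxp0", established=True),
    "syn139_in_tun0": Packet("tcp", "203.0.113.7", "128.1.2.5", "in", recv="tun0", setup=True),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        hit = trace(RULES, pkt)
        print(f"{label:16s} -> {hit.number:05d} {hit.action}")
```

Run as a script, the trace shows each LAN packet on fxp0 being matched by rule 150 in both directions, while a connection attempt arriving on tun0 is stopped by rule 2100. A trace like this is most useful alongside a capture: take the protocol, addresses, direction and TCP flags from the Sniffer file, build the packet, and confirm the firewall's decision instead of inferring it from the client's symptoms.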