Q: ipfwadm and Samba......Can anyone help?

Thomas Heide Clausen (T.Clausen@computer.org)
Thu, 08 Oct 1998 17:53:32 +0200 (CEST)


Greetings all!

Apologies if this question is either off-topic or very basic,
but a few hours of browsing and experimenting have not helped
much.

I am configuring a linux-box to use as a router between
two nets. No masquerading or otherwise fancy stuff is involved.

My wish is to have the router route "nothing but what is
explicitly permitted" - and apparently everything works just fine
thus far: I have set up basic policies using ipfwadm like this:

ipfwadm -F -p deny
ipfwadm -I -p deny
ipfwadm -O -p deny

and am able to allow e.g. telnet, ftp and other such services by
appropriate ipfwadm-lines.

One problem remains however: I would like to (well...I want to)
let some machines on the one net (let's call it
130.225.194.0/255.255.255.0) access samba-shares on one
machine on the other net (which we can call
130.225.195.100/255.255.255.0). I know, that three ports are in
use: 137, 138 (UDP) and 139 (TCP). I try to set up:

ipfwadm -F -a accept -P udp -S 130.225.194.0/255.255.255.0 \
-D 130.225.195.100 137 138
ipfwadm -F -a accept -P udp -S 130.225.194.0/255.255.255.0 \
-D 130.225.195.100 137 138
ipfwadm -F -a accept -P udp -S 130.225.194.0/255.255.255.0 \
-D 130.225.195.100 137 138

ipfwadm -F -a accept -P udp -S 130.225.194.0/255.255.255.0 \
-D 130.225.195.100 139
ipfwadm -F -a accept -P udp -S 130.225.194.0/255.255.255.0 \
-D 130.225.195.100 139
ipfwadm -F -a accept -P udp -S 130.225.194.0/255.255.255.0 \
-D 130.225.195.100 139

I also have rules to allow data "the other way", i.e. from
130.225.195.100 port 137, 138 and 139 to any port, any machine
on the net 130.225.194.0/255.255.255.0.

I have DNS through the router as do I have other services which
work properly. I can even telnet to port 139 on the machine
130.225.195.100.

However when I try to access a samba-share from that machine it
does not work. If I do \\machinename.domain\share (where
machinename.domain is a valid fqhn and share is an existing
share) I get an error that the machine and/or share does not
exist. When I use \\130.225.195.0\sharename it takes a while
before I get the error.

Using tcpdump, I cannot see any activity on either interface of
the router when I am using \\machinename.domain\share, whereas I
can see that the DNS-server is contacted when I use the
IP-address. Other than that: no activity at all.

I should add, that the IP-addresses and subnets I use (which are
not the above) _are_ assigned to me, and that the samba-server
in fact does allow the shares in question to be accessed.

If you have a clue from the above description what I might do
wrong, please let me know. If you may have a clue and just need
further information, I will be happy to provide you with it.

Or even better - if you have a working setup doing what I need
with ipfwadm, then I would be pleased to see a copy of your
ipfwadm-lines.

Thanks in advance for your help

- --thomas

ps: I am running a 2.0.* kernel.

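
An added example, not part of the original post: a small Python check that reads ipfwadm forward rules and lists which of the Samba ports named above (137/udp, 138/udp, 139/tcp) have no accept rule toward the server. The function names are illustrative, the sample rules are the quoted ones with repeats dropped, and the check assumes numeric ports and looks only at protocol, destination and destination port (not source, interface or the return direction).

```python
import ipaddress

# Ports the post names for Samba: 137 and 138 over UDP, 139 over TCP.
REQUIRED = [("udp", 137), ("udp", 138), ("tcp", 139)]

# Constructed sample: the forward rules as quoted in the post, repeats dropped.
RULES = """\
ipfwadm -F -p deny
ipfwadm -F -a accept -P udp -S 130.225.194.0/255.255.255.0 \\
 -D 130.225.195.100 137 138
ipfwadm -F -a accept -P udp -S 130.225.194.0/255.255.255.0 \\
 -D 130.225.195.100 139
"""

def parse_accepts(text):
    """Yield (proto, dst_network, dst_ports) for each forward accept rule."""
    for line in text.replace("\\\n", " ").splitlines():
        tok = line.split()
        if tok[:2] != ["ipfwadm", "-F"] or "-D" not in tok:
            continue
        if "-a" not in tok or tok[tok.index("-a") + 1] != "accept":
            continue
        proto = tok[tok.index("-P") + 1] if "-P" in tok else "all"
        d = tok.index("-D")
        net = ipaddress.ip_network(tok[d + 1], strict=False)
        ports = set()
        for p in tok[d + 2:]:          # numeric ports or lo:hi ranges
            if p.startswith("-"):
                break
            lo, _, hi = p.partition(":")
            ports.update(range(int(lo), int(hi or lo) + 1))
        yield proto, net, ports        # empty port set means "any port"

def uncovered(text, server, required=REQUIRED):
    """Return the required (proto, port) pairs no accept rule forwards to server."""
    rules = list(parse_accepts(text))
    addr = ipaddress.ip_address(server)
    return [(proto, port) for proto, port in required
            if not any(r_proto in (proto, "all") and addr in net
                       and (not ports or port in ports)
                       for r_proto, net, ports in rules)]

if __name__ == "__main__":
    for proto, port in uncovered(RULES, "130.225.195.100"):
        print(f"no forward accept rule for {proto}/{port}")
```
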