RE: Q: ipfwadm and Samba......Can anyone help?

Thomas Heide Clausen (T.Clausen@computer.org)
Thu, 08 Oct 1998 20:34:20 +0200 (CEST)


-----BEGIN PGP SIGNED MESSAGE-----

I will just correct myself here. I made a mistake when
pretty-printing the ipfwadm-lines for port 139 - it should be
TCP rather than UDP - however the problem remains.

- --thomas

On 08-Oct-98 Thomas Heide Clausen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Greetings all!
>
> Apologies if this question is either off-topic or very basic,
> but a few hours of browsing and experimenting has not helped
> much.
>
> I am configuring a Linux box to use as a router between two
> nets. No masquerading or otherwise fancy stuff is involved.
>
> My wish is to have the router route "nothing but what is
> explicitly permitted" - and apparently everything works just
> fine thus far: I have set up basic policies using ipfwadm
> like this:
>
> ipfwadm -F -p deny
> ipfwadm -I -p deny
> ipfwadm -O -p deny
>
> and am able to allow e.g. telnet, ftp and other such services
> by appropriate ipfwadm-lines.
>
> One problem remains however: I would like to (well...I want
> to) let some machines on the one net (let's call it
> 130.225.194.0/255.255.255.0) access samba-shares on one
> machine on the other net (which we can call
> 130.225.195.100/255.255.255.0). I know that three ports are
> in use: 137, 138 (UDP) and 139 (TCP). I try to set up:
>
> ipfwadm -F -a accept -P udp -S 130.225.194.0/255.255.255.0 \
> -D 130.225.195.100 137 138
> ipfwadm -F -a accept -P udp -S 130.225.194.0/255.255.255.0 \
> -D 130.225.195.100 137 138
> ipfwadm -F -a accept -P udp -S 130.225.194.0/255.255.255.0 \
> -D 130.225.195.100 137 138
>
> ipfwadm -F -a accept -P udp -S 130.225.194.0/255.255.255.0 \
> -D 130.225.195.100 139
> ipfwadm -F -a accept -P udp -S 130.225.194.0/255.255.255.0 \
> -D 130.225.195.100 139
> ipfwadm -F -a accept -P udp -S 130.225.194.0/255.255.255.0 \
> -D 130.225.195.100 139
>
> I also have rules to allow data "the other way", i.e. from
> 130.225.195.100 port 137, 138 and 139 to any port, any machine
> on the net 130.225.194.0/255.255.255.0.
>
> I have DNS through the router, as I have other services
> which work properly. I can even telnet to port 139 on the
> machine 130.225.195.100.
>
> However when I try to access a samba-share from that machine
> it does not work. If I do \\machinename.domain\share (where
> machinename.domain is a valid fqhn and share is an existing
> share) I get an error that the machine and/or share does not
> exist. When I use \\130.225.195.0\sharename it takes a while
> before I get the error.
>
> Using tcpdump, I cannot see any activity on either interface
> of the router when I am using \\machinename.domain\share,
> whereas I can see that the DNS-server is contacted when I use
> the IP-address. Other than that: no activity at all.
>
> I should add that the IP-addresses and subnets I use (which
> are not the above) _are_ assigned to me, and that the
> samba-server in fact does allow the shares in question to be
> accessed.
>
> If you have a clue from the above description what I might be
> doing wrong, please let me know. If you may have a clue and
> just need further information, I will be happy to provide it.
>
> Or even better - if you have a working setup doing what I need
> with ipfwadm, then I would be pleased to see a copy of your
> ipfwadm-lines.
>
> Thanks in advance for your help
>
> - --thomas
>
> ps: I am running a 2.0.* kernel.
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3ia
> Charset: noconv
>
> iQCVAwUBNhzfrMQLb2bL5bWVAQHlEAP+ObuxC+vgBAceU5QGluu7SASZ+RD/ZUrs
> LkZqK/KnL4ZNDIoM9UglTtofl7LkKHmTiuHe8thpez+4slI6HVmrWYlqJN3t/P6p
> YqbgAnJAcDukZmKBg7vHTKncR+QmoSIMCdKO9Y4rF1cmRXfbNSYThGn5SMI0Qy/Z
> sLrxXF91UoU=
> =AL9z
> -----END PGP SIGNATURE-----
> -
> To unsubscribe from this list: send the line "unsubscribe linux-net" in
> the body of a message to majordomo@vger.rutgers.edu

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBNh0FnMQLb2bL5bWVAQHvVgP9Go9HTZVNrcUL5oaiZVfwU1inYwanPLeH
nhlwj4Q6jXaYDcrS9MG3/47Vkd18ldrintjSpjapOr8RR+LKFETSoLHGn1lzJHjE
d5/F6aPhi+3T9rNmch2wuhkXkSbX1eBw9i5G3E7RKlIkanGhyqKC/16K1nj4DZW4
0EIDWkhpzgg=
=v/ty
-----END PGP SIGNATURE-----
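Added example (not part of the thread above, and not ipfwadm's own code): a small offline model of 2.0-kernel ipfwadm filtering, used to check the posted rule set against the author's own correction that port 139 must be TCP. It encodes two assumptions that should be stated: a routed packet must be accepted by the input (-I), forward (-F) and output (-O) chains in turn, and the three identical lines in the post are taken as one rule per chain. The packets and the 10.0.0.5 outsider address are constructed for the demonstration, and only the -p, -a, -P, -S and -D options with port lists are understood.

```python
"""Offline model of Linux 2.0 ipfwadm filtering for checking rule sets.

Added illustration, not the kernel's code. Modelling assumptions:
  * a forwarded packet must be accepted by the -I, -F and -O chains in turn;
  * within a chain the first matching rule decides, else the chain policy;
  * only -p, -a, -P, -S, -D and trailing port lists are understood.
"""
import ipaddress
import shlex

CHAINS = {"-I": "input", "-F": "forward", "-O": "output"}
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_line(line):
    """Return ('policy', chain, action) or ('rule', dict) for one ipfwadm line."""
    argv = shlex.split(line)
    if not argv or argv[0] != "ipfwadm":
        raise ValueError("not an ipfwadm line: " + line)
    rule = {"chain": None, "action": None, "proto": "all",
            "src": ANY, "sports": set(), "dst": ANY, "dports": set()}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in CHAINS:
            rule["chain"] = CHAINS[tok]
            i += 1
        elif tok == "-p":                       # chain default policy
            return "policy", rule["chain"], argv[i + 1]
        elif tok == "-a":
            rule["action"] = argv[i + 1]
            i += 2
        elif tok == "-P":
            rule["proto"] = argv[i + 1].lower()
            i += 2
        elif tok in ("-S", "-D"):
            side = "src" if tok == "-S" else "dst"
            # dotted netmasks ("/255.255.255.0") and bare hosts (/32) both work here
            rule[side] = ipaddress.ip_network(argv[i + 1], strict=False)
            i += 2
            ports = set()                       # optional port list after the address
            while i < len(argv) and argv[i].isdigit():
                ports.add(int(argv[i]))
                i += 1
            rule["sports" if side == "src" else "dports"] = ports
        else:
            raise ValueError("unsupported option: " + tok)
    if rule["chain"] is None or rule["action"] is None:
        raise ValueError("rule needs a chain and an action: " + line)
    return "rule", rule


def load_ruleset(text):
    policies = {"input": "deny", "forward": "deny", "output": "deny"}
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, *rest = parse_line(line)
        if kind == "policy":
            policies[rest[0]] = rest[1]
        else:
            rules.append(rest[0])
    return policies, rules


def matches(rule, pkt):
    return (rule["proto"] in ("all", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
            and (not rule["sports"] or pkt["sport"] in rule["sports"])
            and (not rule["dports"] or pkt["dport"] in rule["dports"]))


def chain_verdict(chain, policies, rules, pkt):
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["action"]
    return policies[chain]


def forward_verdict(ruleset_text, pkt):
    """Verdict for a packet the box would route from one net to the other."""
    policies, rules = load_ruleset(ruleset_text)
    for chain in ("input", "forward", "output"):
        if chain_verdict(chain, policies, rules, pkt) != "accept":
            return "deny"
    return "accept"


def per_chain(spec):
    """Same accept rule on -I, -F and -O (assumed reading of the post's triplicated lines)."""
    return "\n".join("ipfwadm %s -a accept %s" % (c, spec) for c in ("-I", "-F", "-O"))


POLICIES = "ipfwadm -F -p deny\nipfwadm -I -p deny\nipfwadm -O -p deny\n"
LAN = "130.225.194.0/255.255.255.0"
SMB = "130.225.195.100"

# As posted: UDP for 137/138 and, by the mistake the author later corrected, for 139 too.
POSTED = POLICIES + "\n".join([
    per_chain("-P udp -S %s -D %s 137 138" % (LAN, SMB)),
    per_chain("-P udp -S %s -D %s 139" % (LAN, SMB)),
    per_chain("-P udp -S %s 137 138 139 -D %s" % (SMB, LAN)),
])

# With the correction applied: 139 is TCP in both directions, 137/138 stay UDP.
CORRECTED = POLICIES + "\n".join([
    per_chain("-P udp -S %s -D %s 137 138" % (LAN, SMB)),
    per_chain("-P tcp -S %s -D %s 139" % (LAN, SMB)),
    per_chain("-P udp -S %s 137 138 -D %s" % (SMB, LAN)),
    per_chain("-P tcp -S %s 139 -D %s" % (SMB, LAN)),
])

# Constructed sample packets (not captured traffic).
SMB_SYN = {"proto": "tcp", "src": "130.225.194.10", "sport": 1025, "dst": SMB, "dport": 139}
SMB_REPLY = {"proto": "tcp", "src": SMB, "sport": 139, "dst": "130.225.194.10", "dport": 1025}
NAME_QUERY = {"proto": "udp", "src": "130.225.194.10", "sport": 137, "dst": SMB, "dport": 137}
OUTSIDER = {"proto": "tcp", "src": "10.0.0.5", "sport": 1025, "dst": SMB, "dport": 139}

if __name__ == "__main__":
    for name, pkt in [("SMB SYN", SMB_SYN), ("SMB reply", SMB_REPLY),
                      ("name query", NAME_QUERY), ("outsider", OUTSIDER)]:
        print("%-10s posted=%-6s corrected=%s" % (
            name, forward_verdict(POSTED, pkt), forward_verdict(CORRECTED, pkt)))
```

Run stand-alone, the model shows the posted rules dropping the TCP connection to port 139 in every chain (only a UDP rule exists for that port), while the corrected set accepts the session in both directions and still denies a source outside 130.225.194.0/24. It only says what the router does with packets that reach it; it cannot explain why the client sent nothing when the UNC name was used, which the thread leaves undiagnosed.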
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.rutgers.edu