Re: Q: ipfwadm and Samba......Can anyone help?

Glynn Clements (glynn@sensei.co.uk)
Thu, 8 Oct 1998 21:33:27 +0100 (BST)


Thomas Heide Clausen wrote:

> My wish is to have the router route "nothing but what is
> explicitly permitted" - and apparently everything works just fine
> thus far: I have set up basic policies using ipfwadm like this:
>
> ipfwadm -F -p deny
> ipfwadm -I -p deny
> ipfwadm -O -p deny

There is seldom any reason to restrict outbound traffic.

> One problem remains however: I would like to (well...I want to)
> let some machines on the one net (let's call it
> 130.225.194.0/255.255.255.0) access samba-shares on one
> machine on the other net (which we can call
> 130.225.195.100/255.255.255.0). I know, that three ports are in
> use: 137, 138 (UDP) and 139 (TCP). I try to set up:
>
> ipfwadm -F -a accept -P udp -S 130.225.194.0/255.255.255.0 \
> -D 130.225.195.100 137 138
> ipfwadm -F -a accept -P udp -S 130.225.194.0/255.255.255.0 \
> -D 130.225.195.100 137 138
> ipfwadm -F -a accept -P udp -S 130.225.194.0/255.255.255.0 \
> -D 130.225.195.100 137 138
>
> ipfwadm -F -a accept -P udp -S 130.225.194.0/255.255.255.0 \
> -D 130.225.195.100 139
> ipfwadm -F -a accept -P udp -S 130.225.194.0/255.255.255.0 \
> -D 130.225.195.100 139
> ipfwadm -F -a accept -P udp -S 130.225.194.0/255.255.255.0 \
> -D 130.225.195.100 139

The last block (port 139) should be `-P tcp'.

> I also have rules to allow data "the other way", i.e. from
> 130.225.195.100 port 137, 138 and 139 to any port, any machine
> on the net 130.225.194.0/255.255.255.0.

You don't need symmetric rules for TCP. You can use ipfwadm's -k
switch to allow replies but not inbound connections.

> I have DNS through the router as do I have other services which
> work properly. I can even telnet to port 139 on the machine
> 130.225.195.100.
>
> However when I try to access a samba-share from that machine it
> does not work. If I do \\machinename.domain\share (where
> machinename.domain is a valid fqhn and share is an existing
> share) I get an error that the machine and or share does not
> exist. When I use \\130.225.195.0\sharename it takes a while
> before I get the error.

NetBIOS names default to being resolved using the netbios-ns service
(UDP 137). This broadcasts the request, and the host having that name
replies with its address.

This won't work between different networks. You need to use a WINS
server or an lmhosts file instead.

-- 
Glynn Clements <glynn@sensei.co.uk>
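The rule set the reply implies (UDP 137/138 both ways, TCP 139 forward with a `-k` ACK-only rule for the return direction) and an lmhosts entry of the kind it recommends, written out as an added example. This is not code from either poster: the addresses are the ones quoted in the thread, the host name `SAMBAHOST` is made up, and `IPFWADM` defaults to `echo ipfwadm` so the script only prints the commands it would run (set `IPFWADM=ipfwadm` on a 2.0-series kernel to apply them).

```shell
#!/bin/sh
# Added example, not code from the original thread: the ipfwadm rule set
# Glynn's reply implies, plus a helper for the lmhosts entry he recommends.
# Addresses are the ones quoted in the thread. IPFWADM defaults to
# "echo ipfwadm" so the script is a dry run that prints the commands;
# set IPFWADM=ipfwadm on a 2.0-era kernel to apply them for real.
IPFWADM="${IPFWADM:-echo ipfwadm}"

CLIENT_NET="130.225.194.0/255.255.255.0"   # network holding the SMB clients
SMB_SERVER="130.225.195.100"               # the Samba host on the other net

# Emit the forwarding rules for SMB between CLIENT_NET and SMB_SERVER.
smb_forward_rules() {
    # Name service (137) and datagram service (138) are UDP request/reply
    # exchanges with no connection state, so both directions need a rule.
    $IPFWADM -F -a accept -P udp -S "$CLIENT_NET" -D "$SMB_SERVER" 137 138
    $IPFWADM -F -a accept -P udp -S "$SMB_SERVER" 137 138 -D "$CLIENT_NET"

    # Session service (139) is TCP, so the protocol must be tcp, not udp.
    $IPFWADM -F -a accept -P tcp -S "$CLIENT_NET" -D "$SMB_SERVER" 139
    # Return direction: -k matches only segments with ACK set. Every reply
    # carries ACK but an initial SYN from the server side does not, so the
    # server can answer without being able to open connections inbound.
    $IPFWADM -F -a accept -P tcp -k -S "$SMB_SERVER" 139 -D "$CLIENT_NET"
}

# Print an lmhosts line ("address name") mapping a NetBIOS name to an
# address, for clients that cannot reach the server by broadcast. Refuses
# names over 15 characters, the NetBIOS limit (the 16th byte is the
# resource-type suffix), since such a name could never match.
lmhosts_entry() {
    ip="$1"; name="$2"
    if [ "${#name}" -gt 15 ]; then
        echo "lmhosts_entry: '$name' exceeds 15 characters" >&2
        return 1
    fi
    printf '%s %s\n' "$ip" "$name"
}

# Dry-run usage: prints the four rules and a sample lmhosts line.
smb_forward_rules
lmhosts_entry "$SMB_SERVER" SAMBAHOST
```

The UDP rules are symmetric because ipfwadm keeps no state and has nothing like `-k` for UDP; the TCP return rule is the one place where `-k` lets you accept replies without accepting new connections from the server side. The lmhosts line goes on each client that needs to resolve the server's name; a WINS server does the same job centrally.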
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.rutgers.edu