Re: [Fwbuilder-discussion] configuring FWB for Samba
From: Claude J. <cla...@le...> - 2005-08-03 05:31:54
I took this quest over to the Fedora-list because I wasn't sure if it could
be other issues besides ports on the firewall - that led to a many hours
discussion, and lots of posts. The upshot was, after I got all else working,
I still had a firewall issue. I post the results of my last post over there,
with hopes one of you guys can get me over the last hurdle. My issue still
turns out, in part, a firewall issue, so my question on this comes about two
thirds of the way down this long post. To those also subscribed to the Fedora
list, I apologize for wasting your time. I'm bringing the final detail back
here, because it turns out in the end, that at least in part, my problem was
a Firewall Builder misconfiguration. Something else has to be opened up -
I'm hoping I can find it so I can exclude the problem with leaving the machine
inside-nic to lan wide open. Perhaps there's no problem with that - if
someone thinks that, let me know that, too. Thanks...

On Tue August 2 2005 7:39 pm, Alexander Dalloz wrote:
> > yes, but what did I win? ;-)
>
> It explains why "smbclient -L StudyPC" did lead you to the foreign host.
> Why did you set "search com"? Anyway, has nothing to do with Samba or
> your setup problems at all.
>

I didn't set that - it's either a default setting, or it got set by my doing
something without the slightest idea that the effect was that I was changing
that setting....

> > correcting something here, help my FC4 box see my Windoz boxes? It seems
> > like the big problem derives from the following example error in the smb
> > logfile:
> >
> > [2005/08/02 16:16:31, 0] smbd/negprot.c:reply_nt1(293)
> >   reply_nt1: smb signing is incompatible with share level security !
>
> That is at least no correct setting. I do not understand why you did set
> it.

Again, if I set this (it was set to 'auto' when I found it and I turned it to
'disable') I had no idea I was doing so - lest I sound completely clueless
here, I do Windows network administration all day long for my work, so I'm
actually pretty careful when I mess with settings... According to your quote
below, 'auto' should not have resulted in the above message, anyway.

> > I've been trying to figure out what smb signing is about, but the
> > documentation isn't too helpful - I found one suggestion to delete the
> > security line, and one to change it to user!
>
> http://www.samba.org/samba/docs/man/smb.conf.5.html
>
> server signing (G)
>
>         This controls whether the server offers or requires the client
>         it talks to to use SMB signing. Possible values are auto,
>         mandatory and disabled.
>
>         When set to auto, SMB signing is offered, but not enforced. When
>         set to mandatory, SMB signing is required and if set to
>         disabled, SMB signing is not offered either.
>
>         Default: server signing = Disabled
>
> > I just want to share one folder on my FC4 machine to my Windows boxes,
> > which I can now do, and I want my FC4 box to have access to my Windows
> > machines - pretty much everything there.
>
> Why don't you just use the smb.conf as how it ships with Fedora's rpm
> and adjust it slightly? And be sure what each command stands for.
>
> Make sure your network is set up properly (IPs / netmask). You can test
> netbios host resolving by running
>
> nmblookup <name of your samba host>
>
> Again, to exclude problems like iptables blocking make sure "smbclient"
> and "smbstatus" on localhost give proper results.

I tried this, but the clues left me clueless - however, you gave me an idea...
I created a new rule on my firewall, permitting ALL traffic between the inside
NIC and the Lan in BOTH directions. PRESTO - everything works now. So, the
question is, which additional port do I have to open up to make this all
work? Before opening all, I had 137 tcp/udp, 138 tcp/udp, 139 tcp,
445 tcp/udp open.

Can someone tell what I'm missing?

The problem with your advice, Alexander, is that it's good; but you make
people work for the knowledge for themselves - I appreciate that ;-)

> http://samba.org/samba/docs/man/Samba-HOWTO-Collection/

I already have these, plus the entire manual, printed out in two huge
loose-leaf binders.

So, this is the smb.conf now, for those who read this in the future:

[global]
ldap ssl = No
restrict anonymous = no
server string = Samba
max protocol = NT
server signing = Disabled
interfaces = 192.168.2.1 127.0.0.1
domain master = no
security = share
preferred master = no
bind interfaces only = yes
netbios name = VRPRODUCTIONS2

[CJ home]
case sensitive = no
guest ok = yes
msdfs proxy = no
read only = no
path = /home/cj
hosts allow = 192.168.2., 127.

On Tue July 26 2005 8:19 pm, ryan wrote:
> Claude Jones wrote:
> > On Tuesday 26 July 2005 10:57 am, ted creedon wrote:
> >>Worse than that you ARE sharing your harddrive with the world.
> >>
> >>Look at the logged packets on the Samba ports - they're being attacked
> >>constantly.
> >>
> >>I went to OpenAFS with Kerberos keying and encrypted data to get around
> >>that.
> >>
> >>tedc
> >
> > Well, when I tried this, I ONLY applied these rules to the inside NIC.
> > All such traffic on the outside NIC continued to be blocked/dropped. Am I
> > missing something?
>
> No, it's just easy to make a mistake and open up the ports entirely.
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> _______________________________________________
> Fwbuilder-discussion mailing list
> Fwb...@li...
> https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion

-- 
Claude Jones
Bluemont, VA, USA
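The smb.conf posted above, and the settings the thread argues about ("security = share", "server signing", "guest ok" on a writable share, "interfaces" / "bind interfaces only", "hosts allow"), can be checked mechanically. What follows is an added example written for this page; it is not code from the thread, from Samba or from Firewall Builder. The parser, the rule identifiers and the loopback/RFC 1918 prefix heuristic are mine; the defaults it assumes when a parameter is absent (security = user, server signing = Disabled as the quoted manual states, guest ok = no, read only = yes, bind interfaces only = no) are Samba's documented defaults of that era, stated here as assumptions; the sample config is constructed from the one posted in the message.

```python
"""Added example (not from the thread, Samba or Firewall Builder): review an
smb.conf for the settings discussed above and report what is exposed."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the [global] and [CJ home] sections posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
ldap ssl = No
restrict anonymous = no
server string = Samba
max protocol = NT
server signing = Disabled
interfaces = 192.168.2.1 127.0.0.1
domain master = no
security = share
preferred master = no
bind interfaces only = yes
netbios name = VRPRODUCTIONS2

[CJ home]
case sensitive = no
guest ok = yes
msdfs proxy = no
read only = no
path = /home/cj
hosts allow = 192.168.2., 127.
"""

Finding = Tuple[str, str, str]  # (section, rule id, message); rule ids are invented here

# 'hosts allow' prefixes treated as LAN-only: loopback plus the RFC 1918 ranges.
PRIVATE_PREFIXES = ("127.", "10.", "192.168.") + tuple(f"172.{n}." for n in range(16, 32))


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {parameter: value}}.
    Parameter names are lower-cased and whitespace-normalised (Samba treats
    them case- and whitespace-insensitively); comments and lines outside any
    section are ignored."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def lookup(conf: Dict[str, Dict[str, str]], section: str, key: str, default: str) -> str:
    """Share parameters fall back to [global] and then to the assumed default."""
    if key in conf.get(section, {}):
        return conf[section][key]
    return conf.get("global", {}).get(key, default)


def review_smb_conf(text: str) -> List[Finding]:
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings: List[Finding] = []
    security = g.get("security", "user").lower()          # assumed default: user
    signing = g.get("server signing", "disabled").lower()  # assumed default: Disabled
    if security == "share":
        findings.append(("global", "share-level-security",
                         "security = share: clients are not authenticated per user"))
        if signing in ("auto", "mandatory"):
            # The combination behind the 'smb signing is incompatible with share
            # level security' log line quoted in the thread.
            findings.append(("global", "signing-vs-share",
                             f"server signing = {signing} cannot be honoured with share-level security"))
    if signing == "disabled":
        findings.append(("global", "signing-disabled",
                         "server signing = disabled: signing is never offered, so sessions have no integrity protection"))
    if "interfaces" not in g or g.get("bind interfaces only", "no").lower() != "yes":
        findings.append(("global", "not-bound-to-interfaces",
                         "set 'interfaces' and 'bind interfaces only = yes' so smbd/nmbd listen on the LAN side only"))
    for name in conf:
        if name == "global":
            continue
        guest = lookup(conf, name, "guest ok", "no").lower() == "yes"
        writable = (lookup(conf, name, "read only", "yes").lower() == "no"
                    or lookup(conf, name, "writable", "no").lower() == "yes"
                    or lookup(conf, name, "writeable", "no").lower() == "yes")
        if guest and writable:
            findings.append((name, "guest-writable",
                             "guest ok = yes on a writable share: anyone who reaches the port can write to it"))
        allow = lookup(conf, name, "hosts allow", "")
        entries = [e for e in re.split(r"[,\s]+", allow) if e]
        if "EXCEPT" in entries:  # only the part before EXCEPT grants access
            entries = entries[:entries.index("EXCEPT")]
        if not entries:
            findings.append((name, "no-hosts-allow",
                             "no 'hosts allow': reachability is left entirely to the packet filter"))
        elif not all(e.startswith(PRIVATE_PREFIXES) for e in entries):
            # Hostnames and public ranges are reported conservatively.
            findings.append((name, "hosts-allow-not-lan",
                             f"hosts allow = {allow!r} admits something outside loopback/RFC 1918"))
    return findings


if __name__ == "__main__":
    for section, rule, message in review_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{section}] {rule}: {message}")
```

Run against the posted config it reports three things: share-level security, signing disabled, and a guest-writable share; the "interfaces" / "bind interfaces only" pair and the LAN-only "hosts allow" pass. Flipping "server signing" back to "auto" while "security = share" stays produces the "signing-vs-share" finding, which is the combination the quoted smbd log line complains about. None of this answers the open question of which firewall port is still missing; it only shows what the Samba side of the configuration exposes once the packet filter lets traffic through.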