SMB & Shorewall Confusion... <RH9>

rbrimhall
06-24-2003, 09:08 PM
I'm having a hard time trying to solve this. I've been to the samba site and the shorewall site to try and uncover answers, but most of the solutions don't seem to fix my problem (probably b/c I'm not doing it right, I'm sure). Anyways, for those in the know: I have a DSL modem connected to the Net and a 5-port hub that connects two computers and the modem. I've got samba configured correctly so that I can access files from linux and win xp when there is no firewall, but with shorewall on I get the "no master browser running..." comment. I know this is a firewall issue. I've followed the procedures recommended in the shorewall faq as well as some that I have found here in the forums. Essentially I have added the following to my shorewall rules:


#ACTION SOURCE DEST PROTO DEST-PORT(S) CLIENT-PORT(S)   (rules-file column order)
ACCEPT net fw ICMP Any 8
ACCEPT fw loc UDP Any 137:139
ACCEPT fw loc TCP Any 137,139
ACCEPT fw loc UDP 1024: 137
ACCEPT loc fw UDP Any 137:139
ACCEPT loc fw TCP Any 137,139
ACCEPT loc fw UDP 137 1024:
ACCEPT fw loc TCP Any 138
ACCEPT fw loc UDP Any 138
ACCEPT loc fw TCP Any 138
ACCEPT loc fw UDP Any 138

This should open up the samba ports within my LAN, right? But samba does not work... I've also added this to my samba file:

bind interfaces only = yes
interfaces = 127.0.0.1 192.168.1.96
hosts allow = 127.0.0.1
hosts deny = 0.0.0.0 192.168.1 EXCEPT <192.168.1.96>

I'm actually not sure what my windows box ip is, but this is what it gives me when I double click on the network connection... assigned by DHCP though...

should I uncomment this in smb.conf:
# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
; local master = no

Sorry for the long post and for posing a question that has been beaten to death so to speak but my resources seem to be running thin at this point. Any help welcomed...

jumpedintothefire
06-26-2003, 05:26 PM
Sorry, I don't run samba on my firewalls but I'll try to help.

I'd start by changing the TCP / UDP to tcp / udp.... can't recall if that is case sensitive.... but I use lower case....

I'd retest before making any of the changes below.....

I can't recall off the top of my head if the rules file or the common.def file is processed first, but from the docs at shorewall.net:
---------quote---------

Shorewall allows definition of rules that apply between all zones. By default, these rules are defined in the file /etc/shorewall/common.def but may be modified to suit individual requirements. Rather than modify /etc/shorewall/common.def, you should copy that file to /etc/shorewall/common and modify that file.

The /etc/shorewall/common file is expected to contain iptables commands; rather than running iptables directly, you should run it indirectly using the Shorewall function 'run_iptables'. That way, if iptables encounters an error, the firewall will be safely stopped.
---------------------------

Have a look in the /etc/shorewall/common.def file, you should see:

############################################################################
# NETBIOS chatter
#
run_iptables -A common -p udp --dport 135 -j reject
run_iptables -A common -p udp --dport 137:139 -j reject
run_iptables -A common -p udp --dport 445 -j reject
run_iptables -A common -p tcp --dport 139 -j reject
run_iptables -A common -p tcp --dport 445 -j reject
run_iptables -A common -p tcp --dport 135 -j reject
############################################################################

# out these lines and stop and start shorewall, retest..... working?? Hope this helps...
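As an added example (not code from either poster or from the Shorewall project), the following Python script audits a set of rules lines like those in the first post. It assumes the six-column rules-file layout ACTION SOURCE DEST PROTO DEST-PORT(S) CLIENT-PORT(S), treats "Any" or "-" as a wildcard port column, and lower-cases protocol names before comparing (this script's own normalisation, not a statement about what Shorewall requires). For each NetBIOS/SMB port named in the common.def excerpt in the reply, it reports which ACCEPT rules admit that port in a given direction and under which client-port condition, and separately whether any rule accepts those ports from the net zone. The embedded rulesets are constructed: a copy of the posted rules, and a deliberately bad one that exposes SMB to the net zone.

```python
"""Audit Shorewall-style rules lines for NetBIOS/SMB coverage (added example).

Assumed column layout (Shorewall 1.x rules file):
    ACTION  SOURCE  DEST  PROTO  DEST PORT(S)  CLIENT PORT(S)
'Any' or '-' in a port column is treated as a wildcard.  Protocol names are
lower-cased before comparison; that is this script's choice, not Shorewall's rule.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# NetBIOS/SMB services a LAN file share depends on (ports as listed in common.def).
SERVICES = {
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram (browser elections)",
    ("tcp", 139): "NetBIOS session (SMB)",
    ("tcp", 445): "SMB over TCP",
}

Ranges = Optional[List[Tuple[int, int]]]   # None means "any port"


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    dport_spec: str   # raw text of the DEST PORT column
    sport_spec: str   # raw text of the CLIENT PORT column
    dports: Ranges
    sports: Ranges


def parse_ports(spec: str) -> Ranges:
    """'Any'/'-' -> None; '137:139' -> [(137,139)]; '137,139' -> two singletons;
    '1024:' -> [(1024,65535)] (open-ended range)."""
    if spec.lower() in ("-", "any"):
        return None
    ranges = []
    for item in spec.split(","):
        if ":" in item:
            lo, hi = item.split(":", 1)
            ranges.append((int(lo) if lo else 1, int(hi) if hi else 65535))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def port_in(ranges: Ranges, port: int) -> bool:
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        cols += ["-"] * (6 - len(cols))        # missing trailing columns = wildcard
        action, src, dst, proto, dport, sport = cols[:6]
        rules.append(Rule(action.upper(), src, dst, proto.lower(), dport, sport,
                          parse_ports(dport), parse_ports(sport)))
    return rules


def coverage(rules: List[Rule], src: str, dst: str) -> Dict[Tuple[str, int], List[str]]:
    """For each SMB service, list the CLIENT PORT spec of every ACCEPT rule that
    admits it from zone src to zone dst.  A wildcard spec in the list means that
    rule accepts any client port; an empty list means nothing accepts the service."""
    return {svc: [r.sport_spec for r in rules
                  if r.action == "ACCEPT" and r.source == src and r.dest == dst
                  and r.proto == svc[0] and port_in(r.dports, svc[1])]
            for svc in SERVICES}


def unrestricted(rules: List[Rule], src: str, dst: str) -> List[Tuple[str, int]]:
    """Services accepted src->dst regardless of the client's source port."""
    return sorted(svc for svc, specs in coverage(rules, src, dst).items()
                  if any(s.lower() in ("-", "any") for s in specs))


def exposed_to_net(rules: List[Rule]) -> List[Tuple[str, int]]:
    """Services that some ACCEPT rule admits from the 'net' zone (should be empty)."""
    return sorted({svc for svc in SERVICES for r in rules
                   if r.action == "ACCEPT" and r.source == "net"
                   and r.proto == svc[0] and port_in(r.dports, svc[1])})


# Constructed copy of the rules from the first post.
POSTED_RULES = """
ACCEPT net fw ICMP Any 8
ACCEPT fw loc UDP Any 137:139
ACCEPT fw loc TCP Any 137,139
ACCEPT fw loc UDP 1024: 137
ACCEPT loc fw UDP Any 137:139
ACCEPT loc fw TCP Any 137,139
ACCEPT loc fw UDP 137 1024:
ACCEPT fw loc TCP Any 138
ACCEPT fw loc UDP Any 138
ACCEPT loc fw TCP Any 138
ACCEPT loc fw UDP Any 138
"""

# Constructed bad ruleset: SMB ports opened to the Internet-facing zone.
CONSTRUCTED_NET_RULES = "ACCEPT net fw tcp 445\nACCEPT net loc tcp 139 -\n"

if __name__ == "__main__":
    rules = parse_rules(POSTED_RULES)
    for direction in (("loc", "fw"), ("fw", "loc")):
        print("%s -> %s" % direction)
        for svc, specs in coverage(rules, *direction).items():
            print("  %s/%d %-36s client ports: %s"
                  % (svc[0], svc[1], SERVICES[svc], ", ".join(specs) or "NOT ACCEPTED"))
        print("  accepted from any client port:", unrestricted(rules, *direction))
    print("exposed to net:", exposed_to_net(rules))
    print("exposed to net (bad ruleset):", exposed_to_net(parse_rules(CONSTRUCTED_NET_RULES)))
```

Running it on the posted rules shows that every loc->fw ACCEPT for the SMB ports is conditional on the client's source port, and that none of those ports is accepted from the net zone; the second ruleset shows what the net-exposure check flags.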