Firewalling or SMB error?

Post by Christopher W. Curti » Wed, 19 Mar 1997 04:00:00



I have found what appears to be a bug in the firewalling (smb?) code:

System: Linux 2.0.29; ipfwadm 2.3.0

Network: A localnet on eth0
         Another net + Internet gateway on eth1

eth0 IP: *.*.70.71
eth1 IP: *.*.70.71

I am told that this IP sharing should not be a problem (Alan Cox).

Now, this is the error.  As a simple test, I've configured the firewall
with the default policy to accept on all interfaces, and the default
policy of the forwarding firewall to masquerade.

These are from my rc.local file:

/sbin/ipfwadm -I -W eth1 -P tcp -a deny -S 0/0 -D 0/0 netbios-ssn netbios-ns netbios-dgm
/sbin/ipfwadm -I -W eth1 -P udp -a deny -S 0/0 -D 0/0 netbios-ssn netbios-ns netbios-dgm
/sbin/ipfwadm -F -a masquerade

Now, the problem is that name browsing does not work on the local
network.  The machine simply does not appear.  According to ipfwadm,
the packet is accepted, which is what I'd expect, but it is not.
I tested with the above rules; with no rules; and with the interfaces
reversed.  It does not matter which interface the rule applies to,
browsing simply refuses to work.  However, with no rules, browsing
works fine.  The peculiar thing is that users on the localnet *can*
connect to the server's resources.  I don't know if remote users
are able to connect or not, as I have the shares limited in the
smb.conf file by IP address.

Here are the relevant lines from /etc/services:

netbios-ns      137/tcp                 # NETBIOS Name Service
netbios-ns      137/udp
netbios-dgm     138/tcp                 # NETBIOS Datagram Service
netbios-dgm     138/udp
netbios-ssn     139/tcp                 # NETBIOS session service
netbios-ssn     139/udp

Any help would be greatly appreciated.
Christopher
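As an added example (not code from the thread), here is a small Python replay of the two -I rules above, resolving the service names through the quoted /etc/services lines the way ipfwadm does: a NetBIOS datagram arriving on eth0 never matches the eth1 rules and falls through to the default accept, which is exactly what ipfwadm reports, while the same datagram inbound on eth1 is dropped silently by deny. The Rule representation and the evaluate() function are simplified assumptions for illustration, not ipfwadm's own data structures.

```python
from dataclasses import dataclass

# Constructed copy of the /etc/services lines quoted in the post.
SERVICES = """\
netbios-ns      137/tcp                 # NETBIOS Name Service
netbios-ns      137/udp
netbios-dgm     138/tcp                 # NETBIOS Datagram Service
netbios-dgm     138/udp
netbios-ssn     139/tcp                 # NETBIOS session service
netbios-ssn     139/udp
"""


def parse_services(text):
    """Map (service name, protocol) -> port number, ignoring comments."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port, proto = fields[1].split("/")
        table[(fields[0], proto)] = int(port)
    return table


@dataclass(frozen=True)
class Rule:
    iface: str          # -W interface the rule is bound to
    proto: str          # -P protocol
    policy: str         # -a accept | deny | reject
    dports: frozenset   # destination ports named after -D 0/0


def build_rules(svc):
    """The two -I deny rules from rc.local: NetBIOS ports, inbound on eth1."""
    names = ("netbios-ssn", "netbios-ns", "netbios-dgm")
    return [Rule("eth1", p, "deny", frozenset(svc[(n, p)] for n in names))
            for p in ("tcp", "udp")]


def evaluate(rules, iface, proto, dport, default="accept"):
    """First matching rule wins, else the chain's default policy applies.
    Returns (verdict, icmp_error): 'deny' drops silently, 'reject' drops
    and returns an ICMP error that the sender's stack hands to the
    application (errno 111, ECONNREFUSED, as noted later in the thread)."""
    for r in rules:
        if r.iface == iface and r.proto == proto and dport in r.dports:
            return r.policy, r.policy == "reject"
    return default, False
```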


Post by Rodney van den Oev » Thu, 20 Mar 1997 04:00:00



>I have found what appears to be a bug in the firewalling (smb?) code:
>System: Linux 2.0.29; ipfwadm 2.3.0

>Network: A localnet on eth0
>         Another net + Internet gateway on eth1

>eth0 IP: *.*.70.71
>eth1 IP: *.*.70.71

>I am told that this IP sharing should not be a problem (Alan Cox).

>Now, this is the error.  As a simple test, I've configured the firewall
>with the default policy to accept on all interfaces, and the default
>policy of the forwarding firewall to masquerade.

>These are from my rc.local file:

>/sbin/ipfwadm -I -W eth1 -P tcp -a deny -S 0/0 -D 0/0 netbios-ssn
>netbios-ns netbios-dgm
>/sbin/ipfwadm -I -W eth1 -P udp -a deny -S 0/0 -D 0/0 netbios-ssn
>netbios-ns netbios-dgm
>/sbin/ipfwadm -F -a masquerade

>Now, the problem is that name browsing does not work on the local
>network.  The machine simply does not appear.  According to ipfwadm,
>the packet is accepted, which is what I'd expect, but it is not.
>I tested with the above rules; with no rules; and with the interfaces
>reversed.  It does not matter which interface the rule applies to,
>browsing simply refuses to work.  However, with no rules, browsing

Browsing won't work this way; you need WINS (or Samba configured as a
WINS server) or lmhosts lookup. Browsing uses broadcasts.

>works fine.  The peculiar thing is that users on the localnet *can*
>connect to the server's resources.  I don't know if remote users
>are able to connect or not, as I have the shares limited in the
>smb.conf file by IP address.

>Here are the relevant lines from /etc/services:

>netbios-ns      137/tcp                 # NETBIOS Name Service
>netbios-ns      137/udp
>netbios-dgm     138/tcp                 # NETBIOS Datagram Service
>netbios-dgm     138/udp
>netbios-ssn     139/tcp                 # NETBIOS session service
>netbios-ssn     139/udp

>Any help would be greatly appreciated.
>Christopher


Post by Erik Corr » Fri, 21 Mar 1997 04:00:00



: I have found what appears to be a bug in the firewalling (smb?) code:

: System: Linux 2.0.29; ipfwadm 2.3.0

: Network: A localnet on eth0
:          Another net + Internet gateway on eth1

: eth0 IP: *.*.70.71
: eth1 IP: *.*.70.71

: I am told that this IP sharing should not be a problem (Alan Cox).

The point of masquerading is that you can have a private net on
one side, and the internet on the other side. This means you can
use private addresses on the inside like the 10.x.x.x net. You
don't need to have the same IP address on the internal and the
external connection.

I think having the same address on both interfaces is confusing
Samba. The 'interfaces' directive in Samba allows you to specify
interfaces by IP address and mask, but if that is identical on
both interfaces then Samba is likely to use both(?).

: Now, this is the error.  As a simple test, I've configured the firewall
: with the default policy to accept on all interfaces, and the default
: policy of the forwarding firewall to masquerade.

: These are from my rc.local file:

: /sbin/ipfwadm -I -W eth1 -P tcp -a deny -S 0/0 -D 0/0 netbios-ssn
: netbios-ns netbios-dgm
: /sbin/ipfwadm -I -W eth1 -P udp -a deny -S 0/0 -D 0/0 netbios-ssn
: netbios-ns netbios-dgm
: /sbin/ipfwadm -F -a masquerade

By using 'deny' and not 'reject' you cause the kernel to report
an error when a packet is sent to the interface. Perhaps Samba is
reacting to this error message.

You should have different subnet addresses on the private net to
those on the internet side of the masquerading host. If both sides
of the masquerading host are either Internet or both are private
then you don't need masquerading. The IP addresses on the ethernet
interfaces on the masquerading host should be part of the subnet
running on that ethernet segment. How about:

eth0:  10.1.1.71  - all machines on this net have 10.x.x.x addresses.
eth1:  *.*.70.71  - this is the side with Internet official addresses and
                        the gateway.

All this assuming it is impossible for you to get official addresses
for your internal net.


Post by Joerg Senekowitsc » Fri, 21 Mar 1997 04:00:00




>: Now, this is the error.  As a simple test, I've configured the firewall
>: with the default policy to accept on all interfaces, and the default
>: policy of the forwarding firewall to masquerade.

>: These are from my rc.local file:

>: /sbin/ipfwadm -I -W eth1 -P tcp -a deny -S 0/0 -D 0/0 netbios-ssn
>: netbios-ns netbios-dgm
>: /sbin/ipfwadm -I -W eth1 -P udp -a deny -S 0/0 -D 0/0 netbios-ssn
>: netbios-ns netbios-dgm
>: /sbin/ipfwadm -F -a masquerade

>By using 'deny' and not 'reject' you cause the kernel to report
>an error when a packet is sent to the interface. Perhaps Samba is
>reacting to this error message.

Maybe this is related: Linux responds to negative ICMP packets (destination
unreachable and permission denied) even from "other" subnets and passes them
on to the originating application (which then typically sees error 111,
Connection refused). We just confirmed this with a packet sniffer and
2.0.24/2.0.29 while tracing Samba browse problems. Our RS/6000 running
AIX 3.2.5 (correctly?) discards such packets and Samba never sees an
error.

Joerg

Post by Erik Corr » Thu, 03 Apr 1997 04:00:00





> >: Now, this is the error.  As a simple test, I've configured the firewall
> >: with the default policy to accept on all interfaces, and the default
> >: policy of the forwarding firewall to masquerade.

> >: These are from my rc.local file:

> >: /sbin/ipfwadm -I -W eth1 -P tcp -a deny -S 0/0 -D 0/0 netbios-ssn
> >: netbios-ns netbios-dgm
> >: /sbin/ipfwadm -I -W eth1 -P udp -a deny -S 0/0 -D 0/0 netbios-ssn
> >: netbios-ns netbios-dgm
> >: /sbin/ipfwadm -F -a masquerade

> >By using 'deny' and not 'reject' you cause the kernel to report
> >an error when a packet is sent to the interface. Perhaps Samba is
> >reacting to this error message.

I'd like to apologise for this, I got it the wrong way around :-(.
But my other comments about the curious way the original poster
wants to use a router and a firewall still apply.

> Maybe this is related: Linux responds to negative ICMP packets (destination
> unreachable and permission denied) even from "other" subnets and passes them
> on to the originating application (which then typically sees error 111,
> Connection refused). We just confirmed this with a packet sniffer and
> 2.0.24/2.0.29 while tracing Samba browse problems. Our RS/6000 running
> AIX 3.2.5 (correctly?) discards such packets and Samba never sees an
> error.

I'm curious as to why it is better to discard such packets. Surely if
the destination is unreachable it is better to tell the program that.
