Hi. I'm trying to use a Samba client on a debian-unstable box with kernel 2.4.18-rc2-ac2. I have an iptables filter which (with a few unrelated exceptions) allows outbound traffic, but does connection tracking on all packets and only allows inbound traffic in state ESTABLISHED or RELATED.
The problem is that NetBIOS name resolution works by sending a packet to the local network's broadcast address, udp port 137. The machine which has the requested name responds with a packet from udp/137. Obviously this doesn't work in my current setup; when the remote machine responds, there's no conntrack entry for it and the packet gets blocked.

The only way around this I can see is to allow every packet from my local network that comes from udp port 137. This isn't acceptable, since it allows anyone on the network to send me arbitrary udp traffic if they choose the right source port.

What would be nice is if a broadcast packet put in a conntrack entry for every host that the packet would reach. So if my local network were 1.2.3.0/24, and I sent a packet from udp/100 to 1.2.3.255 port udp/200, then the state table will accept a packet from *any* host on 1.2.3.0/24 with source port 200 and dest port 100. It would be even nicer if it didn't have to insert 256 different state entries to do it, but could have one entry that matches all those hosts. (My real-life network is a little bit bigger than the example.)

This seems like something that would be generally useful beyond SMB/NMB, since the present implementation would seem to break any protocol that uses broadcast UDP. Does this exist, or might there be some fairly simple way to implement it?

Thanks.

-- Nate Eldredge
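An added example, not part of the original message: the over-permissive "accept anything from udp/137" workaround the post rejects, next to a stateful ruleset that uses the netbios-ns conntrack helper (later kernels ship it as nf_conntrack_netbios_ns; it creates one masked expectation covering every host on the broadcast subnet, which is the behaviour asked for above). Interface and subnet names are placeholders; set IPTABLES=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Stateful filter for a LAN client that needs NetBIOS name-service (udp/137
# broadcast) replies to get through without opening all of udp sport 137.
# Dry run:  IPTABLES=echo sh netbios-rules.sh eth0 192.168.1.0/24
# Needs nf_conntrack_netbios_ns loadable; the CT target asks for it by name.
ipt() { "${IPTABLES:-iptables}" "$@"; }

# Weak rule from the post, for comparison only (never applied here): any host
# on the LAN can push arbitrary UDP at us just by using source port 137.
weak_rule() {
    printf '%s\n' "-A INPUT -s $1 -p udp --sport 137 -j ACCEPT"
}

# Hardened ruleset. $1 = LAN interface, $2 = LAN subnet (assumed placeholders).
netbios_rules() {
    lan_if=$1; lan_net=$2
    ipt -P INPUT DROP
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    # Attach the netbios-ns helper to outgoing name queries. The helper only
    # acts on packets sent to the interface's broadcast address; it then expects
    # a reply from any address in that subnet (one masked entry, not one per
    # host), source port 137, to the query's own source ip/port, for a few
    # seconds. Newer kernels no longer auto-assign helpers (nf_conntrack_helper
    # sysctl defaults to 0), so assign it explicitly in the raw table.
    ipt -t raw -A OUTPUT -o "$lan_if" -p udp --dport 137 -j CT --helper netbios-ns
    # The usual stateful rule; a reply matching the expectation is RELATED, so
    # nothing else from udp/137 is accepted.
    ipt -A INPUT -i "$lan_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Unsolicited traffic from the LAN, udp/137 included, still hits the DROP policy.
    ipt -A INPUT -i "$lan_if" -s "$lan_net" -p udp --sport 137 -j DROP
}

if [ "$#" -eq 2 ]; then
    netbios_rules "$1" "$2"
fi
```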
