I'm setting up a Samba 3 server on Ubuntu 10. The server will have five local shares, which it will provide to the local network (let's call that network 1.2.3.0/24). The samba server is a slave to the local Windows AD domain -- that is, the samba server does not do its own authentication but just passes along such requests to one of several local domain controllers that actually deal with them.
I'm not the admin of those domain controllers; I know almost nothing about running Windows systems. The samba server is located on a firewalled and NAT'd network inside the local environment. That is, it has a public address (let's call it 1.2.3.55) that's visible outside, while inside, it really lives at something like 192.168.0.8. NAT is confirmed working at this point via tcpdump on both sides. I'm trying to ascertain the necessary-and-sufficient set of firewall rules for this samba server. So far I've come up with this:

Bidirectional:
  - netbios-ns (port 137, UDP) to/from the local network
  - netbios-dgm (port 138, UDP) to/from the local network
  - netbios-ssn (port 139, TCP) to/from the local network
  - microsoft-ds (port 445, TCP) to/from the local network

Outbound only:
  - DNS (port 53, TCP and UDP) to DNS servers on the local network
  - NTP (port 123, TCP and UDP) to NTP servers on the local network
  - LDAP (port 389, TCP and UDP) to hosts on the local network
  - Kerberos (port 88, TCP and UDP) to hosts on the local network

Inbound only:
  - SSH from the local network, of course. ;-)

First, I suppose I should ask if there are any glaring omissions or inclusions. Second, I suspect that these rules are overly permissive in that, for example, I need only permit outbound LDAP to the domain controllers on the local network, and not to other hosts such as samba client systems. I also suspect that my major lack of clue with all things Windows means that some of the things I've listed as "bidirectional" don't need to be. I'd like to make these rules as tight as possible without breaking anything, so I'd be grateful for any guidance, especially if it involves pointing out my mistakes.
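An added example, not from the poster or the Samba project, that writes the rule set above as a stateful iptables script narrowed the way the post suggests: DNS, Kerberos, LDAP and NTP are allowed only to the domain controllers (the addresses 1.2.3.10 and 1.2.3.11 are assumed placeholders), and connection tracking lets TCP replies return, so only the UDP NetBIOS ports need explicit rules in both directions. NTP uses UDP 123 only, so no TCP 123 rule is written; by default the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Constructed example for a Samba 3 domain member on a NAT'd LAN.
LAN=1.2.3.0/24                 # client network from the post
DCS="1.2.3.10 1.2.3.11"        # assumed domain controller addresses (placeholders)
IPT=${IPT:-echo iptables}      # dry run by default; set IPT=iptables to apply

samba_rules() {
  # Default deny in every direction; allow loopback for smbd/winbind IPC.
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT DROP
  $IPT -A INPUT  -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  # Replies to permitted traffic return via conntrack, so TCP services
  # listed as "bidirectional" in the post need only an inbound NEW rule.
  $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Inbound from clients: NetBIOS session (139), direct-hosted SMB (445), SSH (22).
  for p in 139 445 22; do
    $IPT -A INPUT -s "$LAN" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
  done
  # NetBIOS name service and datagram/browsing are genuinely two-way UDP:
  # the server both answers and originates name queries and announcements.
  for p in 137 138; do
    $IPT -A INPUT  -s "$LAN" -p udp --dport "$p" -j ACCEPT
    $IPT -A OUTPUT -d "$LAN" -p udp --dport "$p" -j ACCEPT
  done
  # Outbound only, and only to the DCs: DNS (53), Kerberos (88), LDAP (389), NTP (123).
  for dc in $DCS; do
    for p in 53 88 389 123; do
      $IPT -A OUTPUT -d "$dc" -p udp --dport "$p" -j ACCEPT
    done
    for p in 53 88 389; do
      $IPT -A OUTPUT -d "$dc" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
  done
}

samba_rules
```

Winbind also reaches the DCs over TCP 445 for the netlogon secure channel, which the inbound-445 rule does not cover; the ESTABLISHED rule only handles replies, so add an outbound 445 NEW rule to the DCs if the server must originate that connection.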