Re: [opensuse] RE: Ports used for Samba service - Just one more time is someones knows the answer
Yes Option A: I have solved the issue. I was using samba in version 10.1 of Linux and it requires many destination Ports to be manually opened in a Suse 10.2 Workstation (I should update 10.1 Workstation and hence version of Samba to offset this issue). ALL working Fine. The Samba Server running on 10.1 allows me to see all workgroups from the 10.2

Regards
Scott

James Watkins wrote:
> On Saturday 14 April 2007 02:20, Registration Account wrote:
>
>> I have set up a samba server all o.k. I cannot even view any workgroup.
>> This is a result of internal security which I control. I was of the
>> belief that Samba uses Netbios for transmitting and advertising on the
>> LAN and have enabled TCP/UDP 137-139 on the required route
>> 192.168.100.0/24 that the workstations are on that I want Samba services
>> to be available.
>>
>
> Are you saying that:
>
> a) You have a linux machine that you are using to browse the network for
> Windows shares and you cannot 'see' any workgroups or domains.
>
> or
>
> b) You have a linux machine that you are using to serve files to Windows
> clients using Samba and the Windows machines cannot 'see' your linux box.
>
> If the answer is a), you may find that inserting the ip_conntrack_netbios_ns
> module helps. After looking at the output of tcpdump it looks like the
> following is happening, your browsing software broadcasts UDP packets on
> destination port 137 using a randomly chosen source port above 1024 and the
> Windows machines in the network reply using this same port as the destination
> port. Therefore, allowing these returned packets through your firewall is
> not a simple matter of opening any one specific port, hence the need for the
> connection tracking module.
>
> If the answer is b), not having nmbd running could be the problem.
>
> BTW, I recommend using tcpdump to look at the network traffic when attempting
> to diagnose network problems, it's very useful.
>
> HTH,
> James.
Re: [opensuse] RE: Ports used for Samba service - Just one more time is someones knows the answer
On Saturday 14 April 2007 02:20, Registration Account wrote:
> I have set up a samba server all o.k. I cannot even view any workgroup.
> This is a result of internal security which I control. I was of the
> belief that Samba uses Netbios for transmitting and advertising on the
> LAN and have enabled TCP/UDP 137-139 on the required route
> 192.168.100.0/24 that the workstations are on that I want Samba services
> to be available.

Are you saying that:

a) You have a linux machine that you are using to browse the network for Windows shares and you cannot 'see' any workgroups or domains.

or

b) You have a linux machine that you are using to serve files to Windows clients using Samba and the Windows machines cannot 'see' your linux box.

If the answer is a), you may find that inserting the ip_conntrack_netbios_ns module helps. After looking at the output of tcpdump it looks like the following is happening, your browsing software broadcasts UDP packets on destination port 137 using a randomly chosen source port above 1024 and the Windows machines in the network reply using this same port as the destination port. Therefore, allowing these returned packets through your firewall is not a simple matter of opening any one specific port, hence the need for the connection tracking module.

If the answer is b), not having nmbd running could be the problem.

BTW, I recommend using tcpdump to look at the network traffic when attempting to diagnose network problems, it's very useful.

HTH,
James.

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
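Added illustration, not part of James's message or the original thread: a toy Python model of the stateful-firewall behaviour he describes, showing why the unicast reply to a broadcast name query on UDP 137 is dropped by ordinary connection tracking and accepted once a netbios_ns-style helper registers an expectation. The host addresses and source port are constructed, and the model leaves out the short timeout a real helper applies to the expectation.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Tracker:
    """Toy stateful UDP filter: outbound is allowed, inbound only if expected."""

    def __init__(self, local_net, netbios_helper=False):
        self.net = ipaddress.ip_network(local_net)
        self.helper = netbios_helper
        self.flows = set()    # exact reply tuples (src, sport, dst, dport)
        self.expect = set()   # helper expectations (local_ip, local_port)

    def outbound(self, p):
        # Ordinary tracking: the reply must come from the address we sent to.
        self.flows.add((p.dst, p.dport, p.src, p.sport))
        # Helper: a broadcast name query may be answered by any host on the subnet.
        is_bcast = ipaddress.ip_address(p.dst) == self.net.broadcast_address
        if self.helper and p.dport == 137 and is_bcast:
            self.expect.add((p.src, p.sport))

    def inbound(self, p):
        if (p.src, p.sport, p.dst, p.dport) in self.flows:
            return "ACCEPT established"
        from_subnet = ipaddress.ip_address(p.src) in self.net
        if (p.dst, p.dport) in self.expect and p.sport == 137 and from_subnet:
            return "ACCEPT related"
        return "DROP"

def browse(helper, responder="192.168.100.23"):
    """Send one broadcast query and return the verdict on the responder's reply."""
    fw = Tracker("192.168.100.0/24", netbios_helper=helper)
    # Constructed traffic: client .10 picks source port 40321 for its query.
    fw.outbound(Packet("192.168.100.10", 40321, "192.168.100.255", 137))
    return fw.inbound(Packet(responder, 137, "192.168.100.10", 40321))

if __name__ == "__main__":
    print("without helper:", browse(False))
    print("with helper:   ", browse(True))
    print("off-subnet:    ", browse(True, "10.0.0.5"))
```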
Re: [opensuse] RE: Ports used for Samba service - Just one more time is someones knows the answer
On Saturday 14 April 2007 01:28:02 pm John Andersen wrote:
> On Saturday 14 April 2007, Registration Account wrote:
> > I have been running a test LAN, small group with such access limits.
> > There is nothing on the internet I cannot do with Ports above 1024
> > closed.
> >
> > If you need IRC, Messenger services like yahoo in MS do not open ports
> > 1024-65563. There is no requirement in a MS for them to be open.
>
> Your concept of ports being "open" or "closed" suggests a very cursory
> understanding of tcp networking.

Heh - I've been doing networking since '89 and I still don't quite "get" ports. All I know is that when I see ports 135, 139, 445 or 1214 open through nmap I start getting all tingly inside. :P

(Not that I would EVER do such a thing...)

--
kai
Free Compean and Ramos
http://www.grassfire.org/142/petition.asp
http://www.perfectreign.com/?q=node/46
Re: [opensuse] RE: Ports used for Samba service - Just one more time is someones knows the answer
On Saturday 14 April 2007, Registration Account wrote:
> I have been running a test LAN, small group with such access limits.
> There is nothing on the internet I cannot do with Ports above 1024 closed.
>
> If you need IRC, Messenger services like yahoo in MS do not open ports
> 1024-65563. There is no requirement in a MS for them to be open.

Your concept of ports being "open" or "closed" suggests a very cursory understanding of tcp networking.

Further, the discussion had nothing to do with the internet, it had only to do with samba on the local network.

I suggest you acquaint yourself with the "netstat -an" command on windows some time

--
_
John Andersen
Re: [opensuse] RE: Ports used for Samba service - Just one more time is someones knows the answer
On Saturday 14 April 2007, Registration Account wrote:
> Trust me.. It's my job occupation.

Which, in your opinion, seems to trump Microsoft's documentation to the contrary.

--
_
John Andersen
Re: [opensuse] RE: Ports used for Samba service - Just one more time is someones knows the answer
For a MS LAN - There is NO justification for allowing ANY port above 1024 to be open. I know what Microsoft's attitude to Port security is and it basically follows allow everything so we don't have to explain opening specific ports for games, voip, irc etc.

In a totally MS environment where all you want from your PC is business like applications to use there is NO reason on earth to permit anything above 1024.

I have been running a test LAN, small group with such access limits. There is nothing on the internet I cannot do with Ports above 1024 closed.

If you need IRC, Messenger services like yahoo in MS do not open ports 1024-65563. There is no requirement in a MS for them to be open.

Trust me.. It's my job occupation.

Scott :-X

John Andersen wrote:
> On Friday 13 April 2007, Darryl Gregorash wrote:
>
>> If you have any XP systems in the network you must also enable port 445
>> on TCP.
>>
>> The port 1024 reference someone mentioned is in error.
>>
>
> No, it wasn't.
>
> The actual reference was to udp port 1024: which is shorewall shorthand
> for 1024 and up.
>
> If you are not aware of the use of this in the windows environment
> you can read up on RPC, DFSR, TrkSvr, and MSDTC services here
> http://support.microsoft.com/kb/832017
>
> The larger your domain (most especially if you USE a domain at all)
> you need to allow egress on udp and tcp to the from the server to the
> local network.
>
> In a simple home network without a domain you can get by without these.
Re: [opensuse] RE: Ports used for Samba service - Just one more time is someones knows the answer
On Friday 13 April 2007, Darryl Gregorash wrote:
> If you have any XP systems in the network you must also enable port 445
> on TCP.
>
> The port 1024 reference someone mentioned is in error.

No, it wasn't.

The actual reference was to udp port 1024: which is shorewall shorthand for 1024 and up.

If you are not aware of the use of this in the windows environment you can read up on RPC, DFSR, TrkSvr, and MSDTC services here http://support.microsoft.com/kb/832017

The larger your domain (most especially if you USE a domain at all) you need to allow egress on udp and tcp to the from the server to the local network.

In a simple home network without a domain you can get by without these.

--
_
John Andersen
Re: [opensuse] RE: Ports used for Samba service - Just one more time is someones knows the answer
On 2007-04-13 19:20, Registration Account wrote:
>

Double oops: you must also allow broadcasting on port 137 (FW_ALLOW_FW_BROADCAST_INT in /etc/sysconfig/SuSEfirewall2).

--
Moral indignation is jealousy with a halo. -- HG Wells
Re: [opensuse] RE: Ports used for Samba service - Just one more time is someones knows the answer
On 2007-04-13 19:20, Registration Account wrote:
> I have set up a samba server all o.k. I cannot even view any workgroup.
>

Oops -- Just one addendum that I think no one mentioned before: you need service nmbd running in addition to the Samba server.

--
Moral indignation is jealousy with a halo. -- HG Wells
Re: [opensuse] RE: Ports used for Samba service - Just one more time is someones knows the answer
On 2007-04-13 19:20, Registration Account wrote:
> I have set up a samba server all o.k. I cannot even view any workgroup.
> This is a result of internal security which I control. I was of the
> belief that Samba uses Netbios for transmitting and advertising on the
> LAN and have enabled TCP/UDP 137-139 on the required route
> 192.168.100.0/24 that the workstations are on that I want Samba services
> to be available.
>

Explicitly verify in /etc/sysconfig/SuSEfirewall2 that FW_SERVICES_INT_TCP and FW_SERVICES_INT_UDP include this port range. You actually don't need all the ports in both places, but it doesn't really make any difference -- for example, on my system I have UDP open for port 137 only. Do note that port ranges are specified using a colon, eg. 137:139.

If you have any XP systems in the network you must also enable port 445 on TCP.

The port 1024 reference someone mentioned is in error.

--
Moral indignation is jealousy with a halo. -- HG Wells
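Added example, not from the thread or from SuSEfirewall2 itself: a Python check of the three variables Darryl names against the ports listed in this thread, which also catches a range written with a dash instead of a colon. The sample file contents are constructed, and the script assumes numeric ports only (service names are ignored) and that FW_ALLOW_FW_BROADCAST_INT takes "yes", "no" or a port list.

```python
import re

# Ports given in this thread for Samba on the internal zone (445/tcp if XP clients).
REQUIRED = {"FW_SERVICES_INT_UDP": [137, 138],
            "FW_SERVICES_INT_TCP": [139, 445]}

def parse_sysconfig(text):
    """Return {NAME: value} for NAME="value" lines; comment lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Z0-9_]+)="?([^"]*)"?\s*$', line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg

def covers(spec, port):
    """True if a space-separated list of ports or lo:hi ranges includes port."""
    for tok in spec.split():
        lo, _, hi = tok.partition(":")
        hi = hi or lo
        if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
            return True
    return False

def audit(text):
    """List every required port or setting the config does not provide."""
    cfg = parse_sysconfig(text)
    missing = [f"{var} lacks {port}" for var, ports in REQUIRED.items()
               for port in ports if not covers(cfg.get(var, ""), port)]
    bcast = cfg.get("FW_ALLOW_FW_BROADCAST_INT", "no")
    if bcast != "yes" and not covers(bcast, 137):
        missing.append("FW_ALLOW_FW_BROADCAST_INT lacks 137")
    return missing

# Constructed samples: BAD writes the range with a dash and omits 445.
BAD = '''FW_SERVICES_INT_TCP="139"
FW_SERVICES_INT_UDP="137-139"
FW_ALLOW_FW_BROADCAST_INT="no"
'''
GOOD = '''FW_SERVICES_INT_TCP="139 445"
FW_SERVICES_INT_UDP="137:139"
FW_ALLOW_FW_BROADCAST_INT="137"
'''

if __name__ == "__main__":
    print("BAD :", audit(BAD))
    print("GOOD:", audit(GOOD))
```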
[opensuse] RE: Ports used for Samba service - Just one more time is someones knows the answer
I have set up a samba server all o.k. I cannot even view any workgroup. This is a result of internal security which I control. I was of the belief that Samba uses Netbios for transmitting and advertising on the LAN and have enabled TCP/UDP 137-139 on the required route 192.168.100.0/24 that the workstations are on that I want Samba services to be available.

As I cannot see the workgroup I have obviously missed some other dependent Ports to Samba services. Can anyone tell me which Ports are required to be open. This has nothing to do with the PC firewall which is correctly displaying 'samba server' on the PC that is running the process and I have tried turning off all PC firewalls on the PC's which I want samba services to be available.

If someone can let me know what Ports Samba requires I can correct the Internal Security issue.

Many Thanks

Scott

Thanks to those who have offered suggestions

udp 137:139
tcp 137,139
udp 137

udp 137:139
tcp 137,139

In my original text above I already have enabled these Ports - These ports as a group represent Netbios!

As for Port 1024 - It is currently reserved not for use and no one has requested its reservation

udp 1024: 137

--
_
John Andersen

udp 137, 138
tcp 139 (and if xp) 445

John - Again I have already opened these Ports with the exception of TCP/UDP 445 - which is designated as Microsoft - DNS. Opening or closing port 445 on a Linux or Windows XP has no consequences. Port 445 is only one of the ports used by Microsoft to facilitate remote-access and is not applicable.

--
Joe Morris
Registered Linux user 231871 running openSUSE 10.2 x86_64

udp 137, 138
tcp 139 (and if xp) 445

Joe - please see above.

With respect to XP security you want to add a large section of remote access capability you need to halt the process SVCHOST.exe. This process is not widely understood, however it is an integral part of remote access.

If you deny this service (and there are multiple copies normally running) you will inhibit, Synchronisation of Date/Time, Auto Downloads of uplodes, AND you will stop the abundant number of messages sent via either HTTP AND HTTPS that are sent automatically to Microsoft every 3-5 minutes. There is no knowledge of the contents of this traffic or why it is initiated - it plays NO part in checking for MS updates - only auto downloading them.

Apart from that XP will function perfectly and if you have a large Network it will cut your traffic down quite a bit.

Now back to Samba - The Samba Server Must use a Port number to facilitate comms to it. I just thought that someone might still know off the top of their head which Port(s) it requires. The Port will of course be above 1024.

Any other security consultants out there who might know - No Problem if there is not - I can monitor the LAN with Wireshark, however it is my last resort as it would take many hours of recording Lan traffic and sitting down for analysis.

Scott
Re: [opensuse] RE: Ports used for Samba service
Registration Account wrote:
> If someone can let me know what Ports Samba requires I can correct the
> Internal Security issue.
>

udp 137, 138
tcp 139 (and if xp) 445

--
Joe Morris
Registered Linux user 231871 running openSUSE 10.2 x86_64
Re: [opensuse] RE: Ports used for Samba service
On Wednesday 11 April 2007, Registration Account wrote:
> I have set up a samba server all o.k. I cannot even view any workgroup.
> This is a result of internal security which I control. I was of the
> belief that Samba uses Netbios for transmitting and advertising on the
> LAN and have enabled TCP/UDP 137-139 on the required route
> 192.168.100.0/24 that the workstations are on that I want Samba services
> to be available.
>
> As I cannot see the workgroup I have obviously missed some other
> dependent Ports to Samba services. Can anyone tell me which Ports are
> required to be open. This has nothing to do with the PC firewall which is
> correctly displaying 'samba server' on the PC that is running the
> process and I have tried turning off all PC firewalls on the PC's which
> I want samba services to be available.
>
> If someone can let me know what Ports Samba requires I can correct the
> Internal Security issue.
>
> Many Thanks
>
> Scott

udp 137:139
tcp 137,139
udp 1024: 137

udp 137:139
tcp 137,139
udp 1024: 137

--
_
John Andersen
[opensuse] RE: Ports used for Samba service
I have set up a samba server all o.k. I cannot even view any workgroup. This is a result of internal security which I control. I was of the belief that Samba uses Netbios for transmitting and advertising on the LAN and have enabled TCP/UDP 137-139 on the required route 192.168.100.0/24 that the workstations are on that I want Samba services to be available.

As I cannot see the workgroup I have obviously missed some other dependent Ports to Samba services. Can anyone tell me which Ports are required to be open. This has nothing to do with the PC firewall which is correctly displaying 'samba server' on the PC that is running the process and I have tried turning off all PC firewalls on the PC's which I want samba services to be available.

If someone can let me know what Ports Samba requires I can correct the Internal Security issue.

Many Thanks

Scott