[Samba] Firewall rules to block other's computers browse list

2009-07-27 Thread MargoAndTodd

Hi All,

My Samba server/firewall has three (two real, one
virtual) network cards:

eth0.5: connects to a terminal server
eth0: internal network with about 10 XP workstations
eth1: the Internet

Samba is set to talk to only 12.0.0.1, eth0.5
and eth0.

I have my firewall iptables rules set so that
users on eth0.5 can only use the samba server
on my server.  They can not share with any other
user on eth0.  Tested and it works.  So far so good.

Problem: users on eth0.5 can still see eth0 workstations
on their browse list.  Even though they can not do
anything with them, it would still be nice if eth0.5
users could not see them at all.

I believe these are the offending rules:

   tbls=iptables   # assumed: the iptables command variable is not shown in the post
   VlanNic=eth0.5
   Vlan_mask=24
   Vlan_net=192.168.254.0/$Vlan_mask
   Vlan_Broadcast=192.168.254.255

   # NetBIOS name service (UDP 137) from the VLAN to its broadcast address
   $tbls -A Vlan-in   -i $VlanNic  -p udp  -s $Vlan_net -d \
   $Vlan_Broadcast --dport netbios-ns    -j ACCEPT

   # NetBIOS datagram service (UDP 138) from the VLAN to its broadcast address
   $tbls -A Vlan-in   -i $VlanNic  -p udp  -s $Vlan_net -d \
   $Vlan_Broadcast --dport netbios-dgm   -j ACCEPT

I have found that if I do not open up these two rules,
domain users on eth0.5 can not get past their user name and
password prompts.

How do I block eth0 workstations from eth0.5's browse list?

Many thanks,
-T
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Firewall rules to block other's computers browse list

2009-07-27 Thread David Christensen
MargoAndTodd wrote:
 My Samba server/firewall has three (two real, one virtual) network
 cards:
 eth0.5: connects to a terminal server
 eth0: internal network with about 10 XP workstations
 eth1: the Internet

An Internet firewall should be a dedicated machine.  I use IPCop:

http://www.ipcop.org/

IPCop has a reasonably simple installer, an excellent CGI interface,
lots of features, and is light-weight -- I ran a Pentium 166 machine
with 32 MB RAM, 4 GB HDD, and three 10/100 Mbps NICs until recently.
It could have used more RAM, but it worked.


HTH,

David


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Firewall rules to block other's computers browse list

2009-07-27 Thread John H Terpstra - Samba Team
On 07/27/2009 06:39 PM, David Christensen wrote:
 MargoAndTodd wrote:
 My Samba server/firewall has three (two real, one virtual) network
 cards:
 eth0.5: connects to a terminal server
 eth0: internal network with about 10 XP workstations
 eth1: the Internet
 
 An Internet firewall should be a dedicated machine.  

Please help us to understand why an Internet firewall should be a
dedicated machine. There might be one or two people on this list who
would disagree with this assertion.

Cheers,
John T.

 I use IPCop:
 
 http://www.ipcop.org/
 
 IPCop has a reasonably simple installer, an excellent CGI interface,
 lots of features, and is light-weight -- I ran a Pentium 166 machine
 with 32 MB RAM, 4 GB HDD, and three 10/100 Mbps NICs until recently.
 It could have used more RAM, but it worked.
 
 
 HTH,
 
 David
 
 


-- 
John H Terpstra

If at first you don't succeed, don't go sky-diving!
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Firewall rules to block other's computers browse list

2009-07-27 Thread David Christensen
John H Terpstra wrote:
 Please help us to understand why an Internet firewall should be a
 dedicated machine. There might be one or two people on this list who
 would disagree with this assertion.

I smell flame bait...  ;-)


Simply put, because an Internet firewall is providing a security
function and if there is a mistake, security suffers.  The more software
you put on any machine, the more opportunities there are for Murphy's
Law to operate.  Thus, IPCop, Smoothwall, and other router/ firewall
distributions are deliberately stripped-down to the bare essentials.
All included software is carefully selected and tested for security and
stability.  Furthermore, a good web UI makes it easy for the end-user/
administrator to configure the router/ firewall as desired without
having to worry about arcane packet filtering syntax, dependencies,
restarting services, etc.; thus reducing the likelihood of
mis-configuration.


I've done the Linux combination firewall/ router/ server in the past;
IPCop and a leftover machine is *so* much easier, and I sleep better at
night.  :-)


HTH,

David


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Firewall Log - Follow up on Samba Issue

2006-08-30 Thread Shaun Marolf
Here is the firewall log indicating what ports are being used when I try to 
make an SMB connection:

Time:Aug 30 03:08:32 Direction: Inbound In:eth0 Out: Port:34365 
Source:192.168.1.100 Destination:192.168.1.101 Length:90 TOS:0x00 
Protocol:UDP Service:Unknown
Time:Aug 30 03:08:45 Direction: Inbound In:eth0 Out: Port:34368 
Source:192.168.1.100 Destination:192.168.1.101 Length:90 TOS:0x00 
Protocol:UDP Service:Unknown
Time:Aug 30 03:11:55 Direction: Inbound In:eth0 Out: Port:34370 
Source:192.168.1.100 Destination:192.168.1.101 Length:90 TOS:0x00 
Protocol:UDP Service:Unknown
Time:Aug 30 03:12:06 Direction: Inbound In:eth0 Out: Port:34373 
Source:192.168.1.100 Destination:192.168.1.101 Length:90 TOS:0x00 
Protocol:UDP Service:Unknown
Time:Aug 30 03:12:07 Direction: Inbound In:eth0 Out: Port:34374 
Source:192.168.1.100 Destination:192.168.1.101 Length:90 TOS:0x00 
Protocol:UDP Service:Unknown
Time:Aug 30 03:15:41 Direction: Inbound In:eth0 Out: Port:34398 
Source:192.168.1.100 Destination:192.168.1.101 Length:90 TOS:0x00 
Protocol:UDP Service:Unknown
Time:Aug 30 03:15:43 Direction: Inbound In:eth0 Out: Port:34399 
Source:192.168.1.100 Destination:192.168.1.101 Length:90 TOS:0x00 
Protocol:UDP Service:Unknown
Time:Aug 30 03:15:53 Direction: Inbound In:eth0 Out: Port:34400 
Source:192.168.1.100 Destination:192.168.1.101 Length:90 TOS:0x00 
Protocol:UDP Service:Unknown
Time:Aug 30 04:16:37 Direction: Inbound In:eth0 Out: Port:34481 
Source:192.168.1.100 Destination:192.168.1.101 Length:90 TOS:0x00 
Protocol:UDP Service:Unknown
Time:Aug 30 04:16:38 Direction: Inbound In:eth0 Out: Port:34487 
Source:192.168.1.100 Destination:192.168.1.101 Length:90 TOS:0x00 
Protocol:UDP Service:Unknown
Time:Aug 30 04:16:38 Direction: Inbound In:eth0 Out: Port:34488 
Source:192.168.1.100 Destination:192.168.1.101 Length:90 TOS:0x00 
Protocol:UDP Service:Unknown
Time:Aug 30 04:16:38 Direction: Inbound In:eth0 Out: Port:34487 
Source:192.168.1.100 Destination:192.168.1.101 Length:90 TOS:0x00 
Protocol:UDP Service:Unknown
Time:Aug 30 04:16:38 Direction: Inbound In:eth0 Out: Port:34488 
Source:192.168.1.100 Destination:192.168.1.101 Length:90 TOS:0x00 
Protocol:UDP Service:Unknown
Time:Aug 30 04:16:38 Direction: Inbound In:eth0 Out: Port:34487 
Source:192.168.1.100 Destination:192.168.1.101 Length:90 TOS:0x00 
Protocol:UDP Service:Unknown
Time:Aug 30 04:16:38 Direction: Inbound In:eth0 Out: Port:34488 
Source:192.168.1.100 Destination:192.168.1.101 Length:90 TOS:0x00 
Protocol:UDP Service:Unknown

I seriously doubt it's anything on my Samba share at this point. She can see my 
port open but cannot connect to my Samba server. Her computer reports that 
there is no other computer connected to the HOME network, even though a scan 
from her computer shows the SMB ports as open on mine.

Now my question is; Is anyone testing Vista Beta with Samba?

--Shaun

-- 
It isn't about it being free. Rather its about the freedom it brings.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Firewall problem

2006-03-09 Thread Anthony Greenish
Hi List

I am having problems getting out of my Linux box to my Win PCs. I can get into 
the Linux box from the PCs without a problem but I get a firewall error each 
time I try the other way around. The only way to get out is to turn off the 
firewall, which I don't want to do. Help would be much appreciated.

Thanks
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Firewall enabled

2006-03-06 Thread Anthony Greenish

Hi

I have installed and configured Samba using Tweakhound's model. I still am 
having problems getting into my WindowXP computers because of the firewall 
on the Linux-Suse 9.3 machine. I can access my Linux machine from the WinXP 
ones but not the other way around unless I turn off the firewall.


Thanks




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] firewall

2005-11-25 Thread contacto_AGS
It works OK, but...

When I installed a Linksys wireless access point it does not work.
I disabled the firewall in the access point but with no result.   Can
anybody help me???
Alejandro G. Schujman
AGS Computación y Sistemas
[EMAIL PROTECTED]
MSN [EMAIL PROTECTED]
0341 4219625
Movil 0341 15 5410122
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] firewall

2005-11-25 Thread Tom Peters

At 06:31 PM 11/25/2005 -0300, contacto_AGS wrote:

It works OK, but...

When I installed a Linksys wireless access point it does not work.
I disabled the firewall in the access point but with no result.   Can
anybody help me???


Many so-called wireless access points (WAPs) are in reality a router with 
a wireless access point attached internally. You haven't given much 
information here so it's very hard to help you. "It doesn't work" is not 
enough. Does it break your whole network? Or is it only equipment connected 
to the WAP that doesn't work? Or is it only wireless gear attached to the 
WAP that fails to gain connectivity?


What model number Linksys WAP have you got there? Explain what your network 
looks like too, what's connected to what and using what ports.


There's no way to tell from your message if it's a router/WAP or not. Most 
likely, it is. If so, everything connected to it is on a separate IP subnet 
from whatever is on its WAN port.


Some of them don't care if the subnets are numbered the same: You can have 
192.168.0.x on both sides, and they will be separate subnets, and the 
firmware is too dumb to object. Of course, routing between them is totally 
screwed up and confused.


If you have a true WAP, without a router attached, or with routing turned 
off, then there's some other problem, like WEP key mismatch or 
configuration issues.


Supply more info.



[Government]Foreign aid might be defined as a transfer from poor
people in rich countries to rich people in poor countries.--Douglas
Casey, Classmate of W.J.Clinton at Georgetown U. (1992)
--... ...--  -.. .  -. . --.- --.- -...
[EMAIL PROTECTED]   (remove nospam) N9QQB (amateur radio)
HEY YOU (loud shouting)  WEB ADDRESS http//www.mixweb.com/tpeters
43° 7' 17.2 N by 88° 6' 28.9 W,  Elevation 815',  Grid Square EN53wc
WAN/LAN/Telcom Analyst, Tech Writer, MCP, CCNA, Registered Linux User 385531



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Re: Samba/Firewall issues?

2005-10-18 Thread Paul Griffith
The settings are 

local master = yes
domain master = yes
perferred master = yes

One side effect I am seeing is users getting "xxx domain not
available" error messages.

I am also going to try to pull smbd/nmbd out of xinetd and run them in
standalone mode. We are also running a very old dist. of Linux (Redhat
v7.3 with a newer kernel)

Still debugging this problem!

Thanks
Paul

On Wed, Oct 12, 2005 at 04:46:25PM +0100, Mark Waterhouse - Mailing Lists wrote:
 Paul
 
 Can you confirm what your settings for local master, domain master and 
 preferred master are?
 You should find these in /etc/smb.conf
 
 Mark
 
 - Original Message - 
  Greetings,
 
  I am running into *possible* Samba/Firewall issues. Our Samba v3.0.11
  server is also running iptables. In our log.nmbd file we have
  noticed the following:
 
  [2005/09/27 15:43:41, 1] libsmb/cliconnect.c:cli_connect(1313)
   Error connecting to 130.xx.xx.xx (Connection refused)
  [2005/09/27 15:50:21, 0] libsmb/nmblib.c:send_udp(790)
   Packet send failed to 130.xx.xx.xx(138) ERRNO=Operation not
   permitted
 
  [2005/09/27 14:07:57, 1] libsmb/cliconnect.c:cli_connect(1313)
   Error connecting to 130.xx.xx.xx (No route to host)
  [2005/09/27 14:12:51, 1] libsmb/cliconnect.c:cli_connect(1313)
   Error connecting to 130.xx.xx.xx (Connection refused)
  [2005/09/27 14:23:04, 1] libsmb/cliconnect.c:cli_connect(1313)
 
  A search turned up the following:
  http://seclists.org/lists/bugtraq/2001/Mar/0285.html
  
  Obviously, the netfilter nat code breaks nmap while using the -O flag
  or using decoy options. The (sendto in send_tcp_raw: sendto) error is
  a symptom of this. It also breaks other packet shaping utilities such
  as hping, etc., so this does not appear to be an nmap problem.
 
 
  I don't believe the connection tracking portion of netfilter is to
  blame in this case. In my tests the connection tracking code, whether it was
  loaded as a module or built statically into the kernel, didn't seem to
  get in the way. The cause of the 'sendto..' errors seems to be caused
  solely by the iptable_nat.o module(which is huge, of course). Once you
  load that one, or build it into the kernel, nmap -O no
  worky. Without it, nmap/hping/everything works just peachy.
 
 
  Best Regards,
  Steve
  -
 
  Now I have removed iptable_nat with rmmod but I am still seeing
  errors. For our end users the error shows up as  Domain not found.
 
  Anyone see these errors before ??
 
  Thanks
  Paul 
 
 -- 
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/listinfo/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Re: Samba/Firewall issues?

2005-10-12 Thread Mark Waterhouse - Mailing Lists

Paul

Can you confirm what your settings for local master, domain master and 
preferred master are?

You should find these in /etc/smb.conf

Mark

- Original Message - 

Greetings,

I am running into *possible* Samba/Firewall issues. Our Samba v3.0.11
server is also running iptables. In our log.nmbd file we have
noticed the following:

[2005/09/27 15:43:41, 1] libsmb/cliconnect.c:cli_connect(1313)
 Error connecting to 130.xx.xx.xx (Connection refused)
[2005/09/27 15:50:21, 0] libsmb/nmblib.c:send_udp(790)
 Packet send failed to 130.xx.xx.xx(138) ERRNO=Operation not
 permitted

[2005/09/27 14:07:57, 1] libsmb/cliconnect.c:cli_connect(1313)
 Error connecting to 130.xx.xx.xx (No route to host)
[2005/09/27 14:12:51, 1] libsmb/cliconnect.c:cli_connect(1313)
 Error connecting to 130.xx.xx.xx (Connection refused)
[2005/09/27 14:23:04, 1] libsmb/cliconnect.c:cli_connect(1313)

A search turned up the following:
http://seclists.org/lists/bugtraq/2001/Mar/0285.html

Obviously, the netfilter nat code breaks nmap while using the -O flag
or using decoy options. The (sendto in send_tcp_raw: sendto) error is
a symptom of this. It also breaks other packet shaping utilities such
as hping, etc., so this does not appear to be an nmap problem.


I don't believe the connection tracking portion of netfilter is to
blame in this case. In my tests the connection tracking code, whether it was
loaded as a module or built statically into the kernel, didn't seem to
get in the way. The cause of the 'sendto..' errors seems to be caused
solely by the iptable_nat.o module(which is huge, of course). Once you
load that one, or build it into the kernel, nmap -O no
worky. Without it, nmap/hping/everything works just peachy.


Best Regards,
Steve
-

Now I have removed iptable_nat with rmmod but I am still seeing
errors. For our end users the error shows up as  Domain not found.

Anyone see these errors before ??

Thanks
Paul 


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Re: Samba/Firewall issues?

2005-09-28 Thread kooto (sent by Nabble.com)

I don't know the answer to your question, but here is a tip that may be of 
help. Try searching Nabble's large archive of software mailing lists and you may 
be able to find some discussions about nmap and samba: 
http://www.nabble.com/Software-f94.html


Paul Griffith wrote: 
 
 ...
 A search turned up the following:
 http://seclists.org/lists/bugtraq/2001/Mar/0285.html
 ...
 

--
Sent from the Samba forum at Nabble.com:
http://www.nabble.com/Samba-Firewall-issues--t352335.html#a987968
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Samba/Firewall issues?

2005-09-27 Thread Paul Griffith
Greetings,

I am running into *possible* Samba/Firewall issues. Our Samba v3.0.11
server is also running iptables. In our log.nmbd file we have
noticed the following:

[2005/09/27 15:43:41, 1] libsmb/cliconnect.c:cli_connect(1313)
  Error connecting to 130.xx.xx.xx (Connection refused)
[2005/09/27 15:50:21, 0] libsmb/nmblib.c:send_udp(790)
  Packet send failed to 130.xx.xx.xx(138) ERRNO=Operation not
  permitted

[2005/09/27 14:07:57, 1] libsmb/cliconnect.c:cli_connect(1313)
  Error connecting to 130.xx.xx.xx (No route to host)
[2005/09/27 14:12:51, 1] libsmb/cliconnect.c:cli_connect(1313)
  Error connecting to 130.xx.xx.xx (Connection refused)
[2005/09/27 14:23:04, 1] libsmb/cliconnect.c:cli_connect(1313)
 
A search turned up the following:
http://seclists.org/lists/bugtraq/2001/Mar/0285.html

Obviously, the netfilter nat code breaks nmap while using the -O flag
or using decoy options. The (sendto in send_tcp_raw: sendto) error is 
a symptom of this. It also breaks other packet shaping utilities such 
as hping, etc., so this does not appear to be an nmap problem. 


I don't believe the connection tracking portion of netfilter is to
blame in this case. In my tests the connection tracking code, whether it was 
loaded as a module or built statically into the kernel, didn't seem to 
get in the way. The cause of the 'sendto..' errors seems to be caused 
solely by the iptable_nat.o module(which is huge, of course). Once you 
load that one, or build it into the kernel, nmap -O no
worky. Without it, nmap/hping/everything works just peachy. 


Best Regards, 
Steve
-

Now I have removed iptable_nat with rmmod but I am still seeing
errors. For our end users the error shows up as  Domain not found.

Anyone see these errors before ??

Thanks
Paul

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
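The three errno strings in Paul's log.nmbd excerpt each point at a different place where a packet filter can get in the way. The Python script below is an added example, not Samba's code and not from this thread: it parses the two line shapes in the excerpt (a "[date, level] file:func(line)" header followed by an indented message) and maps each OS error to the netfilter condition that usually produces it on Linux. That mapping is general socket/netfilter behaviour rather than something the post states: a locally generated packet dropped or rejected in this host's own OUTPUT chain surfaces as EPERM ("Operation not permitted") from sendto(), "Connection refused" is a TCP RST from the peer (no listener, or a REJECT rule answering with a reset or port-unreachable), and "No route to host" is an ICMP host-unreachable, whether from a REJECT rule or a real routing gap. The sample log is the post's excerpt with its wrapped ERRNO line rejoined.

```python
"""Triage Samba log.nmbd connection errors against likely packet-filter causes.

Added example for the thread above; it is not Samba's code. It parses the two
line shapes in the posted excerpt (a "[date, level] file:func(line)" header
followed by an indented message) and maps the OS error text to the netfilter
condition that usually produces it on Linux.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+), (?P<level>\d+)\] (?P<loc>\S+)$")
CONNECT = re.compile(r"Error connecting to (?P<host>\S+) \((?P<err>[^)]+)\)")
SENDUDP = re.compile(r"Packet send failed to (?P<host>[^(\s]+)\((?P<port>\d+)\) ERRNO=(?P<err>.+)")

# OS error text -> (errno name, where a packet filter typically causes it).
# General Linux socket/netfilter behaviour, not something the post states.
CAUSES: Dict[str, Tuple[str, str]] = {
    "Operation not permitted": (
        "EPERM",
        "our own outgoing packet was DROPped/REJECTed locally (OUTPUT chain on this host)"),
    "Connection refused": (
        "ECONNREFUSED",
        "TCP RST came back: nothing listening on the peer, or a REJECT rule with "
        "tcp-reset/port-unreachable"),
    "No route to host": (
        "EHOSTUNREACH",
        "ICMP host-unreachable came back: a REJECT --reject-with icmp-host-unreachable "
        "rule or a genuine routing gap"),
}

@dataclass
class Finding:
    timestamp: str
    location: str        # file:function(line) from the log header
    host: str
    port: Optional[int]  # only the UDP send path logs the port
    errno_name: str
    likely_cause: str

def _classify(ts: str, loc: str, message: str) -> Optional[Finding]:
    port = None
    m = CONNECT.search(message)
    if m:
        host, err = m["host"], m["err"]
    else:
        m = SENDUDP.search(message)
        if not m:
            return None
        host, port, err = m["host"], int(m["port"]), m["err"].strip()
    name, cause = CAUSES.get(err, ("UNKNOWN", "not a recognised packet-filter symptom"))
    return Finding(ts, loc, host, port, name, cause)

def parse_nmbd_log(text: str) -> List[Finding]:
    """Walk the log, joining wrapped message lines until the next header."""
    findings: List[Finding] = []
    ts: Optional[str] = None
    loc: str = ""
    buf: List[str] = []

    def flush() -> None:
        if ts is not None and buf:
            f = _classify(ts, loc, " ".join(buf))
            if f:
                findings.append(f)

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            flush()
            ts, loc, buf = m["ts"], m["loc"], []
        else:
            buf.append(line)
    flush()
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by errno; EPERM dominating means check this host's own rules first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.errno_name] = counts.get(f.errno_name, 0) + 1
    return counts

# Constructed sample: the post's excerpt with the wrapped ERRNO line rejoined
# (a real log.nmbd writes each message on one line); addresses as anonymised there.
SAMPLE_LOG = """\
[2005/09/27 15:43:41, 1] libsmb/cliconnect.c:cli_connect(1313)
  Error connecting to 130.xx.xx.xx (Connection refused)
[2005/09/27 15:50:21, 0] libsmb/nmblib.c:send_udp(790)
  Packet send failed to 130.xx.xx.xx(138) ERRNO=Operation not permitted
[2005/09/27 14:07:57, 1] libsmb/cliconnect.c:cli_connect(1313)
  Error connecting to 130.xx.xx.xx (No route to host)
[2005/09/27 14:12:51, 1] libsmb/cliconnect.c:cli_connect(1313)
  Error connecting to 130.xx.xx.xx (Connection refused)
[2005/09/27 14:23:04, 1] libsmb/cliconnect.c:cli_connect(1313)
"""

if __name__ == "__main__":
    found = parse_nmbd_log(SAMPLE_LOG)
    for f in found:
        target = f.host if f.port is None else f"{f.host}:{f.port}"
        print(f"{f.timestamp} {f.errno_name:13} {target:18} {f.likely_cause}")
    print(summarize(found))
```

The EPERM on the UDP 138 send is the one worth looking at first, because it can only come from the Samba host's own filter: a rule on the peer, or the peer's missing listener, cannot produce that error for a locally generated datagram. Removing the NAT module, as the post did, does not touch a filter table rule, which is consistent with the errors persisting afterwards.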


[Samba] firewall dropping packages

2005-03-30 Thread tmp
Hi!

It might be somewhat off-topic but hopefully some people here can help anyway. 
SuSEfirewall2 drops packets and name resolution/browsing doesn't work:

Mar 28 13:57:14 tcn kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= 
MAC=00:11:d8:31:4a:73:00:13:77:00:15:15:08:00 SRC=192.168.0.5 DST=192.168.0.2 
LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=230 PROTO=UDP SPT=137 DPT=2435 LEN=70
Mar 28 13:57:14 tcn kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= 
MAC=00:11:d8:31:4a:73:00:13:77:00:15:15:08:00 SRC=192.168.0.5 DST=192.168.0.2 
LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=231 PROTO=UDP SPT=137 DPT=2435 LEN=70
Mar 28 13:57:15 tcn kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= 
MAC=00:11:d8:31:4a:73:00:13:77:00:15:15:08:00 SRC=192.168.0.5 DST=192.168.0.2 
LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=233 PROTO=UDP SPT=137 DPT=2435 LEN=70

config:

# Common: smtp domain
FW_SERVICES_EXT_TCP="139 445 microsoft-ds netbios-dgm netbios-ns netbios-ssn ssh"

## Type:string
# Common: domain
FW_SERVICES_EXT_UDP="137 138"

FW_SERVICE_SAMBA=yes
FW_ALLOW_FW_BROADCAST=yes
FW_IGNORE_FW_BROADCAST=yes

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
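Both firewall-log posts in this collection (Shaun's "Time: ... Direction: Inbound" lines earlier and tmp's SuSEfirewall2 kernel lines above) show the same picture: 90-byte UDP datagrams from a Windows host being dropped on their way into the Samba box. The Python script below is an added example, not SuSEfirewall2's or Samba's code and not something posted in either thread. It parses both log formats, names the NetBIOS/SMB service involved, and tells a request (sent to the well-known port) from a reply (sent from it). Where the log omits the source port, as Shaun's does, it falls back to a size fingerprint: an IP total length of 90 bytes is exactly a positive NetBIOS name-query response carrying one address (20 IP + 8 UDP + 62 NBNS), which is what tmp's lines (SPT=137, inner UDP LEN=70) show directly; that fallback is a heuristic and is labelled as such. The sample lines are the page's own, rejoined into single lines; reading Shaun's "Port:" field as the destination port is an assumption.

```python
"""Classify firewall-dropped NetBIOS/SMB datagrams from two log formats.

Added example, not SuSEfirewall2's or Samba's code. Parses (a) netfilter
"key=value" kernel log lines (the SFW2-INext-DROP-DEFLT ones) and (b) the
"Time:... Source:... Destination:..." lines from the earlier firewall log
post, labelling each with the NetBIOS/SMB service and the packet direction.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Well-known NetBIOS/SMB ports and their /etc/services names.
SMB_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn", 445: "microsoft-ds"}
# IP total length of a positive NetBIOS name-query response carrying one
# address: 20 (IPv4 header) + 8 (UDP) + 62 (NBNS header + encoded name + RR).
# Used only as a fallback when the log does not record the source port.
NBNS_ONE_ADDR_REPLY_LEN = 90

KV = re.compile(r"(\w+)=(\S*)")
TIMEFMT = re.compile(
    r"Time:(?P<time>\w+ +\d+ [\d:]+) Direction: *(?P<dir>\w+) In:(?P<in>\S*) Out:(?P<out>\S*) "
    r"Port:(?P<port>\d+) Source:(?P<src>\S+) Destination:(?P<dst>\S+) Length:(?P<len>\d+) "
    r"TOS:\S+ Protocol:(?P<proto>\w+) Service:(?P<svc>\S+)"
)

@dataclass
class Record:
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]
    ip_len: int
    service: str    # one of the SMB_PORTS names, or "other"
    direction: str  # "request", "reply", "reply?" (size heuristic only) or "unknown"

def _label(proto: str, spt: Optional[int], dpt: Optional[int], ip_len: int) -> Tuple[str, str]:
    if dpt in SMB_PORTS:
        return SMB_PORTS[dpt], "request"
    if spt in SMB_PORTS:
        return SMB_PORTS[spt], "reply"
    if proto == "UDP" and spt is None and ip_len == NBNS_ONE_ADDR_REPLY_LEN:
        return "netbios-ns", "reply?"   # source port not logged; size fingerprint only
    return "other", "unknown"

def parse_line(line: str) -> Optional[Record]:
    """Return a Record for a line in either format, or None if unrecognised."""
    line = line.strip()
    if "PROTO=" in line:                     # netfilter LOG target format
        fields: Dict[str, str] = {}
        for key, value in KV.findall(line):
            fields.setdefault(key, value)    # first LEN= is the IP length; the second is UDP's
        if not all(k in fields for k in ("SRC", "DST", "PROTO", "LEN")):
            return None
        spt = int(fields["SPT"]) if "SPT" in fields else None
        dpt = int(fields["DPT"]) if "DPT" in fields else None
        src, dst, proto, ip_len = fields["SRC"], fields["DST"], fields["PROTO"], int(fields["LEN"])
    else:
        m = TIMEFMT.search(line)
        if not m:
            return None
        src, dst, proto, ip_len = m["src"], m["dst"], m["proto"], int(m["len"])
        spt, dpt = None, int(m["port"])      # assumption: this log's "Port:" is the destination port
    service, direction = _label(proto, spt, dpt, ip_len)
    return Record(src, dst, proto, spt, dpt, ip_len, service, direction)

def summarize(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Count recognised lines by (service, direction)."""
    counts: Dict[Tuple[str, str], int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            key = (rec.service, rec.direction)
            counts[key] = counts.get(key, 0) + 1
    return counts

# Sample input: the lines posted in the two threads, rejoined into one line
# each (the list archive wrapped them); not captured fresh for this example.
SFW2_LINES = [
    "Mar 28 13:57:14 tcn kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= "
    "MAC=00:11:d8:31:4a:73:00:13:77:00:15:15:08:00 SRC=192.168.0.5 DST=192.168.0.2 "
    "LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=230 PROTO=UDP SPT=137 DPT=2435 LEN=70",
    "Mar 28 13:57:14 tcn kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= "
    "MAC=00:11:d8:31:4a:73:00:13:77:00:15:15:08:00 SRC=192.168.0.5 DST=192.168.0.2 "
    "LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=231 PROTO=UDP SPT=137 DPT=2435 LEN=70",
    "Mar 28 13:57:15 tcn kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= "
    "MAC=00:11:d8:31:4a:73:00:13:77:00:15:15:08:00 SRC=192.168.0.5 DST=192.168.0.2 "
    "LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=233 PROTO=UDP SPT=137 DPT=2435 LEN=70",
]
TIME_LINES = [
    "Time:Aug 30 03:08:32 Direction: Inbound In:eth0 Out: Port:34365 "
    "Source:192.168.1.100 Destination:192.168.1.101 Length:90 TOS:0x00 "
    "Protocol:UDP Service:Unknown",
    "Time:Aug 30 03:08:45 Direction: Inbound In:eth0 Out: Port:34368 "
    "Source:192.168.1.100 Destination:192.168.1.101 Length:90 TOS:0x00 "
    "Protocol:UDP Service:Unknown",
]

if __name__ == "__main__":
    for rec in map(parse_line, SFW2_LINES + TIME_LINES):
        print(rec)
    print(summarize(SFW2_LINES + TIME_LINES))
```

On tmp's lines the answer is visible directly: every dropped datagram is a reply from UDP 137 to the unprivileged port the Samba box used for its own name query, so the inbound rules admit queries to 137 but not the answers to them. On Linux the usual remedy is a stateful rule (conntrack relates a unicast UDP reply to the query that caused it) plus the NetBIOS name-service conntrack helper (nf_conntrack_netbios_ns) for replies to broadcast queries, which arrive from a different address than the one the query was sent to; which SuSEfirewall2 option turns that on is not something this post shows.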


Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-10 Thread Gordon Russell
Dude -- Your arrogant attitude towards getting help and resolving your 
problem is not getting you anywhere -- its obviously problematic to pump 
 SMB/CIFS into the internet the way you would like to.  Why don't you 
look at a simpler solution like running an anonymous ftp server and then 
your pathetic windoze users can just type:

ftp://server/directory
POOF
 Please read my points on this sort of solution in the past. The whole
 REASON I want to use Plain Vanilla SMB is so I can walk up to ANY Windoze
 machine on the entire flippin' Internet and go:
 Start
 Run
 \\IP_ADDRESS\sharename
 (username)
 (password)
 POOF.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Firewall piercing - The Specified network name is no

2005-02-10 Thread Paul Gienger

 Dude -- Your arrogant attitude towards getting help and resolving your 
 problem is not getting you anywhere -- its obviously problematic to 
 pump  SMB/CIFS into the internet the way you would like to.  Why don't 
 you look at a simpler solution like running an anonymous ftp server 
 and then your pathetic windoze users can just type:
The problem here is that *he* is the user that wants to use smb 
bare-assed over the internet.  I doubt this would be that much of an 
issue if it were a user, since a respected sysadmin can usually tell 
someone how they should be using a network resource, unless the user is 
braindead upper management unfortunately.  We're into the I'd really 
like to do it this way for no apparent gain zone on this one.

Lets all just let this one die.  No poster has touched the issue he's 
having, and from the people that have posted it doesn't look like anyone 
is going to be attempting to help, not because no one knows, but because 
it's been deemed a WTF issue.  If Mr. Blank gets this one to work he'll 
have one more I did a cool thing one day feather in his cap when he 
goes client scouting.

 ftp://server/directory
 POOF
  Please read my points on this sort of solution in the past. The whole
  REASON I want to use Plain Vanilla SMB is so I can walk up to ANY 
  Windoze
  machine on the entire flippin' Internet and go:

  Start
  Run
  \\IP_ADDRESS\sharename
  (username)
  (password)
  POOF.

--
--
Paul GiengerOffice: 701-281-1884
Applied Engineering Inc.
Systems Architect   Fax:701-281-1322
URL: www.ae-solutions.com   mailto: [EMAIL PROTECTED]

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-10 Thread JLB
On Wed, 9 Feb 2005, Craig White wrote:

 Date: Wed, 09 Feb 2005 22:54:10 -0700
 From: Craig White [EMAIL PROTECTED]
 To: JLB [EMAIL PROTECTED]
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] Firewall piercing - The Specified network name is no
 longer available.

 On Thu, 2005-02-10 at 00:11 -0500, JLB wrote:
  Please read my points on this sort of solution in the past. The whole
  REASON I want to use Plain Vanilla SMB is so I can walk up to ANY Windoze
  machine on the entire flippin' Internet and go:
 
  Start
  Run
  \\IP_ADDRESS\sharename
  (username)
  (password)
 
  POOF.
 
 and if you do that - someone else will 'poof' that machine before you
 can do it

Precisely how 0wnable is a SPARC64 running a recent version of OpenBSD,
with a recent version of Samba and a password-protected share, using a
non-dictionary-word password?

 
 
  If I have to install anything, the whole point is moot.
 
 
 seems like an idea that was DOA - moot is probably besides the point

 Craig


We're not talking about exposing a flippin' Win98 box to this traffic.
You've yet to explain how/why my box is a security risk, with the
software profile I've outlined for it.

--
J. L. Blank, Systems Administrator, twu.net
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-10 Thread JLB
On Thu, 10 Feb 2005, Ilia Chipitsine wrote:

 Date: Thu, 10 Feb 2005 11:19:57 +0500 (YEKT)
 From: Ilia Chipitsine [EMAIL PROTECTED]
 To: JLB [EMAIL PROTECTED]
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] Firewall piercing - The Specified network name is no
 longer available.

 pptp/vpn client is included in windows distribution as well.

Is it an optional install?

 client is pretty well tested and works reasonably good since win95osr2.

How does one use it?

Start, Run, ...what?


 so, it is already installed on ANY Windoze :-)

  Please read my points on this sort of solution in the past. The whole
  REASON I want to use Plain Vanilla SMB is so I can walk up to ANY Windoze
  machine on the entire flippin' Internet and go:
 
  Start
  Run
  \\IP_ADDRESS\sharename
  (username)
  (password)
 
  POOF.
 
  If I have to install anything, the whole point is moot.
 
  On Thu, 10 Feb 2005, Ilia Chipitsine wrote:
 
  Date: Thu, 10 Feb 2005 09:58:32 +0500 (YEKT)
  From: Ilia Chipitsine [EMAIL PROTECTED]
  To: JLB [EMAIL PROTECTED]
  Cc: samba@lists.samba.org
  Subject: Re: [Samba] Firewall piercing - The Specified network name is no
  longer available.
 
  you can setup PPTP/VPN server and this eliminates need of using NAT.
 
  Hi all.
 
  I'm trying to set up one of my Unix machines at home so I can access my
  stuff there via SMB from the Internet at large (read: from Windows-using
  clients').
 
  I'm behind two NATting devices-- the lame-p Prestige DSL modem provided by
  Sprint DSL (a.k.a. Earthlink?) and a more typical home DSL/cable gateway
  device.
 
  I've poked holes in BOTH of these devices on ports 137, 138, 139 AND 445.
  Only port 139 actually responds to TCP connections (well, only port 139
  accepts a telnet, even from localhost.
 
  See:
 
  --
  -bash-2.05b# telnet localhost 137
  Trying ::1...
  telnet: connect to address ::1: Connection refused
  Trying 127.0.0.1...
  telnet: connect to address 127.0.0.1: Connection refused
  -bash-2.05b# telnet localhost 138
  Trying ::1...
  telnet: connect to address ::1: Connection refused
  Trying 127.0.0.1...
  telnet: connect to address 127.0.0.1: Connection refused
  -bash-2.05b# telnet localhost 139
  Trying ::1...
  telnet: connect to address ::1: Connection refused
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  ^]
  telnet close
  Connection closed.
  -bash-2.05b# telnet localhost 445
  Trying ::1...
  telnet: connect to address ::1: Connection refused
  Trying 127.0.0.1...
  telnet: connect to address 127.0.0.1: Connection refused
  --
 
  It should go without saying that this machine's Samba shares work
  PERFECTLY WELL within the LAN. ;)
 
  Now, from the outside, I can telnet to port 139 on the machine just fine,
  through both NAT devices. However, when I go Start, Run,
  \\x.y.z.a\sharename (where x.y.z.a is the IP address-- not the FQDN-- of
  the machine), Windows vomits up this unhelpful message:
 
 
  --
  \\x.y.z.a\sharename
  The specified network name is no longer available.
  --
 
  See:
 
  http://jlb.twu.net/tmp/unhelpful.png
 
  Any ideas? The client machine runs Windows 2000 Pro.
 
  --
  J. L. Blank, Systems Administrator, twu.net
  --
  To unsubscribe from this list go to the following URL and read the
  instructions:  https://lists.samba.org/mailman/listinfo/samba
 
 
 
  --
  J. L. Blank, Systems Administrator, twu.net
 


--
J. L. Blank, Systems Administrator, twu.net
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-10 Thread JLB
Because an anonymous solution isn't sufficient. I want something easy--
BUT PASSWORD-PROTECTED. (And no, I don't use dictionary-word passwords.)

On Thu, 10 Feb 2005, Gordon Russell wrote:

 Date: Thu, 10 Feb 2005 09:22:48 -0500
 From: Gordon Russell [EMAIL PROTECTED]
 Cc: JLB [EMAIL PROTECTED], samba@lists.samba.org
 Subject: Re: [Samba] Firewall piercing - The Specified network name is no
 longer available.

 Dude -- Your arrogant attitude towards getting help and resolving your
 problem is not getting you anywhere -- its obviously problematic to pump
   SMB/CIFS into the internet the way you would like to.  Why don't you
 look at a simpler solution like running an anonymous ftp server and then
 your pathetic windoze users can just type:

 ftp://server/directory

 POOF

  Please read my points on this sort of solution in the past. The whole
  REASON I want to use Plain Vanilla SMB is so I can walk up to ANY Windoze
  machine on the entire flippin' Internet and go:
 
  Start
  Run
  \\IP_ADDRESS\sharename
  (username)
  (password)
 
  POOF.


--
J. L. Blank, Systems Administrator, twu.net
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-10 Thread JLB
Also, my arrogant attitude is largely due to the fact that nobody's
reading my points.

I DO NOT want to install OpenVPN.
I DO NOT want to run WinSCP.
I DO NOT want to run an anonymous FTP server.

I want to go:

Start
Run
smb://IP_ADDRESS/sharename
(username)
(password)
POOF.

That is what I want. Period. It's not unreasonable; this is Samba, not
some Win95 box waiting to be h4x0red.

On Thu, 10 Feb 2005, Gordon Russell wrote:

 Date: Thu, 10 Feb 2005 09:22:48 -0500
 From: Gordon Russell [EMAIL PROTECTED]
 Cc: JLB [EMAIL PROTECTED], samba@lists.samba.org
 Subject: Re: [Samba] Firewall piercing - The Specified network name is no
 longer available.

 Dude -- Your arrogant attitude towards getting help and resolving your
 problem is not getting you anywhere -- its obviously problematic to pump
   SMB/CIFS into the internet the way you would like to.  Why don't you
 look at a simpler solution like running an anonymous ftp server and then
 your pathetic windoze users can just type:

 ftp://server/directory

 POOF

  Please read my points on this sort of solution in the past. The whole
  REASON I want to use Plain Vanilla SMB is so I can walk up to ANY Windoze
  machine on the entire flippin' Internet and go:
 
  Start
  Run
  \\IP_ADDRESS\sharename
  (username)
  (password)
 
  POOF.


--
J. L. Blank, Systems Administrator, twu.net
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-10 Thread Gordon Russell
So run a non-anonymous ftp server and have them authenticate.
I realize you want to do it without installing client software, but you 
can do that via ftp and skip all the SMB jive.

JLB wrote:
Also, my arrogant attitude is largely due to the fact that nobody's
reading my points.
I DO NOT want to install OpenVPN.
I DO NOT want to run WinSCP.
I DO NOT want to run an anonymous FTP server.
I want to go:
Start
Run
smb://IP_ADDRESS/sharename
(username)
(password)
POOF.
That is what I want. Period. It's not unreasonable; this is Samba, not
some Win95 box waiting to be h4x0red.
On Thu, 10 Feb 2005, Gordon Russell wrote:

Date: Thu, 10 Feb 2005 09:22:48 -0500
From: Gordon Russell [EMAIL PROTECTED]
Cc: JLB [EMAIL PROTECTED], samba@lists.samba.org
Subject: Re: [Samba] Firewall piercing - The Specified network name is no
   longer available.
Dude -- Your arrogant attitude towards getting help and resolving your
problem is not getting you anywhere -- it's obviously problematic to pump
SMB/CIFS into the internet the way you would like to.  Why don't you
look at a simpler solution like running an anonymous ftp server and then
your pathetic windoze users can just type:
ftp://server/directory
POOF

Please read my points on this sort of solution in the past. The whole
REASON I want to use Plain Vanilla SMB is so I can walk up to ANY Windoze
machine on the entire flippin' Internet and go:
Start
Run
\\IP_ADDRESS\sharename
(username)
(password)
POOF.

--
J. L. Blank, Systems Administrator, twu.net


Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-10 Thread Christoph Scheeder
Hi,
I think you do not get the point:
This is not a single point of failure.
Getting your server sharing to the internet will give you nothing.
Why?
1st showstopper:
The admin of the pc you want to access your server from will have denied 
outgoing traffic for all smb-packets from the local LAN to the internet.
Because windows machines tend to do heavy broadcasts to sync their browselists
over these ports.
This is unwanted traffic which must be paid for and which reduces available
bandwidth.
So the Admins block these ports to *save money*

2nd showstopper:
Even if your ISP does not, many many ISPs silently drop all traffic on the 
smb-ports.
Why? Because there are too many home users not using firewalls and therefore their
Windows machines broadcast to the internet to sync their browselists.
If ISPs forwarded these packets (or answers to them) it would eat their
bandwidth and money for nothing.
That's the point why they drop these packets:   *MONEY*

3rd showstopper:
SMB is not designed for unreliable networks with many routers and their
latency involved.
SMB over internet simply will not work reliably.
Christoph
JLB schrieb:
Also, my arrogant attitude is largely due to the fact that nobody's
reading my points.
I DO NOT want to install OpenVPN.
I DO NOT want to run WinSCP.
I DO NOT want to run an anonymous FTP server.
I want to go:
Start
Run
smb://IP_ADDRESS/sharename
(username)
(password)
POOF.
That is what I want. Period. It's not unreasonable; this is Samba, not
some Win95 box waiting to be h4x0red.
On Thu, 10 Feb 2005, Gordon Russell wrote:

Date: Thu, 10 Feb 2005 09:22:48 -0500
From: Gordon Russell [EMAIL PROTECTED]
Cc: JLB [EMAIL PROTECTED], samba@lists.samba.org
Subject: Re: [Samba] Firewall piercing - The Specified network name is no
   longer available.
Dude -- Your arrogant attitude towards getting help and resolving your
problem is not getting you anywhere -- it's obviously problematic to pump
SMB/CIFS into the internet the way you would like to.  Why don't you
look at a simpler solution like running an anonymous ftp server and then
your pathetic windoze users can just type:
ftp://server/directory
POOF

Please read my points on this sort of solution in the past. The whole
REASON I want to use Plain Vanilla SMB is so I can walk up to ANY Windoze
machine on the entire flippin' Internet and go:
Start
Run
\\IP_ADDRESS\sharename
(username)
(password)
POOF.

--
J. L. Blank, Systems Administrator, twu.net


Re: [Samba] Firewall piercing - The Specified network name is no

2005-02-10 Thread Robert Schetterer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi @ll,
following this a longer time now,
I want to say open smb to web is a total security disaster.
You will be hacked in minutes by broadcasting smb scanners.
As others recommended before, use a tunnelstuff i.e. openvpn, pptpd, ipsec
to tunnel smb in this, or simply use an Apache with webdav
which is shown as a network share too in windows, with the same features as
smb shares.
Winscp is a very good solution too.
Last word about your users: if they want to connect
via the internet via smb, their clients must open smb too,
so they will be vulnerable too; they won't feel very cool
finding their bank account numbers after a few days, or their private files
somewhere in the internet stolen from some kids.
As all this stuff is freeware and mostly included in windows and in
most nix distros, there should be no problem to set up a secure
smb or equal quality connect through the web.
Note: smb is not the solution you need, Apache with webdav will do it
quite well.
Best Regards
Paul Gienger schrieb:
|
| Dude -- Your arrogant attitude towards getting help and resolving your
| problem is not getting you anywhere -- it's obviously problematic to
| pump  SMB/CIFS into the internet the way you would like to.  Why don't
| you look at a simpler solution like running an anonymous ftp server
| and then your pathetic windoze users can just type:
|
|
| The problem here is that *he* is the user that wants to use smb
| bare-assed over the internet.  I doubt this would be that much of an
| issue if it were a user, since a respected sysadmin can usually tell
| someone how they should be using a network resource, unless the user is
| braindead upper management unfortunately.  We're into the "I'd really
| like to do it this way for no apparent gain" zone on this one.
|
| Let's all just let this one die.  No poster has touched the issue he's
| having, and from the people that have posted it doesn't look like anyone
| is going to be attempting to help, not because no one knows, but because
| it's been deemed a WTF issue.  If Mr. Blank gets this one to work he'll
| have one more "I did a cool thing one day" feather in his cap when he
| goes client scouting.
|
|
| ftp://server/directory
|
| POOF
|
| Please read my points on this sort of solution in the past. The whole
| REASON I want to use Plain Vanilla SMB is so I can walk up to ANY
| Windoze
| machine on the entire flippin' Internet and go:
|
| Start
| Run
| \\IP_ADDRESS\sharename
| (username)
| (password)
|
| POOF.
|
|
|
|
- --
Mit freundlichen Gruessen
Best Regards
Robert Schetterer
robert_at_schetterer.org
Munich / Bavaria / Germany
https://www.schetterer.org
**
* gnupgp
* public key:
* https://www.schetterer.org/public.key
**
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCC9Ae+Jw+56iSjEkRAkGQAKCaK23JYwvWGD/oPvZF3WwHe7l2vACgmeAD
UeyREkvpDINTuTkgGWaaQQ0=
=KfoG
-END PGP SIGNATURE-

Re: [Samba] Firewall piercing - The Specified network name is no

2005-02-10 Thread JLB
On Thu, 10 Feb 2005, Robert Schetterer wrote:
Date: Thu, 10 Feb 2005 22:20:30 +0100
From: Robert Schetterer [EMAIL PROTECTED]
To: Paul Gienger [EMAIL PROTECTED]
Cc: samba@lists.samba.org, Gordon Russell [EMAIL PROTECTED]
Subject: Re: [Samba] Firewall piercing - The Specified network name is no
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi @ll,
following this a longer time now,
I want to say open smb to web is a total security disaster.
You will be hacked in minutes by broadcasting smb scanners.
HOW?
If Samba is so easily hackable... HOW?
This is *Samba*.
On a SPARC.
Running OpenBSD.
You wanna tell me how the 31337 h4x0r types-- who are used to 0wning
PeeCees running Win9x, not freaking UltraSPARCs running OpenBSD and
SPARC-- are going to hack me within a minute?
As others recommended before, use a tunnelstuff i.e. openvpn, pptpd, ipsec
to tunnel smb in this, or simply use an Apache with webdav
which is shown as a network share too in windows, with the same features as
smb shares.
Winscp is a very good solution too.
Last word about your users: if they want to connect
via the internet via smb, their clients must open smb too,
so they will be vulnerable too; they won't feel very cool
Um, what?
How does acting as an SMB --CLIENT-- put one at risk?
finding their bank account numbers after a few days, or their private files
somewhere in the internet stolen from some kids.
As all this stuff is freeware and mostly included in windows and in
most nix distros, there should be no problem to set up a secure
smb or equal quality connect through the web.
Note: smb is not the solution you need, Apache with webdav will do it
quite well.
Best Regards
Paul Gienger schrieb:
|
| Dude -- Your arrogant attitude towards getting help and resolving your
| problem is not getting you anywhere -- it's obviously problematic to
| pump  SMB/CIFS into the internet the way you would like to.  Why don't
| you look at a simpler solution like running an anonymous ftp server
| and then your pathetic windoze users can just type:
|
|
| The problem here is that *he* is the user that wants to use smb
| bare-assed over the internet.  I doubt this would be that much of an
| issue if it were a user, since a respected sysadmin can usually tell
| someone how they should be using a network resource, unless the user is
| braindead upper management unfortunately.  We're into the "I'd really
| like to do it this way for no apparent gain" zone on this one.
|
| Let's all just let this one die.  No poster has touched the issue he's
| having, and from the people that have posted it doesn't look like anyone
| is going to be attempting to help, not because no one knows, but because
| it's been deemed a WTF issue.  If Mr. Blank gets this one to work he'll
| have one more "I did a cool thing one day" feather in his cap when he
| goes client scouting.
|
|
| ftp://server/directory
|
| POOF
|
| Please read my points on this sort of solution in the past. The whole
| REASON I want to use Plain Vanilla SMB is so I can walk up to ANY
| Windoze
| machine on the entire flippin' Internet and go:
|
| Start
| Run
| \\IP_ADDRESS\sharename
| (username)
| (password)
|
| POOF.
|
|
|
|
- --
Mit freundlichen Gruessen
Best Regards
Robert Schetterer
robert_at_schetterer.org
Munich / Bavaria / Germany
https://www.schetterer.org
**
* gnupgp
* public key:
* https://www.schetterer.org/public.key
**
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCC9Ae+Jw+56iSjEkRAkGQAKCaK23JYwvWGD/oPvZF3WwHe7l2vACgmeAD
UeyREkvpDINTuTkgGWaaQQ0=
=KfoG
-END PGP SIGNATURE-
--
J. L. Blank, Systems Administrator, twu.net

Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-10 Thread Ilia Chipitsine
On Thu, 10 Feb 2005, Ilia Chipitsine wrote:
Date: Thu, 10 Feb 2005 11:19:57 +0500 (YEKT)
From: Ilia Chipitsine [EMAIL PROTECTED]
To: JLB [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Subject: Re: [Samba] Firewall piercing - The Specified network name is no
longer available.
pptp/vpn client is included in windows distribution as well.
Is it an optional install?
no, it is included by default.

client is pretty well tested and works reasonably well since win95osr2.
How does one use it?
pptp is ppp over gre, in windows terms workstation just establishes
dialup connection to pptp server, if you have pptp/vpn server right 
between your internet and intranet, so, clients from both segments will
be able to  connect to it and IP will go over private subnet. that is what 
we use for almost 2 years.

Start, Run, ...what?
so, it is already installed on ANY Windoze :-)
Please read my points on this sort of solution in the past. The whole
REASON I want to use Plain Vanilla SMB is so I can walk up to ANY Windoze
machine on the entire flippin' Internet and go:
Start
Run
\\IP_ADDRESS\sharename
(username)
(password)
POOF.
If I have to install anything, the whole point is moot.
On Thu, 10 Feb 2005, Ilia Chipitsine wrote:
Date: Thu, 10 Feb 2005 09:58:32 +0500 (YEKT)
From: Ilia Chipitsine [EMAIL PROTECTED]
To: JLB [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Subject: Re: [Samba] Firewall piercing - The Specified network name is no
longer available.
you can setup PPTP/VPN server and this eliminates need of using NAT.
Hi all.
I'm trying to set up one of my Unix machines at home so I can access my
stuff there via SMB from the Internet at large (read: from Windows-using
clients).
I'm behind two NATting devices-- the lame-p Prestige DSL modem provided by
Sprint DSL (a.k.a. Earthlink?) and a more typical home DSL/cable gateway
device.
I've poked holes in BOTH of these devices on ports 137, 138, 139 AND 445.
Only port 139 actually responds to TCP connections (well, only port 139
accepts a telnet, even from localhost).
See:
--
-bash-2.05b# telnet localhost 137
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
-bash-2.05b# telnet localhost 138
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
-bash-2.05b# telnet localhost 139
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^]
telnet close
Connection closed.
-bash-2.05b# telnet localhost 445
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
--
It should go without saying that this machine's Samba shares work
PERFECTLY WELL within the LAN. ;)
Now, from the outside, I can telnet to port 139 on the machine just fine,
through both NAT devices. However, when I go Start, Run,
\\x.y.z.a\sharename (where x.y.z.a is the IP address-- not the FQDN-- of
the machine), Windows vomits up this unhelpful message:
--
\\x.y.z.a\sharename
The specified network name is no longer available.
--
See:
http://jlb.twu.net/tmp/unhelpful.png
Any ideas? The client machine runs Windows 2000 Pro.
--
J. L. Blank, Systems Administrator, twu.net

--
J. L. Blank, Systems Administrator, twu.net

--
J. L. Blank, Systems Administrator, twu.net


[Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-09 Thread JLB
Hi all.

I'm trying to set up one of my Unix machines at home so I can access my
stuff there via SMB from the Internet at large (read: from Windows-using
clients).

I'm behind two NATting devices-- the lame-p Prestige DSL modem provided by
Sprint DSL (a.k.a. Earthlink?) and a more typical home DSL/cable gateway
device.

I've poked holes in BOTH of these devices on ports 137, 138, 139 AND 445.
Only port 139 actually responds to TCP connections (well, only port 139
accepts a telnet, even from localhost).

See:

--
-bash-2.05b# telnet localhost 137
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
-bash-2.05b# telnet localhost 138
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
-bash-2.05b# telnet localhost 139
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^]
telnet close
Connection closed.
-bash-2.05b# telnet localhost 445
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
--

It should go without saying that this machine's Samba shares work
PERFECTLY WELL within the LAN. ;)

Now, from the outside, I can telnet to port 139 on the machine just fine,
through both NAT devices. However, when I go Start, Run,
\\x.y.z.a\sharename (where x.y.z.a is the IP address-- not the FQDN-- of
the machine), Windows vomits up this unhelpful message:


--
\\x.y.z.a\sharename
The specified network name is no longer available.
--

See:

http://jlb.twu.net/tmp/unhelpful.png

Any ideas? The client machine runs Windows 2000 Pro.

--
J. L. Blank, Systems Administrator, twu.net
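The `telnet localhost <port>` session in the post above checks which of the four NetBIOS/SMB ports accept a TCP connection. As an added example (not code from the thread or from Samba), here is the same check as a script: it probes a list of ports and returns a dictionary instead of a screenful of refusals. One caveat the telnet output hides: 137 (name service) and 138 (datagram service) are UDP services of nmbd, so a refused TCP connect there is expected and says nothing about exposure; only 139 and 445 tell you whether SMB is reachable, and from outside the LAN that reachability is precisely the exposure the replies warn about. The stub listener and the unused-port helper are stand-ins so the demo runs offline; against a real host you would call `probe_ports(host, NETBIOS_SMB_PORTS)`.

```python
"""Audit which NetBIOS/SMB ports on a host accept TCP connections.

Added example (not from the thread): it reproduces the `telnet localhost <port>`
probe from the original post as a script whose result you can assert on.
"""
import socket
from typing import Dict, Iterable, Tuple

# The four ports the original post opened on both NAT devices.
NETBIOS_SMB_PORTS = (137, 138, 139, 445)

# 137 (name service) and 138 (datagram service) are UDP services of nmbd;
# a TCP connect() to them is refused even when nmbd is running, so only
# 139 (NetBIOS session) and 445 (SMB direct) say anything about reachability.
TCP_SMB_PORTS = (139, 445)


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect() to host:port succeeds (what telnet shows as 'Connected')."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, timeout, host unreachable: all count as "not open".
        return False


def probe_ports(host: str, ports: Iterable[int]) -> Dict[int, bool]:
    """Map each port to whether a TCP connection to it succeeded."""
    return {port: tcp_port_open(host, port) for port in ports}


def smb_reachable(host: str) -> bool:
    """True if either SMB-over-TCP port (139 or 445) accepts a connection on host.

    Run from outside the LAN, a True here is the exposure the replies warn about.
    """
    return any(probe_ports(host, TCP_SMB_PORTS).values())


def start_stub_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind a throwaway listener on an ephemeral port (stand-in for smbd, so the demo runs offline)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)  # a queued connection already counts as connected; no accept() needed
    return srv, srv.getsockname()[1]


def unused_port(host: str = "127.0.0.1") -> int:
    """Find an ephemeral port nothing is listening on (stand-in for a closed SMB port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    listener, open_port = start_stub_listener()
    closed_port = unused_port()
    for port, is_open in probe_ports("127.0.0.1", [open_port, closed_port]).items():
        print(f"port {port}: {'Connected' if is_open else 'Connection refused'}")
    listener.close()
```

The probe deliberately returns only reachability, not banners or protocol details: the question a defender wants answered is whether the service is exposed at all, and a True from `smb_reachable()` on the public address is the signal to put the share behind a VPN or an authenticated WebDAV front end, as the replies suggest.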


Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-09 Thread Paul Gienger

I'm trying to set up one of my Unix machines at home so I can access my
stuff there via SMB from the Internet at large (read: from Windows-using
clients).
 

Are you saying that you're trying to allow access from 'random internet 
user' (which is probably you) directly to your samba machine?   You will 
have problems with this if it is what you're doing.

1. because you may have a default filter on your firewalls that block it 
from traversing, although I think most sane manufacturers took this rule 
off now
2. because your ISP probably blocks/filters those ports.
3. because it's a Bad Thing (TM)(R)(C)

Spend a little time and set up a vpn endpoint on your box and just 
forward the necessary ports over, I think openvpn is 5000.  You'll be 
much happier, sane, and protected as such.

I'm behind two NATting devices-- the lame-p Prestige DSL modem provided by
Sprint DSL (a.k.a. Earthlink?) and a more typical home DSL/cable gateway
device.
I've poked holes in BOTH of these devices on ports 137, 138, 139 AND 445.
Only port 139 actually responds to TCP connections (well, only port 139
accepts a telnet, even from localhost).
See:
--
-bash-2.05b# telnet localhost 137
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
-bash-2.05b# telnet localhost 138
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
-bash-2.05b# telnet localhost 139
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^]
telnet close
Connection closed.
-bash-2.05b# telnet localhost 445
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
--
It should go without saying that this machine's Samba shares work
PERFECTLY WELL within the LAN. ;)
Now, from the outside, I can telnet to port 139 on the machine just fine,
through both NAT devices. However, when I go Start, Run,
\\x.y.z.a\sharename (where x.y.z.a is the IP address-- not the FQDN-- of
the machine), Windows vomits up this unhelpful message:
--
\\x.y.z.a\sharename
The specified network name is no longer available.
--
See:
http://jlb.twu.net/tmp/unhelpful.png
Any ideas? The client machine runs Windows 2000 Pro.
--
J. L. Blank, Systems Administrator, twu.net
 

--
--
Paul GiengerOffice: 701-281-1884
Applied Engineering Inc.
Systems Architect   Fax:701-281-1322
URL: www.ae-solutions.com   mailto: [EMAIL PROTECTED]



Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-09 Thread JLB
On Wed, 9 Feb 2005, Paul Gienger wrote:

 Date: Wed, 09 Feb 2005 08:54:57 -0600
 From: Paul Gienger [EMAIL PROTECTED]
 To: JLB [EMAIL PROTECTED]
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] Firewall piercing - The Specified network name is no
 longer available.


 I'm trying to set up one of my Unix machines at home so I can access my
 stuff there via SMB from the Internet at large (read: from Windows-using
 clients).
 
 
 Are you saying that you're trying to allow access from 'random internet
 user' (which is probably you) directly to your samba machine?   You will
 have problems with this if it is what you're doing.

 1. because you may have a default filter on your firewalls that block it
 from traversing, although I think most sane manufacturers took this rule
 off now

I already poked and prodded at all such filters. They seem off now.

 2. because your ISP probably blocks/filters those ports.

They don't.

 3. because it's a Bad Thing (TM)(R)(C)

The chance of any random joker stumbling upon a dynamically allocated IP
and h4x0ring into a password-protected share on a SPARC64 machine running
OpenBSD with a recent version of Samba is 

slim.


 Spend a little time and set up a vpn endpoint on your box and just
 forward the necessary ports over, I think openvpn is 5000.  You'll be
 much happier, sane, and protected as such.

And I will make use of this on client machines with strict "Thou Shalt Not
Install any Unauthorized Software" policies... how?

I've already set up zero-install Web-based telnet, zero-install Web-based
MP3 players... I even concocted a zero-install CygWin workalike and
keep it on my keychain USB drive... now I need a zero-install way to
access my files via Windows machines. And that means SMB. NOT OpenVPN,
OpenSSH, OpenVMS or any other Open.


 I'm behind two NATting devices-- the lame-p Prestige DSL modem provided by
 Sprint DSL (a.k.a. Earthlink?) and a more typical home DSL/cable gateway
 device.
 
 I've poked holes in BOTH of these devices on ports 137, 138, 139 AND 445.
 Only port 139 actually responds to TCP connections (well, only port 139
 accepts a telnet, even from localhost).
 
 See:
 
 --
 -bash-2.05b# telnet localhost 137
 Trying ::1...
 telnet: connect to address ::1: Connection refused
 Trying 127.0.0.1...
 telnet: connect to address 127.0.0.1: Connection refused
 -bash-2.05b# telnet localhost 138
 Trying ::1...
 telnet: connect to address ::1: Connection refused
 Trying 127.0.0.1...
 telnet: connect to address 127.0.0.1: Connection refused
 -bash-2.05b# telnet localhost 139
 Trying ::1...
 telnet: connect to address ::1: Connection refused
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 ^]
 telnet close
 Connection closed.
 -bash-2.05b# telnet localhost 445
 Trying ::1...
 telnet: connect to address ::1: Connection refused
 Trying 127.0.0.1...
 telnet: connect to address 127.0.0.1: Connection refused
 --
 
 It should go without saying that this machine's Samba shares work
 PERFECTLY WELL within the LAN. ;)
 
 Now, from the outside, I can telnet to port 139 on the machine just fine,
 through both NAT devices. However, when I go Start, Run,
 \\x.y.z.a\sharename (where x.y.z.a is the IP address-- not the FQDN-- of
 the machine), Windows vomits up this unhelpful message:
 
 
 --
 \\x.y.z.a\sharename
 The specified network name is no longer available.
 --
 
 See:
 
 http://jlb.twu.net/tmp/unhelpful.png
 
 Any ideas? The client machine runs Windows 2000 Pro.
 
 --
 J. L. Blank, Systems Administrator, twu.net
 
 

 --
 --
 Paul GiengerOffice: 701-281-1884
 Applied Engineering Inc.
 Systems Architect   Fax:701-281-1322
 URL: www.ae-solutions.com   mailto: [EMAIL PROTECTED]




--
J. L. Blank, Systems Administrator, twu.net


Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-09 Thread Aaron J. Zirbes
JLB wrote:
 I've already set up zero-install Web-based telnet, zero-install Web-based
 MP3 players... I even concocted a zero-install CygWin workalike and
 keep it on my keychain USB drive... now I need a zero-install way to
 access my files via Windows machines. And that means SMB. NOT OpenVPN,
 OpenSSH, OpenVMS or any other Open.
WinSCP is a MUCH better way to go for this type of thing.  ...And it can 
be zero-install.

FYI, this will need to connect to an SSH server, and if you're running 
OpenBSD... (one of the Opens... hehe) it will probably be via 
OpenSSH... (another Open)

b.t.w., I'm also curious why you threw that OpenVMS in there with 
OpenSSH and OpenVPN? OpenVMS is an operating system typically run on 
Digital hardware.

P.S.  If you don't want any Open software, may I ask why you are 
running OpenBSD?

--
Aaron Zirbes
Systems Administrator
Environmental Health Sciences
University of Minnesota
JLB wrote:
On Wed, 9 Feb 2005, Paul Gienger wrote:

Date: Wed, 09 Feb 2005 08:54:57 -0600
From: Paul Gienger [EMAIL PROTECTED]
To: JLB [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Subject: Re: [Samba] Firewall piercing - The Specified network name is no
   longer available.

I'm trying to set up one of my Unix machines at home so I can access my
stuff there via SMB from the Internet at large (read: from Windows-using
clients).

Are you saying that you're trying to allow access from 'random internet
user' (which is probably you) directly to your samba machine?   You will
have problems with this if it is what you're doing.
1. because you may have a default filter on your firewalls that block it
from traversing, although I think most sane manufacturers took this rule
off now

I already poked and prodded at all such filters. They seem off now.

2. because your ISP probably blocks/filters those ports.

They don't.

3. because it's a Bad Thing (TM)(R)(C)

The chance of any random joker stumbling upon a dynamically allocated IP
and h4x0ring into a password-protected share on a SPARC64 machine running
OpenBSD with a recent version of Samba is 
slim.

Spend a little time and set up a vpn endpoint on your box and just
forward the necessary ports over, I think openvpn is 5000.  You'll be
much happier, sane, and protected as such.

And I will make use of this on client machines with strict "Thou Shalt Not
Install any Unauthorized Software" policies... how?
I've already set up zero-install Web-based telnet, zero-install Web-based
MP3 players... I even concocted a zero-install CygWin workalike and
keep it on my keychain USB drive... now I need a zero-install way to
access my files via Windows machines. And that means SMB. NOT OpenVPN,
OpenSSH, OpenVMS or any other Open.

I'm behind two NATting devices-- the lame-p Prestige DSL modem provided by
Sprint DSL (a.k.a. Earthlink?) and a more typical home DSL/cable gateway
device.
I've poked holes in BOTH of these devices on ports 137, 138, 139 AND 445.
Only port 139 actually responds to TCP connections (well, only port 139
accepts a telnet, even from localhost).
See:
--
-bash-2.05b# telnet localhost 137
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
-bash-2.05b# telnet localhost 138
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
-bash-2.05b# telnet localhost 139
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^]
telnet close
Connection closed.
-bash-2.05b# telnet localhost 445
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
--
It should go without saying that this machine's Samba shares work
PERFECTLY WELL within the LAN. ;)
Now, from the outside, I can telnet to port 139 on the machine just fine,
through both NAT devices. However, when I go Start, Run,
\\x.y.z.a\sharename (where x.y.z.a is the IP address-- not the FQDN-- of
the machine), Windows vomits up this unhelpful message:
--
\\x.y.z.a\sharename
The specified network name is no longer available.
--
See:
http://jlb.twu.net/tmp/unhelpful.png
Any ideas? The client machine runs Windows 2000 Pro.
--
J. L. Blank, Systems Administrator, twu.net

--
--
Paul GiengerOffice: 701-281-1884
Applied Engineering Inc.
Systems Architect   Fax:701-281-1322
URL: www.ae-solutions.com   mailto: [EMAIL PROTECTED]


--
J. L. Blank, Systems Administrator, twu.net
--
Aaron Zirbes
Systems Administrator
Environmental Health Sciences
University of Minnesota
[EMAIL PROTECTED]
612-625-3460

Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-09 Thread JLB
On Wed, 9 Feb 2005, Aaron J. Zirbes wrote:

 Date: Wed, 09 Feb 2005 09:16:46 -0600
 From: Aaron J. Zirbes [EMAIL PROTECTED]
 To: JLB [EMAIL PROTECTED]
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] Firewall piercing - The Specified network name is no
 longer available.

 JLB wrote:
   I've already set up zero-install Web-based telnet, zero-install Web-based
   MP3 players... I even concocted a zero-install CygWin workalike and
   keep it on my keychain USB drive... now I need a zero-install way to
   access my files via Windows machines. And that means SMB. NOT OpenVPN,
   OpenSSH, OpenVMS or any other Open.


 WinSCP is a MUCH better way to go for this type of thing.  ...And it can
 be zero-install.

 FYI, this will need to connect to an SSH server,

...I know what WinSCP is, and I certainly know how it works ;)

 and if you're running
 OpenBSD... (one of the Opens... hehe) it will probably be via
 OpenSSH... (another Open)

 b.t.w., I'm also curious why you threw that OpenVMS in there with
 OpenSSH and OpenVPN? OpenVMS is an operating system typically run on
 Digital hardware.

Just because it began with Open and ended in a three-letter acronym. Had
I been able to think of another, fourth such word, I would have tossed it
in as well ;)


 P.S.  If you don't want any Open software, may I ask why you are
 running OpenBSD?

It was merely a play on words.
I happen to LIKE the Open software.
However, typical Windows-running people (who get skittish enough when you
simply open a command prompt window, thinking you're hacking) make my
job more difficult by creating a situation in which things go much more
smoothly when I don't have to install ANYTHING, much less some open-source
software that'll creep them out.

(N.b. in some situations, installing open-source/free software on Windows
boxes run by F/OSS-phobic Windows types makes a lot more sense than NOT
doing so... e.g. I am about to half-heartedly start a project for people
to install FireFox on Windows users' computers, sometimes without their
knowledge, but that's due to the impact of spambot-infested Windows boxes
on the Internet at large, and the global impact of productivity lost to
the slowdowns caused by spyware)



 --
 Aaron Zirbes
 Systems Administrator
 Environmental Health Sciences
 University of Minnesota


 JLB wrote:
  On Wed, 9 Feb 2005, Paul Gienger wrote:
 
 
 Date: Wed, 09 Feb 2005 08:54:57 -0600
 From: Paul Gienger [EMAIL PROTECTED]
 To: JLB [EMAIL PROTECTED]
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] Firewall piercing - The Specified network name is no
 longer available.
 
 
 
 I'm trying to set up one of my Unix machines at home so I can access my
 stuff there via SMB from the Internet at large (read: from Windows-using
 clients).
 
 
 
 Are you saying that you're trying to allow access from 'random internet
 user' (which is probably you) directly to your samba machine?   You will
 have problems with this if it is what you're doing.
 
 1. because you may have a default filter on your firewalls that block it
 from traversing, although I think most sane manufacturers took this rule
 off now
 
 
  I already poked and prodded at all such filters. They seem off now.
 
 
 2. because your ISP probably blocks/filters those ports.
 
 
  They don't.
 
 
 3. because it's a Bad Thing (TM)(R)(C)
 
 
  The chance of any random joker stumbling upon a dynamically allocated IP
  and h4x0ring into a password-protected share on a SPARC64 machine running
  OpenBSD with a recent version of Samba is 
 
  slim.
 
 
 Spend a little time and set up a vpn endpoint on your box and just
 forward the necessary ports over, i think openvpn is 5000.  You'll be
 much happier, sane, and protected as such.
 
 
  And I will make use of this on client machines with strict Thou Shalt Not
  Install any Unauthorized Software policies... how?
 
  I've already set up zero-install Web-based telnet, zero-install Web-based
  MP3 players... I even concocted a zero-install CygWin workalike and
  keep it on my keychain USB drive... now I need a zero-install way to
  access my files via Windows machines. And that means SMB. NOT OpenVPN,
  OpenSSH, OpenVMS or any other Open.
 
 
 I'm behind two NATting devices-- the lame-p Prestige DSL modem provided by
 Sprint DSL (a.k.a. Earthlink?) and a more typical home DSL/cable gateway
 device.
 
 I've poked holes in BOTH of these devices on ports 137, 138, 139 AND 445.
 Only port 139 actually responds to TCP connections (well, only port 139
 accepts a telnet, even from localhost).
 
 See:
 
 --
 -bash-2.05b# telnet localhost 137
 Trying ::1...
 telnet: connect to address ::1: Connection refused
 Trying 127.0.0.1...
 telnet: connect to address 127.0.0.1: Connection refused
 -bash-2.05b# telnet localhost 138
 Trying ::1...
 telnet: connect to address ::1: Connection refused
 Trying 127.0.0.1...
 telnet: connect to address 127.0.0.1: Connection

OT: Re: [Samba] Firewall piercing (nitpicky correction)

2005-02-09 Thread JLB
On Wed, 9 Feb 2005, JLB wrote:

  JLB wrote:
I've already set up zero-install Web-based telnet, zero-install Web-based

Err, actually, zero-install Web-based **SSH**.


--
J. L. Blank, Systems Administrator, twu.net


Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-09 Thread JLB
So am I correct in assuming nobody has any further suggestions?
Is there at least a way to get the damned thing to LOG PROPERLY?

Is there a way to talk raw SMB by telnetting into the port and typing,
like how one can speak raw SMTP by telnetting to port 25? I need a way
of diagnosing the problem.

Is there a simple Perl script out somewhere that simply attempts to
connect to a SMB/CIFS share and returns detailed information
on what's going on? E.g.:

 Trying to connect to 1.2.3.4 on port 139...
 SUCCESS

 Trying to query list of shares...
 SUCCESS

 Trying to connect to share FOO...
 FAILED; error code returned is 862 (Bad Foo or Bar)

I need a way to DIAGNOSE this problem.


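The step-by-step transcript JLB asks for above, as an added example that is not part of the thread: it performs the first two steps such a script would take, a TCP connect to port 139 followed by the RFC 1002 NetBIOS session request for the generic called name *SMBSERVER, which every SMB-over-NetBIOS client sends before it can ask for a share list, and reports the server's verdict. The host, the calling name PROBE and the loopback test double are assumptions; a negative response with a reason code means the server is reachable but refuses the session, something a bare telnet to port 139 cannot distinguish from success.

```python
"""Probe a Samba host at the NetBIOS session layer (RFC 1001/1002, TCP 139)."""
import socket
import struct
import threading

NBSS_SESSION_REQUEST, NBSS_POSITIVE, NBSS_NEGATIVE, NBSS_RETARGET = 0x81, 0x82, 0x83, 0x84
# Reason codes carried in the one-byte trailer of a negative session response.
NEGATIVE_REASONS = {
    0x80: "not listening on called name",
    0x81: "not listening for calling name",
    0x82: "called name not present",
    0x83: "insufficient resources",
    0x8F: "unspecified error",
}


def encode_netbios_name(name, suffix=0x20):
    """First-level encoding: pad to 15 bytes, append the suffix byte (0x20 =
    server service), then write each byte as two nibbles offset from 'A'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def build_session_request(called, calling):
    """4-byte NBSS header plus two second-level names: a length byte (0x20),
    the 32 encoded characters and a terminating 0x00 each."""
    def second_level(name, suffix):
        enc = encode_netbios_name(name, suffix).encode("ascii")
        return bytes([len(enc)]) + enc + b"\x00"
    body = second_level(called, 0x20) + second_level(calling, 0x00)
    return struct.pack("!BBH", NBSS_SESSION_REQUEST, 0, len(body)) + body


def parse_session_response(data):
    """Classify the server's answer; returns (verdict, detail)."""
    if len(data) < 4:
        return "no reply", "connection closed after %d byte(s)" % len(data)
    msg_type, _flags, length = struct.unpack("!BBH", data[:4])
    trailer = data[4:4 + length]
    if msg_type == NBSS_POSITIVE:
        return "positive", "session established, SMB negotiation may begin"
    if msg_type == NBSS_NEGATIVE:
        code = trailer[0] if trailer else None
        return "negative", NEGATIVE_REASONS.get(code, "unknown reason code %r" % (code,))
    if msg_type == NBSS_RETARGET and len(trailer) >= 6:
        ip, port = socket.inet_ntoa(trailer[:4]), struct.unpack("!H", trailer[4:6])[0]
        return "retarget", "server redirects to %s:%d" % (ip, port)
    return "unexpected", "message type 0x%02x" % msg_type


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:          # peer closed early: return what we have
            break
        buf += chunk
    return buf


def probe(host, port=139, called="*SMBSERVER", calling="PROBE", timeout=5.0):
    """Step-by-step check in the style asked for above: TCP connect, then a
    session request for the generic called name.  Returns (step, result) pairs."""
    steps, connect = [], "connect to %s:%d" % (host, port)
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            steps.append((connect, "SUCCESS"))
            s.sendall(build_session_request(called, calling))
            reply = _recv_exact(s, 4)
            if len(reply) == 4:   # fetch the trailer the header announces
                reply += _recv_exact(s, struct.unpack("!H", reply[2:4])[0])
            verdict, detail = parse_session_response(reply)
            steps.append(("session request for called name %s" % called,
                          "%s (%s)" % (verdict.upper(), detail)))
    except OSError as exc:        # refused, filtered (timeout), unreachable
        steps.append((connect, "FAILED (%s)" % exc))
    return steps


def serve_once(response):
    """Throwaway loopback listener standing in for the Samba host (test
    double, constructed here): answers the first request with `response`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def handle():
        conn, _ = srv.accept()
        with srv, conn:
            conn.recv(1024)       # consume the 72-byte session request
            conn.sendall(response)

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed demo: a server that rejects *SMBSERVER with "called name not present".
    for step, result in probe("127.0.0.1", port=serve_once(b"\x83\x00\x00\x01\x82")):
        print("Trying %s... %s" % (step, result))
```

Against a real host, a FAILED connect with a timeout points at filtering somewhere on the path, while a NEGATIVE verdict shows the NetBIOS session layer itself is reachable and the fault lies in the name or in the server's configuration.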
Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-09 Thread JLB
On Wed, 9 Feb 2005, Jörn Nettingsmeier wrote:

  The chance of any random joker stumbling upon a dynamically allocated IP
  and h4x0ring into a password-protected share on a SPARC64 machine running
  OpenBSD with a recent version of Samba is 
 
  slim.

 maybe, but this is such an abysmal solution that you should just forget
 about it. how can somebody both geeky and security-conscious enough to
 run openbsd on a 64bit sparc even consider letting smb traffic out on
 the internet 

Because I don't keep anything private on the share I'd be allowing out?
Because I won't be flinging around private files even if I did have the
private files there (and the filenames themselves contain nothing
incriminating, even among my personal stuff)?
Because the chance of someone sitting there with a packet sniffer between
Joe Windows-using Client and my home box, watching for my personal shite
is VERY slim?
Because, as noted earlier, the chance of someone 0wning my SPARC64/OpenBSD
box, with its recent version of Samba, REGARDLESS of how many SMB ports I
open, is quite slim?

Because the convenience I would gain (i.e. being able to access
work-related files, MP3s, etc. without circumventing or bending ANY
corporate thou shalt not install anything policies) would outweigh any
minuscule risks?


 Spend a little time and set up a vpn endpoint on your box and just
 forward the necessary ports over, i think openvpn is 5000.  You'll be
 much happier, sane, and protected as such.
 
 
  And I will make use of this on client machines with strict Thou Shalt Not
  Install any Unauthorized Software policies... how?

 wait. you have such a restrictive security policy (which you are
 obviously willing to respect), and at the same time you want to bypass
 the most basic security precautions by tunnelling the living shit out of
 the firewall and having unprotected smb over the internet?
 sorry, but this does not make sense at all.

You're confusing the sides of the firewall.
The restrictive security policies are on the side of the clients I work
for. THEIR firewalls are often quite restrictive.

The other side of the equation is my box at home, which has no such
policy.


  I've already set up zero-install Web-based telnet, zero-install Web-based
  MP3 players... I even concocted a zero-install CygWin workalike and
  keep it on my keychain USB drive...

 just keep putty and winscp on your keychain as well.

Why do that, and leave suspicious entries in the run history, when you can
do it right in the browser?


  now I need a zero-install way to
  access my files via Windows machines. And that means SMB. NOT OpenVPN,
  OpenSSH, OpenVMS or any other Open.

 talk to the guy who enforces the security policy at your site. this
 should be worked out in a sane fashion, and your network admin will
 benefit as well by not having to cope with rogue tunnels and other weird stuff.

I temp. I'm often at a client for one or two days. Not enough time to gain
a rapport with the network person (who is often an idiot MCSE-type), much
less to actually get him/her to work around the policy.


 i mean, you are a sysadmin too. if you say no to something on your
 networks, you want that to mean no, don't you?


I don't generally say no, except where it's something possibly
incriminating.

 i have a policy here that people can use tunnels if they must, but i
 require *notification* and want to give the users a quick run-down on
 what not to do (anybody seen those funny ssh tunnels on port 25 with the
 open-to-the-world switch on ? great fun indeed. oh, i thought it's ok
 since everything is encrypted, right?)





--
J. L. Blank, Systems Administrator, twu.net


Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-09 Thread Paul Gienger

You're confusing the sides of the firewall.
The restrictive security policies are on the side of the clients I work
for. THEIR firewalls are often quite restrictive.
 

Ok, I've almost responded at least a couple times, but this is getting
ludicrous now.  If they're restrictive on their side, then how the hell
do you plan on getting out with your traffic???

Besides that, I'd be really surprised if this connection would work at 
all with the sheer number of different networks you'd be crossing, any 
number of which are filtering for smb ported traffic.  Most consumer 
grade ISPs filter for all these ports, the one you run your mail server 
on seems to, or at least your server is filtered.  Our firewalls will 
allow just about anything out, but not smb because it's just wrong.  I 
believe some of these ports talk back to you also, at least 445, so 
you're probably not going to get back with the corresponding channel, 
much like non-passive ftp.

The other side of the equation is my box at home, which has no such
policy.
 

Who is your ISP? I'd love a no-rules account with them.
I even concocted a zero-install CygWin workalike and
keep it on my keychain USB drive...
 

Do you have nmap? try and portscan your home box and see if you get the 
ports... it will tell you if you're getting filtered or not.  I'm 
guessing this is the case

--
--
Paul Gienger                Office: 701-281-1884
Applied Engineering Inc.
Systems Architect           Fax:    701-281-1322
URL: www.ae-solutions.com   mailto: [EMAIL PROTECTED]



Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-09 Thread JLB
On Wed, 9 Feb 2005, Paul Gienger wrote:

 You're confusing the sides of the firewall.
 The restrictive security policies are on the side of the clients I work
 for. THEIR firewalls are often quite restrictive.
 
 
 Ok, I've almost responded at least a couple times, but this is getting
 ludicrous now.  If they're restrictive on their side, then how the hell
 do you plan on getting out with your traffic???

Why would they restrict OUTGOING SMB/CIFS traffic?


 Besides that, I'd be really surprised if this connection would work at
 all with the sheer number of different networks you'd be crossing, any
 number of which are filtering for smb ported traffic.  Most consumer
 grade ISPs filter for all these ports, the one you run your mail server
 on seems to, or at least your server is filtered.  Our firewalls will
 allow just about anything out, but not smb because it's just wrong.  I
 believe some of these ports talk back to you also, at least 445, so
 you're probably not going to get back with the corresponding channel,
 much like non-passive ftp.

 The other side of the equation is my box at home, which has no such
 policy.
 
 
 Who is your ISP? I'd love a no-rules account with them.


I mean they don't seem to filter things, or at least not that I've found.

 I even concocted a zero-install CygWin workalike and
 keep it on my keychain USB drive...
 
 
 Do you have nmap? try and portscan your home box and see if you get the
 ports... it will tell you if you're getting filtered or not.  I'm
 guessing this is the case


[EMAIL PROTECTED] bar]# nmap baz.fnord.net -sT

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on x.big-isp.net (x.y.z.a):
(The 1593 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     filtered    telnet
25/tcp     open        smtp
80/tcp     open        http
139/tcp    open        netbios-ssn
443/tcp    open        https
8080/tcp   open        http-proxy

Nmap run completed -- 1 IP address (1 host up) scanned in 16 seconds
[EMAIL PROTECTED] bar]#

Does that answer your question?


 --
 --
 Paul Gienger                Office: 701-281-1884
 Applied Engineering Inc.
 Systems Architect           Fax:    701-281-1322
 URL: www.ae-solutions.com   mailto: [EMAIL PROTECTED]




--
J. L. Blank, Systems Administrator, twu.net


RE: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-09 Thread Frank Hamersley
-Original Message-
From: [EMAIL PROTECTED]
Sent: Thursday, 10 February 2005 9:27 AM
To: Paul Gienger
Cc: samba@lists.samba.org
Subject: Re: [Samba] Firewall piercing - The Specified network name is
nolonger available.

 On Wed, 9 Feb 2005, Paul Gienger wrote:

  You're confusing the sides of the firewall.
  The restrictive security policies are on the side of the clients I work
  for. THEIR firewalls are often quite restrictive.
  
  
  Ok, I've almost responded at least a couple times, but this is getting
  ludicrious now.  If they're restrictive on their side, then how the hell
  do you plan on getting out with your traffic???

 Why would they restrict OUTGOING SMB/CIFS traffic?

At a minimum to prevent saturation of the outbound link with pointless SMB
broadcast packets, but much more importantly to avoid having some lowlife
enumerate the internal system names etc. by taking apart the packets.

Only a certifiable looney would jack a real windows LAN directly into the
net!

Cheers, Frank.




Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-09 Thread Ilia Chipitsine
you can setup PPTP/VPN server and this eliminates need of using NAT.
 Hi all.
 I'm trying to set up one of my Unix machines at home so I can access my
 stuff there via SMB from the Internet at large (read: from Windows-using
 clients').
 I'm behind two NATting devices-- the lame-p Prestige DSL modem provided by
 Sprint DSL (a.k.a. Earthlink?) and a more typical home DSL/cable gateway
 device.
 I've poked holes in BOTH of these devices on ports 137, 138, 139 AND 445.
 Only port 139 actually responds to TCP connections (well, only port 139
 accepts a telnet, even from localhost).
 See:
 --
 -bash-2.05b# telnet localhost 137
 Trying ::1...
 telnet: connect to address ::1: Connection refused
 Trying 127.0.0.1...
 telnet: connect to address 127.0.0.1: Connection refused
 -bash-2.05b# telnet localhost 138
 Trying ::1...
 telnet: connect to address ::1: Connection refused
 Trying 127.0.0.1...
 telnet: connect to address 127.0.0.1: Connection refused
 -bash-2.05b# telnet localhost 139
 Trying ::1...
 telnet: connect to address ::1: Connection refused
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 ^]
 telnet close
 Connection closed.
 -bash-2.05b# telnet localhost 445
 Trying ::1...
 telnet: connect to address ::1: Connection refused
 Trying 127.0.0.1...
 telnet: connect to address 127.0.0.1: Connection refused
 --
 It should go without saying that this machine's Samba shares work
 PERFECTLY WELL within the LAN. ;)
 Now, from the outside, I can telnet to port 139 on the machine just fine,
 through both NAT devices. However, when I go Start, Run,
 \\x.y.z.a\sharename (where x.y.z.a is the IP address-- not the FQDN-- of
 the machine), Windows vomits up this unhelpful message:
 --
 \\x.y.z.a\sharename
 The specified network name is no longer available.
 --
 See:
 http://jlb.twu.net/tmp/unhelpful.png
 Any ideas? The client machine runs Windows 2000 Pro.
 --
 J. L. Blank, Systems Administrator, twu.net


Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-09 Thread JLB
Please read my points on this sort of solution in the past. The whole
REASON I want to use Plain Vanilla SMB is so I can walk up to ANY Windoze
machine on the entire flippin' Internet and go:

Start
Run
\\IP_ADDRESS\sharename
(username)
(password)

POOF.

If I have to install anything, the whole point is moot.

On Thu, 10 Feb 2005, Ilia Chipitsine wrote:

 Date: Thu, 10 Feb 2005 09:58:32 +0500 (YEKT)
 From: Ilia Chipitsine [EMAIL PROTECTED]
 To: JLB [EMAIL PROTECTED]
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] Firewall piercing - The Specified network name is no
 longer available.

 you can setup PPTP/VPN server and this eliminates need of using NAT.


--
J. L. Blank, Systems Administrator, twu.net


Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-09 Thread Craig White
On Thu, 2005-02-10 at 00:11 -0500, JLB wrote:
 Please read my points on this sort of solution in the past. The whole
 REASON I want to use Plain Vanilla SMB is so I can walk up to ANY Windoze
 machine on the entire flippin' Internet and go:
 
 Start
 Run
 \\IP_ADDRESS\sharename
 (username)
 (password)
 
 POOF.

and if you do that - someone else will 'poof' that machine before you
can do it

 
 If I have to install anything, the whole point is moot.
 

seems like an idea that was DOA - moot is probably beside the point

Craig



Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-09 Thread Ilia Chipitsine
pptp/vpn client is included in windows distribution as well.
client is pretty well tested and works reasonably well since win95osr2.
so, it is already installed on ANY Windoze :-)


Re: [Samba] Firewall piercing - The Specified network name is no longer available.

2005-02-09 Thread Ilia Chipitsine
pptp/vpn is NOT the opposite of plain vanilla smb, it just allows You to
maintain regular IP transport without NAT. and You can run your plain
vanilla SMB over that protocol.



[Samba] Firewall Blocking PDC

2004-11-10 Thread uncopy ablecat
Hi I'm currently running Samba 3.0.7 on Fedora C2.
I just installed APF firewall. I've configured all the ports so that ports 
137, 138, 139 and 445 are open but I am having problems with the network. 
When I go to network neighbourhood and open the domain it only shows the PDC 
and no other machines on the network. I can login to accounts that are on 
the PDC though.

Have I missed some ports or something from APF's configuration that would be 
blocking Samba?

Thanks in advance
~Über~


[Samba] Firewall IPtables to use the SAMBA server

2004-02-07 Thread Eric Nist
Hi,

This question is about how to set up the firewall iptables in
sysconfig.  I have my firewall set to high and have no luck connecting
to the SAMBA server (a low firewall works fine).  I feel this is because
the port is being blocked.  I used Lokkit to generate the iptables and
set the level to high.  I also found on the SAMBA site what ports are
used; unfortunately I don't know what to add to the iptables file.

Suggestions?

Eric



Re: [Samba] Firewall transparency?

2004-01-25 Thread Gémes Géza
Anders Norrbring wrote:
| Hi!
|
| I was thinking, is there a way to use a linux box with Samba running
in the
| DMZ of a firewall and to validate logons from the internal network?
|
| I.e. the users workstations are on the protected net on 192.168.111.xx and
| the Samba PDC resides in the DMZ, running subnet 192.168.222.xx.  If it's
| possible, what ports need to be open?
|
| Anders Norrbring
|
|
Something a little bit more secure, IMHO would be:
| Internet | --- | Firewall |--| DMZ |
                      |            /
                      |           /
                      |          /
                      |         /  NMB traffic
                      |        /   SMB traffic
                      |       /    CIFS traffic
                      |      /
                      |     /
                      |    /
                   | LAN |/
On the DMZ network, in smb.conf allow only your LAN to access the
servers. Make sure you have forwarding between interfaces disabled on them.
Regards,

Geza


[Samba] Firewall transparency?

2004-01-24 Thread Anders Norrbring

Hi!

I was thinking, is there a way to use a linux box with Samba running in the
DMZ of a firewall and to validate logons from the internal network?

I.e. the users workstations are on the protected net on 192.168.111.xx and
the Samba PDC resides in the DMZ, running subnet 192.168.222.xx.  If it's
possible, what ports need to be open?

Anders Norrbring




RE: [Samba] Firewall & samba

2003-06-09 Thread Allison Cooney
Thanks Tori,

I have opened those ports on the firewall and created a rule to use those
ports on the specific server.  I also made the relevant entries in the
lmhosts file.   I can ping the server and use ftp.

Should I be able to use the net use command under Windows, i.e. net use r:
\\10.10.10.10\homes? I have tried but it does not recognize my server.


Allison Cooney
Systems Administrator
Tel: Office: 01 - 6799933
   Direct: 01 - 6752213
   Mobile: 087 - 2365032




This e-mail transmission may contain confidential information that is
intended for the individual or entity named on the e-mail address. If you
are not the intended recipient, please reply to the sender  so that Quest
Computing Ltd can arrange for the proper delivery, and then please delete
the message from your inbox.
 
If you have received this e-mail in error, you are hereby notified that any
disclosure, copying, distribution, or reliance upon the contents of this
e-mail is strictly prohibited.



[Samba] Firewall & samba

2003-06-06 Thread Allison Cooney
Hi

Just wondering if anyone could help regarding the following.  I have a
number of Linux servers within an NT domain and I can access all of them.
But I have a linux server behind our (raptor) firewall - samba has been
configured on it and appears to be running.  What I want to know is how do I
access it from the NT domain.  I know I will have to make some changes on
the firewall - but how do I get to see it through the NT domain.  I can ping
the server.
Any one got any suggestions?


Allison Cooney
Tel: Office: 01 - 6799933
   Direct: 01 - 6752213
   Mobile: 087 - 2365032






RE: [Samba] Firewall & samba

2003-06-06 Thread Greg Hirsch

Unless I'm forgetting something, you should just need to open up your firewall for UDP 
on ports 135, 137, and 138, and TCP on ports 135, 139, and 445.  That might even be 
overkill for your setup - you might not need 445 open.

Greg Hirsch
Product Support/IT Specialist
LOGICARE Corporation
(800) 848-0099



Re: [Samba] Firewall & samba

2003-06-06 Thread Tori Williamson
Well... it depends upon how you want your machines to see each other. Greg is
close. But you don't need 135 UDP or TCP 445. TCP 137 & 138 need to be
opened to allow the machines on the other side through.

But make sure that you ONLY open those ports for the machine to machine
traffic. And write a rule AFTER that rule that prevents any further traffic
on those ports.

.t



[Samba] firewall continued

2002-11-04 Thread Richard Fox

I have been following the recent firewall thread with interest. I am trying
to get nmblookup and findsmb to work too. Samba shares are visible from the
Windows client and server, but nmblookup '*' only lists the local machine. I
determined from the 'firewall' thread that my firewall could be the
problem, and turned it off. Sure enough, all the machines in my domain
showed up when I ran nmblookup '*' or findsmb. So there is something going
on in my firewall chains.

Here is my ipchains setup.

Chain input (policy ACCEPT):
target  prot opt  source           destination   ports
ACCEPT  all  --   anywhere         anywhere      n/a
ACCEPT  tcp  -y   anywhere         anywhere      any -> smtp
ACCEPT  tcp  -y   anywhere         anywhere      any -> http
ACCEPT  tcp  -y   anywhere         anywhere      any -> ftp
ACCEPT  tcp  -y   anywhere         anywhere      any -> ssh
ACCEPT  tcp  --   192.168.0.0/24   anywhere      any -> netbios-ssn
ACCEPT  udp  --   192.168.0.0/24   anywhere      any -> netbios-ns:netbios-ssn
ACCEPT  udp  --   dns1.net         anywhere      domain -> any
ACCEPT  udp  --   ns1.mydns.com    anywhere      domain -> any
ACCEPT  udp  --   ns2.mydns.com    anywhere      domain -> any
REJECT  tcp  -y   anywhere         anywhere      any -> any
REJECT  udp  --   anywhere         anywhere      any -> any
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):

Please note that by default all output packets are accepted.

If I change input rule 7 (the first udp rule) to allow all udp packets,

ACCEPT  udp  --   192.168.0.0/24   anywhere      any -> any

my findsmb lists all the machines in my domain. If I restrict this rule to
allow only packets to ports 137:139,

ACCEPT  udp  --   192.168.0.0/24   anywhere      any -> netbios-ns:netbios-ssn

only the local machine is listed by findsmb (or nmblookup) even though
tcpdump shows udp packets coming in from all machines (to 137). So these
packets are being rejected. This is very puzzling to me because the rule
specifically allows 137:139. If I modify the rule again to allow packets
addressed to 1024: (1024 and above) only, findsmb will list all machines
EXCEPT the local machine.. and very slowly. Here tcpdump shows heavy
traffic.

My question to a samba guru: exactly what ports do I need to accept udp
packets on for samba to be fully functional? It seems that a broadcast
to 192.168.0.255 137 (netbios-ns) is responded to on ports other
than 137:139, and that if 137:139 are the only ports whose packets are
accepted, findsmb will not work.

Thanks. By looking through the archives I can see this is a recurring
problem, but solutions are elusive. Maybe people get their network up and
simply do not post their solution, I don't know. But, please, Mr. guru,
help!





- Original Message -
From: Ulrich Kohlhase [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, November 03, 2002 11:25 AM
Subject: [Samba] RE: firewall


 Justin,

  -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 --syn -j ACCEPT
  -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
  -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 138 -j ACCEPT

 Did you specify OUTPUT rules also? You may want to try the following
 lines taken from a working server config. keep_state is a special
 chain for stateful inspection and logging purposes:

 -A INPUT   -p tcp -s 192.168.1.0/24 --sport 1024: --dport 137:139 -j ACCEPT
 -A OUTPUT  -p tcp -d 192.168.1.0/24 --sport 137:139 --dport 1024: -j keep_state
 -A OUTPUT  -p tcp -d 192.168.1.0/24 --sport 1024: --dport 137:139 -j ACCEPT
 -A INPUT   -p tcp -s 192.168.1.0/24 --sport 137:139 --dport 1024: -j keep_state
 -A INPUT   -p udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
 -A OUTPUT  -p udp -d 192.168.1.0/24 --dport 137:139 -j ACCEPT

 -N keep_state
 -A keep_state -m state --state INVALID -j DROP
 -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
 # debug, info, notice, warning, err, crit, alert and emerg
 -A keep_state -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level notice --log-prefix "Packets dropped: "
 -A keep_state -j DROP





Re: [Samba] firewall

2002-11-03 Thread Hesham S. Ahmed
Try adding the following rule before the deny rules:

/sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

replace eth0 with your interface. This would let your
firewall accept any pre-established connections,
required for most cases where replies are sent to
random ports.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
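What Richard's ipchains rules and Justin's iptables-save output have in common can be seen by replaying them against the packets involved. The script below is an added example, not code from any message in this thread: it walks an INPUT chain first-match the way netfilter does, keeps a minimal connection-tracking table, and feeds it the traffic that nmblookup/findsmb and a share mount actually produce. The addresses, the ephemeral source port and the helper model are assumptions. The point it makes: a name query leaves from an ephemeral port to UDP/137 and the answer comes back from 137 to that ephemeral port, so a rule that only accepts --dport 137:139 never sees the answer and the trailing udp REJECT eats it, while a mount by IP survives because the SYN-ACK is not a pure SYN and the tcp REJECT only matches --syn. Hesham's ESTABLISHED,RELATED rule repairs the unicast case (nmblookup -B host). It does not repair the broadcast case that nmblookup '*' and findsmb rely on, because conntrack expects the reply to come from the broadcast address the query was sent to, not from whichever host answers; that is consistent with Justin's "no change" and with Richard's finding that only opening --dport 1024: made findsmb list other machines. The kernel's nf_conntrack_netbios_ns helper, written years after this thread, exists for exactly that case and classes such answers as RELATED; the model has a switch for it.

```python
import ipaddress
from dataclasses import dataclass

# Added example for this thread, not code posted by any participant. Hosts,
# the ephemeral port and the helper model below are assumptions.
LAN = ipaddress.ip_network("192.168.1.0/24")
BCAST = str(LAN.broadcast_address)
ME, PEER = "192.168.1.10", "192.168.1.20"   # assumed: firewalled host, Windows peer
EPHEMERAL = 40231                           # assumed: port nmblookup bound for its query


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for a pure SYN, which is all that --syn matches


class Conntrack:
    """Pairs a reply with its original only when the 5-tuple is the exact
    reverse, as the kernel does. netbios_helper=True mimics the kernel's
    nf_conntrack_netbios_ns: a unicast answer from any LAN host, source port
    137, to the port we broadcast a query from is classed RELATED."""

    def __init__(self, netbios_helper=False):
        self.flows, self.expect, self.netbios_helper = set(), set(), netbios_helper

    def outgoing(self, p):
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        if self.netbios_helper and p.proto == "udp" and p.dport == 137 and p.dst == BCAST:
            self.expect.add((p.src, p.sport))

    def state(self, p):
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ESTABLISHED"
        if (p.proto, p.sport) == ("udp", 137) and (p.dst, p.dport) in self.expect \
                and ipaddress.ip_address(p.src) in LAN:
            return "RELATED"
        return "NEW"


def rule(target, proto=None, src=None, sport=None, dport=None, syn=None, state=None):
    """One rule; sport/dport are inclusive (low, high) ranges, e.g. 137:139."""
    return dict(target=target, proto=proto, src=src, sport=sport, dport=dport, syn=syn, state=state)


def matches(r, p, ct):
    return (
        (r["proto"] is None or r["proto"] == p.proto)
        and (r["src"] is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(r["src"]))
        and (r["sport"] is None or r["sport"][0] <= p.sport <= r["sport"][1])
        and (r["dport"] is None or r["dport"][0] <= p.dport <= r["dport"][1])
        and (r["syn"] is None or r["syn"] == p.syn)
        and (r["state"] is None or ct.state(p) in r["state"])
    )


def walk_input(rules, p, ct, policy="ACCEPT"):
    """First matching rule decides; otherwise the chain policy applies."""
    return next((r["target"] for r in rules if matches(r, p, ct)), policy)


# Justin's INPUT chain as posted (his two DNS-server rules left out; they do
# not touch these packets): ssh, NetBIOS from the LAN, DHCP, then the rejects.
JUSTIN = [
    rule("ACCEPT", proto="tcp", dport=(22, 22), syn=True),
    rule("ACCEPT", proto="tcp", src="192.168.1.0/24", dport=(137, 139), syn=True),
    rule("ACCEPT", proto="udp", sport=(67, 68), dport=(67, 68)),
    rule("ACCEPT", proto="udp", src="192.168.1.0/24", dport=(137, 139)),
    rule("REJECT", proto="tcp", syn=True),
    rule("REJECT", proto="udp"),
]
# Hesham's fix: accept replies to flows we started, ahead of the rejects.
STATEFUL = [rule("ACCEPT", state=("ESTABLISHED", "RELATED"))] + JUSTIN
# Richard's workaround: any LAN UDP to an unprivileged port gets in.
HIGHPORTS = [rule("ACCEPT", proto="udp", src="192.168.1.0/24", dport=(1024, 65535))] + JUSTIN


def name_query_reply(rules, broadcast, netbios_helper=False):
    """nmblookup sends from an ephemeral port to UDP/137 (broadcast for '*',
    unicast for -B host); the peer answers from 137 back to that port.
    Returns the INPUT verdict on the answer."""
    ct = Conntrack(netbios_helper)
    ct.outgoing(Packet("udp", ME, EPHEMERAL, BCAST if broadcast else PEER, 137))
    return walk_input(rules, Packet("udp", PEER, 137, ME, EPHEMERAL), ct)


def smb_mount_synack(rules):
    """Mount by IP: our SYN to 139 leaves, the SYN-ACK comes back. A SYN-ACK
    is not a pure SYN, so neither --syn rule sees it and the policy applies."""
    ct = Conntrack()
    ct.outgoing(Packet("tcp", ME, 51000, PEER, 139, syn=True))
    return walk_input(rules, Packet("tcp", PEER, 139, ME, 51000), ct)


if __name__ == "__main__":
    print("SYN-ACK for a mount by IP, Justin's rules: ", smb_mount_synack(JUSTIN))
    print("unicast query answer, Justin's rules:      ", name_query_reply(JUSTIN, False))
    print("unicast query answer, state rule added:    ", name_query_reply(STATEFUL, False))
    print("broadcast query answer, state rule added:  ", name_query_reply(STATEFUL, True))
    print("broadcast query answer, netbios-ns helper: ", name_query_reply(STATEFUL, True, True))
    print("broadcast query answer, --dport 1024: rule:", name_query_reply(HIGHPORTS, True))
```

On a current kernel the helper is no longer attached automatically; assign it in the raw table (for example `iptables -t raw -A OUTPUT -p udp --dport 137 -j CT --helper netbios-ns`) and accept with `-m conntrack --ctstate ESTABLISHED,RELATED`. Richard's `--dport 1024:` rule also lets the answer through, but it admits any LAN UDP datagram to any unprivileged port, which is far wider than the name-service answers it was meant to allow.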



Re: [Samba] firewall

2002-11-03 Thread Justin Georgeson
Hrm, no change. :( Would that need the ip_conntrack module loaded? It
didn't have any change whether the module was loaded or not. Ultimately
this isn't too big a deal, I'll never be doing SMB over the internet,
and I don't have any multiple-subnet LANs anywhere, so I can just
disable the firewall when I need SMB.




--
Justin Georgeson
UnBound Technologies, Inc.
http://www.unboundtech.com
Main   713.329.9330
Fax713.460.4051
Mobile 512.789.1962

5295 Hollister Road
Houston, TX 77040
Real Applications using Real Wireless Intelligence(tm)




[Samba] firewall

2002-11-02 Thread Justin Georgeson
Ok, so I know from `netstat --ip -lnp` that the only ports smbd and nmbd
are using are TCP 139, and UDP 137 and 138. I find it a little odd
though that nmbd is bound to both 0.0.0.0 AND my primary interface. My
problem is that I can't access shares on a windows machine unless I turn
off my firewall. I'm using RH 8 and the 2.2.6-2 RPMs from the web page
(working fine so far, barring this firewall thing). I have these rules
added in iptables

-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 139 --syn -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 138 -j ACCEPT

tcpdump shows ports TCP 139 and UDP 137 being accessed when I run
findsmb. But nothing is listed when I do. If I turn off my firewall, the
other machine on the LAN, my windows box, is listed. What am I missing?




Re: [Samba] firewall

2002-11-02 Thread James Hubbard
This depends on how restrictive your firewall rules are but why don't 
you just use this:

-A INPUT -p udp -s 192.168.1.0/24 --dport 137:139 -i eth0 -j ACCEPT
-A INPUT -p tcp -s 192.168.1.0/24 --dport 137:139 -i eth0 -j ACCEPT

I'm not sure what the -m stands for.  You'll need to change eth0 to 
match your internal ethernet card.  Make sure you insert this before the 
reject rules.

James Hubbard




Re: [Samba] firewall

2002-11-02 Thread Justin Georgeson
No change, interestingly enough, iptables says --cport is unknown 
without -m, and I don't see mention of what -m does in the man page. I 
have version 1.2.6a-2 of iptables, packaged by RedHat. Looking at 
tcpdump, the netbios-ns reply packets from the server are being dropped 
by my firewall. Having discovered that, I've found that I can mount a 
file share by IP with my current rules. I just can't do netbios-ns or 
netbios-dgm. Here is the full results of iptables-save

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 137:139 --syn -j ACCEPT
-A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -j ACCEPT
-A INPUT -p udp -m udp -s 66.150.129.229 --sport 53 -d 0/0 -j ACCEPT
-A INPUT -p udp -m udp -s 24.219.4.35 --sport 53 -d 0/0 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 137:139 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --syn -j REJECT
-A INPUT -p udp -m udp -j REJECT
COMMIT

How can I allow the reply packets, since they're addressed to a randomly 
selected port?




Re: [Samba] Firewall rules

2002-10-10 Thread Frank Matthieß

On Thu, Oct 10, 2002 at 02:11:44PM +0200, Alexander Saers wrote:
 Hello
 
 Can anybody tell me what ports samba uses. I have a firewall and I want to
 open it up for some ip so that you can log on and share files from the
 outside. I have noticed that port 136-139 are for netbios

From 137 - 139 tcp and udp:

netbios-ns  137/tcp # NETBIOS Name Service
netbios-ns  137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp

Frank.
-- 
Frank Matthieß[EMAIL PROTECTED]




Re: [Samba] Firewall rules

2002-10-10 Thread Kaleb Pederson

Actually, that opens up more than is needed:

tcp port 139 (could be 445 instead if you set samba to that)
udp port 137
udp port 138

--Kaleb





[Samba] FireWall Effects on Samba (Newbie)

2002-10-06 Thread Alex Le Dain

Dear List,

I have been wrestling with getting Samba 2.2.5 on Redhat 7.1 working on a Windows NT 
network containing W2K, W98 and Mac machines. I can see the Samba server (gargoyle) 
from the Win machines fine, but cannot browse any shares (Network unreachable error 
message).  This seems a relatively common problem, but seems harder to resolve in my
case :-)

I have walked through the troubleshooting chapter and fail at a certain point. If I use
net view from the Win machines I see the server, but net view \\gargoyle fails, 
but should have listed the available shares. Interestingly from the linux side I can 
browse outwards and see shares on the Win machines and the NT server fine. I can see 
the samba shares fine from the linux side but nmblookup -B 192.168.1.253 gargoyle 
command returns a name query failed result (.253 is the NT server). Presumably then 
gargoyle is not announcing itself correctly?

BTW I have added the linux server to the NT's LMHOSTS file and to the Win machines 
LMHOSTS file and this helps with name resolution but not the share problem. I have 
added the users to the linux system and to the samba password file and just about
every other thing suggested in the troubleshooting chapter.

OR, is it to do with firewall configuration rejecting the packets at the lowest level? 
Given I am a Linux newbie, can someone provide a walkthrough of where I go to broaden 
my firewall (if this really is the problem)?

I am at a loss as to where to go (smb.conf is shown below). Unless I crack this and a 
netatalk installation I will be stuck with configuring a Mac server! Yuk! BTW the 
netatalk stuff doesn't work either, hence the firewall suspicion.

cheers, Alex

[global]
   smb passwd file = /etc/samba/smbpasswd
   remote announce = 192.168.1.253
   dns proxy = no 
   security = user
   encrypt passwords = yes
   workgroup = ICON
   server string = Samba Server %v
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   netbios name = GARGOYLE
   log file = /var/log/samba/log.%m
   load printers = yes
   wins support = no
   printcap name = /etc/printcap
   max log size = 50
   guest account = pcguest

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = yes
   writable = no
   printable = yes

[tmp]
   comment = Temporary file space
   path = /tmp
   read only = no
   public = yes

[public]
   path = /iconshare
   public = yes
   only guest = yes
   writable = yes
   printable = no

-- 
Alexander C. Le Dain, PhD
Manager of Programming
ICON Technologies Pty Ltd
www.icon-tech.com.au




--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
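The smb.conf side of two posts on this page can be checked mechanically: Géza's advice earlier (a DMZ-resident server should let only the LAN in) is implemented with hosts allow / hosts deny plus interfaces and bind interfaces only, and Alex's config directly above shows the other end, a server with no host restriction and two shares a guest can write to. The script below is an added example, not code from either post, and serves both passages. It parses smb.conf sections, judges the allow/deny lists the way Samba evaluates them (a host on hosts allow is admitted; with only hosts allow set, every other host is refused; with both lists set, a host on neither list is still admitted, which is why hosts deny = ALL belongs next to a hosts allow), and lists guest-writable shares. The DMZ configuration is constructed; its interface address is assumed; the LAN prefixes are the ones the posts mention.

```python
import ipaddress

# Added example for this thread, not code from any post. The DMZ config is
# constructed (its 192.168.222.5 address is assumed); the LAN prefixes are
# the ones the posts mention.

# Settings from Alex's posted smb.conf, trimmed to the lines the audit reads.
ALEX_CONF = """
[global]
   security = user
   workgroup = ICON
   netbios name = GARGOYLE
   guest account = pcguest
[homes]
   browseable = no
   writable = yes
[printers]
   path = /var/spool/samba
   guest ok = yes
   writable = no
   printable = yes
[tmp]
   path = /tmp
   read only = no
   public = yes
[public]
   path = /iconshare
   public = yes
   only guest = yes
   writable = yes
"""

# Constructed: the DMZ-resident server from Géza's sketch, LAN-only access.
DMZ_CONF = """
[global]
   security = user
   interfaces = 192.168.222.5/24
   bind interfaces only = yes
   hosts deny = ALL
   hosts allow = 192.168.111. 127.0.0.1
[homes]
   browseable = no
   writable = yes
"""


def parse_smb_conf(text):
    """section name -> {normalised key: value}; keys are case/space-insensitive,
    and a line starting with '#' or ';' is a comment."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def host_entry(entry):
    """hosts allow forms: a.b.c.d, a.b.c.d/bits, a.b.c.d/mask, or an 'a.b.c.' prefix."""
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False)
    if entry.endswith("."):
        octets = entry.rstrip(".").split(".")
        return ipaddress.ip_network(".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}")
    return ipaddress.ip_network(entry + "/32")


def access_findings(conf, lan):
    """Host-restriction findings for [global], following Samba's allow/deny rules."""
    g, out = conf.get("global", {}), []
    if not is_yes(g.get("bind interfaces only", "no")):
        out.append("bind interfaces only is off: smbd/nmbd listen on every address, not just 'interfaces'")
    allow, deny = g.get("hosts allow", "").split(), g.get("hosts deny", "").strip()
    if not allow:
        out.append("hosts allow is unset: any host that can reach the server may talk to Samba")
    elif deny and deny.upper() != "ALL":
        out.append("hosts deny is set but not ALL: a host on neither list is still admitted")
    for entry in allow:
        if entry.upper() == "ALL":
            out.append("hosts allow contains ALL")
            continue
        net = host_entry(entry)
        if not (net.subnet_of(lan) or net == ipaddress.ip_network("127.0.0.1/32")):
            out.append(f"hosts allow admits {entry}, outside the LAN {lan}")
    return out


def guest_writable_shares(conf):
    """Shares a guest (no password) can write to; print queues are skipped."""
    flagged = []
    for name, s in conf.items():
        if name == "global" or is_yes(s.get("printable", "no")):
            continue
        guest = is_yes(s.get("guest ok", s.get("public", "no")))
        writable = is_yes(s.get("writable", s.get("writeable", s.get("write ok", "no")))) \
            or s.get("read only", "yes").strip().lower() == "no"
        if guest and writable:
            flagged.append(name)
    return sorted(flagged)


def audit(text, lan):
    conf, lan = parse_smb_conf(text), ipaddress.ip_network(lan)
    return access_findings(conf, lan) + [f"share [{n}] is guest-writable" for n in guest_writable_shares(conf)]
```

Run `audit(open("/etc/samba/smb.conf").read(), "192.168.111.0/24")` on a real file and every returned line is one thing to fix; an empty list for the DMZ case means the server admits the LAN and loopback only. Géza's second point, forwarding disabled on the DMZ hosts, is a kernel setting (net.ipv4.ip_forward), not something smb.conf can express, so it is not covered here.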



Re: [Samba] FireWall Effects on Samba (Newbie)

2002-10-06 Thread Joel Hammer

I am fairly certain RH 7.1 out of the box blocks port 139.
You will have to learn how to open up your ports to let samba work. I don't
use RH anymore, but you may have either iptables or ipchains on your system.


Joel
