Package: firestarter
Version: 1.0.3-6
Severity: important
Tags: patch
Firestarter contains two options for blocking broadcasts:

- Preferences->Firewall->Advanced Options->Block broadcasts from external
- Preferences->Firewall->Advanced Options->Block broadcasts from internal network

Even with both options deselected, NetBIOS traffic will not flow properly. In particular, SMB/CIFS name lookups always fail.

This thread on the Ubuntu forums suggested a solution:
http://ubuntuforums.org/showthread.php?t=190542

I'm not sure whether the fact that iptables doesn't recognize UDP replies to a UDP broadcast as RELATED is a bug or not, but since it does not, one needs to allow NEW packets. The attached diff implements this change in /etc/firestarter/inbound/setup, and seems to allow NetBIOS browsing to work properly on my systems.

Whether or not this is an acceptable "out of the box" security stance, or whether more fine-grained solutions are possible, is a different matter. Nevertheless, it offers a solution for a widespread problem with Firestarter, so I hope it helps.
-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (700, 'unstable'), (600, 'stable'), (550, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages firestarter depends on:
ii  gconf2             2.22.0-1           GNOME configuration database syste
ii  gksu               2.0.0-5            graphical frontend to su
ii  iptables           1.4.0-4            administration tools for packet fi
ii  libart-2.0-2       2.3.20-2           Library of functions for 2D graphi
ii  libatk1.0-0        1.22.0-1           The ATK accessibility toolkit
ii  libbonobo2-0       2.22.0-1           Bonobo CORBA interfaces library
ii  libbonoboui2-0     2.22.0-1           The Bonobo UI library
ii  libc6              2.7-10             GNU C Library: Shared libraries
ii  libcairo2          1.6.4-1+b1         The Cairo 2D vector graphics libra
ii  libfontconfig1     2.5.0-2            generic font configuration library
ii  libfreetype6       2.3.5-1+b1         FreeType 2 font engine, shared lib
ii  libgconf2-4        2.22.0-1           GNOME configuration database syste
ii  libglade2-0        1:2.6.2-1          library to load .glade files at ru
ii  libglib2.0-0       2.16.3-2           The GLib library of C routines
ii  libgnome-keyring0  2.22.1-1           GNOME keyring services library
ii  libgnome2-0        2.20.1.1-1         The GNOME 2 library - runtime file
ii  libgnomecanvas2-0  2.20.1.1-1         A powerful object-oriented display
ii  libgnomeui-0       2.20.1.1-1         The GNOME 2 libraries (User Interf
ii  libgnomevfs2-0     1:2.22.0-2         GNOME Virtual File System (runtime
ii  libgtk2.0-0        2.12.9-3           The GTK+ graphical user interface
ii  libice6            2:1.0.4-1          X11 Inter-Client Exchange library
ii  liborbit2          1:2.14.12-0.1      libraries for ORBit2 - a CORBA ORB
ii  libpango1.0-0      1.20.2-2           Layout and rendering of internatio
ii  libpng12-0         1.2.27-1           PNG library - runtime
ii  libpopt0           1.10-3             lib for parsing cmdline parameters
ii  libsm6             2:1.0.3-1+b1       X11 Session Management library
ii  libx11-6           2:1.0.3-7          X11 client-side library
ii  libxcursor1        1:1.1.9-1          X cursor management library
ii  libxext6           2:1.0.4-1          X11 miscellaneous extension librar
ii  libxfixes3         1:4.0.3-2          X11 miscellaneous 'fixes' extensio
ii  libxi6             2:1.1.3-1          X11 Input extension library
ii  libxinerama1       2:1.0.3-1          X11 Xinerama extension library
ii  libxml2            2.6.32.dfsg-2      GNOME XML library
ii  libxrandr2         2:1.2.2-1          X11 RandR extension library
ii  libxrender1        1:0.9.4-1          X Rendering Extension client libra
ii  lsb-base           3.2-11             Linux Standard Base 3.2 init scrip
ii  zlib1g             1:1.2.3.3.dfsg-12  compression library - runtime

firestarter recommends no packages.

-- no debconf information
--- setup 2008/05/06 03:08:33 1.1 +++ setup 2008/05/06 03:08:46 @@ -8,7 +8,7 @@ # Allow response traffic $IPT -A INBOUND -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT -$IPT -A INBOUND -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT +$IPT -A INBOUND -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # Hosts from which connections are always allowed while read host garbage
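Review bot: adding NEW to the UDP ACCEPT rule opens every inbound UDP port to every source, not just the NetBIOS replies the report is trying to let through, so the reporter's own caveat about the "out of the box" stance applies in full. A scoped rule next to the existing ESTABLISHED,RELATED line, restricted to the NetBIOS ports and the local network, e.g. `$IPT -A INBOUND -p udp -s <lan-subnet> --dport 137:138 -m state --state NEW -j ACCEPT`, would fix the name lookups with a far smaller exposure and is the form a maintainer is more likely to accept.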
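To make the difference between the patched rule and a narrower one concrete, here is an added shell example that is not part of the bug report and not Firestarter's own /etc/firestarter/inbound/setup. It assumes NetBIOS name and datagram service use UDP ports 137 and 138, uses a constructed placeholder subnet for the LAN, and defaults `IPT` to a dry run (`echo iptables`) so it only prints the rules it would install. The `unscoped_new_udp` helper is a hypothetical check that counts rules accepting NEW UDP without a port restriction, which is the property the review comment objects to.

```shell
#!/bin/sh
# Added example, not from the bug report or from Firestarter's setup script.
# Shows a scoped alternative to "--state NEW,ESTABLISHED,RELATED" on all UDP.
#
# Assumptions: IPT defaults to a dry run that prints the rules instead of
# installing them; LAN_NET is a constructed placeholder for the local subnet.

IPT="${IPT:-echo iptables}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed placeholder subnet

# The rule from the attached patch: accepts NEW UDP on any port from anywhere.
# Emitted as plain text here (constructed), purely for comparison.
broad_rule() {
    echo 'iptables -A INBOUND -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT'
}

# Scoped rules for the INBOUND chain: keep the stateful UDP line unchanged and
# accept NEW datagrams only for NetBIOS name/datagram service from the LAN.
netbios_rules() {
    lan="$1"
    $IPT -A INBOUND -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INBOUND -p udp -s "$lan" --dport 137:138 -m state --state NEW -j ACCEPT
}

# Hypothetical check: count rules on stdin that accept NEW UDP without a
# --dport restriction. 0 means every NEW-UDP rule is port-scoped.
unscoped_new_udp() {
    awk '/-p udp/ && /NEW/ && !/--dport/ { n++ } END { print n + 0 }'
}

# Dry run: print both rule sets and their check results.
echo "# patched rule, unscoped NEW UDP rules: $(broad_rule | unscoped_new_udp)"
broad_rule
echo "# scoped rules, unscoped NEW UDP rules: $(netbios_rules "$LAN_NET" | unscoped_new_udp)"
netbios_rules "$LAN_NET"
```

Run it as-is to see the generated rules; set `IPT=iptables` and `LAN_NET` to the real subnet to install them. The scoped rule set reports 0 unscoped NEW-UDP rules, the patched rule reports 1.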