Package: firestarter
Version: 1.0.3-6
Severity: important
Tags: patch

Firestarter contains two options for blocking broadcasts:

    - Preferences->Firewall->Advanced Options->Block broadcasts from external
    - Preferences->Firewall->Advanced Options->Block broadcasts from
      internal network

Even with both options deselected, NetBIOS traffic will not flow
properly. In particular, SMB/CIFS name lookups always fail. This thread
on the Ubuntu forums suggested a solution:

    http://ubuntuforums.org/showthread.php?t=190542

I'm not sure whether the fact that iptables doesn't recognize UDP
replies to a UDP broadcast as RELATED is a bug or not, but since it does
not, one needs to allow NEW packets. The attached diff implements this
change in /etc/firestarter/inbound/setup, and seems to allow NetBIOS
browsing to work properly on my systems.

Whether or not this is an acceptable "out of the box" security stance,
or whether more fine-grained solutions are possible, is a different
matter. Nevertheless, it offers a solution for a widespread problem with
Firestarter, so I hope it helps.
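The attached diff admits every NEW inbound UDP packet on every port, which is broader than the NetBIOS name-service replies the report is trying to let through. The following is an added example, not part of this bug report or of Firestarter's own scripts, of a narrower variant: it keeps the original ESTABLISHED,RELATED rule and accepts NEW UDP only for the NetBIOS name and datagram services (UDP 137 and 138, standard port assignments) arriving on the internal interface. The `INBOUND` chain and `$IPT` variable are taken from the diff; the interface name in `INIF` is an assumption and must be set to the LAN-facing interface on the host.

```shell
#!/bin/sh
# Added example, not from the bug report or Firestarter. Assumptions:
#   IPT  - path to the iptables binary (the diff's $IPT variable)
#   INIF - the internal (LAN-facing) interface; "eth1" is only a placeholder
IPT="${IPT:-/sbin/iptables}"
INIF="${INIF:-eth1}"

# The broad rule from the attached diff, shown for comparison only:
# NEW UDP from anywhere, on any port, is accepted.
broad_udp_rule() {
    "$IPT" -A INBOUND -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Narrower replacement: keep the stock response-traffic rule unchanged and
# open NEW UDP only for NetBIOS name service (137) and datagram service (138),
# and only on the internal interface. Broadcast replies to name lookups are
# not tracked as RELATED by conntrack, so they arrive as NEW and match here.
narrow_udp_rules() {
    "$IPT" -A INBOUND -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INBOUND -i "$INIF" -p udp --dport 137:138 -m state --state NEW -j ACCEPT
}

# Usage: "apply" installs the rules; "show" prints them without touching
# the firewall (IPT is swapped for echo so each rule is printed instead).
case "${1:-}" in
    apply) narrow_udp_rules ;;
    show)  IPT=echo; narrow_udp_rules ;;
esac
```

Running `sh example.sh show` prints the two rules so they can be reviewed before `apply`; the second rule is the only one that adds NEW-state UDP, and it is bounded by both interface and port range.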

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (700, 'unstable'), (600, 'stable'), (550, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages firestarter depends on:
ii  gconf2                 2.22.0-1          GNOME configuration database syste
ii  gksu                   2.0.0-5           graphical frontend to su
ii  iptables               1.4.0-4           administration tools for packet fi
ii  libart-2.0-2           2.3.20-2          Library of functions for 2D graphi
ii  libatk1.0-0            1.22.0-1          The ATK accessibility toolkit
ii  libbonobo2-0           2.22.0-1          Bonobo CORBA interfaces library
ii  libbonoboui2-0         2.22.0-1          The Bonobo UI library
ii  libc6                  2.7-10            GNU C Library: Shared libraries
ii  libcairo2              1.6.4-1+b1        The Cairo 2D vector graphics libra
ii  libfontconfig1         2.5.0-2           generic font configuration library
ii  libfreetype6           2.3.5-1+b1        FreeType 2 font engine, shared lib
ii  libgconf2-4            2.22.0-1          GNOME configuration database syste
ii  libglade2-0            1:2.6.2-1         library to load .glade files at ru
ii  libglib2.0-0           2.16.3-2          The GLib library of C routines
ii  libgnome-keyring0      2.22.1-1          GNOME keyring services library
ii  libgnome2-0            2.20.1.1-1        The GNOME 2 library - runtime file
ii  libgnomecanvas2-0      2.20.1.1-1        A powerful object-oriented display
ii  libgnomeui-0           2.20.1.1-1        The GNOME 2 libraries (User Interf
ii  libgnomevfs2-0         1:2.22.0-2        GNOME Virtual File System (runtime
ii  libgtk2.0-0            2.12.9-3          The GTK+ graphical user interface 
ii  libice6                2:1.0.4-1         X11 Inter-Client Exchange library
ii  liborbit2              1:2.14.12-0.1     libraries for ORBit2 - a CORBA ORB
ii  libpango1.0-0          1.20.2-2          Layout and rendering of internatio
ii  libpng12-0             1.2.27-1          PNG library - runtime
ii  libpopt0               1.10-3            lib for parsing cmdline parameters
ii  libsm6                 2:1.0.3-1+b1      X11 Session Management library
ii  libx11-6               2:1.0.3-7         X11 client-side library
ii  libxcursor1            1:1.1.9-1         X cursor management library
ii  libxext6               2:1.0.4-1         X11 miscellaneous extension librar
ii  libxfixes3             1:4.0.3-2         X11 miscellaneous 'fixes' extensio
ii  libxi6                 2:1.1.3-1         X11 Input extension library
ii  libxinerama1           2:1.0.3-1         X11 Xinerama extension library
ii  libxml2                2.6.32.dfsg-2     GNOME XML library
ii  libxrandr2             2:1.2.2-1         X11 RandR extension library
ii  libxrender1            1:0.9.4-1         X Rendering Extension client libra
ii  lsb-base               3.2-11            Linux Standard Base 3.2 init scrip
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

firestarter recommends no packages.

-- no debconf information
--- setup       2008/05/06 03:08:33     1.1
+++ setup       2008/05/06 03:08:46
@@ -8,7 +8,7 @@
 
 # Allow response traffic
 $IPT -A INBOUND -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-$IPT -A INBOUND -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
+$IPT -A INBOUND -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 
 # Hosts from which connections are always allowed
 while read host garbage
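Review bot: the replacement rule in this hunk accepts every NEW inbound UDP packet regardless of port, source or interface, which is far wider than the NetBIOS name-lookup replies the report wants to admit and effectively removes inbound UDP filtering for the INBOUND chain. Keep the original `$IPT -A INBOUND -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT` line as is and add a separate rule that accepts NEW UDP only for the NetBIOS ports and only on the internal interface, for example `$IPT -A INBOUND -i $INIF -p udp --dport 137:138 -m state --state NEW -j ACCEPT`. A comment above the new rule explaining that conntrack does not treat replies to a UDP broadcast as RELATED would also help the next reader understand why the exception exists.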