On 02/11/2018 06:19 AM, Thomas wrote:
> Hi,
>
> I have a working Shorewall firewall connection.
> Just recently I set up a VPN connection between two FRITZ!Box networks
> <https://en.avm.de/service/fritzbox/fritzbox-7390/knowledge-base/publication/show/5_Setting-up-a-VPN-connection-between-two-FRITZ-Box-networks/>:
> netA + netB
> Hereby I can connect to a PC in netB from any PC in netA using SSH.
> However, I cannot connect to a Windows server in netB from a PC in netA
> using Samba CIFS.
>
> I have created a TCPdump on the Windows server when trying to establish
> a connection from the client: /tcpdump_cifs_server_failure.txt/
>
> And I have created a TCPdump on the Linux client (in netA) when trying
> to establish the connection: /tcpdump_cifs_client.txt/
>
> In addition I have created a shorewall dump and attached it to this email.
>
> To verify that the CIFS connection is working, I connected from a client in
> netB to the Windows server, and this was successful. The relevant TCPdump
> is attached, too: /tcpdump_cifs_server_working.txt/
>
> My assumption was that Shorewall is filtering CIFS (port 445), but I'm
> not sure how to verify this.
> Is it necessary to define rules to connect to servers in netB?
In general, if the applicable Shorewall policy is not ACCEPT, then rules
must be specified to allow *ANY* traffic to be passed through a
Shorewall-based firewall.

> Please advise how to proceed here for solving this issue?

There are a couple of unknowns in this problem report:

a) You don't mention how the client and server relate to the Shorewall
   box. In other words, in which zone is the client and in which zone is
   the server?

b) The tcpdumps didn't specify the -n option, so rather than IP
   addresses, the dumps contain DNS names. Consequently they aren't
   helpful in answering the question in a), and from a troubleshooting
   point of view, they are not helpful.

Your Shorewall configuration has REJECT policies that don't specify a log
level. There are a large number of connections being rejected, but we
can't see what those connections are because they are not being logged.

That is probably not relevant in this case, as the tcpdump in
tcpdump_cifs_server_failure.txt suggests that the SYN packets are being
dropped rather than rejected. The packets that the dump shows being
dropped are broadcast packets, which indicates to me that it is not the
Shorewall-generated ruleset that is dropping the packets (assuming that
you tried to connect after the ruleset was reset (4. Feb 15:07:50 CET
2018) and when the Shorewall dump was taken (4. Feb 15:07:49 CET 2018)).

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,        \      an international standard?
Washington, USA   \   A: Someone who makes you an offer you can't
http://shorewall.org \   understand
\_______________________________________________
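As an added illustration of the two configuration points Tom raises (a non-ACCEPT policy needs explicit rules for the traffic you want, and a REJECT policy without a log level leaves no trace of what was refused), the fragments below show how a Shorewall policy and rules file would look for CIFS between two zones. This is example configuration written for this thread, not Thomas's configuration, and the zone names `loc` (the PCs behind the Shorewall box) and `vpn` (the FRITZ!Box tunnel towards netB), together with the interface name `eth0`, are assumed placeholders, since the thread does not say which zones the client and server are in. It only shows what the rules would look like if Shorewall were the cause; as Tom notes, the dropped broadcast packets in the dump point elsewhere in this case.

```text
# /etc/shorewall/policy  (example; zone names loc and vpn are assumed)
#SOURCE   DEST   POLICY   LOGLEVEL
# Giving the REJECT policy a log level makes every refused connection
# visible in the kernel log with the Shorewall: prefix, so "a large
# number of connections being rejected" becomes a list of who/what/port.
loc       vpn    REJECT   info
vpn       loc    REJECT   info
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules  (example)
#ACTION   SOURCE   DEST   PROTO   DPORT
# With a REJECT policy between loc and vpn, CIFS must be opened
# explicitly: port 445 for direct SMB, 139 if NetBIOS sessions are used.
ACCEPT    loc      vpn    tcp     445,139
# Equivalent using the SMB macro that ships with Shorewall:
# SMB(ACCEPT)   loc   vpn

# Capturing with -n, as Tom asks for, so the dump shows IP addresses
# instead of resolved DNS names and can be matched against the zones:
#   tcpdump -n -i eth0 'tcp port 445 or tcp port 139'
```

After changing the policy, `shorewall restart` (or `shorewall reload` on recent releases) applies it; a refused CIFS attempt then shows up in the log as a REJECT entry naming the source and destination addresses and port 445, which is the direct way to verify the assumption that "Shorewall is filtering CIFS" rather than inferring it from an unresolved dump.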
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users