From: Goetz Bock <netfilter@blacknet.de>
To: netfilter <netfilter@lists.netfilter.org>
Subject: conntrack for samba/netbios-ns
Date: Wed, 5 Nov 2003 01:34:01 +0100
Message-ID: <20031105003401.GA11702@shell.blacknet.de>
Dear list,
as googling did not turn up anything, nor did browsing through the
list's archive turn up anything useful, I'll just have to ask.
I'm running (well, tried to) a very restricted samba server using the
excellent FireHOL firewalling script. I allow pc1 (a.b.c.17) to connect
to the samba server on pc2 (a.b.c.24); everything happens in a /27
subnet (e.g. a.b.c.31 is broadcast).
It produces some rules, and the relevant lines are:
> # Setting up rules for SAMBA/NETBIOS-NS (server)
> /sbin/iptables -t filter -A in_internet_samba_s2 -p udp -s pc1 --sport netbios-ns --dport netbios-ns -m state --state NEW\,ESTABLISHED -j ACCEPT
> /sbin/iptables -t filter -A in_internet_samba_s2 -p udp -s pc1 --sport 1024:65535 --dport netbios-ns -m state --state NEW\,ESTABLISHED -j ACCEPT
> /sbin/iptables -t filter -A out_internet_samba_s2 -p udp --sport netbios-ns -d pc1 --dport netbios-ns -m state --state ESTABLISHED -j ACCEPT
> /sbin/iptables -t filter -A out_internet_samba_s2 -p udp --sport netbios-ns -d pc1 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
Further down all RELATED traffic is allowed, but that's basically it
(well, ssh and dns are allowed, too).
Without a firewall a connection attempt looks like this:
> 01:10:18.364212 a.b.c.17.32769 > a.b.c.31.netbios-ns: ...
> 01:10:18.364637 a.b.c.24.netbios-ns > a.b.c.17.32769: ...
> 01:10:18.673435 a.b.c.17.32781 > a.b.c.24.netbios-ssn: ...
So pc1 looks for the samba server using broadcasts, and pc2 replies.
Then pc1 talks to netbios-ssn and everything is fine.
With the firewall the following happens:
> 01:18:44.850282 a.b.c.17.32769 > a.b.c.31.netbios-ns: ...
> 01:18:45.159103 a.b.c.17.32769 > a.b.c.31.netbios-ns: ...
> 01:18:45.459074 a.b.c.17.32769 > a.b.c.31.netbios-ns: ...
at the same time dmesg logs:
> OUT-server:IN= OUT=eth1 SRC=a.b.c.24 DST=a.b.c.17 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32769 LEN=70
> OUT-server:IN= OUT=eth1 SRC=a.b.c.24 DST=a.b.c.17 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32769 LEN=70
> OUT-server:IN= OUT=eth1 SRC=a.b.c.24 DST=a.b.c.17 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32769 LEN=70
It looks as if the conntrack modules (all from stock 2.4.22) are not
able to relate the reply a.b.c.24.netbios-ns > a.b.c.17.32769 to the
request a.b.c.17.32769 > a.b.c.31.netbios-ns.
Is there a conntrack_netbios-ns or am I doing something wrong?
BTW: I know that this can be fixed by allowing NEW connections from
pc2:netbios-ns to pc1:<highports>. In this scenario this would be
basically safe/sound. But it breaks down if I want to run a similar
strict firewall (and I want to, on pc1 to be exact) on the client.
Then I would have to allow all incoming connections from port
netbios-ns to local high ports. And that is not really desired.
--
/"\ Goetz Bock at blacknet dot de -- secure mobile Linux everNETting
\ / (c) 2003 as GNU FDL 1.1
X [ 1. Use descriptive subjects - 2. Edit a reply for brevity - ]
/ \ [ 3. Reply to the list - 4. Read the archive *before* you post ]
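The tuple mismatch the mail describes, as an added example that is neither the poster's nor netfilter's code: a small Python model of conntrack's tuple lookup, replayed over the two packets from the capture, first with plain tracking and then with a helper that (modelled after the netbios-ns conntrack helper later added to Linux) expects the reply from any host on the broadcast subnet. The a.b.c prefix is replaced with the documentation range 192.0.2.0/27, an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the mail's a.b.c/27 network (assumption, not real hosts).
NETBIOS_NS = 137
SUBNET = ip_network("192.0.2.0/27")            # /27: .31 is the broadcast address
PC1, PC2, BCAST = "192.0.2.17", "192.0.2.24", str(SUBNET.broadcast_address)


@dataclass(frozen=True)
class Tuple:
    """UDP 4-tuple as conntrack stores it (protocol omitted, all UDP here)."""
    src: str
    sport: int
    dst: str
    dport: int

    def inverted(self) -> "Tuple":
        # The reply conntrack expects: addresses and ports swapped exactly.
        return Tuple(self.dst, self.dport, self.src, self.sport)


class Conntrack:
    def __init__(self, netbios_ns_helper: bool = False):
        self.helper = netbios_ns_helper
        self.conns = {}          # original tuple -> reply seen yet?
        self.expectations = []   # (sport, dst, dport): source may be any host in SUBNET

    def classify(self, pkt: Tuple) -> str:
        for orig, seen_reply in self.conns.items():
            if pkt == orig.inverted():          # exact reply to a tracked original
                self.conns[orig] = True
                return "ESTABLISHED"
            if pkt == orig:                     # retransmit of the original direction
                return "ESTABLISHED" if seen_reply else "NEW"
        for exp in self.expectations:           # helper: subnet-masked reply expectation
            if (pkt.sport, pkt.dst, pkt.dport) == exp and ip_address(pkt.src) in SUBNET:
                self.expectations.remove(exp)
                self.conns[pkt] = True          # becomes its own tracked connection
                return "RELATED"
        self.conns[pkt] = False                 # nothing matched: a new connection
        if self.helper and pkt.dst == BCAST and pkt.dport == NETBIOS_NS:
            self.expectations.append((NETBIOS_NS, pkt.src, pkt.sport))
        return "NEW"


def replay(helper: bool) -> list:
    """Classify the broadcast query and pc2's unicast reply from the capture."""
    ct = Conntrack(helper)
    query = Tuple(PC1, 32769, BCAST, NETBIOS_NS)   # a.b.c.17.32769 > a.b.c.31.netbios-ns
    reply = Tuple(PC2, NETBIOS_NS, PC1, 32769)     # a.b.c.24.netbios-ns > a.b.c.17.32769
    return [ct.classify(query), ct.classify(reply)]
```

Without the helper the reply classifies as NEW, which pc2's ESTABLISHED-only output rule drops (the OUT-server log lines above); with the subnet-masked expectation it classifies as RELATED, which the quoted ruleset already accepts.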