Linux Netfilter discussions
From: Ted Kaczmarek <tedkaz@optonline.net>
To: Goetz Bock <netfilter@blacknet.de>
Cc: netfilter <netfilter@lists.netfilter.org>
Subject: Re: conntrack for samba/netbios-ns
Date: Tue, 04 Nov 2003 21:30:19 -0500	[thread overview]
Message-ID: <1067999419.7813.38.camel@tarkus> (raw)
In-Reply-To: <20031105003401.GA11702@shell.blacknet.de>

udp is connectionless, not sure where you can get a state on it.
I am actually surprised that the udp lines with state even took
or do they only show up on the script?

Anyone else on the list, is there something I am not aware of?
If udp ports are really tracked, then it would have to be done on the
application layer, is there a module or something I am unaware of?

try dropping the -m state --state NEW, ESTABLISHED

and see what happens.

Leave the suffix -j ACCEPT though :-)

Ted

On Tue, 2003-11-04 at 19:34, Goetz Bock wrote:
> Dear list,
> 
> as googling did not turn up anything nor did a browsing through the
> lists archive turn up anything useful, I'll just have to ask.
> 
> I'm running (well tried to) a very restricted samba server using the
> excellent fireHOL firewalling script. I allow pc1 (a.b.c.17) to connect
> to the samba server on pc2 (a.b.c.24), everything happens in a /27
> subnet (e.g. a.b.c.31 is broadcast).
> 
> It produces some rules, and the relevant lines are:
> 
> > # Setting up rules for SAMBA/NETBIOS-NS (server)
> > /sbin/iptables -t filter -A in_internet_samba_s2 -p udp -s pc1 --sport netbios-ns --dport netbios-ns -m state --state NEW\,ESTABLISHED -j ACCEPT
> > /sbin/iptables -t filter -A in_internet_samba_s2 -p udp -s pc1 --sport 1024:65535 --dport netbios-ns -m state --state NEW\,ESTABLISHED -j ACCEPT
> > /sbin/iptables -t filter -A out_internet_samba_s2 -p udp --sport netbios-ns -d pc1 --dport netbios-ns -m state --state ESTABLISHED -j ACCEPT
> > /sbin/iptables -t filter -A out_internet_samba_s2 -p udp --sport netbios-ns -d pc1 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> 
> further down all RELATED traffic is allowed. but that's basically it
> (well, ssh and dns are allowed, too)
> 
> 
> Without a firewall a connection attempt looks like this:
> 
> > 01:10:18.364212 a.b.c.17.32769 > a.b.c.31.netbios-ns: ...
> > 01:10:18.364637 a.b.c.24.netbios-ns > a.b.c.17.32769: ...
> > 01:10:18.673435 a.b.c.17.32781 > a.b.c.24.netbios-ssn: ...
> 
> so pc1 looks for the samba server using broadcasts, and pc2 replies.
> Then pc1 talks to netbios-ssn and everything is fine.
> 
> With the firewall the following happens:
> 
> > 01:18:44.850282 a.b.c.17.32769 > a.b.c.31.netbios-ns: ...
> > 01:18:45.159103 a.b.c.17.32769 > a.b.c.31.netbios-ns: ...
> > 01:18:45.459074 a.b.c.17.32769 > a.b.c.31.netbios-ns: ...
> 
> at the same time dmesg logs:
> 
> > OUT-server:IN= OUT=eth1 SRC=a.b.c.24 DST=a.b.c.17 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32769 LEN=70
> > OUT-server:IN= OUT=eth1 SRC=a.b.c.24 DST=a.b.c.17 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32769 LEN=70
> > OUT-server:IN= OUT=eth1 SRC=a.b.c.24 DST=a.b.c.17 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=32769 LEN=70
> 
> It looks like if the conntracking modules (all from stock 2.4.22) are not
> able to relate the reply a.b.c.24.netbios-ns > a.b.c.17.32769 to the
> request a.b.c.17.32769 > a.b.c.31.netbios-ns.
> 
> Is there a conntrack_netbios-ns or am I doing something wrong?
> 
> BTW: I know that this can be fixed by allowing NEW connections from
>      pc2:netbios-ns to pc1:<highports>. In this scenario this would be
>      basically safe/sound. But it breaks down if I want to run a similar
>      strict firewall (and I want to, on pc1 to be exact) on the client.
>      Then I would have to allow all incoming connections from port
>      netbios-ns to local high ports. And that is not really desired.
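
As an added illustration (not code from the thread or from netfilter itself), a toy model of the UDP tuple matching Goetz's dmesg lines point at: conntrack records the 4-tuple of the first packet and only treats a packet as ESTABLISHED if it carries the exact reverse tuple, so a unicast answer from a.b.c.24 to a query that was sent to the broadcast address a.b.c.31 is classified as NEW. The a.b.c.x addresses and port 32769 are taken from the post; the model is a simplification (no protocol field, no timeouts, no RELATED expectations).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One UDP datagram as conntrack sees it: source/destination address and port."""
    src: str
    sport: int
    dst: str
    dport: int

    def reversed(self):
        """The tuple conntrack expects a reply to this packet to carry."""
        return Pkt(self.dst, self.dport, self.src, self.sport)


class ToyConntrack:
    """Minimal model of ip_conntrack's UDP handling: a set of known tuples."""

    def __init__(self):
        self.table = set()

    def classify(self, pkt):
        """Return 'ESTABLISHED' if pkt matches a known flow, else record it as NEW."""
        if pkt in self.table:
            return "ESTABLISHED"
        # First sighting: remember the packet and the reply we expect for it.
        self.table.add(pkt)
        self.table.add(pkt.reversed())
        return "NEW"


NETBIOS_NS = 137
PC1, PC2, BCAST = "a.b.c.17", "a.b.c.24", "a.b.c.31"   # addresses as used in the post

# Constructed from the tcpdump lines in the post: broadcast query, unicast reply.
BROADCAST_CASE = [
    Pkt(PC1, 32769, BCAST, NETBIOS_NS),   # pc1 asks the subnet "who is the samba server?"
    Pkt(PC2, NETBIOS_NS, PC1, 32769),     # pc2 answers from its own address, not a.b.c.31
]

# For comparison: the same exchange addressed directly to pc2 (unicast).
UNICAST_CASE = [
    Pkt(PC1, 32769, PC2, NETBIOS_NS),
    Pkt(PC2, NETBIOS_NS, PC1, 32769),
]


def run(packets):
    """Classify each packet in order, the way the out_* chain's state match would."""
    ct = ToyConntrack()
    return [ct.classify(p) for p in packets]


if __name__ == "__main__":
    for name, case in (("broadcast", BROADCAST_CASE), ("unicast", UNICAST_CASE)):
        print(name, run(case))   # broadcast: both NEW; unicast: NEW then ESTABLISHED
```

Because the out_internet_samba_s2 rules accept only ESTABLISHED from sport netbios-ns, the reply in the broadcast case falls through to the logging rule, which is exactly the OUT-server line in dmesg. Later kernels added a netbios-ns conntrack helper that registers an expectation for such replies so they match as RELATED; the stock 2.4.22 modules the post describes had no such helper.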
