
Firewall/Samba access problem

hvn

IS-IT--Management
Jul 4, 2002
15
ZA
I've got a Red Hat 7.2 system running Samba 2.2.1a and ipchains for the firewall. I'm using IPXD to route the NetBIOS packets for the Novell Netware part of the network, and both Netware and Groupwise work 100% with the firewall up and running.

The problem I'm having is that you cannot connect to the Samba shared directory while the firewall is up. If you flush the firewall rules, connect to the Samba share and bring the firewall back up, you can access the data in the share as long as you don't disconnect from the shared folder.

My ipchains is set to allow connections from the internal network to the firewall machine on ports 137, 138 and 139, which are used by Netware and Samba, and from the INT to the EXT network. I've allowed specific EXT hosts access up to the Firewall for access to the Samba share.

Does anybody have any idea why the Netware works fine, but Samba that uses the same ports as Netware doesn't?

Any help would be appreciated

Thanx
 
You're running Samba on NetWare 6?

Connect to the Linux server and run 'netstat -nat' to see which ports it is using.


ChrisP
------------------------------------------------------------------------------
If somebody helps you, please click the link in the bottom left hand corner that says "Mark this post as a helpful/expert post".
 
No Samba on 4.83 Netware. I hate novell to be quite honest, and I'm only dealing with it because of the fact that I'm looking after a network that's part of a bigger Novell setup.

The samba connects to port 139 on the Linux machine, which is open and listening for connections with the firewall on or off. What I did do was change my default policies from DENY to ACCEPT, and then the connection works with the firewall up and running. If I understand this correctly it then means that even if the connection happens on port 139, it seems like the request for the connection is not being made to a port that's open for connections while the FW is up, and therefore it gets rejected. Doesn't make sense to me.

What I've decided to do is to leave the policy on ACCEPT, do a portscan and security analysis on the system from the outside network and then close off whatever I don't need. This seems to me to be the easiest way around the problem I'm having.

Thanx for the help

Hannes
 
There isn't a NetWare 4.83. NW 4.2 is the highest in the 4.x series. You're thinking of the NetWare 4.83 client for Windows. I didn't know that Samba could run on pre-NetWare 6.0 servers. Interesting. I personally like NetWare servers, especially for file sharing. I think that they do a better job than anybody as a file server.


When you do your port scan, I would recommend using nmap for Linux.
When your firewall is up and you can't connect to port 139, what does your ipchains filter table report? I've never used ipchains, but the iptables command was 'iptables -L -n'. Maybe 'ipchains -L -n' will work.


ChrisP

 
It is 4.38 client, but I've got no clue as to what ver the server's running since I don't have access to the server itself.

ipchains -L does show my rules for the 137-139 ports and it's set to accept from the internal and external hosts, but I still get the same problem as soon as I bring the firewall up. I just want to get the machine running for now and will spend some time on trying to get the FW running with the default policies on DENY.

If there are any other suggestions in the meantime they would be greatly appreciated.

Thanx

Hannes
 
Did a port scan show that the correct ports were open when the firewall is up?


ChrisP
 
Yes, if you do a scan on the ports it does show that 139 is open with the firewall up or down, so in theory you should be able to connect to the samba share since the required port is open and listening for connections, yet as soon as the firewall comes up and you try to connect you get the message in windoze stating that the path to the samba share cannot be found. Disable the firewall and you can connect without any problems. I'm not sure if there are any other ports used during the samba connection negotiation that might be blocked, but I'm unable to pick up if this is the case since the samba is set up in a standard configuration and I did not change the default port for connections. If you know of any way to pick up if other ports are being used it would help a great deal.

Thanx

Hannes
 
'netstat -nat' tells you what ports are in use. Connect to a share on the Samba server and then run the netstat -nat command from the Samba server. It should tell you that someone is using port 139. When the firewall is up, try telnetting to port 139 using "telnet samba_computer_name 139". It will either refuse it, or allow you in where you will see a blank screen and nothing will happen. It's just a test to see if the port is open or not.


I want to make sure I understand the situation right. Your Linux server runs Samba and is also the firewall for your LAN. You also have a NetWare server on the LAN, but nobody has any problems connecting to this server from outside the firewall. Your problem is that hosts outside the network can't connect to the Linux server when the firewall is up? Correct? If so, can they connect to any services on the Linux server? Start sendmail and try to telnet to port 25 when the firewall is up, for example.


ChrisP
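The two checks ChrisP describes (read `netstat -nat` on the Samba host to see who holds a session on port 139, then confirm from a client that the TCP handshake to 139 actually completes while the firewall is up) can be done from one script. The block below is an added example written for this thread, not code posted by anyone in it: it parses a constructed sample of `netstat -nat` output, and `tcp_port_open` is the scripted equivalent of `telnet samba_computer_name 139`. It also probes 445 alongside 139, since that is the port the later replies bring up. The host name `samba_computer_name` and the sample addresses are placeholders.

```python
"""Scripted form of the 'netstat -nat' and 'telnet host 139' checks.

Added example for this thread, not the original poster's code. The
netstat text below is a constructed sample; hosts/addresses are placeholders.
"""
import re
import socket

# TCP ports an SMB session can use: 139 (NetBIOS session service) and
# 445 (direct-hosted SMB, Windows 2000 and later). UDP 137/138 (name
# service and datagram service) are not visible to a TCP connect probe.
SMB_TCP_PORTS = (139, 445)

# Constructed sample of 'netstat -nat' output on a Linux Samba host.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.238.1:139          10.0.253.20:1044        ESTABLISHED
tcp        0      0 10.0.238.1:22           10.0.253.20:1050        ESTABLISHED
"""

# One netstat row: proto, queues, local addr:port, foreign addr:port, state.
_ROW = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Return (listening_ports, established) from 'netstat -nat' text.

    listening_ports: sorted list of ints.
    established: list of (local_port, peer_ip, peer_port) tuples.
    """
    listening = set()
    established = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header lines and anything that is not a TCP row
        _local_ip, local_port, peer_ip, peer_port, state = m.groups()
        if state == "LISTEN":
            listening.add(int(local_port))
        elif state == "ESTABLISHED":
            established.append((int(local_port), peer_ip, int(peer_port)))
    return sorted(listening), established


def smb_sessions(text):
    """Peers holding a session on an SMB port: the 'someone is using port
    139' check. Returns (peer_ip, peer_port, local_port) tuples."""
    _, est = parse_netstat(text)
    return [(peer, pp, lp) for lp, peer, pp in est if lp in SMB_TCP_PORTS]


def tcp_port_open(host, port, timeout=3.0):
    """Scripted 'telnet host port': True if the TCP handshake completes,
    False on refusal or timeout. False here while netstat on the server
    shows LISTEN means something between client and service drops or
    rejects the packets, which is what a filter rule problem looks like."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_smb(host, timeout=3.0):
    """Probe every SMB TCP port on a host; returns {port: reachable}."""
    return {p: tcp_port_open(host, p, timeout) for p in SMB_TCP_PORTS}


def self_check():
    """Offline demonstration of tcp_port_open: probe a local listener on an
    ephemeral port, then the same port once it is closed.
    Returns (result_while_open, result_after_close)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_port_open("127.0.0.1", port, 1.0)
    srv.close()
    after_close = tcp_port_open("127.0.0.1", port, 1.0)
    return while_open, after_close


if __name__ == "__main__":
    listening, _ = parse_netstat(SAMPLE_NETSTAT)
    print("listening TCP ports:", listening)
    print("SMB sessions:", smb_sessions(SAMPLE_NETSTAT))
    print("self-check (open, closed):", self_check())
    # Against a real server (placeholder name), run from a client host:
    # print(probe_smb("samba_computer_name"))
```

Run it on the Samba host with real `netstat -nat` output piped into `parse_netstat`, and run `probe_smb` from a client on the far side of the firewall with the rules loaded; a LISTEN on 139 on the server together with a `False` from the client is the combination that points at the filter rather than at Samba.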
 
The setup here works like this:

The whole organisation is running on one big MS/Novell LAN containing various smaller subnets. The firewall sits between a subnet and another subnet on the bigger LAN:

(LAN)*.*.10.0 <=*.*.253.0(GW 253.3)=> <=FW=> *.*.238.0

You can't get access to .238.0 from the lan side unless you come via .253.0, and the same going from 238.0 to the lan.

The firewall I'm working on now is in place between the 253.0 and 238.0 subnets, which both belong to one Project, but the 238.0 is then a smaller dept. of the Project.

The whole network for all the different Projects gets administered by a central computing dept. These are the guys running the MS/Novell network servers and stuff. I've been employed by one of the Projects to administer their production systems which is mostly Unix and Linux based and which does not fall under the normal network support, but is essentially a part of the bigger network.

At the moment I'm in the process of beefing up the network security since the Project I'm working for should actually not be open to unauthorized people, which includes the people from the LAN support team. I'm still in the process of negotiating the Firewall between the LAN and the whole project, but at the moment the priority is isolating the 238.0 from the LAN, and since I cannot yet isolate the .253.0 network I need to isolate the 238.0 from the 253.0 to achieve this. The Samba is not ideal on the FW itself, but the people want it like that, and the proposed 2nd FW should make this less of an issue. Hope this makes the setup a bit clearer. (When I started here about 2 months ago I was pretty confused at first to be quite honest.)

As for the second question, I can telnet the ports and they do respond to indicate that the service for the port is listening for connections. netstat -nat also indicates that the ports are up and listening for connections, so all that seems fine.

I have however finished re-doing my chains to deny the stuff I don't want and I'm currently testing the new configuration. I'll probably go with this configuration for the firewall if it is secure, and I'll just make sure not to run Samba on the second firewall, so then I should be able to run it using DENY for everything and just allow the stuff in that I require, which I think should be more secure.

Thanks for your help in any case, and if I do pick up what was causing the problem when I can play around a bit at a later stage I'll let you know, or if you pick up something you think might be the cause let me know, but no need to waste time on it for now since I've got a working solution in place.

Thanx again

Hannes
 
I may be 'some' help but not a lot. I also know that aside from port 139 there's also a port in the 400's that needs to be open, like 449 I think; it's somewhere around there in the 400's. I know it's not a complete solution but it's a start.

 
445, but I think that's only Windows 2000.
 