
Thread: [SOLVED] samba and ufw

  1. #1
    Join Date
    May 2008
    Location
    Center of England
    Beans
    219
    Distro
    Ubuntu 10.04 Lucid Lynx

    Question [SOLVED] samba and ufw

    I have been trying to set up an ubuntu box (8.04) to provide some network storage for some windows PCs. I am using ufw as a firewall and samba as the file server. There is a router allowing the windows PCs to access the internet, so the idea of the firewall is to stop anyone connecting from outside the local network. The default for ufw is to deny.

    The only way I can get it to work is with ufw set up as shown by the status:
    Code:
    $ ufw status
    Firewall loaded
    
    To               Action  From
    --               ------  ----
    Anywhere         ALLOW   192.168.0.0/24
    I know samba is supposed to use ports 135, 137, 138, 139 and 445.

    However if I only open these ports (tcp and udp) I can't connect from the windows PCs. Interestingly I can't see any logging of dropped packets in the syslog (yes, logging is turned on).

    I have seen one comment that said you need ports 1024 to 65535 to be open as well. However ufw does not allow you to specify a range of ports, so opening a large number of ports is impractical.

    Is this the best I can do, or do I need to learn iptables?

    Thanks in advance

  2. #2
    Join Date
    May 2008
    Location
    Center of England
    Beans
    219
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: samba and ufw

    OK, the lack of response tells me I need to go to iptables.

    Thanks to the excellent IPTables HowTo I have managed to get to grips with iptables, with far better resolution on the ports I allow and block.

    Just one word of warning. The howto tells you to add the following line to the /etc/network/interfaces file:
    Code:
    post-down iptables-save -c > /etc/iptables.rules
    I had to change the line to:
    Code:
    post-down sh -c "iptables-save -c > /etc/iptables.rules"
    to get it to work.

    I still think I have a little way to go as "apt-get update" has stopped working, so I will have to work out how to get that past the firewall.

    Still I am one step closer to setting up a NAS box at work.

    Edit: Two points.

    1) I have found the answer to allowing 'apt-get update' to work: you need to do the following (it was actually in the IPTables HOWTO I referenced above).
    Code:
    sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    2) As noted by:
    Quote Originally Posted by tebbens View Post
    Using ufw, here is mine....it works great.

    sudo ufw allow proto udp from 192.168.1.0/24 to any port 137
    sudo ufw allow proto udp from 192.168.1.0/24 to any port 138
    sudo ufw allow proto tcp from 192.168.1.0/24 to any port 139
    sudo ufw allow proto tcp from 192.168.1.0/24 to any port 445
    This worked when I built a new system recently and did not interfere with apt-get. So I don't know what I was doing wrong originally.
    Last edited by kamaji792; September 15th, 2008 at 07:26 PM.
    vim Java PHP Perl and C a long time ago :/
    ssh_user to ssh in then su to sudo_user. They have to guess 'name' and 'password' X 2 - sudo is good

  3. #3
    Join Date
    Mar 2006
    Location
    Lagrangeville, NY
    Beans
    34

    Re: [SOLVED] samba and ufw

    Quote Originally Posted by kamaji792 View Post
    I have been trying to set up an ubuntu box (8.04) to provide some network storage for some windows PCs. I am using ufw as a firewall and samba as the file server. There is a router allowing the windows PCs to access the internet, so the idea of the firewall is to stop anyone connecting from outside the local network. The default for ufw is to deny.

    The only way I can get it to work is with ufw set up as shown by the status:
    Code:
    $ ufw status
    Firewall loaded
    
    To               Action  From
    --               ------  ----
    Anywhere         ALLOW   192.168.0.0/24
    I know samba is supposed to use ports 135, 137, 138, 139 and 445.

    However if I only open these ports (tcp and udp) I can't connect from the windows PCs. Interestingly I can't see any logging of dropped packets in the syslog (yes, logging is turned on).

    I have seen one comment that said you need ports 1024 to 65535 to be open as well. However ufw does not allow you to specify a range of ports, so opening a large number of ports is impractical.

    Is this the best I can do, or do I need to learn iptables?

    Thanks in advance

    Using ufw, here is mine....it works great.

    sudo ufw allow proto udp from 192.168.1.0/24 to any port 137
    sudo ufw allow proto udp from 192.168.1.0/24 to any port 138
    sudo ufw allow proto tcp from 192.168.1.0/24 to any port 139
    sudo ufw allow proto tcp from 192.168.1.0/24 to any port 445

  4. #4
    Join Date
    Apr 2006
    Beans
    Hidden!

    Re: [SOLVED] samba and ufw

    For ubuntu 8.04 and 8.10

    Taken from ...

    http://log.logfish.net/node/31

    OR

    http://www.mypcsupport.de/net/linux/ubuntu-ufw/

    1/

    You might also want to change /etc/default/ufw and add the netbios_ns line so you can use samba:
    Code:
    # The nf_conntrack_netbios_ns module has been added
    IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc nf_conntrack_netbios_ns"

    2/

    #Samba sharing [1]
    Code:
    sudo ufw allow proto tcp to any port 135 from 192.168.0.0/16
    sudo ufw allow proto udp to any port 137 from 192.168.0.0/16
    sudo ufw allow proto udp to any port 138 from 192.168.0.0/16
    sudo ufw allow proto tcp to any port 139 from 192.168.0.0/16
    sudo ufw allow proto tcp to any port 445 from 192.168.0.0/16
    3/

    #Allow avahi/bonjour/zeroconf [2]
    Code:
    sudo ufw allow proto udp to any port 5353 from 192.168.0.0/16

    Additionally install:
    samba-tools
    system-config-samba

    Access system-config-samba via System -> Administration -> Samba and do all your configuration there.

  5. #5
    Join Date
    Oct 2010
    Beans
    1

    Re: [SOLVED] samba and ufw

    It's really simple. Just issue
    Code:
     sudo ufw allow Samba
    This configures it for all samba ports via the app facility in ufw... man ufw for more details. This was with Ubuntu 10.4.

  6. #6
    Join Date
    Dec 2009
    Beans
    5,339

    Re: [SOLVED] samba and ufw

    mfrederickson67, That's very interesting.

    So if I wanted to replicate the same samba settings that sefs did then the syntax would be this:

    Code:
     sudo ufw allow from 192.168.0.0/16 to any app Samba
    Is that how you understand the syntax?

  7. #7
    Join Date
    Feb 2010
    Location
    Prague, Czech Republic
    Beans
    9
    Distro
    Ubuntu 9.10 Karmic Koala

    Lightbulb Re: [SOLVED] samba and ufw

    The right rule is this:

    Code:
    sudo ufw allow from any app Samba to "yourlinuxboxIP"

  8. #8
    Join Date
    Jun 2007
    Beans
    16
    Distro
    Ubuntu Studio 10.04 Lucid Lynx

    Re: [SOLVED] samba and ufw

    Me thinks this is back to front (or un-documented alternative syntax)...
    Quote Originally Posted by k23 View Post
    The right rule is this:

    Code:
    sudo ufw allow from any app Samba to "yourlinuxboxIP"
    From the man page...
    Users can specify one of the applications names when adding rules. For
    example, when using the simple syntax, users can use:

    ufw allow <name>

    Or for the extended syntax:

    ufw allow from 192.168.0.0/16 to any app <name>

    You should not specify the protocol with either syntax, and with the
    extended syntax, use app in place of the port clause.
    This worked for me
    Code:
    sudo ufw allow from 192.168.1.0/24 to any app samba
    sudo ufw allow from 192.168.1.0/24 to any app cups
    So just to check...
    Code:
    sudo ufw status verbose
    Status: active
    Logging: off
    Default: deny (incoming), allow (outgoing)
    New profiles: skip
    
    To                         Action      From
    --                         ------      ----
    137,138/udp (Samba)        ALLOW IN    192.168.1.0/24
    139,445/tcp (Samba)        ALLOW IN    192.168.1.0/24
    631 (CUPS)                 ALLOW IN    192.168.1.0/24
    I'd be interested in any other comments as I have found UFW to be a little quirky, especially...

    Re: the logging (rather the lack of it) mentioned by kamaji792 in the original post.
    I have found a couple of errors in the man page:
    - log-all, mentioned briefly in the man page, does nothing
    - the syntax for setting the log level seems not to work, except for the default level of low

    Code:
    sudo ufw logging off
    Again just checking
    Code:
    sudo ufw status verbose
    Status: active
    Logging: off
    ....
    Try to turn on logging and set log level in one command
    Code:
    sudo ufw logging on high
    Checking
    Code:
    sudo ufw status verbose
    Status: active
    Logging: on (low)
    I found I could only set the log level to higher than low with 2 commands.
    First turn logging on
    Code:
    sudo ufw logging on
    Then set a higher level
    Code:
    sudo ufw logging medium
    While I'm here I might mention the other inconsistency I came across in the use of the pre-defined application rules for SAMBA.

    The SAMBA manual clearly states these ports are used by SAMBA (smbd & nmbd) as referenced by kamaji792 in this post Firewall & ports
    Port 135/TCP - used by smbd
    Port 137/UDP - used by nmbd
    Port 138/UDP - used by nmbd
    Port 139/TCP - used by smbd
    Port 445/TCP - used by smbd
    Yet the Samba application rule omits port 135, which BTW is Microsoft Remote Procedure Call (RPC) service.

    Code:
    sudo ufw app info Samba
    Profile: Samba
    Title: LanManager-like file and printer server for Unix
    Description: The Samba software suite is a collection of programs that
    implements the SMB/CIFS protocol for unix systems, allowing you to serve
    files and printers to Windows, NT, OS/2 and DOS clients. This protocol is
    sometimes also referred to as the LanManager or NetBIOS protocol.
    
    Ports:
      137,138/udp
      139,445/tcp
    More info from Gibson Research Corporation

    Name: dcom-scm
    Purpose: DCOM Service Control Manager
    Description: Microsoft's DCOM (Distributed, i.e. networked, COM) Service Control Manager (also known as the RPC Endpoint Mapper) uses this port in a manner similar to SUN's UNIX use of port 111. The SCM server running on the user's computer opens port 135 and listens for incoming requests from clients wishing to locate the ports where DCOM services can be found on that machine.
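    Since the whole thread is about keeping the Samba ports reachable only from the local subnet, here is an added example (not code from any post in this thread) that audits that property: a small Python script that parses the text `ufw status verbose` prints, as shown in post #8, and reports every ALLOW rule that admits any of the five ports listed above from a source outside a LAN prefix you pass in. The status output embedded in it is constructed for the demonstration; the `lan_prefix` parameter and the function names are this example's own. Rules whose "To" column is a bare `Anywhere` count as covering every port, and port 135/tcp is included deliberately because the Samba application profile omits it.

```python
"""Flag ufw ALLOW rules that expose SMB/NetBIOS ports beyond the LAN.

Added example, not from the forum thread. Feed it the text that
`ufw status verbose` prints (e.g. via subprocess) and the CIDR of
the subnet that should be the only permitted source.
"""
import ipaddress
import re

# Samba ports as listed in the thread (135/tcp is not in the ufw profile).
SAMBA_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445), ("tcp", 135)}

# Constructed sample of `ufw status verbose` output: two correctly scoped
# profile rules, one 445/tcp rule open to the world, and a blanket LAN rule.
SAMPLE_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
137,138/udp (Samba)        ALLOW IN    192.168.1.0/24
139,445/tcp (Samba)        ALLOW IN    192.168.1.0/24
445/tcp                    ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
Anywhere                   ALLOW IN    192.168.0.0/24
"""

# One rule line: To-cell (optionally followed by a "(Profile)" label),
# two or more spaces, action with optional IN/OUT, two or more spaces, From-cell.
RULE_RE = re.compile(
    r"^(?P<to>\S+(?: \(\S+\))?)\s{2,}(?P<action>ALLOW|DENY|REJECT|LIMIT)"
    r"(?: (?:IN|OUT))?\s{2,}(?P<frm>\S+)"
)


def parse_to(to_field):
    """Return (protocols, ports) covered by a 'To' cell; ports None means all."""
    name = to_field.split(" (")[0]  # drop a trailing "(Samba)"-style label
    if name.startswith("Anywhere"):
        return {"tcp", "udp"}, None
    if "/" in name:
        ports, proto = name.split("/")
        protos = {proto}
    else:  # no protocol given: ufw applies the rule to both tcp and udp
        ports, protos = name, {"tcp", "udp"}
    port_set = set()
    for part in ports.split(","):
        if ":" in part:  # ufw prints port ranges as lo:hi
            lo, hi = part.split(":")
            port_set.update(range(int(lo), int(hi) + 1))
        else:
            port_set.add(int(part))
    return protos, port_set


def parse_rules(status_text):
    """Extract (to, action, from) triples from `ufw status verbose` text."""
    rules = []
    for line in status_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("to"), m.group("action"), m.group("frm")))
    return rules


def samba_exposure(status_text, lan_prefix):
    """Return (to, from, [(proto, port), ...]) for ALLOW rules that admit
    Samba ports from a source that is not inside lan_prefix."""
    lan = ipaddress.ip_network(lan_prefix)
    findings = []
    for to, action, frm in parse_rules(status_text):
        if action != "ALLOW":
            continue
        protos, ports = parse_to(to)
        hit = sorted(
            (pr, p) for pr, p in SAMBA_PORTS
            if pr in protos and (ports is None or p in ports)
        )
        if not hit:
            continue
        if frm.startswith("Anywhere"):
            outside = True
        else:
            src = ipaddress.ip_network(frm, strict=False)
            outside = src.version != lan.version or not src.subnet_of(lan)
        if outside:
            findings.append((to, frm, hit))
    return findings


if __name__ == "__main__":
    for to, frm, hit in samba_exposure(SAMPLE_STATUS, "192.168.0.0/16"):
        print(f"EXPOSED: {to} from {frm} covers {hit}")
```

    Run against the constructed sample with LAN prefix 192.168.0.0/16 it reports only the `445/tcp` rule whose source is `Anywhere`; the two profile rules and the blanket `Anywhere ALLOW 192.168.0.0/24` rule from the original post are accepted because their source sits inside the LAN. On a real box replace `SAMPLE_STATUS` with the captured output of `sudo ufw status verbose`.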

  9. #9
    Join Date
    Dec 2008
    Beans
    5

    Re: [SOLVED] samba and ufw

    Quote Originally Posted by tebbens View Post
    Using ufw, here is mine....it works great.

    sudo ufw allow proto udp from 192.168.1.0/24 to any port 137
    sudo ufw allow proto udp from 192.168.1.0/24 to any port 138
    sudo ufw allow proto tcp from 192.168.1.0/24 to any port 139
    sudo ufw allow proto tcp from 192.168.1.0/24 to any port 445
    I like this one.
