Web lists-archives.com

Re: [Samba] firewalld services to open for an ADDC




There ought to be a better way to do it than that.

On Tue, Feb 13, 2018 at 9:07 AM, L.P.H. van Belle via samba
<samba@xxxxxxxxxxxxxxx> wrote:
> Hai,
>
> Not complete yet, but functional, tested on debian Stretch.
>
> This is a bit what i use to setup every server.
>
> https://raw.githubusercontent.com/thctlo/debian-scripts/master/setup-ufw.sh
>
> Setup Ufw , in restrictive mode.
> Autodetects the AD DC's.
> Autodetects your mail server if MX is in the dns.
> Enable/disable ipv6
> Enable ping out.
> Restrict logging to ufw.
>
> More to come, but its a work in progress, depends on which server im working. ;-)
>
> I'll have a look at the systemd firewall also, looks interesting.
>
>
> Greetz,
>
> Louis
>
>> -----Oorspronkelijk bericht-----
>> Van: Jeff Sadowski [mailto:jeff.sadowski@xxxxxxxxx]
>> Verzonden: dinsdag 13 februari 2018 16:46
>> Aan: L.P.H. van Belle
>> CC: samba@xxxxxxxxxxxxxxx
>> Onderwerp: Re: [Samba] firewalld services to open for an ADDC
>>
>> On Tue, Feb 13, 2018 at 8:30 AM, L.P.H. van Belle via samba
>> <samba@xxxxxxxxxxxxxxx> wrote:
>> > Hai,
>> >
>> > If you use that or the AD, then its incomplete, imo.
>> > Your missing ldaps (636) and the GC (ssl) 3268/3269) ports
>> and maybe NTP (123/tcp) if installed.
>> > Maybe you dont need them, just an observation.
>> >
>>
>> Oh I see I need to look at the ports in the chart not just the ones
>> listed in the example.
>>
>> I'll add to my list.
>>
>> >
>> > Greetz,
>> >
>> > Louis
>> >
>> >
>> >
>> >> -----Oorspronkelijk bericht-----
>> >> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens Jeff
>> >> Sadowski via samba
>> >> Verzonden: dinsdag 13 februari 2018 16:05
>> >> Aan: Marc Muehlfeld
>> >> CC: Ing. Luis Felipe Domíngu.
>> >> Onderwerp: Re: [Samba] firewalld services to open for an ADDC
>> >>
>> >> On Mon, Feb 12, 2018 at 11:50 PM, Marc Muehlfeld
>> >> <mmuehlfeld@xxxxxxxxx> wrote:
>> >> > Hi Jeff,
>> >> >
>> >> > Am 13.02.2018 um 05:16 schrieb Jeff Sadowski via samba:
>> >> >> So my question is what services or ports am I missing to open?
>> >> >
>> >> > AD DCs:
>> >> > https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage
>> >>
>> >> perfect exactly what I was looking for
>> >> I found some docs about firewalld that the service files
>> are kept in
>> >> /usr/lib/firewalld/services
>> >> so I did
>> >> [root@dc1 ~]# grep -e 139 -e 88 -e 445
>> >> /usr/lib/firewalld/services/*.xml
>> >> /usr/lib/firewalld/services/freeipa-ldaps.xml:  <port
>> >> protocol="tcp" port="88"/>
>> >> /usr/lib/firewalld/services/freeipa-ldaps.xml:  <port
>> >> protocol="udp" port="88"/>
>> >> /usr/lib/firewalld/services/freeipa-ldap.xml:  <port
>> >> protocol="tcp" port="88"/>
>> >> /usr/lib/firewalld/services/freeipa-ldap.xml:  <port
>> >> protocol="udp" port="88"/>
>> >> /usr/lib/firewalld/services/freeipa-trust.xml:  <port
>> protocol="tcp"
>> >> port="138-139"/>
>> >> /usr/lib/firewalld/services/freeipa-trust.xml:  <port
>> protocol="udp"
>> >> port="138-139"/>
>> >> /usr/lib/firewalld/services/freeipa-trust.xml:  <port
>> protocol="tcp"
>> >> port="445"/>
>> >> /usr/lib/firewalld/services/freeipa-trust.xml:  <port
>> protocol="udp"
>> >> port="445"/>
>> >> /usr/lib/firewalld/services/kerberos.xml:  <port
>> >> protocol="tcp" port="88"/>
>> >> /usr/lib/firewalld/services/kerberos.xml:  <port
>> >> protocol="udp" port="88"/>
>> >> /usr/lib/firewalld/services/samba.xml:  <port protocol="tcp"
>> >> port="139"/>
>> >> /usr/lib/firewalld/services/samba.xml:  <port protocol="tcp"
>> >> port="445"/>
>> >> so by adding
>> >>
>> >> firewall-cmd --add-service=dns --permanent
>> >> firewall-cmd --add-service=samba --permanent
>> >> firewall-cmd --add-service=kerberos --permanent
>> >> firewall-cmd --reload
>> >>
>> >> I should have all the ports I need.
>> >> Thank you.
>> >>
>> >> >
>> >> > Domain members:
>> >> > https://wiki.samba.org/index.php/Samba_Domain_Member_Port_Usage
>> >> >
>> >> >
>> >> > Regards,
>> >> > Marc
>> >>
>> >> --
>> >> To unsubscribe from this list go to the following URL and read the
>> >> instructions:  https://lists.samba.org/mailman/options/samba
>> >>
>> >>
>> >
>> >
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba