
Re: [Samba] Samba and firewalling




On Tue, 4 Dec 2018 15:53:29 +0100
"L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> Hai, 
>  
> Just a question, this might be a bug, might not, but for this one I
> need some help.
> Setup, debian 9. 
>  
> Member server samba 4.9.3
> AD DC servers samba 4.8.7 
>  
> I'm setting up the member with a very tight firewall, so nothing
> in/out/routed unless it's defined. I'm using UFW firewall for it.
>  
> I notice the following in my member's firewall logs, and this only
> happened when I run : id or getent passwd wbinfo -u  ( any wbinfo
> command )  no INVALID/BLOCKED in the logs.
> And any other thing that's configured, what I'm testing, as I see, no
> problems at all. Everything works as it should, I'm only not happy with
> the lines UFW AUDIT INVALID and BLOCK. And I can't stand I can't figure
> this out, or at least I'm not sure of.
>  
> IP : .100 is the member 
> IP: .1 and .2 are DC1 and DC2. 
>  
> The Log part. 
> # The request out to DC2. 
> Dec  4 14:52:05 kernel: [969364.260134] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=419 TOS=0x00 PREC=0x00 TTL=64 ID=19101 DF PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00 ACK PSH URGP=0
> Dec  4 14:52:05 kernel: [969364.260257] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=19102 DF PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00 ACK FIN URGP=0
> ## DC2 gets invalid and blocked.
> Dec  4 14:52:05 kernel: [969364.260373] [UFW AUDIT INVALID] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
> Dec  4 14:52:05 kernel: [969364.260386] [UFW BLOCK] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
> #

I would be more worried about the port: 45690

The only trace I could find is:

AEON
stratum+tcp://aeon.pool.minergate.com:45690

The good thing is that your firewall blocked it ;-)

If you don't want those messages in your logs, my understanding is that
replacing this:

ufw logging medium

with this:

ufw logging low

will stop them.

Rowland
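
Added example, not part of the thread or of Samba/UFW: a small parser for the UFW kernel log entries quoted above that groups them by TCP connection, so the direction, ports, flag order and UFW verdict of each packet can be read side by side. The function names are illustrative; the sample input is the four entries from the post, rejoined one per line.

```python
import re
from collections import defaultdict

# The four kernel log entries quoted in the post, rejoined one entry per line.
SAMPLE = """\
Dec  4 14:52:05 kernel: [969364.260134] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=419 TOS=0x00 PREC=0x00 TTL=64 ID=19101 DF PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00 ACK PSH URGP=0
Dec  4 14:52:05 kernel: [969364.260257] [UFW AUDIT] IN= OUT=eno1 SRC=192.168.0.100 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=19102 DF PROTO=TCP SPT=45690 DPT=389 WINDOW=452 RES=0x00 ACK FIN URGP=0
Dec  4 14:52:05 kernel: [969364.260373] [UFW AUDIT INVALID] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
Dec  4 14:52:05 kernel: [969364.260386] [UFW BLOCK] IN=eno1 OUT= SRC=192.168.0.2 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=45690 WINDOW=0 RES=0x00 RST URGP=0
"""

ENTRY = re.compile(r"\[UFW (?P<verdict>[A-Z ]+)\] (?P<rest>.*)")
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

def parse_line(line):
    """Parse one UFW log entry into a dict, or None if it is not a TCP UFW entry."""
    m = ENTRY.search(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    kv = dict(t.split("=", 1) for t in tokens if "=" in t)
    if kv.get("PROTO") != "TCP":
        return None
    # Empty IN= means locally generated (outbound); empty OUT= means delivered locally.
    direction = "out" if not kv.get("IN") else "in" if not kv.get("OUT") else "fwd"
    return {"verdict": m.group("verdict"), "direction": direction,
            "flags": [t for t in tokens if t in TCP_FLAGS],
            "src": (kv["SRC"], int(kv["SPT"])), "dst": (kv["DST"], int(kv["DPT"]))}

def group_by_connection(text):
    """Group entries (in log order) by unordered endpoint pair, so both directions share a key."""
    conns = defaultdict(list)
    for line in text.splitlines():
        e = parse_line(line)
        if e:
            conns[tuple(sorted((e["src"], e["dst"])))].append(e)
    return dict(conns)

def rst_after_local_fin(events):
    """Inbound RSTs that UFW logged as INVALID or BLOCK after this host sent a FIN."""
    fin_sent, hits = False, []
    for e in events:
        if e["direction"] == "out" and "FIN" in e["flags"]:
            fin_sent = True
        elif fin_sent and e["direction"] == "in" and "RST" in e["flags"] and e["verdict"] != "AUDIT":
            hits.append(e)
    return hits

if __name__ == "__main__":
    for conn, events in group_by_connection(SAMPLE).items():
        print(conn, [(e["direction"], e["flags"], e["verdict"]) for e in events])
```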


