Web lists-archives.com

Re: [Samba] Samba and ufw




On Wed, 6 Feb 2019 16:05:40 -0500
Martin McGlensey via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Rowland,
> 
> Did some editing in smb.conf that I had to reverse. Now I'm back to 
> being able to connect with the firewall disabled. When I enable the 
> firewall I get as far as windows network -> workgroup but no
> connection. I have only the rules you recommended in your last email.
> 

Running 'diff' against your rules and mine produces this:

diff yours mine
63d62
yours# -A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
85,87d83
yours# -A ufw-before-logging-forward -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
yours# -A ufw-before-logging-input -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
yours# -A ufw-before-logging-output -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
92c88
yours# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] "
---
mine# -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
108,109c106,107
yours# -A ufw-user-input -s 192.168.0.0/16 -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
yours# -A ufw-user-input -s 192.168.0.0/16 -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
---
mine# -A ufw-user-input -p udp -m multiport --dports 137,138 -m comment --comment "\'dapp_Samba\'" -j ACCEPT
mine# -A ufw-user-input -p tcp -m multiport --dports 139,445 -m comment --comment "\'dapp_Samba\'" -j ACCEPT

You have a few lines I don't have, I have a line that you do not have,
but it is very similar to one of yours and I am allow access to Samba
from anywhere, but you are limiting it to '192.168.x.x'

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba