
Re: [Samba] Samba and ufw




Hi,

Not everyone understands iptables that well, Reindl.

Ufw can be handy and it's usable; now gufw, that's the problem here.
Gufw added the profile and sadly I don't know anything about gufw,
except that it's a GUI on ufw.
I don't know the modifications Gufw made on ufw, except I noticed the profiles.

Now Martin, ok, great. You removed ufw and gufw.
The output looks good.
All tables are cleaned up.

Run: apt-get autoremove to remove leftover packages from the install.
If you plan to install gufw again, don't run the autoremove.

Ok, back up the leftovers in /etc and /etc/gufw (just rename the folders to .old)
Install ufw again. 
ufw allow 22/tcp
ufw allow 139,445/tcp
ufw allow 137,138/udp  ( if you use network browsing, but not really needed. )
( add other ports if needed ) 


ufw --force enable

That's a minimal setting that must work.
I'm moving a bit ahead in time now.

While I totally agree with Reindl, I don't suggest moving to plain iptables.
If you switch now, drop iptables and start learning nftables,
but ufw can be handy, it's just what you need.

Nftables (as of Debian buster)
https://wiki.debian.org/nftables works the same for Mint.
https://wiki.nftables.org/wiki-nftables/index.php/Main_Page more general. 


Greetz, 

Louis





 

> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
> Reindl Harald via samba
> Sent: Monday 11 February 2019 18:28
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] Samba and ufw
> 
> 
> 
> On 11.02.19 at 17:35, Martin McGlensey via samba wrote:
> > Louis,
> > 
> > Followed your instructions so far. Take a look at the output of the
> > various steps. I'm down to removing items from /etc/ufw. I'm not sure
> > what I should delete. I know some of the files are backups generated
> > after some rules were deleted. Please tell me what is safe to delete
> > before I proceed further.
> > 
> > martin@radio:~$ sudo apt-get remove --purge ufw gufw
> > Reading package lists... Done
> > Building dependency tree
> > Reading state information... Done
> > The following packages were automatically installed and are no longer
> > required:
> >   libqt5positioning5 libqt5qml5 libqt5quick5 libqt5sensors5
> 
> frankly why don't you throw away all that crap and start writing an
> "iptables.sh" which is even for a datacenter firewall doing NAT and
> firewalling in front of a /24 network no rocket science
> 
> also looking what rules are currently active is a no-brainer
> 
> [root@firewall:~]$  cat /usr/local/bin/firewall_status
> #!/bin/bash
> 
> IPTABLES="/sbin/iptables"
> DEFAULT_COLOR_START="\e[36m"
> DEFAULT_COLOR_STOP="\e[0m"
> 
> function firewall_status
> {
>  # Output mode: verbose unless "short" is given
>  if [ "$1" != "short" ]; then
>   VERBOSE="--verbose"
>  fi
>  # Walk through all loaded tables in sorted order
>  for table in `cat /proc/net/ip_tables_names | sort`
>  do
>   echo -e "${DEFAULT_COLOR_START}---------------------------------------------------------------------------------------${DEFAULT_COLOR_STOP}"
>   echo -e "${DEFAULT_COLOR_START}`echo $table: | tr a-z A-Z`${DEFAULT_COLOR_STOP}"
>   echo -e "${DEFAULT_COLOR_START}---------------------------------------------------------------------------------------${DEFAULT_COLOR_STOP}"
>   $IPTABLES -t "$table" --list --numeric --line-numbers $VERBOSE
>   echo ""
>  done
> }
> 
> # On a terminal, page through less; otherwise strip the ANSI colour codes
> if [ -t 1 ];
> then
>  firewall_status "$1" | less -R
> else
>  firewall_status "$1" | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g"
> fi
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
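
A way to confirm that the ufw rules listed in Louis's reply are in effect after `ufw --force enable`, as an added example that is not part of the original thread: it parses `ufw status` output and reports which Samba ports no ALLOW rule covers. The helper name `missing_ports` and the sample status text are constructed for illustration; only numeric IPv4 port/proto rules are parsed.

```bash
#!/bin/bash
# Added example: verify that the Samba ports are covered by ufw ALLOW rules.

# Constructed sample of `ufw status` output (not from the thread).
# The 137,138/udp rule is left out on purpose.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
139,445/tcp                ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

# missing_ports PORT/PROTO...
# Hypothetical helper: reads `ufw status` text on stdin and prints, space
# separated, every requested port/proto that no ALLOW rule covers.
# Only numeric IPv4 rules such as "139,445/tcp" are parsed; app profiles,
# port ranges and (v6) rows are ignored, and any source address counts.
missing_ports() {
  awk -v want="$*" '
    $2 == "ALLOW" && $1 ~ /^[0-9,]+\/(tcp|udp)$/ {
      split($1, spec, "/")               # spec[1]=port list, spec[2]=proto
      n = split(spec[1], ports, ",")
      for (i = 1; i <= n; i++) allowed[ports[i] "/" spec[2]] = 1
    }
    END {
      n = split(want, req, " ")
      out = ""
      for (i = 1; i <= n; i++)
        if (!(req[i] in allowed)) out = out (out == "" ? "" : " ") req[i]
      print out
    }'
}

# Demo on the constructed sample; on a real host use:
#   sudo ufw status | missing_ports 139/tcp 445/tcp 137/udp 138/udp
printf '%s\n' "$SAMPLE_STATUS" | missing_ports 139/tcp 445/tcp 137/udp 138/udp
```

An empty result means every requested port is allowed; an inactive firewall reports all requested ports as missing.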

