Web lists-archives.com

Re: [Samba] Samba and ufw




Hai Marty,

On tony's responce, yes.. He has a point but these are not needed for now. 
And, i've shown the rules already in the thread. ;-) 
These rules are in case of "allow outgoing" not needed. ( for now ).

Ok, now what exact is going i dont know, but i found a workaround. 

I've installed a ubuntu 18.04 server, clean, only ssh. 

I did run the following. 
apt install samba ufw
For everything I kept the defaults. 

Only added this to smb.conf
[testingUfw]
    comment = Test for UFW
    path = /tmp
    guest ok = yes
   browseable = yes

After install

Started windows explorer. \\ip\ 
And it works fine.. 

ufw logging high
ufw allow 22
ufw allow 139,445/tcp
ufw --force enable


Started windows explorer. \\ip\ 
And... Nothing. So thats confirmed.   Your not crazy Martin..  ;-) 

Rebooted the server and cleared the logs. 

Tried again. . \\ip\  No go. 
Must strange thing here, even with logging set high, which logs everything, 
and i dont see UFW BLOCKED. ?? Huh?? Strange.. 

Now i did remember a simular thing on one of my server, which was going, i've checked that servers logs. 
All i could see was that i added the webserver ports..

So lets try that. 
ufw allow 80,443

Started windows explorer. \\ip\ 
And hoppa, working, dont ask my why... This i dont know. 

Now it worked, i removed these rules again. 
ufw status numbered
ufw delete X
ufw status numbered
ufw delete X
2x delete due to Ipv4 and ipv6.

Rebooted the server. 

So now only port 22,139,445 are open again. 

Tried again from my win10 pc. 
Still working..  ???? Uhmm... Even stranger. 

I have NOT rebooted the Win10 pc, with SMB1 enbled, yeah.. i still need that for 1 server.. 

Next, I removed port 139,445 and check \\ip\  not working, so thats good. Just checking .. 
Only allow port 445 now. 

ufw allow 445/tcp 
\\ip\ and No access

ufw allow 80,443/tcp
\\ip\ and No access

And removed 80,443 again, to keep the as clean as possbile. 

Added 139 again. 

\\ip\ and No access 

Now added again : 
ufw allow 80,443

\\ip\ and Yes access.. 



And most strang thing in above tests... 
0 UFW BLOCKS... 

I've repeated above steps with smbd and nmbd enabled and only smbd.

Can someone repeat my above steps and see if we can figure out whats going on here.
because i've lots it. 

This must be a windows thing, because why im i not seeing any UFW BLOCKS.

Greetz, 

Louis









> -----Oorspronkelijk bericht-----
> Van: Martin McGlensey [mailto:mmcg29440@xxxxxxxxxxxx] 
> Verzonden: dinsdag 12 februari 2019 17:38
> Aan: L.P.H. van Belle; samba@xxxxxxxxxxxxxxx
> Onderwerp: Re: Samba and ufw (Martin McGlensey)
> 
> Louis,
> 
> Made the changes. Still unable to mount office. Firewall also blocks 
> Thunderbird mail and maybe internet. Will check that more fully 
> later.Any thoughts ob Tony's response?
> 
> Outputs:
> 
> martin@radio:/etc$ sudo apt-get install ufw
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> The following packages were automatically installed and are no longer 
> required:
>    libqt5positioning5 libqt5qml5 libqt5quick5 libqt5sensors5 
> libqt5webchannel5
>    libqt5webkit5 python-pyatspi
> Use 'sudo apt autoremove' to remove them.
> The following NEW packages will be installed:
>    ufw
> 0 upgraded, 1 newly installed, 0 to remove and 32 not upgraded.
> Need to get 147 kB of archives.
> After this operation, 838 kB of additional disk space will be used.
> Get:1 http://archive.ubuntu.com/ubuntu bionic/main amd64 ufw 
> all 0.35-5 
> [147 kB]
> Fetched 147 kB in 1s (216 kB/s)
> Preconfiguring packages ...
> Selecting previously unselected package ufw.
> (Reading database ... 324048 files and directories currently 
> installed.)
> Preparing to unpack .../archives/ufw_0.35-5_all.deb ...
> Unpacking ufw (0.35-5) ...
> Setting up ufw (0.35-5) ...
> 
> Creating config file /etc/ufw/before.rules with new version
> 
> Creating config file /etc/ufw/before6.rules with new version
> 
> Creating config file /etc/ufw/after.rules with new version
> 
> Creating config file /etc/ufw/after6.rules with new version
> Created symlink 
> /etc/systemd/system/multi-user.target.wants/ufw.service 
> ??? /lib/systemd/system/ufw.service.
> Processing triggers for ureadahead (0.100.0-20) ...
> ureadahead will be reprofiled on next reboot
> Processing triggers for systemd (237-3ubuntu10.11) ...
> Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
> Processing triggers for rsyslog (8.32.0-1ubuntu4) ...
> martin@radio:/etc$ ^C
> martin@radio:/etc$
> 
> 
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXX
> martin@radio:/etc$ sudo ufw allow 22/tcp
> Rules updated
> Rules updated (v6)
> martin@radio:/etc$ sudo ufw allow 139,445/tcp
> Rules updated
> Rules updated (v6)
> martin@radio:/etc$ sudo ufw allow 137,138/udp
> Rules updated
> Rules updated (v6)
> martin@radio:/etc$ sudo ufw --force enable
> Firewall is active and enabled on system startup
> martin@radio:/etc$
> 
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXX
> martin@radio:/etc$ sudo iptables --list-rules
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT ACCEPT
> -N ufw-after-forward
> -N ufw-after-input
> -N ufw-after-logging-forward
> -N ufw-after-logging-input
> -N ufw-after-logging-output
> -N ufw-after-output
> -N ufw-before-forward
> -N ufw-before-input
> -N ufw-before-logging-forward
> -N ufw-before-logging-input
> -N ufw-before-logging-output
> -N ufw-before-output
> -N ufw-logging-allow
> -N ufw-logging-deny
> -N ufw-not-local
> -N ufw-reject-forward
> -N ufw-reject-input
> -N ufw-reject-output
> -N ufw-skip-to-policy-forward
> -N ufw-skip-to-policy-input
> -N ufw-skip-to-policy-output
> -N ufw-track-forward
> -N ufw-track-input
> -N ufw-track-output
> -N ufw-user-forward
> -N ufw-user-input
> -N ufw-user-limit
> -N ufw-user-limit-accept
> -N ufw-user-logging-forward
> -N ufw-user-logging-input
> -N ufw-user-logging-output
> -N ufw-user-output
> -A INPUT -j ufw-before-logging-input
> -A INPUT -j ufw-before-input
> -A INPUT -j ufw-after-input
> -A INPUT -j ufw-after-logging-input
> -A INPUT -j ufw-reject-input
> -A INPUT -j ufw-track-input
> -A FORWARD -j ufw-before-logging-forward
> -A FORWARD -j ufw-before-forward
> -A FORWARD -j ufw-after-forward
> -A FORWARD -j ufw-after-logging-forward
> -A FORWARD -j ufw-reject-forward
> -A FORWARD -j ufw-track-forward
> -A OUTPUT -j ufw-before-logging-output
> -A OUTPUT -j ufw-before-output
> -A OUTPUT -j ufw-after-output
> -A OUTPUT -j ufw-after-logging-output
> -A OUTPUT -j ufw-reject-output
> -A OUTPUT -j ufw-track-output
> -A ufw-after-input -p udp -m udp --dport 137 -j 
> ufw-skip-to-policy-input
> -A ufw-after-input -p udp -m udp --dport 138 -j 
> ufw-skip-to-policy-input
> -A ufw-after-input -p tcp -m tcp --dport 139 -j 
> ufw-skip-to-policy-input
> -A ufw-after-input -p tcp -m tcp --dport 445 -j 
> ufw-skip-to-policy-input
> -A ufw-after-input -p udp -m udp --dport 67 -j 
> ufw-skip-to-policy-input
> -A ufw-after-input -p udp -m udp --dport 68 -j 
> ufw-skip-to-policy-input
> -A ufw-after-input -m addrtype --dst-type BROADCAST -j 
> ufw-skip-to-policy-input
> -A ufw-after-logging-forward -m limit --limit 3/min 
> --limit-burst 10 -j 
> LOG --log-prefix "[UFW BLOCK] "
> -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j 
> LOG --log-prefix "[UFW BLOCK] "
> -A ufw-before-forward -m conntrack --ctstate 
> RELATED,ESTABLISHED -j ACCEPT
> -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
> -A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
> -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
> -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
> -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A ufw-before-forward -j ufw-user-forward
> -A ufw-before-input -i lo -j ACCEPT
> -A ufw-before-input -m conntrack --ctstate 
> RELATED,ESTABLISHED -j ACCEPT
> -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
> -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
> -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
> -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
> -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
> -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
> -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
> -A ufw-before-input -j ufw-not-local
> -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 
> 5353 -j ACCEPT
> -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp 
> --dport 1900 -j 
> ACCEPT
> -A ufw-before-input -j ufw-user-input
> -A ufw-before-output -o lo -j ACCEPT
> -A ufw-before-output -m conntrack --ctstate 
> RELATED,ESTABLISHED -j ACCEPT
> -A ufw-before-output -j ufw-user-output
> -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG 
> --log-prefix "[UFW ALLOW] "
> -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 
> 3/min --limit-burst 10 -j RETURN
> -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG 
> --log-prefix "[UFW BLOCK] "
> -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
> -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
> -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
> -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j 
> ufw-logging-deny
> -A ufw-not-local -j DROP
> -A ufw-skip-to-policy-forward -j DROP
> -A ufw-skip-to-policy-input -j DROP
> -A ufw-skip-to-policy-output -j ACCEPT
> -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
> -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
> -A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
> -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT
> -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT
> -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix 
> "[UFW LIMIT 
> BLOCK] "
> -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
> -A ufw-user-limit-accept -j ACCEPT
> martin@radio:/etc$
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXX
> 
> After REBOOT
> 
> martin@radio:~$ sudo iptables --list-rules
> [sudo] password for martin:
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT ACCEPT
> -N ufw-after-forward
> -N ufw-after-input
> -N ufw-after-logging-forward
> -N ufw-after-logging-input
> -N ufw-after-logging-output
> -N ufw-after-output
> -N ufw-before-forward
> -N ufw-before-input
> -N ufw-before-logging-forward
> -N ufw-before-logging-input
> -N ufw-before-logging-output
> -N ufw-before-output
> -N ufw-logging-allow
> -N ufw-logging-deny
> -N ufw-not-local
> -N ufw-reject-forward
> -N ufw-reject-input
> -N ufw-reject-output
> -N ufw-skip-to-policy-forward
> -N ufw-skip-to-policy-input
> -N ufw-skip-to-policy-output
> -N ufw-track-forward
> -N ufw-track-input
> -N ufw-track-output
> -N ufw-user-forward
> -N ufw-user-input
> -N ufw-user-limit
> -N ufw-user-limit-accept
> -N ufw-user-logging-forward
> -N ufw-user-logging-input
> -N ufw-user-logging-output
> -N ufw-user-output
> -A INPUT -j ufw-before-logging-input
> -A INPUT -j ufw-before-input
> -A INPUT -j ufw-after-input
> -A INPUT -j ufw-after-logging-input
> -A INPUT -j ufw-reject-input
> -A INPUT -j ufw-track-input
> -A FORWARD -j ufw-before-logging-forward
> -A FORWARD -j ufw-before-forward
> -A FORWARD -j ufw-after-forward
> -A FORWARD -j ufw-after-logging-forward
> -A FORWARD -j ufw-reject-forward
> -A FORWARD -j ufw-track-forward
> -A OUTPUT -j ufw-before-logging-output
> -A OUTPUT -j ufw-before-output
> -A OUTPUT -j ufw-after-output
> -A OUTPUT -j ufw-after-logging-output
> -A OUTPUT -j ufw-reject-output
> -A OUTPUT -j ufw-track-output
> -A ufw-after-input -p udp -m udp --dport 137 -j 
> ufw-skip-to-policy-input
> -A ufw-after-input -p udp -m udp --dport 138 -j 
> ufw-skip-to-policy-input
> -A ufw-after-input -p tcp -m tcp --dport 139 -j 
> ufw-skip-to-policy-input
> -A ufw-after-input -p tcp -m tcp --dport 445 -j 
> ufw-skip-to-policy-input
> -A ufw-after-input -p udp -m udp --dport 67 -j 
> ufw-skip-to-policy-input
> -A ufw-after-input -p udp -m udp --dport 68 -j 
> ufw-skip-to-policy-input
> -A ufw-after-input -m addrtype --dst-type BROADCAST -j 
> ufw-skip-to-policy-input
> -A ufw-after-logging-forward -m limit --limit 3/min 
> --limit-burst 10 -j 
> LOG --log-prefix "[UFW BLOCK] "
> -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j 
> LOG --log-prefix "[UFW BLOCK] "
> -A ufw-before-forward -m conntrack --ctstate 
> RELATED,ESTABLISHED -j ACCEPT
> -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
> -A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
> -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
> -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
> -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A ufw-before-forward -j ufw-user-forward
> -A ufw-before-input -i lo -j ACCEPT
> -A ufw-before-input -m conntrack --ctstate 
> RELATED,ESTABLISHED -j ACCEPT
> -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
> -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
> -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
> -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
> -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
> -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
> -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
> -A ufw-before-input -j ufw-not-local
> -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 
> 5353 -j ACCEPT
> -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp 
> --dport 1900 -j 
> ACCEPT
> -A ufw-before-input -j ufw-user-input
> -A ufw-before-output -o lo -j ACCEPT
> -A ufw-before-output -m conntrack --ctstate 
> RELATED,ESTABLISHED -j ACCEPT
> -A ufw-before-output -j ufw-user-output
> -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG 
> --log-prefix "[UFW ALLOW] "
> -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 
> 3/min --limit-burst 10 -j RETURN
> -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG 
> --log-prefix "[UFW BLOCK] "
> -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
> -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
> -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
> -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j 
> ufw-logging-deny
> -A ufw-not-local -j DROP
> -A ufw-skip-to-policy-forward -j DROP
> -A ufw-skip-to-policy-input -j DROP
> -A ufw-skip-to-policy-output -j ACCEPT
> -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
> -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
> -A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
> -A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT
> -A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT
> -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix 
> "[UFW LIMIT 
> BLOCK] "
> -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
> -A ufw-user-limit-accept -j ACCEPT
> martin@radio:~$
> 
> Regards,
> 
> Marty
> 
> 
> 
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba