Thread: SMB netbios broadcast name resolution linux iptables problem

  1. SMB netbios broadcast name resolution linux iptables problem

    I have had nightmares configuring the firewall to let me access Windows
    machines from my Linux box, and am hoping someone would be able to
    shed some light on my problem.

    When the firewall is enabled, I cannot resolve PC names through NetBIOS
    broadcast resolution. Everything is fine when the firewall is manually
    disabled.

    I have enabled all the ports required for SMB.

    On inspection of net traffic to and from the NIC, the following is
    what I have identified:

    - Linux box broadcasts to resolve the name. Source port is a normal
    random available port.

    - Windows PC accepts the broadcast and replies to the random port stating
    its IP address.

    - Firewall has no allow rule for the random port and so drops the
    packet.

    Based on my analysis I do not know how to allow incoming connections to
    support NetBIOS, as the target PC replies to the source port of the
    originating broadcast, which is not consistent.

    As far as I am aware, there is no connection either, so we cannot query
    the connection state.

    As an interim workaround, I have set a firewall rule to allow all
    traffic where the source port is 137. This port is the Windows PCs'
    source port when replying to NetBIOS broadcast requests.

    This solution is far from ideal though, as it means anybody that sets
    their source port to 137 can bypass the firewall on the PC.

    Does anyone know of a better solution?

    Regards
    Daniel


  2. Re: SMB netbios broadcast name resolution linux iptables problem

    geekboxnz@gmail.com wrote:
    > I have had nightmares configuring the firewall to let me access Windows
    > machines from my Linux box, and am hoping someone would be able to
    > shed some light on my problem.
    >
    > When the firewall is enabled, I cannot resolve PC names through NetBIOS
    > broadcast resolution. Everything is fine when the firewall is manually
    > disabled.
    >
    > I have enabled all the ports required for SMB.
    >
    > On inspection of net traffic to and from the NIC, the following is
    > what I have identified:
    >
    > - Linux box broadcasts to resolve the name. Source port is a normal
    > random available port.
    >
    > - Windows PC accepts the broadcast and replies to the random port stating
    > its IP address.
    >
    > - Firewall has no allow rule for the random port and so drops the
    > packet.
    >
    > Based on my analysis I do not know how to allow incoming connections to
    > support NetBIOS, as the target PC replies to the source port of the
    > originating broadcast, which is not consistent.
    >
    > As far as I am aware, there is no connection either, so we cannot query
    > the connection state.
    >
    > As an interim workaround, I have set a firewall rule to allow all
    > traffic where the source port is 137. This port is the Windows PCs'
    > source port when replying to NetBIOS broadcast requests.
    >
    > This solution is far from ideal though, as it means anybody that sets
    > their source port to 137 can bypass the firewall on the PC.
    >
    > Does anyone know of a better solution?
    >
    > Regards
    > Daniel
    >


    Hello,
    maybe the ipfilter software does what you want, see
    http://coombs.anu.edu.au/~avalon/exa...ml#packetstate
    For outgoing UDP packets it expects an answer and keeps this
    state.
    But this means you have to uninstall your current firewall
    and install ipfilter instead.
    Ipfilter uses a different syntax to specify the rules,
    so you will need time for installing and configuring
    that firewall.
    If you want to contact only a small number of Windows PCs,
    it is possibly a better idea to allow incoming traffic coming
    from ports 137, 138, 139 and 445 on these PCs. So you will have
    up to 8 rules per PC.
    Or you configure a WINS server and use this server for name
    resolution instead of broadcast.
    Hope this helps.
    Regards,

    Dirk

    --
    Dipl.-Ing. Dirk Krause
    http://www.fh-schmalkalden.de/url.ph...lect_wert/3023
    Please use the web form in the line above to establish personal contact.
    Do not use the e-mail address shown in the header lines, mails to this
    address go into the electronic trash can. Thanks.

  3. Re: SMB netbios broadcast name resolution linux iptables problem

    > Hello,
    > maybe the ipfilter software does what you want, see
    > http://coombs.anu.edu.au/~avalon/exa...ml#packetstate
    > For outgoing UDP packets it expects an answer and keeps this
    > state.
    > But this means you have to uninstall your current firewall
    > and install ipfilter instead.
    > ...
    >
    > Dirk
    >


    Just to correct myself: iptables also allows filtering rules based
    on the "connection state", also for stateless UDP communication.
    See
    http://iptables-tutorial.frozentux.n...tml#STATEMATCH
    Regards,

    Dirk

    --
    Dipl.-Ing. Dirk Krause
    http://www.fh-schmalkalden.de/url.ph...lect_wert/3023
    Please use the web form in the line above to establish personal contact.
    Do not use the e-mail address shown in the header lines, mails to this
    address go into the electronic trash can. Thanks.
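The state match Dirk points to is the right direction, but on its own it does not solve Daniel's case: the query goes to the subnet broadcast address, so the conntrack entry expects the reply to come from that broadcast address, while the Windows box answers from its own unicast address and the reply is therefore classified NEW, not ESTABLISHED. The kernel helper nf_conntrack_netbios_ns exists for exactly this; it registers an expectation for a reply from any host on the local subnet (source port 137, to the query's port, within a few seconds) and marks that reply RELATED. The script below is an added example, not code from the thread: it emits a ruleset built on that helper, keeps the thread's "accept anything from source port 137" workaround alongside for comparison, and includes a check for that bypass. The interface name eth0 and the LAN 192.168.1.0/24 are assumptions, as is a kernel that ships nf_conntrack_netbios_ns and the iptables CT target.

```shell
#!/bin/sh
# Added example (not from the thread). Generates, and optionally applies, an
# iptables ruleset that lets NetBIOS name-service (NBNS) broadcasts out and
# lets the unicast replies back in via connection tracking, instead of the
# blanket "accept anything with source port 137" workaround.
#
# Assumptions (hypothetical, adjust for your host): interface eth0, LAN
# 192.168.1.0/24, a kernel with nf_conntrack_netbios_ns, and explicit helper
# assignment through the raw table (automatic helper assignment has been off
# by default since kernel 3.5, so the CT target rule is required).

# The interim workaround from the thread, kept only for comparison: any
# packet with UDP source port 137 gets in, whatever its origin or state.
weak_rule() {
    printf '%s\n' "iptables -A INPUT -p udp --sport 137 -j ACCEPT"
}

# Emit the hardened ruleset for interface $1 and LAN $2, one command per
# line, so it can be reviewed before being piped into a shell.
netbios_rules() {
    iface="$1"
    lan="$2"
    cat <<EOF
# NBNS broadcast helper: expects the unicast reply and marks it RELATED
modprobe nf_conntrack_netbios_ns
# Attach the helper to outgoing name queries (broadcast dst is inside \$lan)
iptables -t raw -A OUTPUT -o $iface -p udp -d $lan --dport 137 -j CT --helper netbios-ns
# Default deny inbound, loopback allowed
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
# State handling: drop junk, accept replies to our own traffic (incl. NBNS)
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only needed if this host itself serves SMB (nmbd/smbd): LAN peers may open
# new NetBIOS/SMB sessions to us. Remove these two lines for a pure client.
iptables -A INPUT -i $iface -s $lan -p udp -m multiport --dports 137,138 -j ACCEPT
iptables -A INPUT -i $iface -s $lan -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Check a generated ruleset for the source-port bypass the thread warns
# about. Succeeds (exit 0) when no rule accepts purely on --sport 137.
has_no_sport_bypass() {
    ! printf '%s\n' "$1" | grep -q -- '--sport 137 -j ACCEPT'
}

# Apply the ruleset only when run as root with APPLY=1; otherwise print it.
main() {
    rules=$(netbios_rules "${IFACE:-eth0}" "${LAN:-192.168.1.0/24}")
    has_no_sport_bypass "$rules" || { echo "refusing: sport-137 bypass present" >&2; return 1; }
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

main "$@"
```

To confirm the helper is doing its job, send a query (for example with nmblookup) and, while it is in flight, run `conntrack -L expect`: the expectation registered by netbios-ns for the query's port should be listed, and the packet counter on the raw-table CT rule (`iptables -t raw -L OUTPUT -v -n`) should increase. If the reply still lands in the NEW state, the usual causes are the helper module not being loaded or the query not actually going to the interface's broadcast address.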
