can't take it anymore: samba/firewall (Linux Networking forum, Linux Forums)
I'm at the end of my rope. I barely qualify as a networking noob, so it's been a week's worth of evenings and all I have to show for it is two smashed-up kbs scattered about my feet.

I have a DSL transceiver connected to an ethernet card on my home PC. I'm running win98 in vmware4 (2.4.20). Works fine. I installed samba 2.2.8a. Works fine. win98 guest can print via samba just fine... unless the *&^#*&@ firewall is running (shorewall 1.4). Shorewall is set up perfectly for what I need so long as I don't want to print from a vmware guest. So I'd like to get the last tweak in shorewall to get things working and not dump it for firestarter or anything (mainly because all I know about firewalls is what I've learned with this problem, which is more than I wanted to know).

Only when shorewall is running do I get the following nmb error:

    Packet send failed to 172.16.141.255(138) ERRNO=Operation not permitted

(I've set 172.16.141.10 as the IP for win98, and I believe vmware is using 172.16.141.1 for its NAT whatever.) If I shut the firewall off I don't believe I ever see nmb use *.255 (I have no idea what the *.255 is all about, since when the firewall is down it uses *.1 and *.10 for successful back and forth). If I could just figure out how to let that through, maybe things would work?

Pertinent smb.conf:

    [global]
    interfaces = 172.16.141.0/255.255.255.0
    bind interfaces only = yes
    security = USER

I've tried numerous different smb.conf:interface incantations. AFAICT /etc/services has the correct entries. shorewall has a (supposed) samba help page, but it's not a drop-in solution (at least not for me). His network setup help (which I guess expands on his samba help) is way over my head. And the many past nights of incremental fiddling with shorewall's cfg files (rules, interfaces, zones, policy, etc.) aren't getting me anywhere. One hit said this line in shorewall/rules worked for him:

    ACCEPT net:172.16.141.0/255.255.255.0 fw

but it doesn't for me. I have no idea why not.

I'm wondering if I traced the problem back to shorewall's policy cfg file:

    fw   net  ACCEPT
    loc  net  ACCEPT
    loc  fw   ACCEPT
    net  all  DROP
    all  all  REJECT

IIRC when I commented out the "net/all" line it effectively shut off the firewall and the win98 guest could then see my printer. But I don't understand how to deal with that if it is the problem. I figured samba sent a signal to my ethernet card ("loc") and somehow came right back to the vmware instance. But this experiment seems to indicate the samba signal leaves my computer altogether (? See, noob). But if that's true, then couldn't anyone use that IP to access my computer if the firewall is going to allow it to come from "net"? Totally confused.

I'd really appreciate help...

Mike
--
mikeballard--at--verizon.net
"Roses are red, violets are blue, I'm schizophrenic and so am I"
Mike Ballard wrote:
> I'm at the end of my rope. I barely qualify as a networking noob so it's
> been a week's worth of evenings and all I have to show for it is two
> smashed up kbs scattered about my feet.

Don't despair... - Violence is not a solution... ;|

> Only when shorewall is running do I get the following nmb error:
>
> Packet send failed to 172.16.141.255(138) ERRNO=Operation not permitted
>
> (I've set 172.16.141.10 as the IP for win98, and I believe vmware is using
> 172.16.141.1 for its NAT whatever). If I shut the firewall off I don't
> believe I ever see nmb use *255 (I have no idea what the *255 is all about
> since when the firewall is down it uses *.1 and *.10 for successful back
> and forth). If I could just figure out how to let that through maybe
> things would work?

OK, smb works with so-called broadcasts (unless configured correctly), which will eventually be .255 in any case. nmbd/smbd should be allowed to see or generate this sort of traffic.

> Pertinent smb.conf:
>
> [global]
> interfaces = 172.16.141.0/255.255.255.0
> bind interfaces only = yes
> security = USER

You should not have an interface IP ending in .0 with a netmask of /24. It simply won't work.

> I'd really appreciate help...

Well, all the rest of Your post was referring to some shorewall setup, which I don't use. If all of the above won't get You onto the track, just holler. - Prepare to have a packet sniffer ready, then.

Cheers,
Jack.
--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...
On Sat Feb 28, jack disturbed my nap when he said:
> Mike Ballard wrote:
> > I'm at the end of my rope. I barely qualify as a networking noob so it's
> > been a week's worth of evenings and all I have to show for it is two
> > smashed up kbs scattered about my feet.
>
> Don't despair... - Violence is not a solution... ;|
>
> > Only when shorewall is running do I get the following nmb error:
> > Packet send failed to 172.16.141.255(138) ERRNO=Operation not permitted (I've
> > set 172.16.141.10 as the IP for win98, and I believe vmware is using
> > 172.16.141.1 for its NAT whatever). If I shut the firewall off I don't
> > believe I ever see nmb use *255 (I have no idea what the *255 is all about
> > since when the firewall is down it uses *.1 and *.10 for successful back
> > and forth). If I could just figure out how to let that through maybe
> > things would work?
>
> OK, smb works with so-called broadcasts (unless configured correctly),
> which will eventually be .255 in any case. nmbd/smbd should be allowed
> to see or generate this sort of traffic.
>
> > Pertinent smb.conf:
> > [global]
> > interfaces = 172.16.141.0/255.255.255.0
> > bind interfaces only = yes
> > security = USER
>
> You should not have an interface IP ending in .0 with a netmask of /24.
> It simply won't work.
>
> > I'd really appreciate help...
>
> Well, all the rest of Your post was referring to some shorewall setup,
> which I don't use. If all of the above won't get You onto the track,
> just holler. - Prepare to have a packet sniffer ready, then.

Thanks.

I got the firewall problem figured out, so I can now run with the firewall enabled and have smb communicating with the win98 instance. Almost done.

Problem is, the ports used (137:139, 445) no longer show up as "blocked", just "closed" (before opening them up for samba all ports were "blocked"). I followed the firewall docs for this particular circumstance and according to the rules it appears the ports are only supposed to be open on the local/fw path, so I don't understand why the outside world doesn't still see them as blocked. What's the normal method for allowing local communication through these ports but making them appear "blocked" to the outside world? When I use the blackhole IPs, are those broadcast out onto the Internet, or is pptp/eth supposed to know not to send them outside my machine?

I use pptp for DSL, and although I have an ethernet card, someone told me (I'm pretty sure) that through some means eth0 "disappears" into ppp0. Is there some way to addr eth0, because shorewall could use its hardware addr for filtering, which I think would solve the closed port problem. shorewall doesn't recognize eth0 as being "up" (ifconfig shows it; route doesn't). Would using nmbd/WINS resolve this problem?

Mike
--
mikeballard--at--verizon.net
"Roses are red, violets are blue, I'm schizophrenic and so am I"
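The two questions in this thread (why nmbd's broadcast fails with "Operation not permitted" under the policy file from the first post, and why the NetBIOS/SMB ports later showed as "closed" rather than "blocked" from outside) both come down to which policy line a packet falls through to. The script below is an added example written for this thread; it is not Shorewall code and not Mike's configuration beyond the five policy lines he posted. It models Shorewall's lookup order (first matching rule, else first matching policy) and assumes a layout the thread does not state: the VMware NAT interface is in the "loc" zone, the DSL link ppp0 is the "net" zone, and the host's own sockets are the "fw" zone. The Samba rules in SAMBA_RULES are ones I would add, using the ports the thread names (137:139 and 445); the 203.0.113.7 and 172.16.141.x addresses in the test cases are constructed.

```python
"""Toy first-match model of a Shorewall 1.4 policy/rules pair (added example).

Assumptions not in the thread: VMware NAT interface in zone "loc", ppp0 in
zone "net", the host's own sockets in zone "fw".  Real Shorewall compiles
these files into iptables chains; only the lookup order is modelled here.
"""

import ipaddress

# /etc/shorewall/policy exactly as posted (SOURCE, DEST, POLICY); first match wins.
POLICY = [
    ("fw", "net", "ACCEPT"),
    ("loc", "net", "ACCEPT"),
    ("loc", "fw", "ACCEPT"),
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]

# Rules I would add for Samba between host and guest network:
# (ACTION, SOURCE, DEST, PROTO, DEST PORTS).  Ports are the ones the thread
# names; these lines are my own, not taken from the Shorewall samba page.
SAMBA_RULES = [
    ("ACCEPT", "fw", "loc", "udp", "137:139"),
    ("ACCEPT", "loc", "fw", "udp", "137:139"),
    ("ACCEPT", "fw", "loc", "tcp", "139,445"),
    ("ACCEPT", "loc", "fw", "tcp", "139,445"),
]

# The rule Mike reported trying: "ACCEPT net:172.16.141.0/255.255.255.0 fw"
# (no PROTO or PORT column, i.e. every protocol and port).
MIKE_RULE = [("ACCEPT", "net:172.16.141.0/255.255.255.0", "fw", "all", "-")]


def _zone_matches(pattern, zone):
    return pattern == "all" or pattern == zone


def _source_matches(spec, zone, ip):
    """SOURCE is 'zone' or 'zone:network'; both parts must match."""
    zone_pat, _, network = spec.partition(":")
    if not _zone_matches(zone_pat, zone):
        return False
    if not network:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def _port_matches(spec, port):
    """DEST PORT(S): '-' for any, 'lo:hi' ranges and comma-separated lists."""
    if spec == "-":
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, src_zone, src_ip, dst_zone, proto, dport):
    """Verdict for one packet: first matching rule, else first matching policy.

    src_zone=None stands for a packet the model cannot attribute to any zone;
    in this toy it can then only match 'all' patterns.  (How real Shorewall
    treats traffic on an interface outside every zone is not modelled.)
    """
    for action, src, dst, rproto, ports in rules:
        if (_source_matches(src, src_zone, src_ip)
                and _zone_matches(dst, dst_zone)
                and rproto in ("all", proto)
                and _port_matches(ports, dport)):
            return action
    for src, dst, action in POLICY:
        if _zone_matches(src, src_zone) and _zone_matches(dst, dst_zone):
            return action
    return "DROP"  # unreachable while an 'all all' policy line exists


def sender_sees(verdict):
    """What the local sending process observes for its own outbound packet.

    A DROP or REJECT hit in netfilter's OUTPUT path makes sendto() fail with
    EPERM, which nmbd logs as 'Packet send failed ... Operation not permitted'.
    """
    return "sent" if verdict == "ACCEPT" else "Operation not permitted"


def scanner_sees(verdict):
    """How a remote TCP port scan reports the port (ACCEPT assumes a listener)."""
    return {"ACCEPT": "open", "DROP": "filtered (blocked)", "REJECT": "closed"}[verdict]


if __name__ == "__main__":
    cases = [  # constructed packets: (label, rules, src zone, src ip, dst zone, proto, port)
        ("nmbd broadcast, no samba rules", [], "fw", "172.16.141.1", "loc", "udp", 138),
        ("nmbd broadcast, samba rules", SAMBA_RULES, "fw", "172.16.141.1", "loc", "udp", 138),
        ("Internet probe of 445, samba rules", SAMBA_RULES, "net", "203.0.113.7", "fw", "tcp", 445),
        ("probe attributed to no zone", SAMBA_RULES, None, "203.0.113.7", "fw", "tcp", 445),
        ("Mike's rule, spoofed 172.16.141.10 from net", MIKE_RULE, "net", "172.16.141.10", "fw", "tcp", 445),
    ]
    for label, rules, sz, ip, dz, proto, port in cases:
        v = evaluate(rules, sz, ip, dz, proto, port)
        print(f"{label:45} -> {v:6}  sender: {sender_sees(v):23}  scanner: {scanner_sees(v)}")
```

Three things the run shows. With no fw-to-loc rule, nmbd's broadcast to 172.16.141.255:138 matches none of the first four policy lines and lands on `all all REJECT`; the kernel reports that to the sending socket as EPERM, which is exactly the logged error, so the fix is a fw-to-loc rule (or policy) for the NetBIOS ports, not a `net:` rule. With those rules in place a probe from the net zone still hits `net all DROP`, so from the Internet the ports keep looking "blocked"; a probe that is not attributed to net falls to `all all REJECT`, which a scanner reports as "closed", the same difference Mike saw once his interface setup stopped matching the net zone. Finally, the `ACCEPT net:172.16.141.0/255.255.255.0 fw` rule accepts anything from the net zone that carries a 172.16.141.x source address, which is the exposure Mike worried about: unless an anti-spoofing filter on the external interface drops private source addresses, that rule opens every port to a forged source.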
On Sat Feb 28, Mike Ballard disturbed my nap when he said:
> On Sat Feb 28, jack disturbed my nap when he said:
>
> > Mike Ballard wrote:
> > > I'm at the end of my rope. I barely qualify as a networking noob so it's
> > > been a week's worth of evenings and all I have to show for it is two
> > > smashed up kbs scattered about my feet.
> >
> > Don't despair... - Violence is not a solution... ;|
> >
> > > Only when shorewall is running do I get the following nmb error:
> > > Packet send failed to 172.16.141.255(138) ERRNO=Operation not permitted (I've
> > > set 172.16.141.10 as the IP for win98, and I believe vmware is using
> > > 172.16.141.1 for its NAT whatever). If I shut the firewall off I don't
> > > believe I ever see nmb use *255 (I have no idea what the *255 is all about
> > > since when the firewall is down it uses *.1 and *.10 for successful back
> > > and forth). If I could just figure out how to let that through maybe
> > > things would work?
> >
> > OK, smb works with so-called broadcasts (unless configured correctly),
> > which will eventually be .255 in any case. nmbd/smbd should be allowed
> > to see or generate this sort of traffic.
> >
> > > Pertinent smb.conf:
> > > [global]
> > > interfaces = 172.16.141.0/255.255.255.0
> > > bind interfaces only = yes
> > > security = USER
> >
> > You should not have an interface IP ending in .0 with a netmask of /24.
> > It simply won't work.
> >
> > > I'd really appreciate help...
> >
> > Well, all the rest of Your post was referring to some shorewall setup,
> > which I don't use. If all of the above won't get You onto the track,
> > just holler. - Prepare to have a packet sniffer ready, then.
>
> Thanks.
>
> I got the firewall problem figured out so I can now run with the firewall
> enabled and have smb communicating with the win98 instance. Almost done.
>
> Problem is, the ports used (137:139, 445) no longer show up as "blocked",
> just "closed" (before opening them up for samba all ports were "blocked").
> I followed the firewall docs for this particular circumstance and
> according to the rules it appears the ports are only supposed to be open
> on the local/fw path so I don't understand why the outside world doesn't
> still see them as blocked. What's the normal method for allowing local
> communication through these ports but making them appear "blocked" to the
> outside world? When I use the blackhole IPs are those broadcast out onto
> Internet or is pptp/eth supposed to know to not send them outside my
> machine?
>
> I use pptp for DSL and although I have an ethernet card someone told me
> (I'm pretty sure) that through some means, eth0 "disappears" into ppp0.
> Is there some way to addr eth0 because shorewall could use its hardware
> addr for filtering which I think would solve the closed port problem.
> shorewall doesn't recognize eth0 as being "up" (ifconfig shows it; route
> doesn't). Would using nmbd/WINS resolve this problem?

Never mind. Apparently shorewall will let me connect ppp0 to the vmware i/f. No idea why this works, but it does allow samba to communicate, and those ports I asked about show up as blocked again. win98 can't see the Internet through this path tho', like I was hoping, but that's the least of my problems.

OP has been resolved....

Mike
--
mikeballard--at--verizon.net
"Roses are red, violets are blue, I'm schizophrenic and so am I"