Unable to allow local samba network

jonahnaylor
Junior Member
Posts: 6
Joined: 19 Jan 2016, 13:54

Unable to allow local samba network

Post by jonahnaylor »

Hi, I hope someone can please help.

I have a server that I use externally for backup and cloud storage, however locally for convenience I'd like to allow samba shares.

I don't need these externally, just for my local network. Currently CSF+LFD just blocks Samba completely, so I have to temporarily disable the firewall to use it. Does anybody please know how to just allow Samba internally and keep it blocked externally?

I've tried adding the below to my /etc/csf/csf.allow file and restarted but for some reason it is still blocked:

Code:

# TCP connections inbound to port 139 and 445 from local network (192.168.0.0/24)
tcp|in|d=139|s=192.168.0.0/24
tcp|in|d=445|s=192.168.0.0/24

# UDP connections inbound to port 137 and 138 from local network (192.168.0.0/24)
udp|in|d=137|s=192.168.0.0/24
udp|in|d=138|s=192.168.0.0/24

Also netstat -tulpn | egrep "samba|smbd|nmbd|winbind" gives me this:

Code:

tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      23102/smbd      
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      23102/smbd      
tcp6       0      0 :::139                  :::*                    LISTEN      23102/smbd      
tcp6       0      0 :::445                  :::*                    LISTEN      23102/smbd      
udp        0      0 192.168.122.255:137     0.0.0.0:*                           1267/nmbd       
udp        0      0 192.168.122.1:137       0.0.0.0:*                           1267/nmbd       
udp        0      0 192.168.0.255:137       0.0.0.0:*                           1267/nmbd       
udp        0      0 192.168.0.100:137       0.0.0.0:*                           1267/nmbd       
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1267/nmbd       
udp        0      0 192.168.122.255:138     0.0.0.0:*                           1267/nmbd       
udp        0      0 192.168.122.1:138       0.0.0.0:*                           1267/nmbd       
udp        0      0 192.168.0.255:138       0.0.0.0:*                           1267/nmbd       
udp        0      0 192.168.0.100:138       0.0.0.0:*                           1267/nmbd       
udp        0      0 0.0.0.0:138             0.0.0.0:*                           1267/nmbd

Thanks for any help with this.
jonahnaylor
Junior Member
Posts: 6
Joined: 19 Jan 2016, 13:54

Re: Unable to allow local samba network

Post by jonahnaylor »

Hi, I've checked the syslog and it's giving this error when I try to connect to Samba:

Code:

Jan 21 11:56:46 svr kernel: [63782.300001] Firewall: *UDP_OUT Blocked* IN= OUT=p2p1 SRC=192.168.0.100 DST=192.168.0.16 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=24138 DF PROTO=UDP SPT=137 DPT=40757 LEN=70 UID=0 GID=0

So this made me think I need to add udp_out rules to my allow file, which I did as follows:

Code:

# TCP connections inbound to port 139 and 445 from local network (192.168.0.0/24)
tcp|in|d=139|s=192.168.0.0/24
tcp|in|d=445|s=192.168.0.0/24

# UDP connections inbound to port 137 and 138 from local network (192.168.0.0/24)
udp|in|d=137|s=192.168.0.0/24
udp|in|d=138|s=192.168.0.0/24

# UDP connections outbound to port 137 to local network (192.168.0.0/24)
udp|out|d=137|s=192.168.0.0/24

but I still get the same udp_out block error after restarting the firewall...
jonahnaylor
Junior Member
Posts: 6
Joined: 19 Jan 2016, 13:54

Re: Unable to allow local samba network

Post by jonahnaylor »

Hi, just an update. I finally managed to get this working by changing the last line from:

Code:

udp|out|d=137|s=192.168.0.0/24

to instead be:

Code:

udp|out|s=137|s=192.168.0.0/24

I'm not sure if all my rules are 100% right, as this has all been achieved through trial and error, but it seems there is a big difference between setting source or destination ports in the rule set.

If anyone can please advise if any of my other rules should be adjusted for better security, that would be really appreciated. Thanks.
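An added example (editor's code, not from the poster or from csf itself): it evaluates the outbound rules from this thread against the blocked packet logged above, reading the advanced csf.allow fields in the documented order protocol|direction|s/d=port|s/d=ip, where s/d selects the packet's source or destination. The third rule is a constructed variant, not from the thread, that keeps the source port 137 but pins the destination address to the local network rather than the source address.

```python
"""Check which csf.allow advanced rules would match a logged (blocked) packet."""
import ipaddress
import re

# Outbound rules from the thread, plus one constructed variant for comparison.
RULES = [
    "udp|out|d=137|s=192.168.0.0/24",  # first attempt: keyed on destination port 137
    "udp|out|s=137|s=192.168.0.0/24",  # reported working: keyed on source port 137
    "udp|out|s=137|d=192.168.0.0/24",  # constructed: source port 137, LAN destination
]

# The blocked packet from the poster's syslog (copied from the thread).
LOG_LINE = ("Firewall: *UDP_OUT Blocked* IN= OUT=p2p1 SRC=192.168.0.100 DST=192.168.0.16 "
            "LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=24138 DF PROTO=UDP SPT=137 DPT=40757 LEN=70")


def parse_rule(rule):
    """Split 'proto|dir|s/d=port|s/d=ip' into fields (assumed csf.allow advanced syntax)."""
    proto, direction, port_f, ip_f = rule.split("|")[:4]
    port_side, port = port_f.split("=")
    ip_side, net = ip_f.split("=")
    return {"proto": proto, "dir": direction, "port_side": port_side, "port": int(port),
            "ip_side": ip_side, "net": ipaddress.ip_network(net, strict=False)}


def parse_log(line):
    """Pull direction, protocol, addresses and ports out of the kernel log prefix."""
    direction = "out" if "_OUT Blocked" in line else "in"
    kv = dict(re.findall(r"(SRC|DST|PROTO|SPT|DPT)=(\S+)", line))
    return {"dir": direction, "proto": kv["PROTO"].lower(),
            "src": ipaddress.ip_address(kv["SRC"]), "dst": ipaddress.ip_address(kv["DST"]),
            "sport": int(kv["SPT"]), "dport": int(kv["DPT"])}


def matches(rule, pkt):
    """True when the packet satisfies every field of the rule."""
    r = parse_rule(rule)
    port = pkt["sport"] if r["port_side"] == "s" else pkt["dport"]
    addr = pkt["src"] if r["ip_side"] == "s" else pkt["dst"]
    return (r["proto"] == pkt["proto"] and r["dir"] == pkt["dir"]
            and port == r["port"] and addr in r["net"])


def matching_rules(rules, line):
    """Return the subset of rules that would have matched the logged packet."""
    pkt = parse_log(line)
    return [r for r in rules if matches(r, pkt)]


if __name__ == "__main__":
    hits = matching_rules(RULES, LOG_LINE)
    for r in RULES:
        print(f"{r:36} -> {'match' if r in hits else 'no match'}")
```

Running it shows why the first rule never fired: the logged reply leaves source port 137 towards the client's ephemeral port 40757, so only rules keyed on the source port match, and the server's own 192.168.0.100 falls inside s=192.168.0.0/24, which is why the second rule matches as well.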