Problem with Samba ports

jasonhirsh · Nov 21, 2010

I have recently started a new server running 8.1 with IPFW complied. I have been trying to get samba 3.4 running so I have IPFW running in open mode. TESTPARM shows samba is running properly

Sockstat shows (in part)

Code:

root     smbd       1153  24 tcp4   *:445                 *:*
root     smbd       1153  25 tcp4   *:139                 *:*

which I understand means Samba is using those ports as it should

IPFW SHOEW resulys:

Code:

00100    332   113122 allow ip from any to any via lo0
00200      0        0 deny ip from any to 127.0.0.0/8
00300      0        0 deny ip from 127.0.0.0/8 to any
00400      0        0 deny ip from any to ::1
00500      0        0 deny ip from ::1 to any
00600      0        0 allow ipv6-icmp from :: to ff02::/16
00700      0        0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800      0        0 allow ipv6-icmp from fe80::/10 to ff02::/16
00900      0        0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000      0        0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000 114484 24508193 allow ip from any to any
65535      3      507 deny ip from any to any

but smbclient - L can't find the services, the smb logs show no connection and an external port scan shows 139 open but 445 closed. Sounds like a firewall issue to me...

jasonhirsh · Nov 23, 2010

OK a different look

OK I have modifed the rules

IPFW Show now states

Code:

00010   5881  16467066 allow ip from any to any via lo0
00011 414132 100083705 allow ip from any to any via re0
00012      0         0 allow ip from any to any via re0_alias
00020      0         0 allow ip from any to 127.0.0.0/8
00030      0         0 allow ip from 127.0.0.0/8 to any
00040      0         0 deny tcp from any to any frag
00050      0         0 check-state
00060    138     16645 allow tcp from any to any established
00070    247     49357 allow ip from any to any out keep-state
00080      0         0 allow icmp from any to any
00110      0         0 allow tcp from any to any dst-port 21 in
00120      0         0 allow tcp from any to any dst-port 21 out
00130      1        64 allow tcp from any to any dst-port 22 in
00140      0         0 allow tcp from any to any dst-port 22 out
00150      0         0 allow tcp from any to any dst-port 25 in
00160      0         0 allow tcp from any to any dst-port 25 out
00170      0         0 allow udp from any to any dst-port 53 in
00175      0         0 allow tcp from any to any dst-port 53 in
00180      0         0 allow udp from any to any dst-port 53 out
00185      0         0 allow tcp from any to any dst-port 53 out
00200      0         0 allow tcp from any to any dst-port 80 in
00210      0         0 allow tcp from any to any dst-port 80 out
00211     14      1092 allow udp from any to any dst-port 137 in
00212      0         0 allow tcp from any to any dst-port 137 in
00231      0         0 allow tcp from any to any dst-port 993 in
00232      0         0 allow tcp from any to any dst-port 993 out
00233      0         0 allow tcp from any to any dst-port 995 in
00234      0         0 allow tcp from any to any dst-port 995 out
00235      0         0 allow ip from any to any dst-port 1194 setup
00240      0         0 allow udp from any to me dst-port 1194
00245      0         0 allow tcp from any to any dst-port 2500 in
00250      0         0 allow tcp from any to any dst-port 2500 out
00255      0         0 allow tcp from any to any dst-port 9000 in
00255      0         0 allow tcp from any to any dst-port 9000 out
00500    426     53948 deny log ip from any to any
65535      2       156 deny ip from any to any

but when i do a port scan

Code:

Port Scanning host: 209.160.65.133

	 Open TCP Port: 	21     		ftp
	 Open TCP Port: 	22     		ssh
	 Open TCP Port: 	25     		smtp
	 Open TCP Port: 	53     		domain
	 Open TCP Port: 	80     		http
	 Open TCP Port: 	110    		pop3
	 Open TCP Port: 	143    		imap
	 Open TCP Port: 	465    		urd
	 Open TCP Port: 	587    		submission
	 Open TCP Port: 	993    		imaps
	 Open TCP Port: 	995    		pop3s
	 Open TCP Port: 	2500   		rtsserv

my rules

Code:

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 11 allow all from any to any via re0
$IPF 12 allow all from any to any via re0_alias
$IPF 15 allow all from any to any via tap0 ks
$IPF 20 allow  all from any to 127.0.0.0/8
$IPF 30 allow  all from 127.0.0.0/8 to any
$IPF 35 allow  all from any to 10.8.0.0/24
$IPF 37 allow  all from 10.8.0.0/24 to any
$IPF 40 deny tcp from any to any frag


# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
$IPF 211 allow udp from any to any 137 in
$IPF 212 allow tcp from any to any 137 in
$IPF 213 allow udp from any to any 137 out KS
$IPF 214 allow tcp from any to any 137 out KS
$IPF 215 allow udp from any to any 138 in KS
$IPF 216 allow tcp from any to any 138 in KS
$IPF 217 allow udp from any to any 138 out KS
$IPF 218 allow tcp from any to any 138 out KS
$IPF 223 allow udp from any to any 139 in KS
$IPF 224 allow udp from any to any 139 out KS
$IPF 225 allow tcp from any to any 139 in KS
$IPF 226 allow tcp from any to any 139 out 

$IPF 227 allow tcp from any to any 445 in KS
$IPF 228 allow udp from any to any 445 in KS
$IPF 229 allow tcp from any to any 445 out KS
$IPF 230 allow udp from any to any 445 ou KSt
$IPF 231 allow tcp from any to any 993 in
$IPF 232 allow tcp from any to any 993 out
$IPF 233 allow tcp from any to any 995 in
$IPF 234 allow tcp from any to any 995 out
$IPF 235 allow all from any to any dst-port 1194 setup
$IPF 240 allow udp from any to me dst-port 1194
$IPF 245 allow tcp from any to any 2500 in
$IPF 250 allow tcp from any to any 2500 out

jasonhirsh · Jan 10, 2011

Solved in other thread

solved when i opened port 81 for Netbios

SirDice · Jan 11, 2011

jasonhirsh said:
solved when i opened port 81 for Netbios

Netbios doesn't use port 81?!? Actually, nothing does.

jasonhirsh · Jan 11, 2011

Ok maybe it isn't netbios but when I opened port 81 as suggested in http://forums.freebsd.org/showthread.php?t=19675 Samba finally started working...

Problem with Samba ports

jasonhirsh

jasonhirsh

jasonhirsh

SirDice

Administrator

jasonhirsh