smb browsing broken by firewall
shane at geeklords.org
Mon Jan 19 17:58:10 UTC 2004
On Mon, 19 Jan 2004, Charles R. Anderson wrote:
> Unfortunately, even specifying the correct options manually in
> smb.conf does not seem to affect SMB clients, such as Nautilus,
> although I have not investigated this thoroughly yet. Nautilus always
> attempted broadcast to find the master browser, which won't work with
> the default firewall configuration (unless the netfilter code is
> enhanced, perhaps trivially).
>
> Besides that, there are legitimate uses of B-nodes. Home networks
> will almost never have a WINS server, so they must broadcast.
The problem I see with modifying netfilter to behave in this manner is
that "stateful" communication requires src-ip/src-protocol/src-port ->
dst-ip/dst-protocol/dst-port to be stateful, at least that's my
understanding. If iptables does not know who to expect a response back
from, then at best it can allow anyone to respond back within a given
period of time without any real ability to verify that the person responding
is related to the original request. Worse yet, it seems to me that
iptables would not have a good way to determine how long to keep the port
open, since the first response might not be the correct one.
In short, even if you got the above working, I don't see how it's any more
secure than just opening the netbios port in question. The end result
seems to be the same; in fact I would argue it is more secure, as we are not
assuming security where there is none.
Shane
--
"Given enough time, all legal battles in the tech industry will invoke the
DMCA. This generally means that all constructive arguments have ended."
-NialScorva (slashdot poster)
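The tuple-matching problem described in the message above, worked through as an added example (this is not code from the mail, from netfilter or from Fedora). It models three policies for the reply to a broadcast NetBIOS name query on UDP/137: plain stateful tracking, which reverses the outbound tuple and therefore never matches a unicast reply to a broadcast query; a widened expectation that accepts a reply from any host on the subnet for a short window, which is the "enhanced netfilter" idea under discussion (the netbios-ns conntrack helper that appeared in later kernels works on this principle, although the exact window length used here is assumed); and simply opening the port. The addresses, subnet and timeouts are constructed values.

```python
"""Toy model of connection tracking applied to a NetBIOS name-service broadcast
(UDP port 137). Added illustration of the argument in the thread; not code from
the mail, from netfilter or from Fedora. Addresses, subnet and timeouts are
constructed values for the example."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import Dict, Optional, Tuple

NBNS_PORT = 137


@dataclass(frozen=True)
class Tuple4:
    """A UDP flow as conntrack sees it: source and destination address/port."""
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Tuple4":
        return Tuple4(self.dst, self.dport, self.src, self.sport)


class StrictConntrack:
    """Plain stateful UDP tracking: an inbound packet counts as a reply only if it
    matches the exact reversal of an outbound packet seen within the timeout."""

    def __init__(self, timeout: float = 30.0):
        self.timeout = timeout
        self.replies: Dict[Tuple4, float] = {}

    def outbound(self, t: Tuple4, now: float) -> None:
        self.replies[t.reverse()] = now

    def inbound_allowed(self, t: Tuple4, now: float) -> bool:
        seen = self.replies.get(t)
        return seen is not None and now - seen <= self.timeout


class BroadcastExpectation:
    """What an 'enhanced' netfilter has to do: after a query to the broadcast
    address, expect a reply to the querier's port from ANY host on the subnet
    for a short window. (Window length is an assumed value.)"""

    def __init__(self, subnet: str, timeout: float = 3.0):
        self.subnet = IPv4Network(subnet)
        self.timeout = timeout
        self.expect: Optional[Tuple[str, int, float]] = None

    def outbound(self, t: Tuple4, now: float) -> None:
        if ip_address(t.dst) == self.subnet.broadcast_address and t.dport == NBNS_PORT:
            self.expect = (t.src, t.sport, now)

    def inbound_allowed(self, t: Tuple4, now: float) -> bool:
        if self.expect is None:
            return False
        querier, qport, start = self.expect
        return (
            t.dst == querier
            and t.dport == qport
            and t.sport == NBNS_PORT
            and ip_address(t.src) in self.subnet
            and now - start <= self.timeout
        )


def open_port_allowed(t: Tuple4) -> bool:
    """The alternative argued for in the mail: just open the NetBIOS port."""
    return t.dport == NBNS_PORT


def scenarios() -> Dict[str, bool]:
    """Run one broadcast name query against the three policies."""
    query = Tuple4("192.168.1.5", NBNS_PORT, "192.168.1.255", NBNS_PORT)
    legit = Tuple4("192.168.1.10", NBNS_PORT, "192.168.1.5", NBNS_PORT)  # the real master browser
    rogue = Tuple4("192.168.1.66", NBNS_PORT, "192.168.1.5", NBNS_PORT)  # any other host on the LAN

    strict = StrictConntrack()
    strict.outbound(query, now=0.0)
    expect = BroadcastExpectation("192.168.1.0/24")
    expect.outbound(query, now=0.0)

    return {
        # The reply comes from a unicast address, not from the broadcast address
        # the query went to, so the reversed tuple never matches: reply dropped.
        "strict_drops_legit_reply": not strict.inbound_allowed(legit, now=0.5),
        # Widening the expectation lets the real reply through...
        "expect_passes_legit_reply": expect.inbound_allowed(legit, now=0.5),
        # ...but it cannot tell the real responder from any other host.
        "expect_passes_rogue_reply": expect.inbound_allowed(rogue, now=0.5),
        # The window only adds a time limit, and a slow genuine reply is lost.
        "expect_drops_late_reply": not expect.inbound_allowed(legit, now=10.0),
        # Opening the port accepts the same rogue packet, without pretending otherwise.
        "open_port_passes_rogue": open_port_allowed(rogue),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {ok}")
```

Every entry in the dictionary returned by `scenarios()` is true: strict tracking drops the genuine reply, the widened expectation passes the rogue reply as readily as the genuine one and still loses a slow genuine one, and opening the port accepts the same rogue packet. That is the equivalence the message argues for, made concrete.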