smb browsing broken by firewall
shane at geeklords.org
Tue Jan 20 08:11:16 UTC 2004
On Tue, 20 Jan 2004, Charles R. Anderson wrote:
> Port 137 is not the source port that the client uses when making a
> query, and queries by the client system only happen when the user
> requests such action, i.e. by opening smb:/// in Nautilus, or by using
> smbclient. Perhaps you are confusing the SMB *server* with the
> client. I'm talking about the *client*, i.e. no samba server running.
> Client only systems need not show up in browse lists...
>
> The SMB client sends a udp broadcast from port 32768-61000 (default
> ip_local_port_range) to port 137. Since there are no OUTPUT chain
> rules, this goes through fine. One or more servers on the local LAN
> reply to the client, from port 137 to port 32768-61000. The INPUT
> chain needs to accept this reply, or the client doesn't work. You can
> either accept this always for all possible local ports (stateless
> firewall) or only accept this in response to a client's initial
> outbound query, for the specific ports used in that query (stateful).
>
> Now do you see why a stateful firewall is more secure?
>
My apologies, I was operating on the thought that the netbios-ns service
was not a client server operation, but a server to server operation i.e.
src_ip udp/137 -> broadcast_request - and then the browser list would
come back to the requester's netbios-ns port (137). I guess I am getting
my netbeui/ipx (rip/sap) behaviors mixed in with netbios over tcp/ip :)
Cheers,
Shane.
--
"Given enough time, all legal battles in the tech industry will invoke the
DMCA. This generally means that all constructive arguments have ended."
-NialScorva
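The exchange Charles describes above (the client broadcasts a NetBIOS name query from an ephemeral port to UDP 137, a server answers from 137 back to that ephemeral port) and the two INPUT policies he contrasts, as an added example that is not code from this thread. The packet layout follows RFC 1002; the "firewall" is a toy model of the two iptables rule styles written for this illustration, the addresses and ports are constructed, and the 3-second expectation timeout is an assumption modelled on the short window the later Linux netbios-ns conntrack helper uses.

```python
"""NetBIOS name service (UDP/137) browsing vs. a stateless or stateful INPUT
policy.  Added illustration, not code from the mailing-list thread."""
import struct
from dataclasses import dataclass

LOCAL_PORT_RANGE = (32768, 61000)   # default ip_local_port_range, as in the thread
NBNS_PORT = 137

def encode_nb_name(name: str, suffix: int) -> bytes:
    """RFC 1002 first-level encoding: 15-char space-padded name plus suffix byte,
    each byte split into two nibbles offset by 'A', as one 32-byte label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))
    return bytes([len(enc)]) + enc + b"\x00"

def decode_nb_name(label: bytes):
    if label[0] != 32 or label[33] != 0:
        raise ValueError("malformed NetBIOS name label")
    enc = label[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_name_query(txid: int, name: str, suffix: int) -> bytes:
    # flags 0x0110: opcode QUERY, RD=1, B=1 (broadcast); QDCOUNT=1; QTYPE NB, QCLASS IN
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_nb_name(name, suffix) + struct.pack("!HH", 0x0020, 0x0001)

def build_name_response(txid: int, name: str, suffix: int, ip: str, group=True) -> bytes:
    # flags 0x8580: R=1, AA=1, RD=1, RA=1; ANCOUNT=1; RDATA = NB_FLAGS (G bit) + IPv4
    header = struct.pack("!HHHHHH", txid, 0x8580, 0, 1, 0, 0)
    rdata = struct.pack("!H", 0x8000 if group else 0) + bytes(int(o) for o in ip.split("."))
    rr = struct.pack("!HHIH", 0x0020, 0x0001, 300000, len(rdata)) + rdata
    return header + encode_nb_name(name, suffix) + rr

def parse_query(pkt: bytes):
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    qtype, _qclass = struct.unpack("!HH", pkt[46:50])
    if flags & 0x8000 or qdcount != 1 or qtype != 0x0020:
        raise ValueError("not an NBNS name query")
    name, suffix = decode_nb_name(pkt[12:46])
    return txid, name, suffix

def parse_response(pkt: bytes):
    txid, flags, _qd, ancount = struct.unpack("!HHHH", pkt[:8])
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not an NBNS name response")
    name, suffix = decode_nb_name(pkt[12:46])
    ip = ".".join(str(b) for b in pkt[58:62])   # RR header 46:56, NB_FLAGS 56:58, addr 58:62
    return txid, name, suffix, ip

@dataclass(frozen=True)
class Packet:
    src_ip: str; src_port: int; dst_ip: str; dst_port: int; payload: bytes; ts: float

class StatelessInput:
    """Models: -A INPUT -p udp --sport 137 --dport 32768:61000 -j ACCEPT.
    No memory: anything with source port 137 aimed at the ephemeral range gets in."""
    def accept(self, pkt: Packet) -> bool:
        return pkt.src_port == NBNS_PORT and LOCAL_PORT_RANGE[0] <= pkt.dst_port <= LOCAL_PORT_RANGE[1]

class StatefulInput:
    """Accept a reply only for a socket this host recently queried from.  Because the
    query went to a broadcast address, any source IP may answer, so the expectation
    is keyed on the client's (ip, port) only.  Timeout is an assumption (see lead-in)."""
    def __init__(self, timeout: float = 3.0):
        self.timeout = timeout
        self.expect = {}            # (client_ip, client_port) -> expiry timestamp
    def saw_outbound(self, pkt: Packet) -> None:
        if pkt.dst_port == NBNS_PORT:
            self.expect[(pkt.src_ip, pkt.src_port)] = pkt.ts + self.timeout
    def accept(self, pkt: Packet) -> bool:
        expiry = self.expect.get((pkt.dst_ip, pkt.dst_port))
        return expiry is not None and pkt.src_port == NBNS_PORT and pkt.ts <= expiry

def run_scenarios() -> dict:
    """Constructed LAN: client, a Samba server, and an attacker crafting sport 137."""
    client, server, attacker = "192.168.1.10", "192.168.1.20", "192.168.1.66"
    stateless, stateful = StatelessInput(), StatefulInput()
    query = Packet(client, 40000, "192.168.1.255", NBNS_PORT,
                   build_name_query(0x1234, "WORKGROUP", 0x1D), ts=0.0)
    stateful.saw_outbound(query)                       # OUTPUT hook records the query
    txid, name, suffix = parse_query(query.payload)
    reply = Packet(server, NBNS_PORT, client, query.src_port,
                   build_name_response(txid, name, suffix, server), ts=0.5)
    spoofed = Packet(attacker, NBNS_PORT, client, 40001, b"\x00" * 12, ts=0.6)  # unsolicited
    late = Packet(server, NBNS_PORT, client, query.src_port, reply.payload, ts=10.0)
    return {
        "reply/stateless": stateless.accept(reply),
        "reply/stateful": stateful.accept(reply),
        "spoofed/stateless": stateless.accept(spoofed),
        "spoofed/stateful": stateful.accept(spoofed),
        "late/stateful": stateful.accept(late),
    }

if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case:20s} {'ACCEPT' if verdict else 'DROP'}")
```

The stateless rule lets the legitimate reply through, but it also lets in any datagram whose sender chose source port 137, which is exactly the hole Charles is pointing at. One caveat from my own experience, not from the thread: because the query is sent to a broadcast address and the answer comes from a unicast server address, a plain `-m state --state ESTABLISHED,RELATED` rule does not by itself match the reply (the reverse tuple differs); the Linux netbios-ns conntrack helper exists to create the kind of "any source, this client port, short timeout" expectation the model above implements.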