Samba & IPTables

Trimble, Nathan G nathan.trimble at pnl.gov
Fri Aug 1 16:42:41 UTC 2003


Redhat indirectly addressed this issue before they took down their rhl.redhat.com site.  It mentioned the need for an improved GUI for the firewall/iptables interface.  One problem the current app has is that it doesn't include smb ports in its list.  You have to type it in after figuring out what ports smb/CIFS run on.  This can be bothersome.  Note it's not critical, but a nuisance.

To get the smb up and running right now on a Redhat box (using their "tools") you have to do three things.

1.  Configure smb.conf using redhat-config-samba.
2.  Turn the service on using redhat-config-services.
3.  Punch a hole in your firewall using redhat-config-securitylevel.

This is one step too many.  Here is why:

If you're creating "shares" on your machine it should be assumed you want the service to run, so it should get enabled when redhat-config-samba is run and configured.  I don't agree with magically putting holes in iptables.  How about making the redhat-config-securitylevel interface easier to use and more powerful and then giving the user some instruction on enabling access through smb ports.

My two cents.

-----Original Message-----
From: Tom Diehl [mailto:tdiehl at rogueind.com]
Sent: Friday, August 01, 2003 9:24 AM
To: 'rhl-list at redhat.com'
Subject: Re: Samba & IPTables


Hi,

PLEASE WRAP YOUR LINES at less than 80 characters per line.

On Fri, 1 Aug 2003, Epps, Aaron M. wrote:

>     Here's my suggestion...  When a user configures their server to have
> Samba start on boot, don't you think they'd probably want to open the
> appropriate ports so that people can connect to their Samba Server?  I think
> that when a user clicks on the checkbox in the Services Config Tool it should
> prompt the user, asking them if they'd like to open the appropriate ports in
> their firewall for Samba (137-139).  Otherwise, if you don't realize that
> IPTables is what's stopping your Samba Server from being available in
> "Network Neighborhood" you'll have to dig around and manually configure
> iptables, which isn't necessarily the most intuitive thing in the world.
> This could also be done for similar servers that require certain ports to be
> opened up (SSH, FTP, Apache, Etc...)  Thoughts anyone?
> 

What you suggest would be bad. Think about the case where you have 2 NICs
in a machine and you have things configured to automagically open up the ports
to the outside world. If you have a single machine behind a firewall and
the complexities of samba + iptables are too much to handle then turn off
iptables. If you are paranoid enough to want iptables enabled on such a machine
then you should be paranoid enough to not want things messing with your rules
without your knowledge. What you are suggesting would end up being a support
nightmare. Yes I know the way it is now is also a problem but at least now
it is simple to say turn off iptables and try again. If it now works then
you know where to look.

HTH,

-- 
......Tom		Registered Linux User #14522	http://counter.li.org
tdiehl at rogueind.com	My current SpamTrap ------->	mtd123 at rogueind.com


--
Rhl-list mailing list
Rhl-list at redhat.com
http://www.redhat.com/mailman/listinfo/rhl-list
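As an added example (it is not from any message in this thread), here is the third step of the procedure above done by hand in a way that answers Tom's two-NIC objection: the Samba ports are opened only on the LAN interface and only for the LAN subnet, rather than on every interface the way a "just open the Samba ports" checkbox would. The interface name eth1, the subnet 192.168.1.0/24 and the chain INPUT are placeholders chosen for the example; set LAN_IF, LAN_NET and CHAIN to match the machine. It also covers 445/tcp, which Windows clients try before 139 and which the 137-139 range quoted above leaves out.

```shell
#!/bin/sh
# Added example, not from the thread: open the Samba/CIFS ports only on the
# LAN interface and only to the LAN subnet, instead of on every interface.
# All three values below are placeholders for this example; override them
# in the environment to match the machine.
LAN_IF="${LAN_IF:-eth1}"              # interface facing the clients
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # subnet allowed to reach the shares
CHAIN="${CHAIN:-INPUT}"               # chain to insert into

# samba_rules prints one iptables command per line, one per Samba port:
# 137/udp NetBIOS name service, 138/udp NetBIOS datagram, 139/tcp NetBIOS
# session, 445/tcp direct-hosted SMB. Rules are inserted (-I) at the top of
# the chain so they come before the final REJECT that Red Hat's generated
# firewall ends with; -A would land after it and never match.
samba_rules() {
    for spec in "udp 137" "udp 138" "tcp 139" "tcp 445"; do
        set -- $spec   # unquoted on purpose: splits into $1=proto $2=port
        echo "iptables -I $CHAIN -i $LAN_IF -s $LAN_NET -p $1 --dport $2 -j ACCEPT"
    done
}

# samba_rules_scoped returns 0 only if every generated rule carries both an
# interface (-i) and a source (-s) restriction. This is exactly the check a
# GUI that opens ports on the user's behalf would skip.
samba_rules_scoped() {
    samba_rules | while read -r cmd; do
        case "$cmd" in
            *" -i "*" -s "*) ;;
            *) return 1 ;;
        esac
    done
}

# apply_samba_rules runs the rules (needs root). With DRY_RUN=1 it only
# prints them, which is what the no-argument invocation below does.
apply_samba_rules() {
    samba_rules | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            sh -c "$cmd" || return 1
        fi
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_samba_rules
else
    DRY_RUN=1 apply_samba_rules
fi
```

Run it as root with --apply to install the rules, or with no argument to only print them. On Red Hat the init script can persist the running rule set with `service iptables save`; keep in mind that redhat-config-securitylevel rewrites /etc/sysconfig/iptables when it is re-run, so hand-added rules are safer kept in a script like this one than trusted to survive the GUI.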