smb shares and the firewall

James Wilkinson james at westexe.demon.co.uk
Sun Sep 26 08:26:38 UTC 2004


Shawn Milo wrote:
> I tried to connect to a network share using the Gnome "connect to
> server" tool, but I could not. I disabled the firewall, and all is working.
> 
> I brought up the firewall tool under System Settings/Security level, and
> there are no options there to enable or disable anything other than www,
> ftp, ssh, telnet, and smtp.
> 
> Do I just have to know, or find out, the port(s) used by smb?

Try ports 137 to 139 and 445 to begin with.

> Is there any way that, when a server or a port tries to make a connection
> for the first time, I can be prompted, the way other firewalls work, such
> as ZoneAlarm?

... "other" firewalls.

ZoneAlarm et al are the exception: most other firewalls, and all the big
ones, work the way that Linux does, based on ports. The thing is, if a
firewall is to protect more than one machine, all it will see is the IP
connection. Doing what ZoneAlarm does requires an ... intimate
relationship with the TCP stack on a machine, and a way of allowing
certain processes to access it, but not others.

That's not how the traditional Unix (= BSD, in this case) network stack
works, and I don't believe there is support in the standard Linux kernel
for it.

SELinux would probably enable such a thing, but at the moment, SELinux
is still at infrastructure stage. You could enable SELinux on FC2 (what
you would need should already be installed or at most a yum install
away) and write your own policies, but this is notoriously difficult to
get right. Fedora tried it for FC2 test, turned it into a non-standard
install option for FC2 itself, and are going back to a policy that
merely targets certain server programs for FC3.

At some point, there will probably be a nice GUI to help you tweak the
permissions on a task-by-task basis, but I'm not aware of any, yet.

James.

-- 
E-mail address: james | So what would happen if an Enterprise security team,
@westexe.demon.co.uk  | who always get killed soon after appearing, fought a
                      | squad of Imperial Stormtroopers, who can't hit the
                      | broad side of a planet?
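The port list in the reply (137-139 and 445) is the answer to the question as asked, but a practitioner would not open those ports to every source: SMB exposed to the Internet is exactly what the stock firewall exists to prevent. The script below is an added example, not code from the original post or from Fedora; it prints iptables commands that accept SMB/CIFS only from one LAN subnet and refuses to generate an open-to-everyone rule. The subnet is an argument, and the chain name defaults to RH-Firewall-1-INPUT, which is an assumption about the FC2-era /etc/sysconfig/iptables layout; pass INPUT (or whatever your chain is called) as the second argument if yours differs.

```shell
#!/bin/sh
# Added example, not code from the original post or from Fedora. Emits
# iptables commands that open the SMB/CIFS ports named in the reply
# (UDP 137-138, TCP 139 and 445) for one LAN subnet only, so that SMB is
# never exposed to the whole Internet. The rules are printed rather than
# applied so they can be reviewed before being run as root.
# Assumptions: the chain name RH-Firewall-1-INPUT is the FC2-era default
# (override with the second argument); the subnet is supplied by the caller.

smb_rules() {
    subnet="$1"
    chain="${2:-RH-Firewall-1-INPUT}"

    # Accept only digits, dots and one slash: a stray space or shell
    # metacharacter must not end up inside a generated iptables command.
    case "$subnet" in
        ""|*[!0-9./]*|*/*/*)
            echo "smb_rules: bad subnet '$subnet' (want a.b.c.d/nn)" >&2
            return 1 ;;
    esac

    # Require an explicit prefix length so the scope is stated, not implied.
    case "$subnet" in
        */*) ;;
        *)
            echo "smb_rules: give a prefix length, e.g. $subnet/24" >&2
            return 1 ;;
    esac

    # Refuse "everything": 0.0.0.0/0 or any /0 would open SMB to all sources.
    case "$subnet" in
        0.0.0.0/*|*/0)
            echo "smb_rules: refusing to open SMB to every source" >&2
            return 1 ;;
    esac

    # NetBIOS name service (137) and datagram service (138) are UDP; the
    # NetBIOS session service (139) and direct-hosted SMB (445) are TCP.
    # -I inserts ahead of the chain's existing final REJECT rule.
    echo "iptables -I $chain -s $subnet -p udp --dport 137:138 -j ACCEPT"
    echo "iptables -I $chain -s $subnet -p tcp --dport 139 -j ACCEPT"
    echo "iptables -I $chain -s $subnet -p tcp --dport 445 -j ACCEPT"
}

# Usage (as root): sh smb-rules.sh 192.168.1.0/24 > smb.rules && sh smb.rules
if [ $# -gt 0 ]; then
    smb_rules "$@"
fi
```

After applying the printed rules, `service iptables save` writes the running rule set back to /etc/sysconfig/iptables so it survives a reboot. Everything not matched by the three ACCEPT lines still falls through to the chain's existing REJECT, so SMB from any other subnet stays blocked.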