Firewall & Security Questions [solved]


vixenk

I'm a bit new to Mandriva, so take it easy on me. ;)

 

First of all, I would like to set up the firewall in Mandriva, but whenever I try to do it it blocks filesharing on my LAN, even if I allow all the connections in the first screen. Could someone help me configure the firewall and/or network settings so that it blocks outside attempts but allows file and printer sharing within the LAN?

 

Second, what security setting should Mandriva be set up for? While going through setup "high" was the default but I was worried that would be too strong for the LAN so I selected standard. If this isn't a recommended setting and it should be on high *and high won't screw with my LAN*, is there any way to change it without reinstalling?


> I'm a bit new to Mandriva, so take it easy on me. ;)

 

> First of all, I would like to set up the firewall in Mandriva, but whenever I try to do it it blocks filesharing on my LAN, even if I allow all the connections in the first screen. Could someone help me configure the firewall and/or network settings so that it blocks outside attempts but allows file and printer sharing within the LAN?

 

You can use shorewall (MCC --> Security --> Set up firewall...) (translation from Finnish) and open the ports that you want to. I don't remember the port numbers for Samba or NFS, so you have to find them yourself.

Click the "Advanced Settings" button (translation from Finnish, so it might not be the same on your computer) to configure ports manually.

Example:

22/tcp

This would open the port for an SSH server (no need to do it this way, because there is a checkbox for that).

Remember that this opens the port for all traffic, outbound and inbound.

 

> Second, what security setting should Mandriva be set up for? While going through setup "high" was the default but I was worried that would be too strong for the LAN so I selected standard. If this isn't a recommended setting and it should be on high *and high won't screw with my LAN*, is there any way to change it without reinstalling?

 

You can select your security level from the same place (MCC --> Security --> Set security level...) (translation, again).

I had some problems when I set my security level too high. I wasn't able to log in via SSH and do some other things, so you have to try them out and drop the security level if you can't access some services on your server from outside.

 

There it is, have fun. :thumbs:


Any ports you select to allow only allow inbound connections. Outbound connections are always allowed for port 22, or whatever other ports you want to connect to.

 

The checkboxes, and any ports you specify in the advanced section, are for incoming only. This is so you can access SSH on this machine with the firewall on. With the option disabled, you can still connect to another machine using SSH, Samba, or whatever.


The easiest thing is to start Samba, and when it is running, do this:

 

netstat -tan

 

This will list all ports that are listening for connections. Samba is SMB, the same as Windows sharing, so it will be something like port 139 or similar.


Ok, I found the ports that samba was using, both on my end and on the other computers end, and set them up in the firewall to be allowed.

 

However, whenever I go into Samba with the firewall enabled, it still tells me:

 

"An error occurred while trying to get the list of shares.... Unable to find a suitable server"


> Ok, I found the ports that samba was using, both on my end and on the other computers end, and set them up in the firewall to be allowed.

 

> However, whenever I go into Samba with the firewall enabled, it still tells me:

 

> "An error occurred while trying to get the list of shares.... Unable to find a suitable server"

 

IIRC, windoze shares need two different ports to use shares: one to query for shares, and one to transfer files. I might be all wrong, but I just have this feeling right now. :P

 

EDIT: Some mistypes...

Edited by Murda

Ok... I'm getting a little confused now, so I'm going to try going into more depth about what I'm doing and the situation at hand, lol.

 

In netstat it shows the other computer as having one port open for filesharing with mine. On this computer it shows it having 3 ports open for filesharing with the other computer. I thought that I would only need to open the 3 ports this computer is using, but when that didn't work, I set it up to open the port the other computer was using as well. This was done with everything checked off *except the "everything no firewall" option, lol*. When this is done, and I refresh the view in Samba, it doesn't show the workgroup or any of the computers on the network, including mine.

 

So I have two questions, now:

 

1. Do I even need to open the ports on this computer that the Windows machine uses? And if so, what is the second port Windows *XP* uses by default? The only port showing up as it using is 139/tcp.

 

2. Do I need to open the ports that are showing up as connected to localhost *127.0.0.1* or something? I.E., is there some port I need to open that's not-so-obvious? Right now, I'm only opening the ports that are showing connections between my IP and the other computer's IP.


Ok, maybe I didn't explain this earlier, I'm not sure...

 

I'm not sharing anything on the network. I'm just trying to access the files *no printers* on another computer on the network. I can access them fine with the firewall turned off, but with the firewall turned on, the workgroup doesn't even show up in Samba. Nothing. Blank, white page. The shares still show up as being mounted but I can't access them, I get some error message referring to Samba not being able to find the requested share on the network. I've tried checking off everything in the firewall options + opening all the ports that netstat shows as being the ports used between my computer and the other computer, but it doesn't work. :S

 

If no one can help me with this, does anyone know of another software firewall that I can download?


It's been almost two weeks since I started this thread and no one could even seem to suggest a different firewall. :(

 

I have been up and down Google since then trying my best to find a solution to this. I found out all the ports Windows uses and tried enabling them with no luck. If there was some way I could add the other computer's IP to the whitelist it might solve this issue, but all the explanations I've found on editing Linux's native whitelist give very little information as to how to actually do it... they give example scripts and that's it. No idea as to how to configure them for your own use.

 

I decided to try out another firewall, first kmyfirewall, which crashed on the splash screen, then firestarter, which gave me a script on creating a network bridge with no idea as to how to turn it from a txt file into an application... much less what system folder to put it in...

 

I did get somewhere with Mandriva's firewall. Now Samba shows the computers on my network, but doesn't show the other computer's IP and still won't let me access its shares. In Gnome, it shows the Windows Network folder but the contents are empty. And right now I'm stuck between a rock and a hard place because I found out the hard way that I couldn't rely on my hardware firewall to keep my computer protected from "guests"... but with a software firewall enabled I can't access the other computer's shares... which just so happen to be all the files on my backup hdd that I couldn't access in Mandriva because it locked the hdd every time I tried to mount it in this system. *sigh*

 

The funniest thing of all is the Windows machine can access any files I share on the network perfectly well.

 

Sorry to go off on a rant like this, but I am very, very frustrated.


vixenk,

(one newbie helps another newbie)

 

First, let me tell you that I too have not succeeded in setting up shorewall via MCC once I needed something more than a basic thing.

 

To set up shorewall the way you want, you may just edit the file /etc/shorewall/rules. That's what gets updated anyway if you try to set up the firewall from Mandriva's MCC.

 

The syntax for "rules" is explained in the file's comments. It looks like this:

AllowSMB fw net:192.168.2.0/24 
AllowSMB net:192.168.2.0/24 fw

 

Here you set up that Samba services should be allowed from you (fw) to all (net), and back. In this example "net" is restricted to the local network only, which is denoted as 192.168.2.0/24. /24 is a mask that says "The last octet (digits after the last dot) may be anything from 0 to 255."

 

AllowSMB is not just a phrase but an action that resides in /usr/share/shorewall/action.AllowSMB, and is listed in /usr/share/shorewall/actions.std.

Actually, if you view the former you'll see the ports that should be open for Samba to work. You need to make sure that either the two lines named above are in /etc/shorewall/rules, or the content of action.AllowSMB is in there. If it does get written there via MCC, then there is somewhere else you should be looking.

 

Don't forget to restart the shorewall service if you edit rules, either via MCC or using the command

service shorewall restart

 

You can also make sure that it is shorewall that is impeding your Samba traffic. In /var/log/messages there should be lines that obviously tell you that shorewall has Dropped or Rejected some access attempts to the ports of Samba. It looks something like this:

Mar 28 07:51:44 kokoc kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.2.100 DST=224.0.0.251 LEN=107 TOS=0x00 PREC=0x00 TTL=255 ID=9 DF PROTO=UDP SPT=5353 DPT=5353 LEN=87
, with different port numbers and addresses. You should be looking for lines containing the Samba ports.

 

 

And the last, but not least,

on my system there is a bug: whenever I edit network settings in MCC (one of "reconfigure network interface" or "alter misc. network settings"), the /etc/shorewall/rules is replaced with the original version that does not allow anything. I filed that as a bug, but apparently this is not reproducible on all configurations.

 

Hope this helps.

 

PS

Concerning your other question: I use the "high" security setting, and I have Samba and a local web server functional.

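The post above describes two things a practitioner ends up doing by hand: reading Shorewall's kernel log lines in /var/log/messages to see what got DROPped, and deciding whether the drop is LAN traffic that a rule like `AllowSMB net:192.168.2.0/24 fw` should have let through, or an outside attempt that the firewall is correctly blocking. The following is an added example written for this page, not code from the thread or from Shorewall; it parses log lines in the format shown above, picks out drops aimed at the SMB/NetBIOS ports, splits them by whether the source is inside the LAN prefix, and prints the Shorewall rule that would cover the LAN case. The log lines are constructed for the example (only the first one is the post's own), and the SMB port list (137/udp, 138/udp, 139/tcp, 445/tcp) comes from Samba's documentation rather than from the thread.

```python
"""Classify Shorewall DROP/REJECT log lines for Samba traffic (added example)."""
import ipaddress
import re

# Ports Samba / Windows file sharing uses (assumed from Samba docs, not from the thread):
# NetBIOS name service, NetBIOS datagram, NetBIOS session, direct-hosted SMB.
SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

# The LAN prefix used in the thread's example rules.
LAN = ipaddress.ip_network("192.168.2.0/24")

# Shorewall log format: "Shorewall:<chain>:<disposition>:" then netfilter KEY=value fields.
_HEADER = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):")
_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample log; the first line is the one quoted in the post above.
SAMPLE_LOG = """\
Mar 28 07:51:44 kokoc kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.2.100 DST=224.0.0.251 LEN=107 TOS=0x00 PREC=0x00 TTL=255 ID=9 DF PROTO=UDP SPT=5353 DPT=5353 LEN=87
Mar 28 07:52:01 kokoc kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.2.100 DST=192.168.2.5 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=1234 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 28 07:52:02 kokoc kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=192.168.2.100 DST=192.168.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=1235 DF PROTO=TCP SPT=1052 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 28 07:52:10 kokoc kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=203.0.113.7 DST=192.168.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=777 DF PROTO=TCP SPT=40000 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 07:52:11 kokoc kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=192.168.2.5 DST=192.168.2.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=33000 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 28 07:52:12 kokoc sshd[1234]: Accepted publickey for user from 192.168.2.100 port 51000 ssh2
"""


def parse_shorewall_line(line):
    """Return a dict for a Shorewall log line, or None for anything else."""
    m = _HEADER.search(line)
    if not m:
        return None
    fields = dict(_FIELD.findall(line[m.end():]))  # flags like DF/SYN have no '=' and are skipped
    try:
        return {
            "chain": m.group("chain"),
            "disposition": m.group("disposition"),
            "in_if": fields.get("IN", ""),
            "out_if": fields.get("OUT", ""),
            "src": ipaddress.ip_address(fields["SRC"]),
            "dst": ipaddress.ip_address(fields["DST"]),
            "proto": fields.get("PROTO", "").lower(),
            "spt": int(fields.get("SPT", 0)),
            "dpt": int(fields.get("DPT", 0)),
        }
    except (KeyError, ValueError):
        return None  # malformed or truncated line


def classify(lines, lan=LAN):
    """Split blocked SMB packets into LAN-sourced (a rules problem) and outside-sourced (working as intended)."""
    result = {"lan_smb_drops": [], "outside_smb_drops": []}
    for line in lines:
        e = parse_shorewall_line(line)
        if e is None or e["disposition"] not in ("DROP", "REJECT"):
            continue
        if (e["proto"], e["dpt"]) not in SMB_PORTS:
            continue
        bucket = "lan_smb_drops" if e["src"] in lan else "outside_smb_drops"
        result[bucket].append(e)
    return result


def suggest_rule(entry, lan=LAN):
    """Shorewall 'rules' line using the AllowSMB action that would have covered this packet."""
    if entry["in_if"]:                        # arrived on an interface: inbound, net -> fw
        return f"AllowSMB net:{lan} fw"
    return f"AllowSMB fw net:{lan}"           # leaving: outbound, fw -> net


if __name__ == "__main__":
    report = classify(SAMPLE_LOG.splitlines())
    for e in report["lan_smb_drops"]:
        print(f"LAN SMB drop {e['src']} -> {e['dst']} {e['proto']}/{e['dpt']}; add: {suggest_rule(e)}")
    for e in report["outside_smb_drops"]:
        print(f"blocked outside SMB attempt {e['src']} -> {e['dst']} {e['proto']}/{e['dpt']} (expected)")
```

Run it against your own log with `classify(open("/var/log/messages").read().splitlines())`; the LAN prefix is a parameter so the check is not tied to 192.168.2.0/24. Note that a multicast drop like the first sample line (DPT 5353) is not Samba and is ignored, which is what you want when scanning a busy log for the Samba ports.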

Wow! Thank you so much! I didn't even know the firewall in Mandriva had a name, lol. You explained things perfectly. :D

 

This has turned out to be a two part issue. After setting up the rules to allow the other computer's IP, it worked. :D Then after a couple of hours it didn't work. :S Samba was still showing the other computer in the network list, but no IP again. Looking at the network tab, I noticed that it was looking like something deeper than the firewall... for IP, etc. it said unknown, which just seemed rather off... I mean, why would it detect the other computer and not the IP as well?

 

After knowing it COULD work, I started to check out the other computer's network settings again. Everything looked fine, and my fiancé *the owner of the other computer* wasn't even running his software firewall. Then I remembered what his firewall was *ZoneAlarm*, and since I've had problems with it blocking network connections despite them being in the trusted zone in the past, I decided to try uninstalling it - and it worked! I then installed a different firewall, and everything has been working fine since then. :)

Edited by vixenk

good!

 

For the record: you could probably have figured out that something was blocking Samba traffic on the other computer by looking at /var/log/samba/xxxx.log files. "xxxx" by default contains the IP address or hostname of the connecting PC.

 

It is almost always rewarding to check log files when something stops/isn't working.


You could check the ZoneAlarm logs, and allow blocked events related to your SMB client... but since ZoneAlarm isn't (IMHO) a good firewall anymore, then well done...

For the record, Jetico is a fine personal firewall for windows, and it's still free of charge.

Edited by scarecrow