# What are correct IPFW settings for SAMBA?



## jasonhirsh (Nov 25, 2010)

I have Samba 3.3 on my 8.1 box. I am running IPFW. I can connect to Samba over my VPN, but I cannot connect to it through normal means, nor can I get smbclient to show resources. I have asked elsewhere but perhaps mis-stated the subject.


My ipfw.rules are


```
KS="keep-state"
IPF="ipfw -q add"
ipfw -q -f flush
#loopback
$IPF 10 allow all from any to any via lo0
#$IPF 11 allow all from any to any via re0
#$IPF 12 allow all from any to any via re0_alias
$IPF 15 allow all from any to any via tap0
$IPF 20 deny  all from any to 127.0.0.0/8
$IPF 30 deny  all from 127.0.0.0/8 to any
$IPF 35 allow  all from any to 10.8.0.0/24
$IPF 37 allow  all from 10.8.0.0/24 to any
$IPF 40 deny tcp from any to any frag

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
$IPF 211 allow udp from any to any 137 in
$IPF 212 allow tcp from any to any 137 in
$IPF 213 allow udp from any to any 137 out
$IPF 214 allow tcp from any to any 137 out
$IPF 215 allow udp from any to any 138 in
$IPF 216 allow tcp from any to any 138 in
$IPF 217 allow udp from any to any 138 out
$IPF 218 allow tcp from any to any 138 out
$IPF 223 allow udp from any to any 139 in
$IPF 224 allow udp from any to any 139 out
$IPF 225 allow tcp from any to any 139 in
$IPF 226 allow tcp from any to any 139 out
$IPF 227 allow tcp from any to any dst-port 445 in
$IPF 228 allow tcp from any to any dst-port 445 out
$IPF 229 allow udp from any to any dst-port 445 in
$IPF 230 allow udp from any to any dst-port 445 out
$IPF 231 allow tcp from any to any 993 in
$IPF 232 allow tcp from any to any 993 out
$IPF 233 allow tcp from any to any 995 in
$IPF 234 allow tcp from any to any 995 out
$IPF 235 allow all from any to any dst-port 1194 setup
$IPF 240 allow udp from any to me dst-port 1194
$IPF 245 allow tcp from any to any 2500 in
$IPF 250 allow tcp from any to any 2500 out
$IPF 255 allow tcp from any to any 9000 in
$IPF 255  allow tcp from any to any 9000 out
# deny and log everything
$IPF 500 deny log all from any to any
```

`ipfw show` output:


```
00010  0    0 allow ip from any to any via lo0
00015  0    0 allow ip from any to any via tap0
00020  0    0 deny ip from any to 127.0.0.0/8
00030  0    0 deny ip from 127.0.0.0/8 to any
00035  0    0 allow ip from any to 10.8.0.0/24
00037  0    0 allow ip from 10.8.0.0/24 to any
00040  0    0 deny tcp from any to any frag
00050  0    0 check-state
00060 33 2756 allow tcp from any to any established
00070  0    0 allow ip from any to any out keep-state
00080  0    0 allow icmp from any to any
00110  0    0 allow tcp from any to any dst-port 21 in
00120  0    0 allow tcp from any to any dst-port 21 out
00130  0    0 allow tcp from any to any dst-port 22 in
00140  0    0 allow tcp from any to any dst-port 22 out
00150  0    0 allow tcp from any to any dst-port 25 in
00160  0    0 allow tcp from any to any dst-port 25 out
00170  0    0 allow udp from any to any dst-port 53 in
00175  0    0 allow tcp from any to any dst-port 53 in
00180  0    0 allow udp from any to any dst-port 53 out
00185  0    0 allow tcp from any to any dst-port 53 out
00200  0    0 allow tcp from any to any dst-port 80 in
00210  0    0 allow tcp from any to any dst-port 80 out
00211 60 4680 allow udp from any to any dst-port 137 in
00212  0    0 allow tcp from any to any dst-port 137 in
00213  0    0 allow udp from any to any dst-port 137 out
00214  0    0 allow tcp from any to any dst-port 137 out
00215  3  606 allow udp from any to any dst-port 138 in
00216  0    0 allow tcp from any to any dst-port 138 in
00217  0    0 allow udp from any to any dst-port 138 out
00218  0    0 allow tcp from any to any dst-port 138 out
00223  0    0 allow udp from any to any dst-port 139 in
00224  0    0 allow udp from any to any dst-port 139 out
00225  0    0 allow tcp from any to any dst-port 139 in
00226  0    0 allow tcp from any to any dst-port 139 out
00227  0    0 allow tcp from any to any dst-port 445 in
00228  0    0 allow tcp from any to any dst-port 445 out
00229  0    0 allow udp from any to any dst-port 445 in
00230  0    0 allow udp from any to any dst-port 445 out
00231  0    0 allow tcp from any to any dst-port 993 in
00232  0    0 allow tcp from any to any dst-port 993 out
00233  0    0 allow tcp from any to any dst-port 995 in
00234  0    0 allow tcp from any to any dst-port 995 out
00235  0    0 allow ip from any to any dst-port 1194 setup
00240  1   81 allow udp from any to me dst-port 1194
00245  0    0 allow tcp from any to any dst-port 2500 in
00250  0    0 allow tcp from any to any dst-port 2500 out
00255  0    0 allow tcp from any to any dst-port 9000 in
00255  0    0 allow tcp from any to any dst-port 9000 out
00500 34 5372 deny log ip from any to any
65535  1   78 deny ip from any to any
```


----------



## qsecofr (Nov 30, 2010)

There are a lot of denied packets. Check /var/log/security or wherever you're logging to. My guess is you're allowing connections into the host on ports 137, 138, 139, 445, but not allowing those response packets back out. The destination port on the client computer is probably not the well-known port number. It doesn't appear your ruleset is making full use of stateful connections. It may be that the response packets are going out via rule #60, but if not then the logging will give you some better insight.


----------



## jasonhirsh (Dec 1, 2010)

The logs have not been too insightful... nothing really showing the IP I am coming from. I will investigate more.

If Samba is trying to respond to a client behind a NAT, wouldn't I have to route appropriate traffic??


I will research keep-state. I did not feel comfortable with it, so I did not use it beyond the template I borrowed.


----------



## qsecofr (Dec 1, 2010)

It would be helpful also if you had a pseudo-diagram or explanation of where the host & client sit in relation to the firewall/NAT. Are they both behind it? Are both on the same subnet? Who do you want firewalled from your Samba? etc.


Example: my Samba sits on the host, which also acts as firewall/NAT. It listens on an internal interface. The clients are internal only, 192.168 address space. I want to deny external clients from the net at large. This may or may not be what you want.
$oif = my external IP address and is defined at the top of the script.
Service names are from /etc/services.

```
#
#
# samba: some packets destined for .255 broadcast address
        $ipfw -q add allow udp from any to any netbios\\-ns,netbios\\-dgm,loc\\-srv in not via $oif keep-state
        $ipfw -q add allow tcp from any to me netbios\\-ssn,microsoft\\-ds,loc\\-srv in not via $oif setup keep-state
        $ipfw -q add allow udp from me netbios\\-ns,netbios\\-dgm,loc\\-srv to any out not via $oif keep-state
        $ipfw -q add allow tcp from me netbios\\-ssn,microsoft\\-ds,loc\\-srv to any out not via $oif setup keep-state
```
Denied packets, if the rule is logged, will most often tell what the issue is.  In your case, if the response packets from samba are getting blocked, you'll probably see your IP:samba-port in the message. The message looks something like

```
ipfw: 12500 Deny UDP 192.168.1.3:2909 x.y.z.239:443 in via bge1
```
You may have to play around with logging & log levels, and restart your firewall script (from a console preferably) a few times to get the info you need.
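As an added example (not part of qsecofr's post or any script in this thread), a small sh/awk helper that sorts denied ipfw log lines of the form quoted above into blocked inbound Samba requests and blocked outbound Samba responses; the log lines and addresses are constructed samples.

```shell
#!/bin/sh
# Constructed sample ipfw deny log lines in the same format as the line
# quoted above (any syslog prefix already stripped); documentation ranges.
SAMPLE_LOG='ipfw: 500 Deny UDP 203.0.113.10:138 198.51.100.7:138 out via re0
ipfw: 500 Deny TCP 203.0.113.10:445 198.51.100.7:51234 out via re0
ipfw: 500 Deny TCP 198.51.100.7:51240 203.0.113.10:445 in via re0
ipfw: 500 Deny TCP 198.51.100.7:40022 203.0.113.10:22 in via re0
ipfw: 500 Deny UDP 198.51.100.7:137 203.0.113.10:137 in via re0'

# samba_denials: read ipfw log lines on stdin and print one line per denied
# packet that touches a Samba port (137,138,139,445), tagged as
#   request  - a Samba port is the destination and the packet came in
#   response - a Samba port is the source and the packet was going out
# A blocked "response" means the server's reply never left the box, which
# is what an inbound allow rule without keep-state produces.
samba_denials() {
    awk '
    BEGIN { split("137 138 139 445", p, " "); for (i in p) smb[p[i]] = 1 }
    { sub(/^.*ipfw: /, "") }    # drop anything before the ipfw: marker
    $2 == "Deny" {              # fields: rule Deny PROTO src dst dir via ifname
        split($4, s, ":"); split($5, d, ":")
        if ((d[2] in smb) && $6 == "in")
            printf "request  %s %s:%s -> %s:%s via %s\n", $3, s[1], s[2], d[1], d[2], $8
        else if ((s[2] in smb) && $6 == "out")
            printf "response %s %s:%s -> %s:%s via %s\n", $3, s[1], s[2], d[1], d[2], $8
    }'
}

# blocked_responses: how many Samba replies the firewall dropped (stdin = log).
blocked_responses() { samba_denials | grep -c '^response'; }

printf '%s\n' "$SAMPLE_LOG" | samba_denials
```

Feed it the real file with `grep 'ipfw:' /var/log/security | samba_denials`; any "response" lines are the replies qsecofr suggests looking for.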


----------



## codeWarrior (Dec 11, 2010)

I hope this helps you. Here's a copy of my ipfw-rules.sh shell script.

1) Save this as /usr/local/etc/ipfw-rules.sh
2) Adjust the script according to your needs
3) Make it executable: `chmod +x /usr/local/etc/ipfw-rules.sh`
4) Run the rules script: `sh /usr/local/etc/ipfw-rules.sh`
5) Set your system so that it runs /usr/local/etc/ipfw-rules.sh at startup to open the firewall.

It should open the correct IP ports for Samba. If you are only interested in the Samba ports, you need to allow *BOTH TCP* and *UDP* in both directions [*IN/OUT*] on the following ports:


81
137
138
139
445



```
IPF="ipfw -q add"   # variable name must match the $IPF used below
ipfw -q -f flush

# BRUTE FORCE ATTACK BLOCKING:
$IPF deny ip from me to table\(1\)
$IPF deny ip from table\(1\) to me

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# FTP: 
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out

# SSH:
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out

# MAIL:
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out

# BIND / DNS:
$IPF 170 allow udp from any to any 53 in
$IPF 172 allow tcp from any to any 53 in
$IPF 174 allow udp from any to any 53 out
$IPF 176 allow tcp from any to any 53 out

# RNDC / BIND:
$IPF 180 allow udp from any to any 953 in
$IPF 182 allow tcp from any to any 953 in
$IPF 184 allow udp from any to any 953 out
$IPF 186 allow tcp from any to any 953 out

# APACHE / HTTPD:
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out

# NETBIOS:
$IPF 211 allow tcp from any to any 81 in
$IPF 212 allow tcp from any to any 81 out
$IPF 213 allow udp from any to any 81 in
$IPF 214 allow udp from any to any 81 out

# POP3:
$IPF 220 allow tcp from any to any 110 in
$IPF 230 allow tcp from any to any 110 out

# NMBD: [SAMBA]
$IPF 400 allow tcp from any to any 137 in
$IPF 402 allow tcp from any to any 137 out
$IPF 404 allow udp from any to any 137 in
$IPF 406 allow udp from any to any 137 out

# NMBD: [SAMBA]
$IPF 408 allow tcp from any to any 138 in     
$IPF 410 allow tcp from any to any 138 out    
$IPF 412 allow udp from any to any 138 in     
$IPF 414 allow udp from any to any 138 out  

# SMBD: [SAMBA]
$IPF 416 allow tcp from any to any 139 in     
$IPF 418 allow tcp from any to any 139 out    
$IPF 420 allow udp from any to any 139 in     
$IPF 422 allow udp from any to any 139 out  

# IMAP: [MAIL]
$IPF 145 allow tcp from any to any 143 in
$IPF 146 allow tcp from any to any 143 out
$IPF 147 allow udp from any to any 143 in
$IPF 148 allow udp from any to any 143 out

# HTTP: TLS/SSL:
$IPF 424 allow tcp from any to any 443 in
$IPF 426 allow tcp from any to any 443 out
$IPF 428 allow udp from any to any 443 in
$IPF 430 allow udp from any to any 443 out

# SMBD: [SAMBA]
$IPF 432 allow tcp from any to any 445 in
$IPF 434 allow tcp from any to any 445 out
$IPF 436 allow udp from any to any 445 in
$IPF 438 allow udp from any to any 445 out

# SMTPS: [SECURE SMTP]
$IPF 465 allow tcp from any to any 465 in     
$IPF 466 allow tcp from any to any 465 out    
$IPF 467 allow udp from any to any 465 in     
$IPF 468 allow udp from any to any 465 out  

# IMAPS: [IMAP4 - SSL]
$IPF 485 allow tcp from any to any 585 in
$IPF 486 allow tcp from any to any 585 out
$IPF 487 allow udp from any to any 585 in
$IPF 488 allow udp from any to any 585 out

# IMAPS: [IMAPS-SSL]
$IPF 9930 allow tcp from any to any 993 in
$IPF 9931 allow tcp from any to any 993 out
$IPF 9932 allow udp from any to any 993 in
$IPF 9933 allow udp from any to any 993 out

# SECURE MAIL [SSL-POP / POP3S]
$IPF 9950 allow tcp from any to any 995 in
$IPF 9951 allow tcp from any to any 995 out
$IPF 9952 allow udp from any to any 995 in
$IPF 9953 allow udp from any to any 995 out

# mySQL
$IPF 3306 allow tcp from any to any 3306 in
$IPF 3307 allow tcp from any to any 3306 out
$IPF 3308 allow udp from any to any 3306 in
$IPF 3309 allow udp from any to any 3306 out

#SUBVERSION [SVNSERVE]
$IPF 3690 allow tcp from any to any 3690 in
$IPF 3691 allow tcp from any to any 3690 out
$IPF 3692 allow udp from any to any 3690 in
$IPF 3693 allow udp from any to any 3690 out

# POSTGRESQL:
$IPF 5432 allow tcp from any to any 5432 in
$IPF 5433 allow tcp from any to any 5432 out
$IPF 5434 allow udp from any to any 5432 in
$IPF 5435 allow udp from any to any 5432 out

# TELNETD
$IPF 23000 allow tcp from any to any 23032 in
$IPF 23001 allow tcp from any to any 23032 out
$IPF 23002 allow udp from any to any 23032 in
$IPF 23003 allow udp from any to any 23032 out

# WEBMIN:
$IPF 32000 allow tcp from any to any 32000 in
$IPF 32001 allow tcp from any to any 32000 out

# WEBMIN:
$IPF 32768 allow tcp from any to any 32768 in
$IPF 32769 allow tcp from any to any 32768 out

# OPENWEBMAIL:
$IPF 40004 allow tcp from any to any 40004 in
$IPF 40005 allow tcp from any to any 40004 out
$IPF 40006 allow udp from any to any 40004 in
$IPF 40007 allow udp from any to any 40004 out

# DEJA.Technology Platform:
$IPF 300 allow tcp from any to any 59095 in
$IPF 310 allow tcp from any to any 59095 out

# deny and log everything
$IPF 65000 deny log all from any to any
```
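As an added example (not codeWarrior's script or anything else from this thread), a sh/awk audit that scans a rules script in the `$IPF <number> allow ...` form used above and lists the inbound allow rules that expose a Samba port to `any` with neither an interface restriction (`via`) nor `keep-state`; the excerpt it scans is constructed, and rule 300 in it shows the tightened form for contrast.

```shell
#!/bin/sh
# Constructed excerpt in the same "$IPF <num> <action> ..." form as the
# scripts in this thread; it is not a copy of any poster's file.
SAMPLE_RULES='$IPF 50 check-state
$IPF 70 allow all from any to any out keep-state
$IPF 211 allow udp from any to any 137 in
$IPF 225 allow tcp from any to any 139 in
$IPF 227 allow tcp from any to any dst-port 445 in
$IPF 300 allow tcp from 192.168.1.0/24 to me dst-port 445 in via re1 setup keep-state
$IPF 500 deny log all from any to any'

# smb_exposed: read a rules script on stdin and print the number of every
# "allow ... in" rule whose destination is a Samba port (137,138,139,445),
# whose source is "any", and which is bound to neither an interface ("via")
# nor a dynamic rule ("keep-state"). Those rules admit nmbd/smbd traffic
# from anywhere and leave no state for the server's replies to match.
smb_exposed() {
    awk '
    BEGIN { split("137 138 139 445", p, " "); for (i in p) smb[p[i]] = 1 }
    $3 == "allow" {
        fromany = 0; port = ""; via = 0; ks = 0; inbound = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "from" && $(i+1) == "any") fromany = 1
            if ($i == "to" && $(i+2) ~ /^[0-9]+$/) port = $(i+2)  # "to any 139"
            if ($i == "dst-port") port = $(i+1)                    # "dst-port 445"
            if ($i == "via") via = 1
            if ($i == "keep-state") ks = 1
            if ($i == "in") inbound = 1
        }
        if (inbound && fromany && (port in smb) && !via && !ks) print $2
    }'
}

# exposed_count: number of such rules, for a quick pass/fail check.
exposed_count() { smb_exposed | wc -l | tr -d " "; }

printf '%s\n' "$SAMPLE_RULES" | smb_exposed
```

Run it as `smb_exposed < /usr/local/etc/ipfw-rules.sh`; every number it prints is a rule worth restricting to the client network or the internal interface and giving `keep-state`, as in qsecofr's rules earlier in the thread.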


----------



## jasonhirsh (Jan 8, 2011)

I didn't see the responses.
1) My SAMBA server is located on a leased host... none of the clients are on the same net.

2) I am relatively certain that I have all the suggested rules for ports other than 81. Could that be the issue??


----------



## jasonhirsh (Jan 9, 2011)

*Ipfw samba ports - solved*

Port 81 did it!!! Thanks a lot. I am completely lost in the IPFW documentation.


----------

