How does one configure ipfilter for Samba?

I've a Sun running Solaris 10 which has some samba shares. These work fine if there is no firewall running on the Sun, but stop when I enable my firewall, which uses ipfilter.

I have the following 3 rules which I thought would allow this to work as they should allow both tcp and udp traffic on ports 135 to 138 (I think so anyway!). But it does not work.

# Allow Samba connections
pass in quick on eri0 proto udp from 192.168.0.0/24 to 192.168.0.9/32 port 135>

Reply to
Dave
Reply to
Argo Sõõru

Thank you for that. I'd not opened 445 at all, which probably explains why it does not work for me.

That should be easy to fix.

Reply to
Dave

Thanks, after adding the following rules (and removing those I posted earlier), Samba now works with ipfilter.

# Allow Samba connections
pass in quick on eri0 proto tcp from 192.168.0.0/24 to 192.168.0.9/32 port = 135 keep state
pass in quick on eri0 proto udp from 192.168.0.0/24 to 192.168.0.9/32 port = 137 keep state
pass in quick on eri0 proto udp from 192.168.0.0/24 to 192.168.0.9/32 port = 138 keep state
pass in quick on eri0 proto tcp from 192.168.0.0/24 to 192.168.0.9/32 port = 139 keep state
pass in quick on eri0 proto tcp from 192.168.0.0/24 to 192.168.0.9/32 port = 445 keep state

Reply to
Dave

Do you really need 135/TCP? Microsoft uses that for many things including Exchange mail, RPC, and WINS management. But I don't think Samba uses it?

-Wayne

Reply to
Wayne

Just check which ports are used with "netstat". "netstat -a" shows you all the ports which are open. If 135 is not listed it is not used. I think Solaris does not have a netstat option to show you the PID of the server. To check which process uses the port you have to use "lsof" instead (which is not part of the Solaris distribution I think).

For general filter debugging I would also recommend looking into the log option. Instead of using the (silent) default drop, use a drop with log. I don't know how it is done exactly with ipfilter. With the log option the filter logs a message for every packet dropped. That way you should quickly see that packets for 445 have been dropped before.

135 is not used on any of my samba servers here.

Gerald

Reply to
Gerald Vogt

Hi,

Thank you for your post.

Checking with netstat -a only shows 139 and 445 in use

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.*                  *.*                0      0 49152      0 IDLE
      *.445                *.*                0      0 49152      0 LISTEN
      *.netbios-ssn        *.*                0      0 49152      0 LISTEN

(netbios-ssn is port 139)

So I changed the rules to

# Allow Samba connections
pass in quick on eri0 proto tcp from 192.168.0.0/24 to 192.168.0.9/32 port = 139 keep state
pass in quick on eri0 proto tcp from 192.168.0.0/24 to 192.168.0.9/32 port = 445 keep state

So far, the log shows no rejections and it seems to work.

It would be nice if these ports were clearly documented in the samba docs. I'm not the first to ask this question, and I see other posters' questions on this issue remain unanswered. I believe the ports used have changed over the years - I'm using Samba 3.0.23b.

Reply to
Dave
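The two steps Gerald recommends (check with netstat which ports are really listening, and replace the silent default drop with a logged one) and the trimmed rule set Dave ended up with can be tied together in a small script. The following is an added example, not code from the thread or from Samba or ipfilter: it parses a constructed `netstat -a` TCP listing shaped like the one Dave posted, keeps only the Samba TCP ports that are actually in LISTEN state, and emits ipf.conf lines with a logging `block` default ahead of the `pass ... quick ... keep state` rules. The interface `eri0`, the server address 192.168.0.9 and the client network 192.168.0.0/24 are taken from Dave's rules; the service-name table is an assumption kept in the script so it does not depend on the local /etc/services.

```python
"""Derive least-privilege ipfilter pass rules from Solaris `netstat -a` output.

Added example, not from the thread.  Assumptions: interface eri0, server
192.168.0.9 and client network 192.168.0.0/24 (from Dave's rules), and a
netstat TCP section laid out like the Solaris 10 listing Dave posted.
Only TCP is handled here; the UDP browsing ports 137/138 (nmbd) show up in
netstat's UDP section and are left to a separate rule.
"""

# Ports smbd may listen on (135 is listed in the docs but was not in use).
SAMBA_TCP_PORTS = {135, 139, 445}

# Assumed service-name table, so the parser does not depend on /etc/services.
NAME_TO_PORT = {
    "netbios-ns": 137,
    "netbios-dgm": 138,
    "netbios-ssn": 139,
    "microsoft-ds": 445,
}

# Constructed sample, shaped like the `netstat -a` TCP section in the thread.
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.*                  *.*                0      0 49152      0 IDLE
      *.445                *.*                0      0 49152      0 LISTEN
      *.netbios-ssn        *.*                0      0 49152      0 LISTEN
"""


def listening_ports(netstat_text):
    """Return the set of TCP port numbers whose state column is LISTEN.

    The local address is the first column; its port is the text after the
    last dot ("*.445", "*.netbios-ssn", "192.168.0.9.445").  Service names
    are resolved through NAME_TO_PORT; unknown names are ignored.
    """
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Header, separator and idle/connected sockets never end in LISTEN.
        if len(fields) < 7 or fields[-1] != "LISTEN":
            continue
        port_text = fields[0].rsplit(".", 1)[-1]
        if port_text.isdigit():
            ports.add(int(port_text))
        elif port_text in NAME_TO_PORT:
            ports.add(NAME_TO_PORT[port_text])
    return ports


def samba_rules(listening, iface="eri0", server="192.168.0.9/32",
                clients="192.168.0.0/24"):
    """Build ipf.conf lines: a logged default block, then one stateful pass
    rule per Samba TCP port that is actually listening.

    The block rule deliberately has no 'quick': ipfilter keeps evaluating, so
    a matching 'pass ... quick' wins, and anything that matches no pass rule
    is dropped and logged (readable with ipmon) instead of vanishing silently.
    """
    rules = [
        "# Default: drop and log (no 'quick'), so the pass rules below win",
        "block in log on %s all" % iface,
        "# Allow Samba connections, only on ports smbd is actually listening on",
    ]
    for port in sorted(listening & SAMBA_TCP_PORTS):
        rules.append(
            "pass in quick on %s proto tcp from %s to %s port = %d keep state"
            % (iface, clients, server, port)
        )
    return rules


if __name__ == "__main__":
    # Expected here: rules for 139 and 445 only; 135 is not listening.
    print("\n".join(samba_rules(listening_ports(SAMPLE_NETSTAT))))
```

On the real box the sample text would be replaced by the output of `netstat -a`, and the printed lines reviewed before being added to ipf.conf. Because the block rule logs, a client that still fails to connect after the change shows up in the log with the port it was refused on, which is exactly how the missing 445 would have been spotted earlier in this thread.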

PS, I did find these documented, but it looks like it might be incorrectly documented. Or perhaps some of the ports are not used all the time.

formatting link
There it says:

Port 135/TCP - used by smbd
Port 137/UDP - used by nmbd
Port 138/UDP - used by nmbd
Port 139/TCP - used by smbd
Port 445/TCP - used by smbd

Mine now appears to work with only 139 and 445, suggesting that not all ports are open for smbd and none for nmbd. I'm starting nmbd, but not sure if I'm using its functionality.

Either way, it looks to me the docs might be wrong.

Reply to
Dave

formatting link

The UDP ports 137 and 138 are used to browse, so you won't see them in use all the time. IIRC depending on the age of the various Windows clients on your network, you may or may not see TCP 139 or 445 used; older clients use 139, newer ones use 445. I still have no idea what Samba uses TCP/135 for! The only related documentation I ran across was on the MS website, where they say TCP/135 is used for "WINS management". Maybe Samba uses that under some circumstances?

In any case, Dave is right, this does need better documentation on the Samba site.

-Wayne

Reply to
Wayne
