smb browsing broken by firewall

Charles R. Anderson cra at WPI.EDU
Mon Jan 19 20:27:05 UTC 2004


On Mon, Jan 19, 2004 at 09:58:10AM -0800, shane at geeklords.org wrote:
> The problem I see with modifying netfilter to behave in this manner is 
> that "stateful" communication requires src-ip/src-protocol/src-port -> 
> dst-ip/dst-protocol/dst-port to be stateful, at least that's my 
> understanding.  If iptables does not know who to expect a response back 
> from then at best it can allow anyone to respond back within a given 
> period of time without any real ability to verify the person responding 
> is related to the original request.  Worse yet it seems to me that 
> iptables would not have a good way to determine how long to keep the port 
> open, since the first response might not be the correct one.  

You would have to open the port from all hosts within the subnet to
which the broadcast was originally sent.  That's the point of a
broadcast query.  The dst-ip/dst-protocol/dst-port/src-port would
still have to match the previous state.  The only thing that would
change is matching on any-src-ip-in-subnet, instead of just the src-ip
which matches the original dst-ip in a unicast stream.  I'm told that
Patrick McHardy has a patch to netfilter/conntrack that adds this
functionality.  I'm trying to get this patch to test it.

> In short even if you got the above working, I don't see how it's any more 
> secure than just opening the netbios port in question. The end result 
> seems to be the same, in fact I would argue it is more secure, as we are not 
> assuming security where there is none.

It would be more secure to open the incoming port only in response to
an outbound broadcast query.  The incoming traffic would still only be
allowed from the local subnet.  As far as timing, a short timeout,
such as 10 seconds, should be sufficient.  If no response to a
broadcast has happened in 10 seconds, then you are not likely to get
any responses at all.

If you are running a Samba server, of course, you would need to open 
the port regardless.  I think this should be a separate 
configuration--client-only systems should not require their smb ports 
to be open all the time to anyone.
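
The broadcast-reply state described above, written out as a small model so the two positions in the thread can be compared side by side. This is an added example, not code from the thread and not Patrick McHardy's netfilter patch: it models a conntrack-style entry created by an outbound UDP broadcast, accepts replies only when dst-ip/dst-port/src-port mirror the query and the src-ip lies inside the subnet the broadcast went to, and expires the entry after the 10-second window suggested in the reply. The subnet, addresses, the ephemeral port and the choice of UDP 137 (NetBIOS name service) are assumptions for the example; the thread itself names no specific port.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Timeout suggested in the thread: no answer within 10 s means none is coming.
BROADCAST_REPLY_TIMEOUT = 10.0
# Assumed for the example: NetBIOS name service on UDP 137 (the thread says
# only "the netbios port in question").
NBNS_PORT = 137


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class BroadcastState:
    """State created by an outbound broadcast query.

    A reply is accepted when its dst-ip/dst-port/src-port mirror the query
    (the same fields conntrack checks for unicast) but its src-ip may be
    any host in the subnet the broadcast was sent to.
    """
    proto: str
    local_ip: str        # our address: the reply's dst-ip
    local_port: int      # our source port: the reply's dst-port
    remote_port: int     # port we queried: the reply's src-port
    subnet: IPv4Network  # any host in here may answer
    expires: float


class BroadcastConntrack:
    def __init__(self, local_subnet: str):
        self.subnet = IPv4Network(local_subnet)
        self.states: list[BroadcastState] = []

    def outbound(self, pkt: Packet, now: float) -> bool:
        """Create a state entry for a UDP broadcast to our subnet; ignore other traffic."""
        if pkt.proto != "udp" or IPv4Address(pkt.dst_ip) != self.subnet.broadcast_address:
            return False
        self.states.append(BroadcastState(
            pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port,
            self.subnet, now + BROADCAST_REPLY_TIMEOUT))
        return True

    def inbound_allowed(self, pkt: Packet, now: float) -> bool:
        """Accept an inbound packet only if it matches a live broadcast state."""
        # Expire stale entries first: a late answer is treated like any stranger.
        self.states = [s for s in self.states if s.expires > now]
        return any(
            pkt.proto == s.proto
            and pkt.dst_ip == s.local_ip
            and pkt.dst_port == s.local_port
            and pkt.src_port == s.remote_port
            and IPv4Address(pkt.src_ip) in s.subnet
            for s in self.states
        )


def static_rule_allows(pkt: Packet, local_subnet: str) -> bool:
    """The alternative the thread weighs: the port open to the whole subnet at all times."""
    return (pkt.proto == "udp" and pkt.dst_port == NBNS_PORT
            and IPv4Address(pkt.src_ip) in IPv4Network(local_subnet))


def simulate() -> dict:
    """Run a constructed packet sequence and report what each approach admits."""
    subnet = "192.168.1.0/24"   # constructed
    me = "192.168.1.10"         # constructed client address
    ct = BroadcastConntrack(subnet)

    # t=0: the client broadcasts a name query from ephemeral port 40000.
    assert ct.outbound(Packet("udp", me, 40000, "192.168.1.255", NBNS_PORT), now=0.0)

    def reply(src_ip, src_port=NBNS_PORT, dst_port=40000):
        return Packet("udp", src_ip, src_port, me, dst_port)

    unsolicited = Packet("udp", "192.168.1.99", 50000, me, NBNS_PORT)
    return {
        # a neighbour answering promptly: admitted by the stateful model
        "neighbour_t1": ct.inbound_allowed(reply("192.168.1.20"), now=1.0),
        # a host outside the broadcast subnet: refused
        "outside_subnet_t1": ct.inbound_allowed(reply("10.0.0.5"), now=1.0),
        # right subnet, wrong destination port: refused (ports must mirror the query)
        "port_mismatch_t1": ct.inbound_allowed(reply("192.168.1.30", dst_port=5000), now=1.0),
        # a neighbour answering after the 10 s window: refused, state has expired
        "neighbour_t11": ct.inbound_allowed(reply("192.168.1.20"), now=11.0),
        # an unsolicited packet to port 137 from the subnet, long after the query:
        # the always-open rule admits it, the stateful model does not
        "unsolicited_static": static_rule_allows(unsolicited, subnet),
        "unsolicited_stateful": ct.inbound_allowed(unsolicited, now=60.0),
    }


if __name__ == "__main__":
    for name, allowed in simulate().items():
        print(f"{name}: {'ALLOW' if allowed else 'DROP'}")
```

The model makes the trade-off concrete: both approaches restrict replies to the local subnet, but only the stateful one closes the port again once the 10-second window passes, which is the client-only behaviour the reply argues for; a Samba server would still need the static rule.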
