smb browsing broken by firewall

Casey Price linuxproject at aws-sj.com
Mon Jan 19 20:58:25 UTC 2004


Just a quick question here... whatever happened to the old faithful
'//ipaddress' option for accessing a Samba share, as in Windows? Also, how
difficult would it be to get a plugin for something, say Mozilla, to support
Samba? Then through any file manager or browser you could access a Samba
server.

-- 
Casey Price

> On Mon, 19 Jan 2004, Charles R. Anderson wrote:
>
>> Unfortunately, even specifying the correct options manually in
>> smb.conf does not seem to affect SMB clients, such as Nautilus,
>> although I have not investigated this thoroughly yet.  Nautilus always
>> attempted broadcast to find the master browser, which won't work with
>> the default firewall configuration (unless the netfilter code is
>> enhanced, perhaps trivially).
>>
>> Besides that, there are legitimate uses of B-nodes.  Home networks
>> will almost never have a WINS server, so they must broadcast.
>
> The problem I see with modifying netfilter to behave in this manner is
> that "stateful" communication requires src-ip/src-protocol/src-port ->
> dst-ip/dst-protocol/dst-port to be stateful, at least that's my
> understanding.  If iptables does not know who to expect a response back
> from then at best it can allow anyone to respond back within a given
> period of time without any real ability to verify the person responding
> is related to the original request.  Worse yet it seems to me that
> iptables would not have a good way to determine how long to keep the port
> open, since the first response might not be the correct one.
>
> In short even if you got the above working, I don't see how it's any more
> secure than just opening the netbios port in question. The end result
> seems to be the same, in fact I would argue it is more secure, as we are
> not assuming security where there is none.
>
> Shane
>
> --
> "Given enough time, all legal battles in the tech industry will invoke the
> DMCA. This generally means that all constructive arguments have ended."
> 					-NialScorva (slashdot poster)
>
>
> --
> fedora-devel-list mailing list
> fedora-devel-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-devel-list
>
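
The stateful-matching argument in the quoted reply above, as a small Python model (an added example, not code from the thread or from netfilter). The addresses, the /24 broadcast check and the 3-second window are assumptions made for illustration.

```python
from dataclasses import dataclass

WINDOW = 3.0  # assumed lifetime of the relaxed rule, in seconds

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    t: float  # time in seconds

class Firewall:
    """Toy model of reply matching; not netfilter code."""
    def __init__(self, relaxed):
        self.relaxed = relaxed
        self.expected = set()   # exact reply tuples (strict tracking)
        self.windows = []       # (local ip, local port, expiry) for broadcasts

    def outbound(self, p):
        # Strict tracking expects the reply to come from the address we sent to.
        self.expected.add((p.dst, p.dport, p.src, p.sport))
        # Assumption: /24 network, so the broadcast address ends in .255.
        if self.relaxed and p.dst.endswith(".255"):
            self.windows.append((p.src, p.sport, p.t + WINDOW))

    def inbound(self, p):
        if (p.src, p.sport, p.dst, p.dport) in self.expected:
            return True
        # Relaxed rule: any sender may answer the open port until the window expires.
        return any(p.dst == ip and p.dport == port and p.t <= exp
                   for ip, port, exp in self.windows)

def run(relaxed):
    fw = Firewall(relaxed)
    # Constructed traffic: a B-node name query broadcast to UDP 137.
    fw.outbound(Packet("192.168.1.20", 40000, "192.168.1.255", 137, 0.0))
    replies = [
        Packet("192.168.1.5", 137, "192.168.1.20", 40000, 0.2),   # master browser
        Packet("192.168.1.66", 137, "192.168.1.20", 40000, 0.5),  # unrelated host
        Packet("192.168.1.5", 137, "192.168.1.20", 40000, 4.0),   # late reply
    ]
    return [fw.inbound(r) for r in replies]

if __name__ == "__main__":
    print("strict :", run(False))
    print("relaxed:", run(True))
```

Strict matching drops even the legitimate unicast reply because it never comes from the broadcast address, while the relaxed window accepts the unrelated host exactly as readily as the master browser.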