[Wylug-help] LAN/samba problems
Anne Wilson
cannewilson at googlemail.com
Sat Feb 9 19:38:31 GMT 2008
On Saturday 09 February 2008 18:50, Andrew J Cole wrote:
> Anne,
>
> Pleased to hear that you are now running ok after rebooting.
>
Sort of...
> As to the root cause(s) ...
>
> 1) clearly your iptables changes badly deranged your network services.
>
Fair enough
> 2) as long as IP is not affected Samba will function perfectly with
> existing connections (as long as the smbd is running) but you won't
> be able to make any new "samba" connection unless the nmbd is running.
> That should explain what you observed.
>
For some strange reason if there is no connection for more than a few seconds
nmbd shuts down. It happened again this evening. I couldn't have been more
than 3-4 minutes before I fired up the laptop, after going into the house,
but I was too late. Once more it said
[root@borg2 ~]# service smb status
smbd (pid 2970 2934) is running...
nmbd dead but pid file exists
and I've had to come out to re-start it. I keep the server up all night, but
workstations and laptops are shut down at night, so this is a major PITA.
> I am not clear what purpose your iptables are performing. Are you
> protecting the server on the local network from other clients on the
> local net? Are you using the server to route to the WAN (ie. to filter
> WAN traffic)? Perhaps you are trying to protect the server from other
> wifi clients? Other than in rather special circumstances it's not
> necessary to use iptables on LAN servers.
>
> I had assumed that you had a NATing router between your LAN and the WAN.
> It's at that point that you should be restricting traffic flow onto
> your LAN. Unless you are wanting to provide services to the WAN it's
> normal to block all services incoming from the WAN at the router:
> any services that you do wish to expose are then opened and routed to
> specific internal IPs. If you are concerned about alien wifi traffic
> again your (wifi) router should control access (both connection and later
> access to services) from wifi clients to your core LAN.
>
Maybe I'm being over-cautious. I do have a NATing router - 2 in fact :-) Due
to difficult physical restraints I have a normal router, with a second router
configured as a switch to extend the lan. On both I port-forward only
necessary services, disabling services when not required. I have wifi access
but it is wpa-psk protected. I don't intend putting software firewalls on
workstations, but it just seemed safer to have one on the server. There's
no wan access, so I probably don't need it - it's just my instinct to use
belt, braces and a piece of string :-)
Being basically a server distro, CentOS enables firewall and SELinux by
default. I've yet to tackle SELinux. Joys to come :-)
> ps. is swat working after the reboot?
>
No, neither by name nor IP.
> btw security-wise it's not really a good idea to expose Samba to WAN
> traffic (unless you are using VPNs) and I would really say the same
> about exposing swat.
That makes sense, thanks.
Anne
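
The status line quoted in the message above ("nmbd dead but pid file exists") is what a pid-file check reports when the file names a process that no longer exists. The shell functions below are an added example, not part of the thread and not the CentOS init script; the pid file names smbd.pid and nmbd.pid and the /var/run default are assumptions.

```shell
#!/bin/sh
# Added example: classify a daemon from its pid file, giving the three
# states a "status" check distinguishes. Return codes follow the LSB
# convention: 0 running, 1 dead but pid file exists, 3 not running.

# pid_state PIDFILE -> prints "running", "dead-pidfile" or "stopped"
pid_state() {
    pidfile=$1
    # No pid file: the daemon was stopped cleanly or never started.
    [ -f "$pidfile" ] || { echo stopped; return 3; }
    # First field of the first line; tolerate a missing trailing newline.
    pid=
    read -r pid _ < "$pidfile" || :
    # An empty or non-numeric pid cannot name a live process.
    case $pid in
        ''|*[!0-9]*) echo dead-pidfile; return 1 ;;
    esac
    # kill -0 sends no signal, it only tests that the process exists.
    # The /proc test covers a live process owned by another user.
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        echo running; return 0
    fi
    # The process exited without removing its pid file.
    echo dead-pidfile; return 1
}

# samba_report [DIR] -> one line per Samba daemon
# DIR defaults to /var/run (assumed location; it varies by distribution).
samba_report() {
    dir=${1:-/var/run}
    for d in smbd nmbd; do
        printf '%s: %s\n' "$d" "$(pid_state "$dir/$d.pid")"
    done
}

samba_report "${1:-/var/run}"
```

Run from cron, a report like this shows when nmbd's pid file went stale, which can then be matched against the timestamps in Samba's own nmbd log.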