Re: [nottingham] Win2K, Samba PDC and firewall

From: Graeme Fowler (graeme@graemef.net)
Date: Sat 16 Mar 2002 - 10:06:53 GMT


On Fri, 15 Mar 2002, Matthew Sackman wrote:
> Firstly, is this likely? : Should you always have to have a rule to accept
> traffic sent to the broadcast address or should the tcp/ip stack just deal
> with it implicitly (Policy on the firewall is drop)? Network is switched
> 100Mbps ethernet.

Yes, the broadcast address is still a valid IP from a firewall POV so you
must have explicit PERMIT rules for it.

> Secondly rather than just blindly accept everything sent to broadcast, are
> specific ports used? I don't understand the whole broadcast thing in *too*
> much detail so any help here would be great.

Put very simply, you need to allow ports 135, 137, 138 and 139 at the very
least (TCP and UDP, ISTR) to allow basic Windows networking to work. You
might also need TCP port 1040, but that seems to vary depending on what
additional widgets are running (Exchange for example).

Run:

[root@server /root]# netstat -anp
<snip>
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      8609/smbd
udp        0      0 192.168.7.254:137       0.0.0.0:*                           8618/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           8618/nmbd
udp        0      0 192.168.7.254:138       0.0.0.0:*                           8618/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           8618/nmbd

and there you have it, but mine is a very basic setup. Thinking about it,
port 135 was Win9x specific, but I could be wrong. It might also be opened
as a PTP link at some point.

The broadcast address in Windows networking is extremely important, as
it's the way the different servers/workstations advertise their presence
into the 'Network Neighborhood'.

Of course, you did have a look in the Samba source code, right? ;-)

Graeme

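The approach Graeme describes above (read the Samba listeners off `netstat -anp`, then write explicit PERMIT rules for them, including the subnet broadcast address) can be turned into a small script. The following is an added example, not code from the thread or from Samba: it parses netstat output in the format quoted above and emits iptables INPUT rules that accept exactly the smbd/nmbd ports from the LAN, with a separate rule for the broadcast address that NetBIOS name (137) and datagram (138) traffic uses. The sample netstat lines are constructed from the ones in the message (plus an unrelated sshd socket to show it is filtered out); the LAN subnet 192.168.7.0/24, the server address 192.168.7.254 and the interface name eth0 are assumptions.

```python
"""Derive explicit firewall PERMIT rules for a Samba host from netstat -anp output.

Added example for the mailing-list thread; not part of the original message or
of Samba. Subnet, host address and interface below are assumptions.
"""
import ipaddress
import re
from typing import List, Set, Tuple

# Constructed sample, modelled on the netstat -anp output quoted in the thread,
# with one non-Samba listener (sshd) added to show that it is ignored.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      8609/smbd
udp        0      0 192.168.7.254:137       0.0.0.0:*                           8618/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           8618/nmbd
udp        0      0 192.168.7.254:138       0.0.0.0:*                           8618/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           8618/nmbd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      431/sshd
"""

SAMBA_DAEMONS = {"smbd", "nmbd"}

Socket = Tuple[str, int]  # (protocol, local port)


def parse_listeners(netstat_output: str, daemons: Set[str] = SAMBA_DAEMONS) -> Set[Socket]:
    """Return the (proto, port) pairs held by the named daemons.

    Works on both TCP lines (which carry a State column) and UDP lines (which
    do not), because the PID/program field is always last.
    """
    listeners: Set[Socket] = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        proto, local, prog = fields[0], fields[3], fields[-1]
        m = re.fullmatch(r"\d+/(\S+)", prog)  # "8609/smbd"; "-" when PID is hidden
        if not m or m.group(1) not in daemons:
            continue
        port = int(local.rsplit(":", 1)[1])
        listeners.add((proto, port))
    return listeners


def build_rules(listeners: Set[Socket], lan: str, host: str, iface: str = "eth0") -> List[str]:
    """Emit iptables INPUT rules for a default-DROP policy.

    One rule permits unicast from LAN hosts to the server's own address; for
    UDP ports a second rule permits the same port at the subnet broadcast
    address, which a default-DROP firewall would otherwise silently discard.
    """
    net = ipaddress.ip_network(lan)
    rules: List[str] = []
    for proto, port in sorted(listeners):
        rules.append(
            f"iptables -A INPUT -i {iface} -p {proto} -s {net} -d {host} "
            f"--dport {port} -j ACCEPT"
        )
        if proto == "udp":
            rules.append(
                f"iptables -A INPUT -i {iface} -p udp -s {net} -d {net.broadcast_address} "
                f"--dport {port} -j ACCEPT"
            )
    return rules


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    for rule in build_rules(found, "192.168.7.0/24", "192.168.7.254"):
        print(rule)
```

Run it against real output with `netstat -anp | python3 this_script.py` after changing the `__main__` block to read `sys.stdin`; review the printed rules before loading them, since ports that only appear while a domain logon is in progress will not be in a one-off netstat snapshot.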



This archive was generated by hypermail 2.1.3 : Sat 16 Mar 2002 - 10:08:34 GMT