Hiding Samba behind a firewall

Guillaume Lécroart dummy.goug@free.fr
Thu, 4 Oct 2001 16:13:46 +0200


Hi,

I'm trying to hide a Samba server behind a netfilter firewall.
Hiding means that the "external" machines should reach the "internal"
Samba server using the firewall's external address.
I'm using DNAT to forward packets to port 139 of the firewall to port
139 of the Samba server, as well as SNAT to make packets coming from the
Samba server get the firewall's external source address. For SMB
traffic, it works fine.

For nmbd it becomes a little harder: machines on network A are using a
WINS server. I can't get control of the WINS server to add static
mappings, nor change the machines' WINS/LMHOSTS configuration. My only
solution is to have the Samba server register against the external WINS server.

The problem is that even if the 137/udp packet is SNATed by the
firewall, the Samba server appears with its private address in the WINS
server because the NBNS Ucast packet includes the registrar's address.

As a workaround, I can decide to run nmb -n <samba_server_nb_name> only
on the firewall, and let it announce itself with the correct address and
forward SMB traffic to the other box. But except for sshd, I do not want
any listening service to run on the firewall (I guess any real
security-involved people can understand that).

My questions are the following:

Is there a way to make nmbd use a specific address in the Addr: field of
the Registration Request it sends to a WINS server?

Is there any project regarding a masquerading module for this kind of
traffic in the netfilter community?

Thanks in advance and regards,

Guillaume

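The message above turns on one detail of the NetBIOS Name Service: the address a WINS server records for a name is carried as NB_ADDRESS inside the UDP payload of the Name Registration Request (RFC 1002), not taken from the IP header, so SNAT on the firewall rewrites the wrong thing. The following is an added example, not code from the original post nor from Samba or netfilter; it builds a unicast registration request the way a P-node client sends it, dissects it to show the embedded address, and then does the payload rewrite that a netfilter NAT helper for this traffic would have to perform. The NetBIOS name SAMBASRV, the internal address 10.0.0.5 and the external address 203.0.113.1 are constructed values.

```python
"""Added example: build, dissect and rewrite an RFC 1002 NetBIOS Name Registration Request.

The WINS server stores the address found in NB_ADDRESS (in the RDATA of the
additional record), so IP-layer SNAT leaves the private address in place.
All names and addresses below are constructed for the demonstration.
"""
import socket
import struct

NB_TYPE = 0x0020            # RR_TYPE / QUESTION_TYPE "NB"
IN_CLASS = 0x0001
OPCODE_REGISTRATION = 0x5
ONT_NAMES = {0: "B", 1: "P", 2: "M", 3: "H"}   # owner node type bits of NB_FLAGS


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encoding: 15-char padded name + suffix byte -> 32 chars 'A'..'P', no scope."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append(0x41 + (b >> 4))
        enc.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(enc) + b"\x00"


def decode_netbios_name(label: bytes):
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_registration_request(trn_id, name, addr, node_type=1, ttl=300000, suffix=0x20):
    """Unicast registration as sent to a WINS server: opcode 5, RD set, B (broadcast) clear."""
    flags = (OPCODE_REGISTRATION << 11) | 0x0100
    header = struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 1)   # QD=1, AN=0, NS=0, AR=1
    question = encode_netbios_name(name, suffix) + struct.pack("!HH", NB_TYPE, IN_CLASS)
    rdata = struct.pack("!H4s", node_type << 13, socket.inet_aton(addr))  # NB_FLAGS, NB_ADDRESS
    # RR_NAME is a compression pointer (0xC00C) back to the question name at offset 12
    additional = b"\xC0\x0C" + struct.pack("!HHIH", NB_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return header + question + additional


def _read_name(pkt, off):
    """Read DNS-style labels, following one level of compression pointer."""
    labels = []
    while True:
        length = pkt[off]
        if length == 0:
            return labels, off + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            labels.extend(_read_name(pkt, ptr)[0])
            return labels, off + 2
        labels.append(pkt[off + 1:off + 1 + length])
        off += 1 + length


def parse_registration_request(pkt):
    """Return the fields a WINS server would act on, plus where NB_ADDRESS sits in the payload."""
    trn_id, flags, qdcount, _, _, arcount = struct.unpack("!HHHHHH", pkt[:12])
    if (flags >> 11) & 0xF != OPCODE_REGISTRATION or qdcount != 1 or arcount != 1:
        raise ValueError("not a name registration request")
    labels, off = _read_name(pkt, 12)
    name, suffix = decode_netbios_name(labels[0])
    off += 4                                   # skip QUESTION_TYPE, QUESTION_CLASS
    _, off = _read_name(pkt, off)              # RR_NAME (pointer)
    rr_type, _, ttl, rdlength = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if rr_type != NB_TYPE or rdlength != 6:
        raise ValueError("unexpected RDATA in registration")
    nb_flags = struct.unpack("!H", pkt[off:off + 2])[0]
    return {
        "trn_id": trn_id, "name": name, "suffix": suffix, "ttl": ttl,
        "group": bool(nb_flags & 0x8000),
        "node_type": ONT_NAMES[(nb_flags >> 13) & 0x3],
        "address": socket.inet_ntoa(pkt[off + 2:off + 6]),
        "address_offset": off + 2,
    }


def rewrite_registered_address(pkt, new_addr):
    """What an NBNS NAT helper would have to do: patch NB_ADDRESS inside the UDP payload."""
    o = parse_registration_request(pkt)["address_offset"]
    return pkt[:o] + socket.inet_aton(new_addr) + pkt[o + 4:]


if __name__ == "__main__":
    # Constructed: internal Samba server 10.0.0.5, firewall external address 203.0.113.1
    req = build_registration_request(0x1234, "SAMBASRV", "10.0.0.5")
    print("WINS would record:", parse_registration_request(req))
    fixed = rewrite_registered_address(req, "203.0.113.1")
    print("after payload rewrite:", parse_registration_request(fixed)["address"])
```

Running it shows the request carrying 10.0.0.5 regardless of what the IP header says, which is exactly why SNAT alone leaves the private address in the WINS database. A real helper would also have to recompute the UDP checksum after the rewrite and apply the same patch to Name Refresh requests, which carry the same RDATA layout.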