Difference between revisions of "OpenWRT Samba Scare on WAN"

Wiki.TerraBase.info
Jump to navigation Jump to search
(Created page with "Using the nmblookup utility to check the WAN IP Address of an OpenWRT router, discovered that it reported Samba ports as "filtered". Filtered means it won't respond, but the...")
 
m
 
Line 9: Line 9:
option target 'DROP'
option target 'DROP'
option family 'ipv4'
option family 'ipv4'
list proto 'all'
list proto 'tcp'
list proto 'udp'


config rule
config rule
Line 18: Line 19:
option target 'DROP'
option target 'DROP'
option family 'ipv4'
option family 'ipv4'
list proto 'all'
list proto 'tcp'
list proto 'udp'


config rule
config rule
Line 27: Line 29:
option target 'DROP'
option target 'DROP'
option family 'ipv4'
option family 'ipv4'
list proto 'all'
list proto 'tcp'
list proto 'udp'


config rule
config rule
Line 36: Line 39:
option target 'DROP'
option target 'DROP'
option family 'ipv4'
option family 'ipv4'
list proto 'all'
list proto 'tcp'
</syntaxhighlight><br />
list proto 'udp'
</syntaxhighlight>'''SPECIAL NOTE:''' When inserting the above rules, it was noticed that attempting to use the following directive it BROKE all rules that followed (as if it were a syntax error): list proto 'all'  (proto 'all' was attempted to and also caused issues).  It's as if ''list proto 'all'<nowiki/>'' and ''proto 'all'<nowiki/>'' is a syntax error, with the emphasis on ''<nowiki/>'all'<nowiki/>''.  Changing it to specific protocols like ''<nowiki/>'tcp'<nowiki/>'' and ''<nowiki/>'udp'<nowiki/>'' (as shown in the above example) worked great.  Lesson?  Do NOT use 'all', instead use specific protocol names.<br />

Latest revision as of 08:44, 23 March 2021

Using the nmblookup utility to check the WAN IP Address of an OpenWRT router, discovered that it reported Samba ports as "filtered". Filtered means it won't respond, but the very fact it even detected it was a bit disconcerting. Especially given that this particular router had the Samba4 service configured such that it would only respond on a single internal LAN IP Address.

So as an extra safety measure added the following to the /etc/config/firewall file (and as usual, substitute the appropriate WAN IP Address(es) for W.X.Y.Z);

config rule
	option dest_port '135'
	option src 'wan'
	option name 'Samba_ALL_135'
	list dest_ip 'W.X.Y.Z'
	option target 'DROP'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'

config rule
	option dest_port '138'
	option src 'wan'
	option name 'Samba_ALL_138'
	list dest_ip 'W.X.Y.Z'
	option target 'DROP'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'

config rule
	option dest_port '139'
	option src 'wan'
	option name 'Samba_ALL_139'
	list dest_ip 'W.X.Y.Z'
	option target 'DROP'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'

config rule
	option dest_port '445'
	option src 'wan'
	option name 'Samba_ALL_445'
	list dest_ip 'W.X.Y.Z'
	option target 'DROP'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'

SPECIAL NOTE: When inserting the above rules, it was noticed that attempting to use the following directive it BROKE all rules that followed (as if it were a syntax error): list proto 'all' (proto 'all' was attempted to and also caused issues). It's as if list proto 'all' and proto 'all' is a syntax error, with the emphasis on 'all'. Changing it to specific protocols like 'tcp' and 'udp' (as shown in the above example) worked great. Lesson? Do NOT use 'all', instead use specific protocol names.