OpenWRT Samba Scare on WAN

Revision as of 08:44, 23 March 2021 by Root (talk | contribs)

Using the nmblookup utility to check the WAN IP address of an OpenWRT router, it was discovered that the Samba ports were reported as "filtered". "Filtered" means the port does not respond at all, but the very fact that the ports were detected was a bit disconcerting, especially since this particular router had the Samba4 service configured to respond only on a single internal LAN IP address.

So, as an extra safety measure, the following rules were added to the /etc/config/firewall file (as usual, substitute the appropriate WAN IP address(es) for W.X.Y.Z):

config rule
	option dest_port '135'
	option src 'wan'
	option name 'Samba_ALL_135'
	list dest_ip 'W.X.Y.Z'
	option target 'DROP'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'

config rule
	option dest_port '138'
	option src 'wan'
	option name 'Samba_ALL_138'
	list dest_ip 'W.X.Y.Z'
	option target 'DROP'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'

config rule
	option dest_port '139'
	option src 'wan'
	option name 'Samba_ALL_139'
	list dest_ip 'W.X.Y.Z'
	option target 'DROP'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'

config rule
	option dest_port '445'
	option src 'wan'
	option name 'Samba_ALL_445'
	list dest_ip 'W.X.Y.Z'
	option target 'DROP'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'

SPECIAL NOTE: When inserting the above rules, it was noticed that using the directive list proto 'all' BROKE every rule that followed it, as if it were a syntax error (option proto 'all' was also tried and caused the same problem). It behaves as though list proto 'all' and option proto 'all' are syntax errors, with the emphasis on 'all'. Changing it to specific protocols such as 'tcp' and 'udp' (as shown in the example above) worked fine. Lesson? Do NOT use 'all'; use specific protocol names instead.
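To avoid hand-editing the repetitive blocks above, the following added shell script (not from the original page) generates the same DROP rules as a uci batch script for any list of ports and a WAN IP, using explicit tcp and udp entries, and lints an existing /etc/config/firewall for the proto 'all' form that the note describes as breaking the rules that follow it. The function names samba_wan_rules and lint_proto_all are my own; the rule field names match the configuration above.

```shell
#!/bin/sh
# Added example (not from the original page): emit the Samba WAN drop rules as
# a `uci batch` script instead of hand-editing /etc/config/firewall, and check
# an existing firewall config for `proto 'all'`, which the page reports as
# silently breaking every rule after it.

# samba_wan_rules "PORT PORT ..." WAN_IP
# Prints a uci batch script that adds one rule per port, mirroring the fields
# used on the page: src wan, dest_ip <WAN_IP>, target DROP, family ipv4, and
# explicit tcp + udp protocol entries (never 'all').
samba_wan_rules() {
    ports="$1"
    wan_ip="$2"
    for port in $ports; do
        printf 'add firewall rule\n'
        printf 'set firewall.@rule[-1].name=Samba_ALL_%s\n' "$port"
        printf 'set firewall.@rule[-1].src=wan\n'
        printf 'set firewall.@rule[-1].dest_port=%s\n' "$port"
        printf 'add_list firewall.@rule[-1].dest_ip=%s\n' "$wan_ip"
        printf 'set firewall.@rule[-1].target=DROP\n'
        printf 'set firewall.@rule[-1].family=ipv4\n'
        printf 'add_list firewall.@rule[-1].proto=tcp\n'
        printf 'add_list firewall.@rule[-1].proto=udp\n'
    done
    printf 'commit firewall\n'
}

# lint_proto_all FILE
# Returns 0 when no rule in FILE uses proto 'all' (either `list proto 'all'`
# or `option proto 'all'`); returns 1 and prints the offending lines otherwise.
lint_proto_all() {
    grep -nE "^[[:space:]]*(list|option)[[:space:]]+proto[[:space:]]+'?all'?[[:space:]]*$" "$1" \
        && return 1
    return 0
}

# Usage on the router (kept as comments so this file can be sourced offline):
#   samba_wan_rules "135 138 139 445" W.X.Y.Z | uci batch && /etc/init.d/firewall reload
#   lint_proto_all /etc/config/firewall || echo "proto 'all' found: use tcp/udp instead"
```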