OpenWRT Samba Scare on WAN

Wiki.TerraBase.info
Revision as of 20:00, 22 March 2021 by Root

Using the nmblookup utility to check the WAN IP Address of an OpenWRT router, I discovered that it reported Samba ports as "filtered". Filtered means it won't respond, but the very fact that it even detected it was a bit disconcerting, especially given that this particular router had the Samba4 service configured such that it would only respond on a single internal LAN IP Address.

So, as an extra safety measure, I added the following to the /etc/config/firewall file (as usual, substitute the appropriate WAN IP Address(es) for W.X.Y.Z):

# dest_port is only matched for protocols that carry port numbers, so each
# rule lists tcp and udp explicitly instead of 'all'.

# Drop WAN traffic to port 135
config rule
	option dest_port '135'
	option src 'wan'
	option name 'Samba_ALL_135'
	list dest_ip 'W.X.Y.Z'
	option target 'DROP'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'

# Drop WAN traffic to port 138
config rule
	option dest_port '138'
	option src 'wan'
	option name 'Samba_ALL_138'
	list dest_ip 'W.X.Y.Z'
	option target 'DROP'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'

# Drop WAN traffic to port 139
config rule
	option dest_port '139'
	option src 'wan'
	option name 'Samba_ALL_139'
	list dest_ip 'W.X.Y.Z'
	option target 'DROP'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'

# Drop WAN traffic to port 445
config rule
	option dest_port '445'
	option src 'wan'
	option name 'Samba_ALL_445'
	list dest_ip 'W.X.Y.Z'
	option target 'DROP'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'
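
To confirm on the router itself that Samba is bound only to the intended LAN address, as described at the top of this page, the listening sockets can be checked directly. The script below is an added example and not part of the original page. It assumes BusyBox-style `netstat -tuln` output; the function names, the LAN address 192.168.1.1 and the sample lines are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: report sockets on the page's Samba ports that are bound to
# anything other than the one LAN address Samba is supposed to use.

# Ports taken from the firewall rules on this page; override via SAMBA_PORTS.
SAMBA_PORTS="${SAMBA_PORTS:-135 138 139 445}"

# Reads `netstat -tuln` output on stdin. $1 = the only allowed bind address.
# Prints "proto address port" for every unexpected listener.
unexpected_samba_listeners() {
    awk -v lan="$1" -v ports="$SAMBA_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
            if (!(port in want)) next              # not a Samba-related port
            if ($1 ~ /^tcp/ && $NF != "LISTEN") next
            if (host == lan || host == "127.0.0.1" || host == "::1") next
            print $1, host, port                   # wildcard or foreign bind
        }'
}

# Constructed sample input (not captured from a real router).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:445         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 192.168.1.1:138         0.0.0.0:*
udp        0      0 0.0.0.0:138             0.0.0.0:*
tcp        0      0 :::445                  :::*                    LISTEN
EOF
}

# On the router: sh check_samba.sh <LAN-IP>  (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    netstat -tuln | unexpected_samba_listeners "$1"
fi
```

Any line printed means a socket on one of those ports is bound to a wildcard or non-LAN address, in which case the firewall rules above are the only thing keeping it off the WAN.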