Posted by: reformedmusings | May 22, 2010

Firestarter firewall settings with Samba and Ubuntu Lucid 10.04 LTS

In my previous post, I talked about how to set up network sharing with Samba and Ubuntu Lucid 10.04 LTS. That post got too long, so I didn’t get to the accompanying firewall setup. The default firewall in Linux is iptables, which by default is managed by Uncomplicated Firewall – or ufw. Despite the name, ufw is anything but uncomplicated. There’s a GUI to manage it in Gnome called gufw, but I am not impressed with it. Instead, I chose Firestarter, which truly makes it easy to set up the ufw. I talked a little about Firestarter in this post on printer sharing. I’ve learned a lot more about its options while working with network file sharing.

Firestarter may be installed from Synaptic or the terminal:

sudo aptitude install firestarter

Firestarter runs as a system daemon. That means that when you close the GUI that allows you to setup the firewall, the firewall keeps running. That’s what you’d hope and expect.

When you execute firestarter, the GUI comes up:

It turned out that supporting network file sharing had more to it than just opening the Samba ports. But Firestarter helps by providing your active connections at the bottom of the Status window, plus the Events log tab. Also, the Events section near the top of the Status window warns when Serious events occur. Two show in red in the screenshot below.

After attempting a number of connections, the Events tab provided some useful leads:

I have no idea why SNMP showed up, as I don’t explicitly use it. The laptop apparently wanted to use SNMP though, so I put it on the list to enable. The other entries all showed ports in a range that didn’t mean a thing to me or to most web sources. But in researching the ports, I came across a great list on Wikipedia. There I found that these high ports are used by Linux distros, and you can check your own distro’s use of these ports from the terminal:

cat /proc/sys/net/ipv4/ip_local_port_range

This returned the range 32768 to 61000 for Lucid. So, I added this range to the Policy tab because the event log showed Lucid makes frequent use of the range. That helped, but still didn’t solve the problem of finding the network shares with the firewall active. At this point I had the Samba range of 137-139 and 445, the SNMP ports 161-162, the CUPS port of 631, the Activesync ports, plus the upper private range of Ubuntu enabled. I was running out of ports to choose, although I tried ones that made sense for hours. After deciding that there must be more to this situation, I moved to the Firestarter Preferences from the Status tab. I found the Firestarter online documentation very helpful.

First the Firewall:

I have it set to start and restart automatically. That seemed prudent. Next the Network Settings:

I’m not using Internet connection sharing and don’t need DHCP locally. The router takes care of the latter detail and the laptop has its own Internet connection through the router. Next ICMP:

I tried turning off the ICMP filtering, but it didn’t make any difference. So, I enabled it because I don’t need it and it’s always best to disable whatever you don’t need. If I need to ping something or trace a route on the web, I’ll have to enable those packet types.

I don’t need ToS Filtering, so I left that off. The Advanced Options:

Error packets should be dropped silently to facilitate stealth on the network. This helps one’s invisibility to potential intruders. I initially had all Broadcast traffic blocked, both external and internal. The last change that I made was to enable one, then both. That solved the network sharing issues! After enabling both broadcasts, the laptop and smartphone were able to find and connect to the network shares.

So, the screens above represent my final, successful settings along with my policy list:

So now I have network file sharing with Samba, print sharing with CUPS, Activesync in a WinXP virtual machine, and Ubuntu with its high, private ports all purring along with the firewall active. I’m a very happy camper indeed.
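The following is an added example, not code from the original post and not generated by Firestarter. It turns the policy described above (Samba ports 137-139 and 445, CUPS on 631, the ephemeral range read from /proc/sys/net/ipv4/ip_local_port_range, and the broadcast traffic that had to be allowed before shares were found) into an equivalent iptables rule set, printed rather than applied so it can be reviewed first. The LAN subnet 192.168.1.0/24 is an assumed placeholder, and the ephemeral range is fed in from a constructed sample rather than read from the live system. It departs from the post in one respect: instead of opening the whole 32768-61000 range inbound, it relies on a stateful ESTABLISHED,RELATED rule, which accepts replies to connections this host started on any ephemeral port without exposing that range to new inbound connections.

```shell
#!/bin/sh
# Added example, not part of the original post or of Firestarter itself.
# Prints (does not apply) an iptables rule set for the post's policy:
# Samba, CUPS, NetBIOS broadcasts, and a stateful rule covering replies
# on the ephemeral range. LAN_NET is an assumed placeholder subnet.

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumption: adjust to your own LAN

# Read "low high" in the format of /proc/sys/net/ipv4/ip_local_port_range
# from stdin and print it as an iptables port range "low:high".
ephemeral_range() {
    read -r low high
    printf '%s:%s\n' "$low" "$high"
}

# Rules for file and print sharing, restricted to the LAN rather than "any".
sharing_rules() {
    lan="$1"
    printf 'iptables -A INPUT -s %s -p udp --dport 137:138 -j ACCEPT\n' "$lan"  # NetBIOS name/datagram
    printf 'iptables -A INPUT -s %s -p tcp --dport 139 -j ACCEPT\n' "$lan"      # NetBIOS session
    printf 'iptables -A INPUT -s %s -p tcp --dport 445 -j ACCEPT\n' "$lan"      # SMB over TCP
    printf 'iptables -A INPUT -s %s -p tcp --dport 631 -j ACCEPT\n' "$lan"      # CUPS
}

# Allow NetBIOS name-query and browse broadcasts, which a "block broadcast
# traffic" policy otherwise drops; these are what lets clients find shares.
broadcast_rules() {
    printf 'iptables -A INPUT -p udp --dport 137:138 -m addrtype --dst-type BROADCAST -j ACCEPT\n'
}

# Accept only packets belonging to a connection this host started; the
# ephemeral range is printed as a comment to show what that rule covers.
state_rules() {
    range="$1"
    printf '# ephemeral range %s is covered by the stateful rule below\n' "$range"
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# Full rule set for a given ephemeral range string, ending in a default drop.
full_ruleset() {
    sharing_rules "$LAN_NET"
    broadcast_rules
    state_rules "$1"
    printf 'iptables -P INPUT DROP\n'
}

# Constructed sample standing in for the Lucid value the post reports.
SAMPLE_RANGE="$(printf '32768\t61000\n' | ephemeral_range)"
full_ruleset "$SAMPLE_RANGE"
```

On a real host you would replace the constructed sample with `ephemeral_range < /proc/sys/net/ipv4/ip_local_port_range`, read the printed rules, and only then pipe them to a root shell. Because every Samba and CUPS rule carries `-s $LAN_NET`, a mistake in LAN_NET fails closed (shares become unreachable) rather than open.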


Responses

  1. wow thank you!
    Available smb (Snmp 116-162)

