I finally managed to fully enable the firewall (Input+Output DROP) on all of my VMs, including a Samba AD DC and a Samba File Server.
Since the firewall macro "SMB" is not sufficient in this case, and because I didn't find an answer in the forums, here are the necessary directives:
Samba AD DC
Code:
OUT NTP(ACCEPT) -log nolog # External NTP sync
OUT ACCEPT -dest +domain_members -p udp -sport 137:138 -log nolog # NetBIOS Broadcast
OUT ACCEPT -dest +domain_members -p udp -dport 137:138 -log nolog # NetBIOS Answer
GROUP dns_apt_ssh_ntp # My standard VM firewall group: DNS out, Web (Apt-Mirror) out, NTP out, SSH in
IN ACCEPT -source +user_networks -p udp -dport 53 -log nolog # DNS
IN ACCEPT -source +user_networks -p tcp -dport 53 -log nolog # DNS
IN ACCEPT -source +domain_members -p udp -dport 88 -log nolog # Kerberos
IN ACCEPT -source +domain_members -p tcp -dport 88 -log nolog # Kerberos
IN ACCEPT -source +user_networks -p udp -dport 123 -log nolog # NTP
IN ACCEPT -source +domain_members -p tcp -dport 135 -log nolog # RPC endpoint mapper
IN ACCEPT -source +domain_members -p udp -dport 137:138 -log nolog # NetBIOS Request
IN ACCEPT -source +domain_members -p tcp -dport 139 -log nolog # NetBIOS Session
IN ACCEPT -source +user_networks -p udp -dport 389 -log nolog # LDAP
IN ACCEPT -source +user_networks -p tcp -dport 389 -log nolog # LDAP
IN ACCEPT -source +domain_members -p tcp -dport 445 -log nolog # SMB over TCP
IN ACCEPT -source +domain_members -p udp -dport 464 -log nolog # Kerberos password
IN ACCEPT -source +domain_members -p tcp -dport 464 -log nolog # Kerberos password
IN ACCEPT -source +user_networks -p tcp -dport 636 -log nolog # LDAPS
IN ACCEPT -source +domain_members -p tcp -dport 3268 -log nolog # Global Catalog
IN ACCEPT -source +domain_members -p tcp -dport 3269 -log nolog # Global Catalog SSL
IN ACCEPT -source +domain_members -p tcp -dport 49152:65535 -log nolog # Dynamic RPC (TCP, Samba default range; clients use an ephemeral source port, so no -sport)
Samba Fileserver
Code:
GROUP dns_apt_ssh_ntp -i net0 # My standard VM firewall group: DNS out, Web (Apt-Mirror) out, NTP out, SSH in
GROUP domain_members -i net0 # Necessary rules for all domain members, plus the following:
IN ACCEPT -i net0 -source +domain_members -p udp -dport 137:138 -log nolog # NetBIOS Request
IN ACCEPT -i net0 -source +domain_members -p tcp -dport 139 -log nolog # NetBIOS Session
IN ACCEPT -i net0 -source +domain_members -p tcp -dport 445 -log nolog # SMB over TCP
IN ACCEPT -i net0 -source +domain_members -p tcp -dport 49152:65535 -log nolog # Dynamic RPC (client source port is ephemeral, so no -sport)
IN Ceph(ACCEPT) -i net1 -source +vlan_ceph_p -log nolog # Samba shares are hosted on CephFS, therefore these last two rules
OUT Ceph(ACCEPT) -i net1 -dest +vlan_ceph_p -log nolog
Used groups
Code:
[group domain_members] # Traffic for Samba Domain Members
IN ACCEPT -source +domain_members -p udp -sport 137:138 -log nolog # NetBIOS Request
OUT ACCEPT -dest +samba_ad_dc -p udp -dport 53 -log nolog # DNS
OUT ACCEPT -dest +samba_ad_dc -p tcp -dport 53 -log nolog # DNS
OUT ACCEPT -dest +samba_ad_dc -p udp -dport 88 -log nolog # Kerberos
OUT ACCEPT -dest +samba_ad_dc -p tcp -dport 88 -log nolog # Kerberos
OUT ACCEPT -dest +samba_ad_dc -p udp -dport 123 -log nolog # NTP
OUT ACCEPT -dest +samba_ad_dc -p tcp -dport 135 -log nolog # RPC endpoint mapper
OUT ACCEPT -dest +domain_members -p udp -dport 137:138 -log nolog # NetBIOS Answer
OUT ACCEPT -dest +domain_members -p udp -sport 137:138 -log nolog # NetBIOS Broadcast
OUT ACCEPT -dest +domain_members -p tcp -dport 139 -log nolog # NetBIOS Session
OUT ACCEPT -dest +samba_ad_dc -p udp -dport 389 -log nolog # LDAP
OUT ACCEPT -dest +samba_ad_dc -p tcp -dport 389 -log nolog # LDAP
OUT ACCEPT -dest +domain_members -p tcp -dport 445 -log nolog # SMB over TCP
OUT ACCEPT -dest +samba_ad_dc -p udp -dport 464 -log nolog # Kerberos password
OUT ACCEPT -dest +samba_ad_dc -p tcp -dport 464 -log nolog # Kerberos password
OUT ACCEPT -dest +samba_ad_dc -p tcp -dport 636 -log nolog # LDAPS
OUT ACCEPT -dest +samba_ad_dc -p tcp -dport 3268 -log nolog # Global Catalog
OUT ACCEPT -dest +samba_ad_dc -p tcp -dport 3269 -log nolog # Global Catalog SSL
OUT ACCEPT -dest +domain_members -p tcp -dport 49152:65535 -log nolog # Dynamic RPC (client source port is ephemeral, so no -sport)
[group dns_apt_ssh_ntp] # Standard management tasks
OUT NTP(ACCEPT) -dest +ntp_servers -log nolog
OUT DNS(ACCEPT) -dest +dns_servers -log nolog
OUT Web(ACCEPT) -dest +apt_mirror -log nolog
IN SSH(ACCEPT) -source +admin_devices -log nolog
Used IP-Sets
Code:
[IPSET domain_members] # Members of the Samba Windows domain
172.16.10.xx # Machine 1
172.16.10.xy # Machine 2
172.16.10.yz # Host 3
172.16.10.255 # Broadcast VLAN 10, this is relevant for NetBIOS lookups
172.16.20.xx # Host 4
172.16.20.xy # Host 5
172.16.20.xz # Machine 6
172.16.20.255 # Broadcast VLAN 20, see above
172.16.20.yy # DC1
172.16.20.yz # Samba-Server
[IPSET user_networks] # VLANs with potential clients (LDAP, LDAPS, NTP, DNS)
172.16.10.0/24 # VLAN 10
172.16.20.0/24 # VLAN 20
[IPSET samba_ad_dc] # Domain Controller
172.16.20.yy # DC1
[IPSET dns_servers] # DNS servers
172.16.10.1 # Router
172.16.20.1 # Router
172.16.20.yy # DC1
[IPSET apt_mirror] # APT-Mirror
172.16.20.ab
[IPSET admin_devices] # Hosts with administrative tasks
172.16.10.abc # Desktop
172.16.10.def # Laptop
172.16.10.ghi # Ansible-VM
Hopefully someone can profit from this work!
Best regards
Marco
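Added example, not part of Marco's post or of Proxmox itself: a small Python lint for firewall text in the cluster.fw / <vmid>.fw style shown above. Before trusting an Input+Output DROP policy it is worth checking three things mechanically: every `+set` named in a `-source`/`-dest` is actually defined (the fileserver rules above reference `+vlan_ceph_p`, which is not among the listed IP sets), no inbound rule is pinned to a fixed low `-sport` that ordinary clients never use (a Dynamic RPC rule with `-sport 137` is the kind of rule this catches; NetBIOS 137/138 and NTP 123 are port-symmetric and are not flagged), and which source sets can reach which inbound ports once `GROUP` lines are expanded. The sample config and its addresses are constructed for the demo, and function names such as `pinned_sport_rules` are my own.

```python
"""Lint Proxmox VE firewall text: undefined IP sets, dead -sport rules,
and the inbound surface per source set.  Added example, not from the post."""
import re
from collections import defaultdict

# Constructed sample in the [IPSET]/[group]/[RULES] text format; invented hosts.
SAMPLE = """\
[IPSET domain_members]
172.16.10.11
172.16.20.255

[IPSET user_networks]
172.16.10.0/24

[group domain_members]
IN ACCEPT -source +domain_members -p udp -sport 137:138 -log nolog # NetBIOS
OUT ACCEPT -dest +samba_ad_dc -p tcp -dport 88 -log nolog         # Kerberos

[RULES]
IN ACCEPT -source +user_networks -p tcp -dport 389 -log nolog
IN ACCEPT -source +domain_members -p tcp -dport 49152:65535 -sport 137 -log nolog
IN Ceph(ACCEPT) -i net1 -source +vlan_ceph_p -log nolog
GROUP domain_members -i net0
"""

_SECTION = re.compile(r"\[(\w+)(?:\s+(\S+))?\]$")
_ACTION = re.compile(r"(?:(\w+)\()?(\w+)\)?$")   # ACCEPT or Macro(ACCEPT)


def parse_rule(line):
    """One rule line -> dict; a leading '|' marks the rule as disabled."""
    enabled = not line.startswith("|")
    tok = line.lstrip("|").split()
    rule = {"dir": tok[0].upper(), "enabled": enabled, "opts": {}}
    if rule["dir"] == "GROUP":
        rule["group"] = tok[1]
    else:
        m = _ACTION.match(tok[1])
        rule["macro"], rule["action"] = m.group(1), m.group(2).upper()
    rest = tok[2:]
    for i in range(0, len(rest), 2):            # options come as "-key value"
        rule["opts"][rest[i].lstrip("-")] = rest[i + 1] if i + 1 < len(rest) else ""
    return rule


def parse(text):
    """Return (ipsets, groups, rules); '#' starts a comment on any line."""
    ipsets, groups, rules = {}, {}, []
    section = name = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            section, name = m.group(1).lower(), m.group(2)
            if section == "ipset":
                ipsets.setdefault(name, [])
            elif section == "group":
                groups.setdefault(name, [])
            continue
        if section == "ipset":
            ipsets[name].append(line)
        elif section == "group":
            groups[name].append(parse_rule(line))
        elif section == "rules":
            rules.append(parse_rule(line))
    return ipsets, groups, rules


def _all_rules(groups, rules):
    return list(rules) + [r for rs in groups.values() for r in rs]


def undefined_ipsets(ipsets, groups, rules):
    """Names used as +set in -source/-dest that no [IPSET ...] defines."""
    used = set()
    for r in _all_rules(groups, rules):
        for key in ("source", "dest"):
            for part in r["opts"].get(key, "").split(","):
                if part.startswith("+"):
                    used.add(part[1:].split("/")[-1])   # strip +dc/ or +guest/ scope
    return sorted(used - set(ipsets))


def _port_range(spec):
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def pinned_sport_rules(groups, rules):
    """IN rules whose -sport is a fixed port below 1024 that does not overlap
    -dport: clients send from ephemeral ports, so the rule never matches."""
    flagged = []
    for r in _all_rules(groups, rules):
        o = r["opts"]
        if r["dir"] != "IN" or "sport" not in o or "dport" not in o:
            continue
        sp, dp = _port_range(o["sport"]), _port_range(o["dport"])
        if sp[1] < 1024 and not (sp[0] <= dp[1] and dp[0] <= sp[1]):
            flagged.append(r)
    return flagged


def inbound_exposure(groups, rules):
    """Map each -source to the proto/dport (or macro) it may reach on this
    guest, following GROUP lines into the group's own rule list."""
    expo = defaultdict(set)

    def walk(rs):
        for r in rs:
            if r["dir"] == "GROUP":
                walk(groups.get(r["group"], []))
            elif r["dir"] == "IN" and r["enabled"] and r["action"] == "ACCEPT":
                o = r["opts"]
                what = r["macro"] or f"{o.get('p', 'any')}/{o.get('dport', 'any')}"
                expo[o.get("source", "any")].add(what)

    walk(rules)
    return dict(expo)


if __name__ == "__main__":
    ipsets, groups, rules = parse(SAMPLE)
    print("undefined ipsets:", undefined_ipsets(ipsets, groups, rules))
    for r in pinned_sport_rules(groups, rules):
        print("dead -sport rule:", r["opts"])
    for src, ports in sorted(inbound_exposure(groups, rules).items()):
        print(f"{src:<18} may reach {sorted(ports)}")
```

Paste the real cluster.fw group and IP set sections plus the guest's rules into `SAMPLE` (or read them from the files) and run it on the Proxmox host; an undefined set or a dead `-sport` rule shows up before the first client fails to join the domain.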