Osmc / smb and ufw firewall

I’ve installed ufw because recently I saw some activity on my Pi that I didn’t like.
I’ve set it up correctly and did my best to open the SMB ports the way they should be… but when ufw is activated I can’t get the Pi to browse my PC’s shared folders. I have to disable it, grab what I want and then enable it again.
Has anyone here managed to get SMB working with ufw enabled?
My rules are:

To                         Action      From
--                         ------      ----

137/tcp                    ALLOW IN    192.168.1.0/24
138/tcp                    ALLOW IN    192.168.1.0/24
139/tcp                    ALLOW IN    192.168.1.0/24
445/tcp                    ALLOW IN    192.168.1.0/24
137/udp                    ALLOW IN    192.168.1.0/24
138/udp                    ALLOW IN    192.168.1.0/24
139/udp                    ALLOW IN    192.168.1.0/24
464/tcp                    ALLOW IN    192.168.1.0/24
636/tcp                    ALLOW IN    192.168.1.0/24
1024/tcp                   ALLOW IN    192.168.1.0/24
5000/tcp                   ALLOW IN    192.168.1.0/24
3268/tcp                   ALLOW IN    192.168.1.0/24
3269/tcp                   ALLOW IN    192.168.1.0/24
5353/tcp                   ALLOW IN    192.168.1.0/24
137,138/udp (CIFS)         ALLOW IN    Anywhere
139,445/tcp (CIFS)         ALLOW IN    Anywhere
137,138/udp (CIFS (v6))    ALLOW IN    Anywhere (v6)
139,445/tcp (CIFS (v6))    ALLOW IN    Anywhere (v6)

My PC is located within 192.168.1.0/24 and of course has a static IP.

Error in logs:

ERROR: SMBDirectory->GetDirectory: Unable to open directory : 'smb://USERNAME:PASSWORD@SANDBIRD/Files'
                       unix_err:'16' error : 'Invalid argument'
ERROR: GetDirectory - Error getting smb://SANDBIRD/Files/
ERROR: CGUIDialogFileBrowser::GetDirectory(smb://SANDBIRD/Files/) failed

Where it says USERNAME:PASSWORD, I didn’t replace the info… it actually says username:password.

Perhaps I’ve misread, but it seems like the PC is acting as the SMB server and the Pi is the client. However, your UFW configuration appears to be for a server, i.e. it restricts incoming traffic to certain ports. So is this configuration for the Pi or for the PC?

Keep in mind most people use iptables.
You might find few responses re. UFW here. Best ask on a forum that can better serve these queries.

I set up ufw on the Pi, to protect the Pi, but I share music, movies, etc. from my PC to the local network.
When ufw is enabled on the Pi, I can’t read the mapped folder I have from my shared folder on my PC (File Explorer).
If I disable ufw, I can read it. I copy/pasted my settings just to show how I set up my ufw.
Vice versa it works fine… from my PC I can access the SMB files on the Pi when ufw is active.

I did find a forum post with exactly the same problem (but from an Ubuntu setup <–> Pi with OSMC), but the fix he did didn’t work for me. So I thought I’d give it a try here… maybe someone else had ufw installed and it was working fine.

Could you be a bit more specific? Do you simply want to disable all incoming traffic, excluding port 22 (SSH), going to the Pi?

So it seems that the PC (unspecified OS) is the server, in which case allowing the SMB-related ports is not applicable to the Pi and they shouldn’t be in the UFW configuration.

Have you also set a default rule for incoming and outgoing traffic? That information wasn’t included in your first post.

Yeah, I want to disable everything incoming besides port 80 and one port for Transmission that I need open ‘to the world’… and allow just a set of rules for incoming connections from within my LAN. I opened the SMB ports on the Pi because it has an external HD on it that I need to access from other PCs within my LAN.
I haven’t set up anything else besides these ports and a tweak I did to the /etc/default/ufw file, enabling the netbios parameter in it:
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc nf_conntrack_netbios_ns"

My PC is a Win10 64-bit.

The problem is that with ufw enabled my Pi can’t connect to shared folders from PCs in the LAN. Add-ons work fine… everything else can ‘get through’.

I’m all for keeping things simple, where possible. If you really do have something nasty lurking on the LAN side of your gateway/router then it’s pretty much game over, TBH.

I can’t answer your specific problem but I can offer a method for troubleshooting the issue, which is to start small and make incremental changes. At each stage test and either proceed to the next stage or roll back and figure out what went wrong.

I’d personally just start out with something like:

default allow outgoing
default deny incoming
allow from 192.168.1.0/24

UFW also allows logging (ufw logging on), so you should be able to have a better idea of what is (or isn’t) happening.

Edit: Removed incorrect info re. incoming IP address.

I had port 22 open, because I like to have a Linux system available when I am outside :stuck_out_tongue:, but one day I noticed some weird logs in my Event Viewer in Windows coming from the Pi. My root and osmc user passwords are uncrackable, so I guess they managed to get through via an add-on(?) or god knows what. Once they gained access to the Pi, they started poking around the LAN.
So I installed ufw, allowed only port 80 because I run some PHP scripts… but that’s about it… I am only port forwarding port 80 to the Pi. I keep regular checks on my Apache logs, and so far it seems things are looking good there. My only problem was that the Pi didn’t have access now to the LAN PCs.
But…
default allow outgoing and
allow from 192.168.1.0/24 seems to have done the trick.
Now i can access my shared folders.
Thanks!!

PS: I had logging on, and I can see attacks getting blocked by ufw. I don’t know how they are reaching my Pi, since everything is blocked from my router, UPnP disabled and all that, not to mention that I also have a dynamic IP, but what can I say… I am a popular guy :stuck_out_tongue:

I guess default allow outgoing solved your problem and allow from 192.168.1.0/24 is not actually needed. You would, however, need a rule to allow DHCP from the router unless you use a static IP on the Pi.

What is the source IP and target Port?
I guess it would be the dynamic ports for Transmission.

What you describe doesn’t look good. As @fzinken has said, what’s the source of these attacks since, AFAICT, the only port that’s being forwarded to the Pi from your router is 80?

Also remember, that the UFW configuration I suggested was just a starting point.

They could all be for port 80. I am using the Pi for its crontab, to do various things (Cloudflare, ping servers to see if they are online, etc.). Maybe these servers are trying to see ‘who I am’, requesting things every 2 minutes.
Some IPs that I traced link back to SpeedGuide, hosters in the States etc., and most of the logs appear after a crontab was executed… so I wouldn’t worry too much about them.
Worst case scenario I’ll install fail2ban and firewall-cmd, although I am pretty sure ufw gets the job done so far.
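One way to answer the "what is the source IP and target port" question from ufw's own log, added here as an example (it is not code from anyone in this thread or from OSMC): with logging on, ufw writes every dropped packet as a `[UFW BLOCK]` line, in /var/log/ufw.log and syslog, carrying SRC, DST, PROTO and DPT fields. The script below reads such lines on stdin and counts blocked packets per source address and destination port, so a crawler repeatedly hitting port 80 can be told apart from something probing port 22, and blocked packets that originate inside the LAN (which is supposed to be the trusted side) can be pulled out separately. The log lines embedded in it are constructed for the example and use RFC 5737 documentation addresses; on a real box run `block_summary < /var/log/ufw.log` instead.

```shell
#!/bin/sh
# Added example, not from the thread: summarise "[UFW BLOCK]" lines by source
# address and destination port. Reads log lines on stdin.

# Constructed sample in the format ufw writes to /var/log/ufw.log.
# Source addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG='Mar 12 10:01:02 osmc kernel: [12345.678901] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:12:34:56:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=45632 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 12 10:01:05 osmc kernel: [12348.111111] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:12:34:56:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=45633 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 12 10:02:30 osmc kernel: [12430.222222] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:12:34:56:00:11:22:33:44:55:08:00 SRC=198.51.100.23 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=30142 DF PROTO=TCP SPT=51234 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 12 10:03:11 osmc kernel: [12471.333333] [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:12:34:56:00:11:22:33:44:55:08:00 SRC=192.168.1.33 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4412 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 12 10:04:00 osmc kernel: [12520.444444] [UFW ALLOW] IN=eth0 OUT= MAC=b8:27:eb:12:34:56:00:11:22:33:44:55:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2113 DF PROTO=TCP SPT=50000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0'

# block_summary: one line per (source, port, protocol) seen in blocked packets,
# as "count SRC DPT PROTO", most frequent first. ALLOW lines are ignored.
block_summary() {
    grep '\[UFW BLOCK\]' |
    awk '{
        src = ""; dpt = ""; proto = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5);
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5);
            if ($i ~ /^PROTO=/) proto = substr($i, 7);
        }
        if (src != "") count[src " " dpt " " proto]++;
    }
    END { for (k in count) print count[k], k }' |
    sort -rn
}

# by_source: total blocked packets per source address, busiest first.
# A source that appears with many different ports is a scanner, not a crawler.
by_source() {
    block_summary | awk '{ total[$2] += $1 } END { for (s in total) print total[s], s }' | sort -rn
}

# blocks_from_lan: blocked packets whose source starts with the given prefix
# (e.g. 192.168.1.). Anything here is a LAN host talking to the Pi on a port
# you never opened, which is worth a look given the story in this thread.
blocks_from_lan() {
    block_summary | awk -v prefix="$1" '$2 ~ ("^" prefix)'
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | block_summary
```

Reading the output: the two lines from 203.0.113.7 to port 22 are a login probe against a port the router does not forward, the 445 attempt is background scanning, and the LAN entry (192.168.1.33 to port 23) is the only one a home user should actually investigate.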

Hi Sandbird,

I use this configuration on a different system to allow the Apache server from anywhere and SMB only internally:

# SSH from Local
ufw allow from $HOST_SUFFIX to any port ssh

# VNC from Local
ufw allow from $HOST_SUFFIX to any port 5900

# SAMBA from Local
ufw allow proto udp from $HOST_SUFFIX to any port 137,138
ufw allow proto tcp from $HOST_SUFFIX to any port 135,139,445

# WEBSERVER from Anywhere
ufw allow 'WWW Full'

ufw default deny incoming

$HOST_SUFFIX is something like 192.168.1.0/24, and SSH and VNC are also internal only.
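Putting the incremental approach suggested earlier (default deny incoming, default allow outgoing, then LAN exceptions, with logging on) and the rule set just posted together, here is a complete ufw rule set for the situation in this thread, written as an added example; it is not code from the thread or from OSMC. Assumptions: the LAN is 192.168.1.0/24, port 80 is the only port the router forwards apart from a Transmission port (51413 is a placeholder, the thread never gives the real number), SSH and the Pi's own Samba share of the external disk are wanted from the LAN only, and the Pi needs no inbound rule to act as an SMB client towards the PC, because ufw's stock before.rules already accept RELATED,ESTABLISHED replies to connections the Pi opens. The script prints the commands instead of running them unless APPLY=1 is set, so the list can be reviewed before it touches the firewall.

```shell
#!/bin/sh
# Added example, not from the thread: ufw rule set for a Pi that serves
# Apache (and Transmission) to the internet and SSH/Samba to the LAN only.
# Dry-run by default; APPLY=1 runs the ufw commands for real (as root).

LAN="${LAN:-192.168.1.0/24}"                       # assumption: the LAN in this thread
TRANSMISSION_PORT="${TRANSMISSION_PORT:-51413}"   # placeholder, not given in the thread

# ufw_cmd: run ufw, or just print the command line in dry-run mode.
ufw_cmd() {
    if [ "${APPLY:-0}" = "1" ]; then
        ufw "$@"
    else
        echo "ufw $*"
    fi
}

# ruleset: the rules in the order they should be applied. The defaults come
# first so every allow rule below is an exception to "deny incoming".
# Outgoing stays allowed, which is all the Pi needs to reach the PC's shares
# as a client; the 137-139/445 rules exist only because the Pi also serves
# its own external disk to the LAN.
ruleset() {
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
    # LAN-only services: SSH and the Pi's own Samba share
    ufw_cmd allow from "$LAN" to any port 22 proto tcp
    ufw_cmd allow from "$LAN" to any port 137,138 proto udp
    ufw_cmd allow from "$LAN" to any port 139,445 proto tcp
    # Internet-facing services: only what the router actually forwards
    ufw_cmd allow 80/tcp
    ufw_cmd allow "$TRANSMISSION_PORT"/tcp
    # "low" logs blocked packets only, enough to see who is knocking
    ufw_cmd logging low
    ufw_cmd --force enable
}

# lan_only_rules: the allow rules that carry a LAN source; review this list
# to make sure nothing LAN-only slipped into the world-facing group.
lan_only_rules() {
    ruleset | grep "from $LAN"
}

# world_rules: allow rules with no source restriction. Compare this list with
# the router's port-forward table: anything forwarded but missing here is
# blocked, anything here but not forwarded is unreachable from outside anyway.
world_rules() {
    ruleset | grep "^ufw allow " | grep -v "from "
}

ruleset
```

Apply with `APPLY=1 sh ufw-rules.sh` as root and confirm the result with `ufw status verbose`. Two details the thread touches on: browsing a share by NetBIOS name sends a name query to the broadcast address on UDP 137 and the answer comes back unicast from the PC, and conntrack only treats that answer as RELATED when the netbios_ns helper is active, which is one reason a LAN-wide allow rule can matter for a client even though SMB itself needs no inbound rule. DHCP client replies (UDP source port 67, destination 68) are accepted by ufw's stock before.rules, so a Pi on DHCP needs no extra rule for them.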

Yeah, that’s what I did, but I did all the ports one by one, and just used port 80 for the www.
Didn’t want to risk it.