For the past year, I just kind of hacked along with small things with firewalld. But now I am configuring a Samba AD and that means lots of rules. See:
https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
I am trying really hard to stay with firewalld services and only do ports where I have to.
So right away I see a few things:
Why is the ldap service tcp only?
# cat /usr/lib/firewalld/services/ldap.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>LDAP</short>
  <description>Lightweight Directory Access Protocol (LDAP) server</description>
  <port protocol="tcp" port="389"/>
</service>
Seems this should also include udp.
Whereas mDNS is the flip. It has udp, but should also include tcp.
Both of these I CAN handle with add-port, but wonder if the service rule is really set up wrong. One would expect these two services to be open for both udp and tcp, not one or the other.
Finally, I am supposed to enable "Dynamic RPC ports", which is 1024-5000, and I cannot find any guidance on setting that one up.
Otherwise, an interesting service and one I am slooooowly learning.
thanks
On 08/27/2015 10:28 AM, Robert Moskowitz wrote:
For the past year, I just kind of hacked along with small things with firewalld. But now I am configuring a Samba AD and that means lots of rules. See:
https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
I am trying really hard to stay with firewalld services and only do ports where I have to.
So right away I see a few things:
Why is the ldap service tcp only?
# cat /usr/lib/firewalld/services/ldap.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>LDAP</short>
  <description>Lightweight Directory Access Protocol (LDAP) server</description>
  <port protocol="tcp" port="389"/>
</service>
Seems this should also include udp.
Whereas mDNS is the flip. It has udp, but should also include tcp.
Further checking on mDNS shows Avahi only listening on udp, so that one is not so much a concern. Other than that, udp IS a defined protocol for mDNS.
Both of these I CAN handle with add-port, but wonder if the service rule is really set up wrong. One would expect these two services to be open for both udp and tcp, not one or the other.
Finally, I am supposed to enable "Dynamic RPC ports", which is 1024-5000, and I cannot find any guidance on setting that one up.
Otherwise, an interesting service and one I am slooooowly learning.
thanks
firewalld-users mailing list firewalld-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
Hello Robert,
On 08/27/2015 04:44 PM, Robert Moskowitz wrote:
On 08/27/2015 10:28 AM, Robert Moskowitz wrote:
For the past year, I just kind of hacked along with small things with firewalld. But now I am configuring a Samba AD and that means lots of rules. See:
https://wiki.samba.org/index.php/Samba_AD_DC_port_usage
I am trying really hard to stay with firewalld services and only do ports where I have to.
So right away I see a few things:
Why is the ldap service tcp only?
# cat /usr/lib/firewalld/services/ldap.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>LDAP</short>
  <description>Lightweight Directory Access Protocol (LDAP) server</description>
  <port protocol="tcp" port="389"/>
</service>
Seems this should also include udp.
Please have a look at http://www.openldap.org/doc/admin24/security.html#IP%20Firewall. It lists 389/tcp for ldap and 636/tcp for ldaps.
I think I read something that Microsoft is using 389/udp, though. Are you using OpenLDAP?
It should be possible to enable 389/udp also in the service if this is needed.
Whereas mDNS is the flip. It has udp, but should also include tcp.
Further checking on mDNS shows Avahi only listening on udp, so that one is not so much a concern. Other than that, udp IS a defined protocol for mDNS.
Both of these I CAN handle with add-port, but wonder if the service rule is really set up wrong. One would expect these two services to be open for both udp and tcp, not one or the other.
Finally, I am supposed to enable "Dynamic RPC ports", which is 1024-5000, and I cannot find any guidance on setting that one up.
Otherwise, an interesting service and one I am slooooowly learning.
thanks
Regards, Thomas
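One way to cover both points Robert raises (389/udp missing from the stock ldap service, and the 1024-5000 dynamic RPC range) without a pile of add-port calls is a custom service definition dropped next to the stock ones. This is an added example, not code from the thread or from the firewalld project; the service name samba-dc is an assumption, 5353/udp for mDNS and 636/tcp for ldaps are well-known values, and the port list is deliberately limited to what the thread discusses, so the remaining entries from the Samba AD DC port list should be appended before use.

```shell
#!/bin/sh
# Added example (not from the thread): build a custom firewalld service that
# covers the gaps discussed, instead of many --add-port calls.
# Port list limited to what the thread mentions; append the rest of the
# Samba AD DC ports from the wiki page before use. Service name samba-dc
# is assumed (any name not already under /usr/lib/firewalld/services/ works).

# "port/proto" tokens; a range is written low-high, which <port> accepts.
SAMBA_DC_PORTS="389/tcp 389/udp 636/tcp 5353/udp 1024-5000/tcp"

# Print a firewalld service XML for the given port tokens to stdout.
# usage: samba_dc_service_xml [port/proto ...]   (defaults to SAMBA_DC_PORTS)
samba_dc_service_xml() {
    [ $# -gt 0 ] || set -- $SAMBA_DC_PORTS
    printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<service>'
    printf '  <short>%s</short>\n' 'Samba AD DC'
    printf '  <description>%s</description>\n' \
        'Samba Active Directory domain controller (constructed example)'
    for spec in "$@"; do
        port=${spec%/*}; proto=${spec#*/}
        case $proto in
            tcp|udp) ;;
            *) echo "bad protocol in '$spec'" >&2; return 1 ;;
        esac
        printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
    done
    printf '%s\n' '</service>'
}

# Write the service file into a firewalld services directory.
# usage: write_samba_dc_service [dir]   (default /etc/firewalld/services)
write_samba_dc_service() {
    dir=${1:-/etc/firewalld/services}
    mkdir -p "$dir" && samba_dc_service_xml > "$dir/samba-dc.xml"
}

# Check that a generated file declares the given port/proto.
# usage: service_has_port file port proto
service_has_port() {
    grep -qF "<port protocol=\"$3\" port=\"$2\"/>" "$1"
}

# Activation on the DC, as root (not executed by this script):
#   write_samba_dc_service
#   firewall-cmd --reload                        # picks up the new definition
#   firewall-cmd --permanent --add-service=samba-dc
#   firewall-cmd --reload
#   firewall-cmd --list-services                 # verify samba-dc is listed
```

Files under /etc/firewalld/services/ override or extend the stock ones in /usr/lib/firewalld/services/, so the same approach works for adding 389/udp to a copy of ldap.xml if you prefer to keep the stock service name.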