From: Mark Wooding Date: Mon, 7 Mar 2011 11:01:43 +0000 (+0000) Subject: vampire: Allow SMB from the untrusted network. X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/42e91fdf0e690e2e3869b597a1d50f8f6cb4c5f9 vampire: Allow SMB from the untrusted network. This lets the Wii get to the media library, which is nice. --- diff --git a/numbers.m4 b/numbers.m4 index da3ee59..8092e72 100644 --- a/numbers.m4 +++ b/numbers.m4 @@ -35,7 +35,11 @@ defport bootpc 68 defport finger 79 defport http 80 defport ident 113 +defport netbios_ns 137 +defport netbios_dgm 138 +defport netbios_ssn 139 defport https 443 +defport microsoft_ds 445 defport syslog 514 # UDP only! defport rsync 873 defport squid 3128 diff --git a/vampire.m4 b/vampire.m4 index d25bf49..18365be 100644 --- a/vampire.m4 +++ b/vampire.m4 @@ -64,6 +64,16 @@ for p in tcp udp; do -p $p --destination-port $port_dns done +## Allow smb and nmb to untrusted hosts. This is a bit experimental. +run iptables -A inbound -j ACCEPT \ + -s 172.29.198.0/24 \ + -p udp -m multiport --destination-ports \ + $port_netbios_ns,$port_netbios_dgm +run iptables -A inbound -j ACCEPT \ + -s 172.29.198.0/24 \ + -p tcp -m multiport --destination-ports \ + $port_netbios_ssn,$port_microsoft_ds + ## Provide syslog for evolution. run iptables -A inbound -j ACCEPT \ -s 172.29.198.2 \
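Review bot: In the numbers.m4 hunk, the four new `defport` lines carry no protocol note, although the existing `defport syslog 514 # UDP only!` line right beside them sets that convention. The vampire.m4 rules use `netbios_ns` and `netbios_dgm` only with `-p udp`, and `netbios_ssn` and `microsoft_ds` only with `-p tcp`, so a short comment on each definition (for example `# UDP` on 137 and 138, `# TCP` on 139 and 445) would stop a later rule from opening the wrong protocol by accident.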
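Review bot: In the vampire.m4 hunk, both new ACCEPT rules match `-s 172.29.198.0/24`, which opens SMB and NetBIOS to every host on the untrusted network, while the commit message names a single client (the Wii) and the syslog rule immediately below is scoped to one address, `-s 172.29.198.2`. Consider narrowing the source to the Wii's address in the same way, or, if the whole subnet is intended, saying so in the comment in place of "This is a bit experimental". Since the rules are described as experimental, it would also help to note which of the four ports the client was actually seen to need, so the unused ones can be dropped later.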