Ok, I've added a separate entry for Samba Client in firewall_ng.
I just tested this pfix=ram on xslacko-4b1
Here are the rules that get written.
Code:
# allow netbios name resolution for Samba client
$IPT -A udp_inbound -p UDP -s 192.168.1.0/24 --source-port 137 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A udp_inbound -p UDP -s 192.168.1.0/24 --source-port 138 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 192.168.1.0/24 --source-port 139 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 192.168.1.0/24 --source-port 445 -m state --state NEW,ESTABLISHED -j ACCEPT
The subnet is worked out programmatically with an ip and route routine that should work if you are on a large network, even if it has been subnetted, but only for that subnet. I can't test that right now but if the busybox programs work as expected then there shouldn't be a problem.
Here is a small script demonstrating:
Code:
#!/bin/bash
# uses bashisms (process substitution)

# Pass 1: find the interface that carries the default route
iface=
while read -r dest gateway genmask flags metric ref use face; do
    case $dest in
        default) iface=$face ;;
    esac
done < <(busybox route)

# Pass 2: take the network address of the route on that interface
# (a second pass, so it no longer matters whether route lists the default first)
host=
while read -r dest gateway genmask flags metric ref use face; do
    [ "$face" = "$iface" ] || continue
    case $dest in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) host=$dest # very lazy regex
            break ;;
    esac
done < <(busybox route)

# Prefix length from the first inet line of that interface
sub=
while read -r inet subnet rest; do
    case $inet in
        inet) sub=${subnet#*/} && break ;;
    esac
done < <(busybox ip addr show $iface)

echo ${host}/${sub}
echo $iface
There is no checking just yet for not being connected so the variables will have null values if there is no connection. When I figure out the best way to handle this I'll upload it to woof-ce.
EDIT - fixed by way of a popup explaining that the firewall will need to be reconfigured after establishing a network connection.
Attached is the latest firewall_ng script with above improvements. This one also has the button for adding custom rules.
Thanks for your help rg66.
----
gcmartin wrote: My subnet is 23, NOT 24 on an ipv4 network.
Well you are a prime candidate to test the new script then.
Should pick up whatever subnet and host address (which, for the benefit of others, isn't always xxx.xxx.xxx.0).
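An added example, not code from the post or from firewall_ng, covering both the subnet routine above and the /23 case gcmartin raises. It is written in POSIX sh rather than bash, parses text handed to it instead of running `busybox route` and `busybox ip addr show` live (SAMPLE_ROUTE and SAMPLE_IPADDR are constructed stand-ins for that output), derives the network address by masking off the host bits so a /23 gives the right .0 or .2 boundary, returns non-zero when there is no default route (the "not connected" case the post mentions), and prints the same four rules in the form firewall_ng writes them:

```shell
#!/bin/sh
# Added example (not firewall_ng code): work out the LAN network/prefix from
# route and ip output, then emit the Samba client rules for that network.

# Constructed sample output standing in for `busybox route` and
# `busybox ip addr show`; a /23 network, so the host is not on a .0 boundary.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.254.0   U     0      0        0 eth0
default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0'

SAMPLE_IPADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.77/23 brd 192.168.3.255 scope global eth0
       valid_lft forever preferred_lft forever'

# default_iface ROUTE_TEXT: print the interface of the default route ("" if none)
default_iface() {
    iface=
    while read -r dest gateway genmask flags metric ref use face; do
        if [ "$dest" = default ]; then iface=$face; fi
    done <<EOF
$1
EOF
    printf '%s\n' "$iface"
}

# iface_cidr IFACE IPADDR_TEXT: print HOST/PREFIX from the first inet line whose
# trailing field is IFACE (so filtered or unfiltered ip output both work)
iface_cidr() {
    cidr=
    while read -r kw addr rest; do
        if [ "$kw" = inet ] && [ -z "$cidr" ] && [ "${rest##* }" = "$1" ]; then
            cidr=$addr
        fi
    done <<EOF
$2
EOF
    printf '%s\n' "$cidr"
}

# network_of HOST/PREFIX: print NETWORK/PREFIX by masking off the host bits
# (192.168.2.77/23 -> 192.168.2.0/23, 10.1.3.5/23 -> 10.1.2.0/23); return 1 on bad input
network_of() {
    ip=${1%/*}; prefix=${1#*/}
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    IFS=. read -r a b c d <<EOF
$ip
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    n=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    net=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}

# lan_network ROUTE_TEXT IPADDR_TEXT: print NETWORK/PREFIX; return 1 when there
# is no default route or no address on that interface (the "not connected" case)
lan_network() {
    iface=$(default_iface "$1")
    [ -n "$iface" ] || return 1
    cidr=$(iface_cidr "$iface" "$2")
    [ -n "$cidr" ] || return 1
    network_of "$cidr"
}

# samba_client_rules NETWORK/PREFIX: print the rules in the form firewall_ng writes
samba_client_rules() {
    printf '%s\n' '# allow netbios name resolution for Samba client'
    for spec in udp:137 udp:138 tcp:139 tcp:445; do
        proto=${spec%:*}; port=${spec#*:}
        case $proto in udp) P=UDP ;; tcp) P=TCP ;; esac
        printf '%s\n' "\$IPT -A ${proto}_inbound -p $P -s $1 --source-port $port -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
}

# Demo on the constructed sample; a real run would feed `busybox route` and
# `busybox ip addr show` output instead.
if net=$(lan_network "$SAMPLE_ROUTE" "$SAMPLE_IPADDR"); then
    samba_client_rules "$net"
else
    echo "no network connection yet: reconfigure the firewall once connected" >&2
fi
```

With the sample above the demo prints rules for 192.168.2.0/23; swapping in a host of 10.1.3.5/23 gives 10.1.2.0/23, which is the case a "last octet is 0" assumption gets wrong. Because lan_network fails cleanly when no default route is present, a caller can skip writing the Samba rules and fall back to the "reconfigure after connecting" popup instead of writing rules with empty fields.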