vampire: Allow SMB from the untrusted network.

This lets the Wii get to the media library, which is nice.

diff --git a/numbers.m4 b/numbers.m4
index da3ee59517dd1250db52203633cb6097cd328fa0..8092e72f634cca978f8954e9d9e8bd749f54320a 100644 (file)
--- a/numbers.m4
+++ b/numbers.m4
@@ -35,7 +35,11 @@ defport bootpc 68
 defport finger 79
 defport http 80
 defport ident 113
 defport finger 79
 defport http 80
 defport ident 113

+defport netbios_ns 137
+defport netbios_dgm 138
+defport netbios_ssn 139

 defport https 443
 defport https 443

+defport microsoft_ds 445

 defport syslog 514                     # UDP only!
 defport rsync 873
 defport squid 3128
 defport syslog 514                     # UDP only!
 defport rsync 873
 defport squid 3128

diff --git a/vampire.m4 b/vampire.m4
index d25bf4923a12fc60b63fd8a4ed76be151fcbb1a2..18365bed29600032a411bcdbe144e50fe4560d55 100644 (file)
--- a/vampire.m4
+++ b/vampire.m4
@@ -64,6 +64,16 @@ for p in tcp udp; do
          -p $p --destination-port $port_dns
 done
 
          -p $p --destination-port $port_dns
 done
 

+## Allow smb and nmb to untrusted hosts.  This is a bit experimental.
+run iptables -A inbound -j ACCEPT \
+       -s 172.29.198.0/24 \
+       -p udp -m multiport --destination-ports \
+               $port_netbios_ns,$port_netbios_dgm
+run iptables -A inbound -j ACCEPT \
+       -s 172.29.198.0/24 \
+       -p tcp -m multiport --destination-ports \
+               $port_netbios_ssn,$port_microsoft_ds
+

 ## Provide syslog for evolution.
 run iptables -A inbound -j ACCEPT \
        -s 172.29.198.2 \
 ## Provide syslog for evolution.
 run iptables -A inbound -j ACCEPT \
        -s 172.29.198.2 \