After rewriting an ipchains firewall to iptables, I've got problems having M$ clients logon to a w2k server; that is, I do not administer that server, so it actually might not be my firewalling. The w2k server is on a dedicated internal server segment, clients are on three other segments. Problem clients are winxp. It takes a looong time to logon (I'm told up to nearly half an hour), other traffic no problem; it's only the login procedure.

So far, I forward M$ related tcp/udp ports 137:139, 445, 135, ldap, kerberos in both directions between server and client segments. Tcpdump shows traffic on these ports in both directions, leading me to believe it should work.

Port 135 is "DCE endpoint resolution", which is an rpc service, and AFAIK very basic for M$ networking. Googling for DCE endpoint resolution reveals that others have had problems here. What I found didn't really tell if those writing about it really understood what's going on, neither what kind of firewall was used.

--
Kind regards / venlig hilsen,
Mogens Valentin, Mr Dev IT
Networking, Security, Server Setup
www.danbbs.dk/~monz
mrdev@xxxxxxxxx
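Added here as an example of what the forwarding rules described in the post look like with connection tracking, in iptables-restore format; it is not the poster's configuration. The server and client addresses are constructed placeholders, and the dynamic RPC port range is an assumption: port 135 only resolves endpoints, and the RPC service then answers on a dynamically allocated port that the fixed-port rules from the post do not cover.

```iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MS_LOGON - [0:0]

# Return traffic for any allowed connection comes back via conntrack,
# so each service below only needs a rule for the initiating direction.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Three client segments (constructed) -> W2K server (constructed).
-A FORWARD -s 192.0.2.0/26 -d 198.51.100.10 -m state --state NEW -j MS_LOGON
-A FORWARD -s 192.0.2.64/26 -d 198.51.100.10 -m state --state NEW -j MS_LOGON
-A FORWARD -s 192.0.2.128/26 -d 198.51.100.10 -m state --state NEW -j MS_LOGON
# Server -> clients, for connections the server opens itself.
-A FORWARD -s 198.51.100.10 -d 192.0.2.0/24 -m state --state NEW -j MS_LOGON

# Anything else between the segments is logged before the policy drops it,
# so a stalled logon shows up as a timestamped kernel log line, not silence.
-A FORWARD -s 192.0.2.0/24 -d 198.51.100.0/24 -j LOG --log-prefix "FWD-DROP c2s: "
-A FORWARD -s 198.51.100.0/24 -d 192.0.2.0/24 -j LOG --log-prefix "FWD-DROP s2c: "

# The fixed ports from the post: NetBIOS name/datagram, NetBIOS session,
# SMB over TCP, DCE endpoint mapper, LDAP, Kerberos.
-A MS_LOGON -p udp --dport 137:138 -j ACCEPT
-A MS_LOGON -p tcp --dport 139 -j ACCEPT
-A MS_LOGON -p tcp --dport 445 -j ACCEPT
-A MS_LOGON -p udp --dport 445 -j ACCEPT
-A MS_LOGON -p tcp --dport 135 -j ACCEPT
-A MS_LOGON -p tcp --dport 389 -j ACCEPT
-A MS_LOGON -p udp --dport 389 -j ACCEPT
-A MS_LOGON -p tcp --dport 88 -j ACCEPT
-A MS_LOGON -p udp --dport 88 -j ACCEPT
# Port 135 only hands back the endpoint; the RPC service itself listens on
# a dynamically allocated port. Assumption (check with the server admin):
# the default dynamic range on Windows 2000 is 1025:5000.
-A MS_LOGON -p tcp --dport 1025:5000 -j ACCEPT
-A MS_LOGON -j RETURN
COMMIT
```

Load it with `iptables-restore` and watch the kernel log for the FWD-DROP prefix while a client logs on; a burst of dropped packets to a port outside the list above points at the firewall, an empty log points back at the server.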