I’m using this server as a gateway/proxy/firewall with some shared folders. No service is exposed to red interface. Only openvpn has permission to red.
I’m using an external mailserver of my ISP.
So, why are there samba-logs with external IPs??
To investigate I encreased log level to log level all in smb.conf temporarely.
I’ve checked some of the IPs and they were blacklisted for abuse (port scan, unauthorized connection attempt on Port 445(SMB)…)
It’s weird and wouldn’t expect this to work, but can you check if a log file is created on a failed connection attempt?
Do file creation dates match a firewall stop/restart?
No. File creation was random, but no firewall restart as far as I can say.
I’ll install samba audit. Maybe this modul will give us some information.
I had a problem with a grandstream analogue adapter. It took the IP of the red interface with in the green zone. Had some troubles to identify this. Maybe this leaded to some inconsistency with shorewall.
I think I found the reason for this issue. It was caused by 2 factors with in a powerfault.
the grandstream took the IP of the red interface and was connected to a switch
the switch lost it’s vlan-config with the powerloss and on that swith the ISP router is conected.
The result was, that the grandstream exposed it’s interface to the internet directly. It’s an analogue fax adaptor which can’t handle smb, only SIP.
Although I’ve no clue, how it got the external IP. Since I restored correct config on the devices no more external IPs are present in log files. I’ll close this as solved.
Thanks again @dnutan for your inputs.
