
Thread: Firewall blocked for samba

  1. #11
    Join Date
    Mar 2006
    Location
    Kitakyushu Japan
    Beans
    9,361
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: Firewall blocked for samba

    No, they are not the same.

    This:
    sudo ufw allow proto udp from 192.168.1.0/24 to any port 137
    is an inbound rule.

    This:
    sudo ufw allow proto udp to any port 137 from 192.168.29.0/24
    is an outbound rule.

    You can confirm this yourself by looking at the configuration in gufw.

  2. #12
    Join Date
    Jun 2007
    Location
    Oz
    Beans
    501
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Firewall blocked for samba

    AHA -- I see the difference, thank you

  3. #13
    Join Date
    Jun 2007
    Location
    Oz
    Beans
    501
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Firewall blocked for samba

    Quote Originally Posted by dmizer View Post
    No, they are not the same.

    This:
    sudo ufw allow proto udp from 192.168.1.0/24 to any port 137
    is an inbound rule.

    This:
    sudo ufw allow proto udp to any port 137 from 192.168.29.0/24
    is an outbound rule.

    You can confirm this yourself by looking at the configuration in gufw.
    I've been puzzling over this. Something seemed wrong to me.

    So, with respect:

    If I type your "outbound" version and take a screenshot in GUFW. Then delete the rule. Then type your "inbound" and take a screenshot. Then the two screenshots are identical.

    Further, if I start with no rules and type one of the variants I get a response "rule added". Then if I type the other variant I get the response "skipping adding existing rule".

    So one is not an outbound rule and the other an inbound rule. They are the same rule.

    What do you think, is that right?

  4. #14
    Join Date
    Mar 2006
    Location
    Kitakyushu Japan
    Beans
    9,361
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: Firewall blocked for samba

    Quote Originally Posted by swerdna View Post
    I've been puzzling over this. Something seemed wrong to me.

    So, with respect:

    If I type your "outbound" version and take a screenshot in GUFW. Then delete the rule. Then type your "inbound" and take a screenshot. Then the two screenshots are identical.

    Further, if I start with no rules and type one of the variants I get a response "rule added". Then if I type the other variant I get the response "skipping adding existing rule".

    So one is not an outbound rule and the other an inbound rule. They are the same rule.

    What do you think, is that right?
    You're quite right. After quite a bit of fiddling, I think I've finally found it.

    This seems to be a correct outbound rule:
    Code:
    sudo ufw allow proto udp to 192.168.1.0/24 port 137 from any
    This seems to be a correct inbound rule:
    Code:
    sudo ufw allow proto udp from 192.168.1.0/24 port 137 to any
    Care to confirm with some testing?

  5. #15
    Join Date
    Aug 2009
    Location
    Québec, Canada
    Beans
    46
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Firewall blocked for samba

    Thanks Swerdna I was having the same problem! Now it works. I will follow the rest of the issue.

  6. #16
    Join Date
    Jun 2007
    Location
    Oz
    Beans
    501
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Firewall blocked for samba

    edit in progress -- and some more testing
    Last edited by swerdna; September 15th, 2009 at 09:01 AM.

  7. #17
    Join Date
    Jun 2007
    Location
    Oz
    Beans
    501
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Firewall blocked for samba

    Quote Originally Posted by dmizer View Post
    You're quite right. After quite a bit of fiddling, I think I've finally found it.

    This seems to be a correct outbound rule:
    Code:
    sudo ufw allow proto udp to 192.168.1.0/24 port 137 from any
    This seems to be a correct inbound rule:
    Code:
    sudo ufw allow proto udp from 192.168.1.0/24 port 137 to any
    Care to confirm with some testing?
    OK I've got some free time and checked somewhat extensively.
    For all of the following I had the connection tracking module enabled (important for other readers see this tutorial for that module).

    These rules below allow Samba shares on the Ubuntu server to be seen from the server itself and from a client on the LAN:
    sudo ufw allow proto udp to any port 137 from 192.168.1.0/24
    sudo ufw allow proto udp to any port 138 from 192.168.1.0/24
    sudo ufw allow proto tcp to any port 139 from 192.168.1.0/24
    sudo ufw allow proto tcp to any port 445 from 192.168.1.0/24


    These "inbound" rules (next) allow the shares to be seen from the server but not from the client:
    sudo ufw allow proto udp from 192.168.1.0/24 port 137 to any
    plus three more, one each for 138, 139,445

    Finally, these "outbound" rules allow the shares to be seen from the server but not from the client:
    sudo ufw allow proto udp to 192.168.1.0/24 port 137 from any
    plus three more, one each for 138, 139,445

    So I conclude that the rules in blue are correct and that the rules labelled "inbound" and "outbound" are not. The blue rules are the only ones that I can get to work that include a "trusted" network (192.168.etc.etc).

    I've written them up here (for the time being, pending agreement from dmizer): Opening the UFW Firewall for Samba

    Do you agree dmizer?
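Added example (not part of any post in this thread, and not ufw's own code): a simplified sh model of ufw's `from ... to ...` rule grammar, in which `port` binds to whichever `from` or `to` clause precedes it. It normalises the rule variants tested above into source and destination fields; using 192.168.1.0/24 in every rule is an assumption, and `normalize_rule` and `same_rule` are hypothetical helper names.

```shell
#!/bin/sh
# Simplified model of ufw's full rule syntax (illustration only, not ufw's parser).
# Prints one line: proto, source addr/port, destination addr/port.
normalize_rule() {
    proto=any src=any sport=any dst=any dport=any side=
    set -- $1            # intentional word splitting; rule text has no glob chars
    while [ $# -gt 0 ]; do
        key=$1
        case $key in
            sudo|ufw|allow|deny|reject|limit) shift; continue ;;
            proto|from|to|port) ;;
            *) echo "unhandled token: $key" >&2; return 1 ;;
        esac
        [ $# -ge 2 ] || { echo "missing value after $key" >&2; return 1; }
        val=$2; shift 2
        case $key in
            proto) proto=$val ;;
            from)  src=$val; side=src ;;
            to)    dst=$val; side=dst ;;
            port)  # the port belongs to the clause that came just before it
                case $side in
                    src) sport=$val ;;
                    dst) dport=$val ;;
                    *)   echo "port given before from/to" >&2; return 1 ;;
                esac ;;
        esac
    done
    echo "proto=$proto src=$src sport=$sport dst=$dst dport=$dport"
}

# Succeeds (0) when two rule strings describe the same match.
same_rule() {
    a=$(normalize_rule "$1") || return 2
    b=$(normalize_rule "$2") || return 2
    [ "$a" = "$b" ]
}

# Rule variants from the thread, constructed here with one subnet throughout.
for r in \
    "sudo ufw allow proto udp from 192.168.1.0/24 to any port 137" \
    "sudo ufw allow proto udp to any port 137 from 192.168.1.0/24" \
    "sudo ufw allow proto udp from 192.168.1.0/24 port 137 to any" \
    "sudo ufw allow proto udp to 192.168.1.0/24 port 137 from any"
do
    printf '%s\n  -> %s\n' "$r" "$(normalize_rule "$r")"
done
```

The first two variants normalise to the same fields (source subnet, destination port 137), which matches the "skipping adding existing rule" response; the last two move the port or the subnet to the other side and are different rules.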

  8. #18
    Join Date
    Aug 2007
    Beans
    Hidden!
    Distro
    Lubuntu

    Re: Firewall blocked for samba

    Quote Originally Posted by swerdna View Post

    These rules below allow Samba shares on the Ubuntu server to be seen from the server itself and from a client on the LAN:
    sudo ufw allow proto udp to any port 137 from 192.168.1.0/24
    sudo ufw allow proto udp to any port 138 from 192.168.1.0/24
    sudo ufw allow proto tcp to any port 139 from 192.168.1.0/24
    sudo ufw allow proto tcp to any port 445 from 192.168.1.0/24
    So what do these four lines look like in the "iptables" format? Something like this:

    Code:
    ACCEPT     udp  --  192.168.1.0/24       anywhere            state NEW udp dpts:netbios-ns:netbios-dgm 
    ACCEPT     tcp  --  192.168.1.0/24       anywhere            state NEW tcp dpt:netbios-ssn 
    ACCEPT     tcp  --  windows              anywhere            state NEW tcp dpt:microsoft-ds

    I have Samba as a separate server but cannot view the share on my Ubuntu client's "Network Browser" even though I have no trouble accessing the share from the Ubuntu client. I have iptables on my Samba server.

    c
    Last edited by uncle-c; September 15th, 2009 at 10:27 AM.

  9. #19
    Join Date
    Jun 2007
    Location
    Oz
    Beans
    501
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Firewall blocked for samba

    Quote Originally Posted by uncle-c View Post
    So what do these four lines look like in the "iptables" format? Something like this:

    Code:
    ACCEPT     udp  --  192.168.1.0/24       anywhere            state NEW udp dpts:netbios-ns:netbios-dgm 
    ACCEPT     tcp  --  192.168.1.0/24       anywhere            state NEW tcp dpt:netbios-ssn 
    ACCEPT     tcp  --  windows              anywhere            state NEW tcp dpt:microsoft-ds

    I have Samba as a separate server but cannot view the share on my Ubuntu client's "Network Browser" even though I have no trouble accessing the share from the Ubuntu client. I have iptables on my Samba server.

    c
    I'm too much of a newbie to attempt to speak the lingo of iptables. I'm flat out getting the hang of the device they wrote to simplify the whole process (UFW).

  10. #20
    Join Date
    Mar 2006
    Location
    Kitakyushu Japan
    Beans
    9,361
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: Firewall blocked for samba

    Quote Originally Posted by swerdna View Post
    I'm too much of a newbie to attempt to speak the lingo of iptables. I'm flat out getting the hang of the device they wrote to simplify the whole process (UFW).
    Even though you've configured your firewall with UFW, you can still see the iptables version by looking at the output of:
    Code:
    sudo iptables -L
    Your testing looks good to me. It will be a while before I'll be able to test this on my own, but I'm going to update my tutorial with your suggestions.
