Firewall blocked for samba

**swerdna** · July 28th, 2009

Hi I have Ubuntu 9.04 installed and a healthy Samba installation.

If I have the firewall, UFW, activated I cannot see my network and get this error message in Nautilus when I click "Windows Network"

failed to retrieve share list from server

.

I have enabled samba by running this UFW command:

Code:

sudo ufw allow samba

. In the GUI GUFW I then see that these rules have been added:

137,138/udp (samba) ALLOW anywhere
139,445/tcp (samba) ALLOW anywhere

I have edited the file /etc/default/ufw, in particular I added nf_conntrack_netbios_ns so the relevant line becomes like so:

Code:

IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc nf_conntrack_netbios_ns"

Despite all that, Samba only works if I turn UFW off.

What have I missed?

Thanks
swerdna

**ericab** · July 28th, 2009

did you set workgroup to "WORKGROUP" ?

install this for setting up samba options.

http://gadmintools.flippedweb.com/in...d=16&Itemid=30

if you dont know how to compile from source or dont want to, you can install 'alien' and use the rpm package for install.

**swerdna** · July 29th, 2009

Originally Posted by ericab

did you set workgroup to "WORKGROUP" ?

I set workgroup = SWERDNA to match the other four workstations on the LAN

install this for setting up samba options.

http://gadmintools.flippedweb.com/in...d=16&Itemid=30

But I don't need to adjust samba, it works great when UFW is disabled. I configure Samba from the CLI and am an expert at it. The problem is with UFW which I have enabled for samba by using

Code:

sudo ufw allow  samba

as recommended variously elsewhere. But that advice seems to be erroneous. Can you give me the correct method for configuring for Samba the UFW firewall? (The problem is that UFW is effectively the default recommended firewall and the advice out there isn't working)

if you dont know how to compile from source or dont want to, you can install 'alien' and use the rpm package for install.

No thanks, I'm good for configuring samba.

**Iowan** · July 29th, 2009

I doubt it's as simple as restarting "something"...

**swerdna** · July 29th, 2009

OK here's the answer:

Remove the much vaunted service-based rule for Samba with this command:

Code:

sudo ufw delete samba

Replace it with port-based rules for the trusted network:

Code:

sudo ufw allow proto udp to any port 137 from 192.168.29.0/24
sudo ufw allow proto udp to any port 138 from 192.168.29.0/24
sudo ufw allow proto tcp to any port 139 from 192.168.29.0/24
sudo ufw allow proto tcp to any port 445 from 192.168.29.0/24

Adjusting the IP mask for individual LANs.

Sadly, the UFW fails on a service-based rule, which is probably a bug. I suppose that UFW is fairly new and is mostly left turned off, so this problem will take some time to be noticed by the bug-fixers. All will come good in time

**Iowan** · July 29th, 2009

Well, at least there is now a workaround... Thanks for posting (hope I can remember it if/when another thread mentions a similar problem.)

**dmizer** · July 29th, 2009

Originally Posted by swerdna

Sadly, the UFW fails on a service-based rule, which is probably a bug. I suppose that UFW is fairly new and is mostly left turned off, so this problem will take some time to be noticed by the bug-fixers. All will come good in time

Please file a bug report

I've added your findings to my Fix Windows share browsing howto (6th link in my sig).

**swerdna** · July 29th, 2009

Originally Posted by dmizer

Please file a bug report

I've added your findings to my Fix Windows share browsing howto (6th link in my sig).

Terrific.

I've also got a write up of my Samba experiences and have included the findings there too.

**dmizer** · August 19th, 2009

Per this post: http://ubuntuforums.org/showpost.php...&postcount=133 the rules posted above are reversed. They should read:

Code:

sudo ufw allow proto udp from 192.168.1.0/24 to any port 137
sudo ufw allow proto udp from 192.168.1.0/24 to any port 138
sudo ufw allow proto tcp from 192.168.1.0/24 to any port 139
sudo ufw allow proto tcp from 192.168.1.0/24 to any port 445

Confirmed here: http://ubuntuforums.org/showthread.php?t=806000

**swerdna** · August 19th, 2009

Originally Posted by dmizer

Per this post: http://ubuntuforums.org/showpost.php...&postcount=133 the rules posted above are reversed. They should read:

Code:

sudo ufw allow proto udp from 192.168.1.0/24 to any port 137
sudo ufw allow proto udp from 192.168.1.0/24 to any port 138
sudo ufw allow proto tcp from 192.168.1.0/24 to any port 139
sudo ufw allow proto tcp from 192.168.1.0/24 to any port 445

Confirmed here: http://ubuntuforums.org/showthread.php?t=806000

Thank you very much -- this stuff is so confusing.

Don't hese two mean exactly the same thing: