
Thread: Firewall blocked for samba

  1. #21
    Join Date
    Mar 2006
    Location
    Kitakyushu Japan
    Beans
    9,362
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: Firewall blocked for samba

    Humm, just for clarification ...

    Quote Originally Posted by swerdna View Post
    These "inbound" rules (next) allow the shares to be seen from the server but not from the client:
    sudo ufw allow proto udp from 192.168.1.0/24 port 137 to any
    plus three more, one each for 138, 139,445

    Finally, these "outbound" rules allow the shares to be seen from the server but not from the client:
    sudo ufw allow proto udp to 192.168.1.0/24 port 137 from any
    plus three more, one each for 138, 139,445

    Do you mean that neither of the rules I gave earlier allow the server to be seen from any clients?

  2. #22
    Join Date
    Jun 2007
    Location
    Oz
    Beans
    501
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Firewall blocked for samba

    Quote Originally Posted by dmizer View Post
    Even though you've configured your firewall with UFW, you can still see the iptables version by looking at the output of:
    Code:
    sudo iptables -L

    @uncle-c: here are some lines I've extracted from iptables -L:
    Code:
    Chain ufw-user-input (1 references)
    target     prot opt source               destination         
    ACCEPT     udp  --  192.168.1.0/24       anywhere            udp dpt:netbios-dgm 
    ACCEPT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:netbios-ssn 
    ACCEPT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:microsoft-ds 
    ACCEPT     udp  --  192.168.1.0/24       anywhere            udp dpt:netbios-ns

    Edit: FWIW I spotted these too:
    Code:
    Chain ufw-after-input (1 references)
    target     prot opt source               destination         
    RETURN     udp  --  anywhere             anywhere            udp dpt:netbios-ns 
    RETURN     udp  --  anywhere             anywhere            udp dpt:netbios-dgm 
    RETURN     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn 
    RETURN     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds

    Last edited by swerdna; September 15th, 2009 at 11:57 AM.

  3. #23
    Join Date
    Aug 2007
    Beans
    Hidden!
    Distro
    Lubuntu

    Re: Firewall blocked for samba

    Thanks. The first table is identical to my iptables firewall rules. So can you see your Samba shares from the "Network Browser" on your samba client machine?

    c

  4. #24
    Join Date
    Jun 2007
    Location
    Oz
    Beans
    501
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Firewall blocked for samba

    Quote Originally Posted by dmizer View Post
    Humm, just for clarification ...

    Do you mean that neither of the rules I gave earlier allow the server to be seen from any clients?

    I can't remember any more. It was quick, no resetting of Samba and so on. So I'll do this controlled test and then report back:

    your "outbound" rules
    your "inbound" rules
    my blue rules

    After each removal of old rules and setting of the next set of rules I will reboot before testing the visibility of the server from Nautilus in the server and from Nautilus in the client.

  5. #25
    Join Date
    Jun 2007
    Location
    Oz
    Beans
    501
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Firewall blocked for samba

    Quote Originally Posted by uncle-c View Post
    Thanks. The first table is identical to my iptables firewall rules. So can you see your Samba shares from the "Network Browser" on your samba client machine?

    c

    Yes

  6. #26
    Join Date
    Jun 2007
    Location
    Oz
    Beans
    501
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Firewall blocked for samba

    OK I've finished that test, this time with booting to re-zero everything. Results are:


    Your outbound rules
    sudo ufw allow proto udp to 192.168.1.0/24 port 137 from any
    sudo ufw allow proto udp to 192.168.1.0/24 port 138 from any
    sudo ufw allow proto tcp to 192.168.1.0/24 port 139 from any
    sudo ufw allow proto tcp to 192.168.1.0/24 port 445 from any

    sudo ufw status gives
    To                         Action      From
    --                         ------      ----
    192.168.1.0/24 137/udp     ALLOW       Anywhere
    192.168.1.0/24 138/udp     ALLOW       Anywhere
    192.168.1.0/24 139/tcp     ALLOW       Anywhere
    192.168.1.0/24 445/tcp     ALLOW       Anywhere

    server is visible and shares can be opened from Nautilus in the Ubuntu server
    server is visible and shares can be opened from Nautilus in the openSUSE client

    ============================================================

    Your inbound rules
    sudo ufw allow proto udp from 192.168.1.0/24 port 137 to any
    sudo ufw allow proto udp from 192.168.1.0/24 port 138 to any
    sudo ufw allow proto tcp from 192.168.1.0/24 port 139 to any
    sudo ufw allow proto tcp from 192.168.1.0/24 port 445 to any

    sudo ufw status gives
    To                         Action      From
    --                         ------      ----
    Anywhere                   ALLOW       192.168.1.0/24 137/udp
    Anywhere                   ALLOW       192.168.1.0/24 138/udp
    Anywhere                   ALLOW       192.168.1.0/24 139/tcp
    Anywhere                   ALLOW       192.168.1.0/24 445/tcp

    server is not visible from Nautilus in the Ubuntu server
    server is not visible from Nautilus in the openSUSE client

    ============================================================

    My blue rules
    sudo ufw allow proto udp to any port 137 from 192.168.1.0/24
    sudo ufw allow proto udp to any port 138 from 192.168.1.0/24
    sudo ufw allow proto tcp to any port 139 from 192.168.1.0/24
    sudo ufw allow proto tcp to any port 445 from 192.168.1.0/24


    sudo ufw status gives
    To                         Action      From
    --                         ------      ----
    137/udp                    ALLOW       192.168.1.0/24
    138/udp                    ALLOW       192.168.1.0/24
    139/tcp                    ALLOW       192.168.1.0/24
    445/tcp                    ALLOW       192.168.1.0/24

    server is visible and shares can be opened from Nautilus in the Ubuntu server
    server is visible and shares can be opened from Nautilus in the openSUSE client

    ============================================================

    The two sets of rules that work are dmizer's outbound rules and my blue rules.

    BUT dmizer's "outbound" rules appear to allow from "anywhere" which to me means all IP networks, whereas the "blue" rules restrict to one "trusted" subnet. (maybe -- I'm really confused by all of this now).
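
Added example, not part of the original posts: a minimal Python model of how the three rule sets tested in post #26 match an incoming packet, showing why the "inbound" set never matches a client connection and why the "outbound" set also accepts sources outside the subnet. The server, client and outside-host addresses are constructed sample values, and a default-deny incoming policy is assumed.

```python
# Added illustration: a minimal model of how the three rule sets from
# post #26 match an incoming packet. Host addresses are constructed samples.
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
LAN = ip_network("192.168.1.0/24")
PORTS = [("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)]

def rule(proto, src=ANY, sport=None, dst=ANY, dport=None):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport)

RULESETS = {
    # ufw allow proto P to 192.168.1.0/24 port N from any
    "outbound": [rule(p, dst=LAN, dport=n) for p, n in PORTS],
    # ufw allow proto P from 192.168.1.0/24 port N to any  (N = SOURCE port)
    "inbound": [rule(p, src=LAN, sport=n) for p, n in PORTS],
    # ufw allow proto P to any port N from 192.168.1.0/24
    "blue": [rule(p, src=LAN, dport=n) for p, n in PORTS],
}

def allowed(ruleset, proto, src, sport, dst, dport):
    """True if any rule in the named set accepts the incoming packet."""
    for r in RULESETS[ruleset]:
        if (r["proto"] == proto
                and ip_address(src) in r["src"]
                and ip_address(dst) in r["dst"]
                and r["sport"] in (None, sport)
                and r["dport"] in (None, dport)):
            return True
    return False  # no rule matched: falls through to the default policy

SERVER = "192.168.1.10"  # constructed: Samba server inside the LAN
PACKETS = {
    # clients connect FROM an ephemeral port TO the service port
    "lan client -> smb": ("tcp", "192.168.1.50", 49152, SERVER, 445),
    "outside host -> smb": ("tcp", "203.0.113.7", 49152, SERVER, 445),
}

def verdicts():
    """Map (ruleset, packet label) to True when the packet is accepted."""
    return {(name, label): allowed(name, *pkt)
            for name in RULESETS for label, pkt in PACKETS.items()}

if __name__ == "__main__":
    for (name, label), ok in verdicts().items():
        print(f"{name:9} {label:20} {'ALLOW' if ok else 'no match'}")
```

Only the "blue" set both admits the LAN client and leaves the outside host to the default policy; whether an outside host can reach the server at all depends on routing, which this model does not cover.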

  7. #27
    Join Date
    Jun 2010
    Beans
    11

    Re: Firewall blocked for samba

    Hi,

    I had the same issue - cannot browse the Windows network from Ubuntu 10.04 with ufw/gufw enabled. I have added this to /etc/default/ufw:

    # The nf_conntrack_netbios_ns has been added
    IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc nf_conntrack_netbios_ns"

    and restart IPTABLES.

    I do not have any other rules for samba. Everything seems to work now.

    PS. Tip source:
    http://ubuntuforums.org/showpost.php...91&postcount=4

    Cheers all

  8. #28
    Join Date
    Nov 2009
    Location
    Oklahoma (USA) and India
    Beans
    110
    Distro
    Kubuntu 13.04 Raring Ringtail

    Re: Firewall blocked for samba

    I followed GrzesiekC's post and it worked, without any rules being made for ufw. I'm ignorant though. What did it do?

  9. #29
    Join Date
    Dec 2010
    Beans
    19

    Re: Firewall blocked for samba

    Hi, I'm also having problems with the firewall blocking netbios. I've read through the thread and set up my firewall as recommended. Here is the output of "ufw status verbose":

    Code:
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing)
    New profiles: skip
    
    To                         Action      From
    --                         ------      ----
    137/udp                    ALLOW IN    10.0.0.0/24
    138/udp                    ALLOW IN    10.0.0.0/24
    139/tcp                    ALLOW IN    10.0.0.0/24
    445/tcp                    ALLOW IN    10.0.0.0/24

    I use "mount -t cifs" to mount my windows share and if the firewall is off it works fine and I can ping the netbios name too. With the firewall active the mount fails unless I include "ip=10.0.0.3" in the mount options and ping returns with "unknown host".

    I took a look at my UFW log file and it appears every time there is an attempt to resolve the windows netbios name, Windows sends its reply to a different, random port:

    Code:
    [UFW BLOCK] IN=eth0 OUT= MAC=00:07:95:da:8e:81:00:26:f2:56:a0:fc:08:00 SRC=10.0.0.3 DST=10.0.0.2 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=19692 PROTO=UDP SPT=137 DPT=56352 LEN=70 
    [UFW BLOCK] IN=eth0 OUT= MAC=00:07:95:da:8e:81:00:26:f2:56:a0:fc:08:00 SRC=10.0.0.3 DST=10.0.0.2 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=23091 PROTO=UDP SPT=137 DPT=57116 LEN=70

    I'd rather not open up the firewall to accept any UDP connection from 10.0.0.0/24 so how do I tell windows to always use the correct port?
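
Added example, not part of the original posts: a Python triage of `[UFW BLOCK]` lines like those in post #29. A NetBIOS name-service answer leaves the responder from UDP port 137 and returns to the ephemeral port the query was sent from; when the query went to a broadcast address, ordinary connection tracking does not associate the unicast answer with it, which is the case the `nf_conntrack_netbios_ns` helper from post #27 handles. The first two sample lines are the ones quoted in the post; the third is constructed for contrast.

```python
# Added illustration, not code from the thread: pick out blocked NetBIOS
# name-service replies from [UFW BLOCK] log lines.
import re
from collections import Counter

# First two lines are quoted from post #29; the third is a constructed,
# unrelated block included for contrast.
SAMPLE_LOG = """\
[UFW BLOCK] IN=eth0 OUT= MAC=00:07:95:da:8e:81:00:26:f2:56:a0:fc:08:00 SRC=10.0.0.3 DST=10.0.0.2 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=19692 PROTO=UDP SPT=137 DPT=56352 LEN=70
[UFW BLOCK] IN=eth0 OUT= MAC=00:07:95:da:8e:81:00:26:f2:56:a0:fc:08:00 SRC=10.0.0.3 DST=10.0.0.2 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=23091 PROTO=UDP SPT=137 DPT=57116 LEN=70
[UFW BLOCK] IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.2 LEN=60 TTL=64 ID=4242 PROTO=TCP SPT=51000 DPT=23
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def parse_block(line):
    """Return the KEY=value fields of one [UFW BLOCK] line, or None."""
    if "[UFW BLOCK]" not in line:
        return None
    return dict(FIELD.findall(line))

def is_nbns_reply(f):
    """UDP from source port 137 to an unprivileged port: a name-service
    answer to a query this host sent from an ephemeral port."""
    return (f.get("PROTO") == "UDP" and f.get("SPT") == "137"
            and f.get("DPT", "").isdigit() and int(f["DPT"]) >= 1024)

def blocked_nbns_replies(log):
    """List (responder, local address, local port) for each blocked reply."""
    out = []
    for line in log.splitlines():
        f = parse_block(line)
        if f and is_nbns_reply(f):
            out.append((f["SRC"], f["DST"], int(f["DPT"])))
    return out

def responders(log):
    """Count blocked replies per responding host."""
    return Counter(src for src, _, _ in blocked_nbns_replies(log))

if __name__ == "__main__":
    for src, dst, port in blocked_nbns_replies(SAMPLE_LOG):
        print(f"blocked name-service reply {src}:137 -> {dst}:{port}")
    print(dict(responders(SAMPLE_LOG)))
```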
