Samba - Firewall - Broadcast traffic

jennyforme

Distinguished
Nov 25, 2010
11
0
18,510
Hello.

Regarding firewall setup for Samba...

Samba Debian Testing amd64;
Port 445,139 TCP Allow In/Out to LAN 192.168.55.0/24
Port 137,138 UDP Allow In/Out to LAN 192.168.55.0/24

Questions;
1. Do I have to make separate rule(s) for broadcasts?
*Allow 192.168.55.255 tcp in/out on port 137,
*Allow 127.0.0.255 tcp in/out on port 137
(netbios-dg, netbios-ns)

I'm having trouble getting the shares to display as available on the LAN for Linux and Windows clients.

Thank you.
You've already allowed broadcasts. 192.168.55.255 is in the range 192.168.55.0/24 (strictly speaking, it represents every address in that range). You shouldn't need to allow or disallow anything on the loopback address.

I suspect that your problem is more to do with NetBIOS and WINS if it's a question of browsing. Can you connect to the shares by IP address (e.g. \\192.168.55.2\sharename)?

jennyforme
Nov 25, 2010
ijack, thanks for the understanding.
The problem (always a curve ball) was... using the UFW firewall, it disallows broadcasts by default.

After editing /etc/ufw/before.rules and commenting out this section:
# if BROADCAST, RETURN
#-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

Then... the broadcasts were allowed.

I can find the shares on the LAN now with:
$ sudo findsmb
$ nmblookup \*

Thanks much.

jennyforme
Nov 25, 2010
The angry firewall beast has returned... can't browse samba shares on the LAN.

When I disable the 'Client' firewall, I can discover samba shares (on server & client) with: findsmb

Result:
*=DMB
+=LMB
IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION
---------------------------------------------------------------------
192.168.55.14 SAMBA01 [WORKGROUP] [Unix] [Samba 3.5.8]

The client won't see it at all...

I looked at the traffic via iptraf;

Firewall ON;

UDP (78 bytes) from 127.0.0.1:50410 to 127.255.255.255:netbios-ns on lo
UDP (78 bytes) from 192.168.55.11:50410 to 192.168.55.255:netbios-ns on eth0

Firewall OFF;
UDP (78 bytes) from 127.0.0.1:51974 to 127.255.255.255:netbios-ns on lo
UDP (78 bytes) from 192.168.55.11:51974 to 192.168.55.255:netbios-ns on eth0


UFW firewall rules (client):
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing)
New profiles: skip

To                              Action      From
--                              ------      ----
192.168.55.11 22/tcp on eth0    ALLOW IN    192.168.55.0/24
192.168.55.11 137/udp on eth0   ALLOW IN    192.168.55.0/24
192.168.55.11 138/udp on eth0   ALLOW IN    192.168.55.0/24
192.168.55.11 139/tcp on eth0   ALLOW IN    192.168.55.0/24
192.168.55.11 445/tcp on eth0   ALLOW IN    192.168.55.0/24

192.168.55.0/24 22/tcp          ALLOW OUT   192.168.55.11 on eth0
192.168.55.0/24 137/udp         ALLOW OUT   192.168.55.11 on eth0
192.168.55.0/24 138/udp         ALLOW OUT   192.168.55.11 on eth0
192.168.55.0/24 139/tcp         ALLOW OUT   192.168.55.11 on eth0
192.168.55.0/24 445/tcp         ALLOW OUT   192.168.55.11 on eth0

Samba: allow interfaces; 192.168.55.14 127.0.0.1

Do I have to deal with the 127.255.255.255 address in the firewall?

I can't trace down why 'findsmb' won't complete.

Thank you.

jennyforme
Nov 25, 2010
Bump... anyone ?

How about this for Samba broadcasts?

# UDP in to the broadcast address, with port 137 as source or as destination
iptables -A INPUT -p udp --sport 137 -m addrtype --dst-type broadcast -j ACCEPT
iptables -A INPUT -p udp --dport 137 -m addrtype --dst-type broadcast -j ACCEPT
# UDP out to the broadcast address, with port 137 as destination or as source
iptables -A OUTPUT -p udp --dport 137 -m addrtype --dst-type broadcast -j ACCEPT
iptables -A OUTPUT -p udp --sport 137 -m addrtype --dst-type broadcast -j ACCEPT
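A rule set that covers what findsmb and nmblookup actually need on the wire, written as an added example for both the before.rules edit earlier in the thread and the iptables rules proposed just above. This is example code, not from the thread, Samba or ufw: the LAN prefix 192.168.55.0/24, its broadcast address and eth0 are taken from the posts; the function names and the ufw command lines are my own, and the ufw lines follow the syntax in ufw's man page, so check them against your version. The point the iptraf capture shows is that the name query goes to the broadcast address from an ephemeral port, while each answer comes back by unicast from port 137 to that ephemeral port; neither a "--dport 137" rule nor a "--dst-type broadcast" rule matches that answer, and conntrack does not relate it to the query because its source address differs from the query's destination.

```shell
#!/bin/sh
# Added example (not from the thread): print firewall rules that let a Samba
# host browse and be browsed on one LAN behind a default-deny policy.
#
# How a findsmb / nmblookup '*' lookup looks to the filter:
#   query : 192.168.55.11:50410 -> 192.168.55.255:137   (broadcast, ephemeral sport)
#   answer: 192.168.55.14:137   -> 192.168.55.11:50410  (unicast, sport 137)
# The answer's source is not the query's destination, so conntrack does not
# mark it ESTABLISHED; its dport is not 137 and its destination is the host's
# own unicast address, so neither "--dport 137" nor "--dst-type broadcast"
# matches it. It must be allowed by SOURCE port 137 (below), or the kernel
# helper nf_conntrack_netbios_ns must be loaded so the answer becomes RELATED
# (on kernels without automatic helper assignment, attach it with the CT
# target in the raw table).

# Emit an iptables-restore(8) fragment for the given LAN prefix and interface.
samba_iptables_rules() {
    lan="$1"
    iface="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, which also covers nmbd's 127.255.255.255 broadcasts seen in iptraf
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SMB over TCP (445) and NetBIOS session service (139), LAN only
-A INPUT -i $iface -s $lan -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $iface -d $lan -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -j ACCEPT
# NetBIOS name (137) and datagram (138) service. "--ports" matches the port as
# either source or destination, so one pair of rules covers broadcast queries
# (the .255 address lies inside $lan), unicast queries, and the unicast
# answers that come back FROM port 137 to an ephemeral port.
-A INPUT -i $iface -s $lan -p udp -m multiport --ports 137,138 -j ACCEPT
-A OUTPUT -o $iface -d $lan -p udp -m multiport --ports 137,138 -j ACCEPT
COMMIT
EOF
}

# The same policy as ufw commands. Note "to any" instead of the host's own
# address: a rule written "to 192.168.55.11" never matches a packet addressed
# to 192.168.55.255. In ufw's stock before.rules the "if BROADCAST, RETURN"
# line is what lets broadcasts continue on to these user rules (the lines
# after it in that chain log and DROP everything else), so leave it in.
samba_ufw_commands() {
    lan="$1"
    iface="$2"
    cat <<EOF
ufw allow in on $iface from $lan to any port 139,445 proto tcp
ufw allow out on $iface to $lan port 139,445 proto tcp
ufw allow in on $iface from $lan to any port 137,138 proto udp
ufw allow in on $iface from $lan port 137 to any proto udp
ufw allow out on $iface to $lan port 137,138 proto udp
ufw allow out on $iface from any port 137 to $lan proto udp
EOF
}

# Print both forms when run directly; feed the first to iptables-restore,
# or run the second set of lines one by one.
samba_iptables_rules 192.168.55.0/24 eth0
echo
samba_ufw_commands 192.168.55.0/24 eth0
```

Apply the iptables fragment with `sh samba-rules.sh | sudo iptables-restore` (it replaces the whole filter table, so merge it with anything else you run, such as the ssh rule from the thread), then repeat `findsmb` and `nmblookup \*` with the firewall up. The UDP rules are deliberately LAN-scoped by `-s`/`-d`; on a host with more than one interface, keep the `-i`/`-o` qualifiers so NetBIOS never leaves the LAN.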