
Thread: Opening Samba ports in the Firewall in openSUSE 11.1

  1. #1
    Opening Samba ports in the Firewall in openSUSE 11.1

    A new Service (netbios-server) has been added to the modules available for configuring SuSEfirewall2 via Yast. The netbios-server module commenced in openSUSE 11.0. This subtly changes the way we now open the firewall for Samba communications. Here's a quick HowTo for the 11.x series (do not use it for the 10.x series):

    You change settings in two locations in Yast.

    One location:
    Go to Yast --> Security and Users --> Firewall --> Allowed Services. In the right hand panel, set the Selected Zone to External. Below that, make sure that Samba Server and Netbios Server are added to the enabled list under Allowed Service.

    Other location:
    Go to Yast --> Security and Users --> Firewall --> Broadcast. Add your network into the panel on the right. For example, if your network interface has the IP 10.1.33.4 then add the following range -- 10.1.33.0/24. For more info check pics on this link. That's how to allow your local LAN. If that stumps you then use this range: 0/0. That's the unsecured option, the whole world (so try the secure one first).
    Last edited by swerdna; 09-Jan-2009 at 14:43.
    Leap 42.3 & 15.1(Beta) &KDE
    FYIs from the days of yore

  2. #2
    Re: Opening Samba ports in the Firewall in openSUSE 11.1

    aha, ok.
    thanks, was looking for this
    danger! brain at work... what brain?

  3. #3
    Re: Opening Samba ports in the Firewall in openSUSE 11.1

    You saved my day! Thanks a lot for this solution. I am trying to move from Windows to openSUSE 11.1 but a newbie like me needs easy to follow instructions of this kind - preferably with step-by-step pictures. I am still at the very bottom of the learning curve. I was fiddling around for hours with Samba to get access to my Win 2000, without success. Your help made it work within 10 minutes.

    It would be great if more experienced users would accept that "we" newbies are often overpowered by more technical solutions and need some easy handholding.

    Like your solution. So thanks again and have a great 2009!

  4. #4

    Re: Opening Samba ports in the Firewall in openSUSE 11.1

    I finally got this to work in a limited way. My network has ip addresses in the 150-160 range which I was not able to address.

    I gave the network ip range as 192.168.1.0/153 and when I restarted the firewall after restarting samba I got the following errors.


    Code:
    rcSuSEfirewall2 restart
    Starting Firewall Initialization (phase 2 of 2) iptables-batch v1.4.2-rc1: invalid mask `153' specified
    Try `iptables-batch -h' or 'iptables-batch --help' for more information.
    SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
    iptables v1.4.2-rc1: invalid mask `153' specified
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.2-rc1: invalid mask `153' specified
    Try `iptables -h' or 'iptables --help' for more information.

    I finally gave up on the addresses in that range which are hard coded and just tried to see if 192.168.1.0/24 would work. It did and I was able to access the 2 machines which at that time.

    I tried specifying the range from within FW_TRUSTED_NETS on /etc/sysconfig with no better luck than with the gui. I also looked at iptables but I couldn't get any more information about what mask would be acceptable for a 151-156 address. In fact, I was using the /etc/sysconfig when I tried the 192.168.1.0/24 settings.

    Do you have any idea how to get my 151-156 addresses to work without reconfiguring those machines?

    Leslie

  5. #5
    Re: Opening Samba ports in the Firewall in openSUSE 11.1

    Originally posted by TexasDayLily:
    > Do you have any idea how to get my 151-156 addresses to work without reconfiguring those machines?
    >
    > Leslie

    I'm pretty hazy on this but:
    the "/24" is not a decimal code. I think it's "bits" and that it means the 0 to 254 on 255.255.255.0; whatever, it means the entire subnet. You can't easily specify the range decimal 151-156. The full complexity of these shorthands is seen on e.g. this page (look for the word shorthand there):
    TCP/IP Addressing

    The short answer to your question is "no" I don't have an idea how to restrict to 151-156, except of course to list them individually.
    Leap 42.3 & 15.1(Beta) &KDE
    FYIs from the days of yore

  6. #6
    ab@novell.com NNTP User

    Re: Opening Samba ports in the Firewall in openSUSE 11.1

    swerdna,

    You're exactly right... the maximum number of bits possible, in this
    case, would be 32 as that's the number of bits in an entire IP address
    (four octets). For more info on this notation Google for 'CIDR notation'.

    Also while it's tricky to get non-base-2 numbers of networks to match a
    given notation it's not impossible.... usually just easier to use
    multiple statements to match the various networks. For example the
    following matches four "networks" of 256 boxes:

    192.168.0.0/22

    192.168.0.x-192.168.3.x would all match in this case. Note that when
    using this notation you can only, afaik, match a set of consecutive
    bits. This won't work for something weird like six boxes because six is
    not a multiple of only two but the other notation of
    192.168.0.0/255/255/252.0 should substitute just fine for the above
    notation example and can maybe be used in this case. Trying to match
    192.168.1.150 to .156 is probably beyond my ability to safely mangle
    bits but you could move all your IP addresses up two numerals at the end
    and use the following:

    192.68.1.152/29

    This will match .152-.159 . I'm pretty sure my calculations are right
    here (and you get two new IPs too) and I found a website to back me up
    you may find useful: http://www.subnet-calculator.com/cidr.php . If you
    really need these specific IPs you can match them with two statements...
    192.168.1.150/31
    192.168.1.152/30

    Good luck.





    TexasDayLily wrote:
    > I finally got this to work in a limited way. My network has ip
    > addresses in the 150-160 range which I was not able to address.
    >
    > I gave the network ip range as 192.168.1.0/153 and when I restarted the
    > firewall after restarting samba and I got the following errors.
    >
    >
    >
    > Code:
    > --------------------
    >
    > rcSuSEfirewall2 restart
    > Starting Firewall Initialization (phase 2 of 2) iptables-batch v1.4.2-rc1: invalid mask `153' specified
    > Try `iptables-batch -h' or 'iptables-batch --help' for more information.
    > SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
    > iptables v1.4.2-rc1: invalid mask `153' specified
    > Try `iptables -h' or 'iptables --help' for more information.
    > iptables v1.4.2-rc1: invalid mask `153' specified
    > Try `iptables -h' or 'iptables --help' for more information.
    >
    > --------------------
    >
    >
    > I finally gave up on the addresses in that range which are hard coded
    > and just tried to see if 192.168.1.0/24 would work. It did and I was
    > able to access the 2 machines which at that time.
    >
    > I tried specifying the range from within FW_TRUSTED_NETS on
    > /etc/sysconfig with no better luck than with the gui. I also looked at
    > iptables but I couldn't get any more information about what mask would
    > be acceptable for a 151-156 address. In fact, I was using the
    > /etc/sysconfig when I tried the 192.168.1.0/24 settings.
    >
    > Do you have any idea how to get my 151-156 addresses to work without
    > reconfiguring those machines?
    >
    > Leslie
    >
    >


  7. #7

    Re: Opening Samba ports in the Firewall in openSUSE 11.1

    I thought that /24 worked because most of my addresses were in the range of 0-24, and only one right now outside that range at 151. That 151 host does not have any shared network shares since it is a printer. But I totally misunderstood how the /24 was being used. It actually would have allowed any address in the form of 192.x.x.x. It looks like /24 implies a network mask of 255.0.0.0, but I typically use a network mask of 255.255.255.0. The network address shared with all the computers on my network is 192.168.1.x. If I understand that material properly I should have used 192.168.1.0/8 as the network mask code.

    If I had used the 192.168.2 subnet as well as the 192.168.1 then I could use 192.168.1.0/16, but perhaps 192.168.1.0/10 which would allow only 2 bits in the subnet area would also do.

    Thanks for the clarification,
    Leslie

  8. #8

    Re: Opening Samba ports in the Firewall in openSUSE 11.1

    After reading the above post I found WhatisCIDRNotation which clarified something I had missed from the link swerdna had sent. The /24 indicated the number of significant bits not the number of least significant bits.

    I found that I still had it wrong. Here's the correction. It looks like /24 implies a network mask of 255.255.255.0, which is what I typically use. Therefore 192.168.1.0/24 was the correct setting for me.

    If I had used the 192.168.2 subnet as well as the 192.168.1 then I could use 192.168.1.0/16, but perhaps 192.168.1.0/22 which would allow only the 2 least significant bits in the subnet area would also do.

    I wish I had known about CIDR notation and that the mask setting was in that notation.

    Leslie

  9. #9
    Re: Opening Samba ports in the Firewall in openSUSE 11.1

    Originally posted by ab@novell.com:
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > swerdna,
    >
    > You're exactly right... the maximum number of bits possible, in this
    > case, would be 32 as that's the number of bits in an entire IP address
    > (four octets). For more info on this notation Google for 'CIDR notation'.
    >
    > .........

    Thanks ab@novell.com, so what do I recommend when advising a mask to let the local LAN through that works always? Is this correct: ip1.ip2.ip3.0/24?

    And while I'm at it: I see this as an alternative setting in SuSEfirewalls for the Samba connection tracker: 0/0. I took that to mean "the whole world" is that correct?

    Too many new tricks so early in the year!
    Leap 42.3 & 15.1(Beta) &KDE
    FYIs from the days of yore

  10. #10
    ab@novell.com NNTP User

    Re: Opening Samba ports in the Firewall in openSUSE 11.1

    Yes, and yes. For a 192.168.1.0 network you can allow things in with
    192.168.1.0/24 which is the same as a network of 192.168.1.0 and a
    subnet mask of 255.255.255.0 (as you already stated). 0/0 means
    0.0.0.0/0 and everything matches that. Conversely 192.168.1.23/32
    matches a single system.

    Good luck.





    swerdna wrote:
    > ab@novell.com;1919648 Wrote:
    >> -----BEGIN PGP SIGNED MESSAGE-----
    >> Hash: SHA1
    >>
    >> swerdna,
    >>
    >> You're exactly right... the maximum number of bits possible, in this
    >> case, would be 32 as that's the number of bits in an entire IP
    >> address
    >> (four octets). For more info on this notation Google for 'CIDR
    >> notation'.
    >>
    >> .........

    > Thanks ab@novell.com, so what do I recommend when advising a mask to
    > let the local LAN through that works always? Is this correct:
    > ip1.ip2.ip3.0/24?
    >
    > And while I'm at it: I see this as an alternative setting in
    > SuSEfirewalls for the Samba connection tracker: 0/0. I took that to mean
    > "the whole world" is that correct?
    >
    > Too many new tricks so early in the year!
    >
    >

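
An added example, not written by any poster in this thread: a short Python check of what the firewall entries discussed above actually match, and of the smallest set of CIDR blocks that admits only a given host range. The function names (`describe`, `is_valid_entry`, `cover_range`, `audit`) and the size limit are hypothetical; the sample addresses are the ones quoted in the thread.

```python
import ipaddress

MAX_AUDIT_SIZE = 65536  # constructed safety limit: audit() enumerates addresses

def describe(entry):
    """What a firewall source entry really matches: (network, first, last, count)."""
    net = ipaddress.ip_network(entry, strict=False)  # host bits are masked off
    return str(net), str(net[0]), str(net[-1]), net.num_addresses

def is_valid_entry(entry):
    """False for masks such as /153 (an IPv4 prefix length is 0..32)."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False

def cover_range(first, last):
    """Fewest CIDR blocks that match first..last inclusive and nothing else."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(b) for b in blocks]

def audit(entries, first, last):
    """Compare entries with the wanted range: (missed hosts, extra hosts admitted)."""
    wanted = set(range(int(ipaddress.IPv4Address(first)),
                       int(ipaddress.IPv4Address(last)) + 1))
    allowed = set()
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses > MAX_AUDIT_SIZE:
            raise ValueError(f"{entry} is too large to enumerate")
        allowed.update(range(int(net[0]), int(net[-1]) + 1))
    to_str = lambda ints: [str(ipaddress.IPv4Address(i)) for i in sorted(ints)]
    return to_str(wanted - allowed), to_str(allowed - wanted)

if __name__ == "__main__":
    for entry in ("192.168.1.0/24", "192.168.1.0/8", "192.168.1.23/32", "0.0.0.0/0"):
        print(entry, "->", describe(entry))
    print("valid /153?", is_valid_entry("192.168.1.0/153"))
    print("151-156 ->", cover_range("192.168.1.151", "192.168.1.156"))
    print(audit(["192.168.1.150/31", "192.168.1.152/30"],
                "192.168.1.151", "192.168.1.156"))
```

Running `audit` on a proposed list before putting it in the firewall shows both the hosts it leaves out and the extra hosts it lets in, which is the least-privilege check that matters when opening Samba ports.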
