Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba

[deano_ferrari]

Yes, machines are within LAN. Switching the interface device on this to home zone in the firewall made no difference. Turning off the firewall is the only way for samba to go out.
Howard

Yes, that won't make a difference if you've allowed the requisite services (as your previous output showed). I can't replicate your issue even with the firewall active (zone public or otherwise). I have no problem resolving netbios names.

[deano_ferrari]

Hi Howard. I stand corrected. After thinking this through further, I realised my router's DNS server function was helping with the name resolution. When I killed DNS on my openSUSE host (by removing /etc/resolv.conf), I then rely only on NetBIOS name resolution, I could no longer ping by name.

I can confirm the same behaviour as you get reflected by attempted lookups....

Code:

# systemctl start firewalld
# nmblookup LINUX-N8NK
name_query failed to find name LINUX-N8NK
# systemctl stop firewalld
# nmblookup LINUX-N8NK
192.168.1.12 LINUX-N8NK<00>
#

I'll need to dig into this further.

[deano_ferrari]

The following Archwiki reference helps...

"Browsing" network fails with "Failed to retrieve share list from server"

And you are using a firewall (iptables) because you do not trust your local (school, university, hotel) network. This may be due to the following: When the smbclient is browsing the local network it sends out a broadcast request on udp port 137. The servers on the network then reply to your client but as the source address of this reply is different from the destination address iptables saw when sending the request for the listing out, iptables will not recognize the reply as being "ESTABLISHED" or "RELATED", and hence the packet is dropped. A possible solution is to add:
iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns

https://wiki.archlinux.org/index.php...from_server.22

If I do this on the fly (with firewall active)...

Code:

iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns

then suddenly,

Code:

~> nmblookup linux-n8nk
192.168.1.12 linux-n8nk<00>

and similarly 'smb://linux-n8nk' works with Dolphin.

[deano_ferrari]

Next, to incorporate this in firewalld.

[deano_ferrari]

The issue described in this thread was also the subject of this Red Hat bug report. Comment #c26 onwards discusses the idea of opening source port 137, but discouraged in favour of connection tracking helpers (as the suggested iptables rule does)....

To allow the source port for samba is a work around that opens a big hole in the firewall.

Because of a kernel change it is needed since kernel 4.7 to use the netfilter conntrack helpers in a different way than before. This also applies to the netbios-ns helper that is used for samba. The support for the now required handling of conntrack helpers has been introduced with firewalld version 0.4.4, but there has been an issue with SELinux as firewalld needs to be able to search for kernel modules and to analyse them.

[deano_ferrari]

Ok, I've found some useful info in 'man firewall-cmd'

Code:

 Automatic Helpers Options
       --get-automatic-helpers
           Print the automatic helpers setting.

       --set-automatic-helpers=value
           For the secure use of iptables and connection tracking helpers it is recommended to turn AutomaticHelpers off. But this might have side effects on other
           services using the netfilter helpers as the sysctl setting in /proc/sys/net/netfilter/nf_conntrack_helper will be changed. With the system setting, the
           default value set in the kernel or with sysctl will be used. Possible values are: yes, no and system. The default value is system.

           This is a runtime and permanent change and will also reload the firewall to be able to make the helpers usable.

Initially, I got

Code:

# cat /proc/sys/net/netfilter/nf_conntrack_helper       
0

After invoking

Code:

# firewall-cmd --set-automatic-helpers=yes
success

the following is reported

Code:

# cat /proc/sys/net/netfilter/nf_conntrack_helper
1

Now, it should be possible for NetBIOS name resolution to work.

BTW, this can also be changed using the graphical 'firewalld-config' utility: Options > Configure Automatic Helper Assignment > Yes

[tsu2]

Yes, machines are within LAN. Switching the interface device on this to home zone in the firewall made no difference. Turning off the firewall is the only way for samba to go out.
Howard

Are you sure you followed all steps required when modifying firewalld?
And, for such a drastic change as changing zones, I'd even suspect that a reboot would be recommended if not required.
I'd also recommend trying the other 2 zones I suggested as well although I'd be surprised that the "home" zone wasn't sufficient.

TSU

[crmrhm]

BTW, this can also be changed using the graphical 'firewalld-config' utility: Options > Configure Automatic Helper Assignment > Yes

Outstanding. I had just found the Archwiki reference you mention above, but you went much further.

I made the change with the 'firewalld-config' utility, and Dolphin now navigates around the network correctly. I put the device back in the external zone since this laptop roams and connects to networks other than my home one. No reboot needed.

Thanks for all the research and guidance on this. Very helpful. Problem solved.

Best regards,
Howard

[deano_ferrari]

Outstanding. I had just found the Archwiki reference you mention above, but you went much further.

I made the change with the 'firewalld-config' utility, and Dolphin now navigates around the network correctly. I put the device back in the external zone since this laptop roams and connects to networks other than my home one. No reboot needed.

Thanks for all the research and guidance on this. Very helpful. Problem solved.

Best regards,
Howard

Glad to have been of help with this.

[soundlord]

Good job guys ^^

It works ^^

I really need to read documentation about firewalld...