Re: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba
 Originally Posted by crmrhm
Yes, machines are within LAN. Switching the interface device on this to home zone in the firewall made no difference. Turning off the firewall is the only way for samba to go out.
Howard
Yes, that won't make a difference if you've allowed the requisite services (as your previous output showed). I can't replicate your issue even with the firewall active (zone public or otherwise). I have no problem resolving netbios names.
openSUSE Leap 15.2; KDE Plasma 5
-
Re: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba
Hi Howard. I stand corrected. After thinking this through further, I realised my router's DNS server function was helping with the name resolution. When I killed DNS on my openSUSE host (by removing /etc/resolv.conf) and relied only on NetBIOS name resolution, I could no longer ping by name.
I can confirm the same behaviour as you get, reflected by attempted lookups...
Code:
# systemctl start firewalld
# nmblookup LINUX-N8NK
name_query failed to find name LINUX-N8NK
# systemctl stop firewalld
# nmblookup LINUX-N8NK
192.168.1.12 LINUX-N8NK<00>
#
I'll need to dig into this further.
Last edited by deano_ferrari; 16-Jun-2018 at 22:11.
openSUSE Leap 15.2; KDE Plasma 5
-
Re: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba
The following Archwiki reference helps...
"Browsing" network fails with "Failed to retrieve share list from server"
And you are using a firewall (iptables) because you do not trust your local (school, university, hotel) network. This may be due to the following: When the smbclient is browsing the local network it sends out a broadcast request on udp port 137. The servers on the network then reply to your client but as the source address of this reply is different from the destination address iptables saw when sending the request for the listing out, iptables will not recognize the reply as being "ESTABLISHED" or "RELATED", and hence the packet is dropped. A possible solution is to add:
iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
https://wiki.archlinux.org/index.php...from_server.22
If I do this on the fly (with firewall active)...
Code:
iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
then suddenly,
Code:
~> nmblookup linux-n8nk
192.168.1.12 linux-n8nk<00>
and similarly 'smb://linux-n8nk' works with Dolphin.
openSUSE Leap 15.2; KDE Plasma 5
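Added example, not part of the original post: a simplified Python model of the state matching the Archwiki passage describes, showing why the answer to a broadcast query on UDP 137 is classified as NEW without the netbios-ns helper and RELATED with it. The class and function names, the client address 192.168.1.10, the source port and the length of the expectation window are assumptions made for the model; it is not kernel code.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    time: float = 0.0

class ConntrackModel:
    """Simplified model of UDP state matching, not the kernel's code."""

    def __init__(self, subnet, helper_enabled, expect_window=3.0):
        self.subnet = ipaddress.ip_network(subnet)
        self.helper_enabled = helper_enabled
        self.expect_window = expect_window  # seconds; value chosen for the model
        self.flows = set()       # tuples a direct reply would carry
        self.expectations = []   # (local_ip, local_port, remote_port, expires)

    def send(self, pkt):
        # A direct reply must come back FROM the address the request went TO.
        self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        broadcast = ipaddress.ip_address(pkt.dst) == self.subnet.broadcast_address
        if self.helper_enabled and pkt.dport == 137 and broadcast:
            # Helper: expect answers from any host in the subnet, source port
            # 137, addressed to the querying socket, for a short window.
            self.expectations.append(
                (pkt.src, pkt.sport, 137, pkt.time + self.expect_window))

    def classify(self, pkt):
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows:
            return "ESTABLISHED"
        for local_ip, local_port, remote_port, expires in self.expectations:
            if ((pkt.dst, pkt.dport, pkt.sport) == (local_ip, local_port, remote_port)
                    and ipaddress.ip_address(pkt.src) in self.subnet
                    and pkt.time <= expires):
                return "RELATED"
        return "NEW"  # dropped when inbound rules accept only ESTABLISHED,RELATED

def lookup_verdicts(helper_enabled):
    ct = ConntrackModel("192.168.1.0/24", helper_enabled)
    ct.send(Packet("192.168.1.10", 40000, "192.168.1.255", 137))  # constructed client
    answers = [Packet("192.168.1.12", 137, "192.168.1.10", 40000, time=0.1),  # in time
               Packet("192.168.1.12", 137, "192.168.1.10", 40000, time=10.0),  # too late
               Packet("203.0.113.5", 137, "192.168.1.10", 40000, time=0.1)]  # off-subnet
    return [ct.classify(p) for p in answers]

if __name__ == "__main__":
    print(lookup_verdicts(False), lookup_verdicts(True))
```

In the model the helper admits only answers from the local subnet, from source port 137, to the socket that sent the query, and only for a limited time, which is a much narrower opening than accepting all traffic with source port 137.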
-
Re: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba
Next, to incorporate this in firewalld.
openSUSE Leap 15.2; KDE Plasma 5
-
Re: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba
The issue described in this thread was also the subject of this Red Hat bug report. Comment #c26 onwards discusses the idea of opening source port 137, but this is discouraged in favour of connection tracking helpers (as the suggested iptables rule does)...
To allow the source port for samba is a work around that opens a big hole in the firewall.
Because of a kernel change it is needed since kernel 4.7 to use the netfilter conntrack helpers in a different way than before. This also applies to the netbios-ns helper that is used for samba. The support for the now required handling of conntrack helpers has been introduced with firewalld version 0.4.4, but there has been an issue with SELinux as firewalld needs to be able to search for kernel modules and to analyse them.
openSUSE Leap 15.2; KDE Plasma 5
-
Re: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba
Ok, I've found some useful info in 'man firewall-cmd'
Code:
Automatic Helpers Options
    --get-automatic-helpers
        Print the automatic helpers setting.
    --set-automatic-helpers=value
        For the secure use of iptables and connection tracking helpers it is recommended to turn AutomaticHelpers off. But this might have side effects on other services using the netfilter helpers as the sysctl setting in /proc/sys/net/netfilter/nf_conntrack_helper will be changed. With the system setting, the default value set in the kernel or with sysctl will be used. Possible values are: yes, no and system. The default value is system.
        This is a runtime and permanent change and will also reload the firewall to be able to make the helpers usable.
Initially, I got
Code:
# cat /proc/sys/net/netfilter/nf_conntrack_helper
0
After invoking
Code:
# firewall-cmd --set-automatic-helpers=yes
success
the following is reported
Code:
# cat /proc/sys/net/netfilter/nf_conntrack_helper
1
Now, it should be possible for NetBIOS name resolution to work. 
BTW, this can also be changed using the graphical 'firewalld-config' utility: Options > Configure Automatic Helper Assignment > Yes
openSUSE Leap 15.2; KDE Plasma 5
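Added example, not part of the original post: a Python check that tells apart the two ways of making the lookup work that appear in this thread, the global automatic helper setting (which the man page excerpt recommends turning off for secure use) and the explicit netbios-ns rule in the raw table. The function names and the sample ruleset are constructed for illustration, and the check assumes the rules are visible in `iptables-save` output.

```python
import shlex

# Constructed `iptables-save` output containing the rule quoted in this thread.
SAMPLE_RULESET = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def explicit_helper_rules(ruleset, helper="netbios-ns", port="137"):
    """Return raw-table rules that attach `helper` to UDP traffic for `port`."""
    rules, table = [], None
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]                  # start of a table section
        elif table == "raw" and line.startswith("-A "):
            tok = shlex.split(line)
            if "!" in tok:                    # negated matches are not counted
                continue
            opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1)
                    if tok[i].startswith("-")}
            if (opts.get("-j") == "CT" and opts.get("--helper") == helper
                    and opts.get("-p") == "udp" and opts.get("--dport") == port):
                rules.append(line)
    return rules

def helper_mode(sysctl_value, ruleset):
    """Classify a host from nf_conntrack_helper and its iptables-save text."""
    if sysctl_value.strip() == "1":
        return "automatic"   # helpers are assigned automatically, system-wide
    if explicit_helper_rules(ruleset):
        return "explicit"    # only netbios-ns on udp/137 is assigned
    return "none"            # broadcast answers are not RELATED; lookup fails

if __name__ == "__main__":
    print(helper_mode("0\n", SAMPLE_RULESET))
```

On a live host the two inputs are the contents of /proc/sys/net/netfilter/nf_conntrack_helper and the output of `iptables-save -t raw`.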
-
Re: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba
 Originally Posted by crmrhm
Yes, machines are within LAN. Switching the interface device on this to home zone in the firewall made no difference. Turning off the firewall is the only way for samba to go out.
Howard
Are you sure you followed all steps required when modifying firewalld?
And, for such a drastic change as changing zones, I'd even suspect that a reboot would be recommended if not required.
I'd also recommend trying the other 2 zones I suggested as well although I'd be surprised that the "home" zone wasn't sufficient.
TSU
Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
Solved a problem recently? Create a wiki page for future personal reference!
Learn something new?
Attended a computing event?
Post and Share!
-
Re: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba
 Originally Posted by deano_ferrari
BTW, this can also be changed using the graphical 'firewalld-config' utility: Options > Configure Automatic Helper Assignment > Yes
Outstanding. I had just found the Archwiki reference you mention above, but you went much further.
I made the change with the 'firewalld-config' utility, and Dolphin now navigates around the network correctly. I put the device back in the external zone since this laptop roams and connects to networks other than my home one. No reboot needed.
Thanks for all the research and guidance on this. Very helpful. Problem solved.
Best regards,
Howard
-
Re: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba
 Originally Posted by crmrhm
Outstanding. I had just found the Archwiki reference you mention above, but you went much further.
I made the change with the 'firewalld-config' utility, and Dolphin now navigates around the network correctly. I put the device back in the external zone since this laptop roams and connects to networks other than my home one. No reboot needed.
Thanks for all the research and guidance on this. Very helpful. Problem solved.
Best regards,
Howard
Glad to have been of help with this.
openSUSE Leap 15.2; KDE Plasma 5
-
Re: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba
Good job guys ^^
It works ^^
I really need to read documentation about firewalld...