Page 2 of 3
Results 11 to 20 of 21

Thread: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba

  1. #11
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,592
    Blog Entries
    1

    Default Re: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba

    Quote Originally Posted by crmrhm View Post
    Yes, machines are within LAN. Switching the interface device on this to home zone in the firewall made no difference. Turning off the firewall is the only way for samba to go out.
    Howard
    Yes, that won't make a difference if you've allowed the requisite services (as your previous output showed). I can't replicate your issue even with the firewall active (zone public or otherwise). I have no problem resolving netbios names.
    openSUSE Leap 15.1; KDE Plasma 5

  2. #12
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,592
    Blog Entries
    1

    Default Re: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba

    Hi Howard. I stand corrected. After thinking this through further, I realised my router's DNS server function was helping with the name resolution. When I killed DNS on my openSUSE host (by removing /etc/resolv.conf), so that I relied only on NetBIOS name resolution, I could no longer ping by name.

    I can confirm the same behaviour as you get reflected by attempted lookups....

    Code:
    # systemctl start firewalld
    # nmblookup LINUX-N8NK
    name_query failed to find name LINUX-N8NK
    # systemctl stop firewalld
    # nmblookup LINUX-N8NK
    192.168.1.12 LINUX-N8NK<00>
    #
    I'll need to dig into this further.
    Last edited by deano_ferrari; 16-Jun-2018 at 22:11.
    openSUSE Leap 15.1; KDE Plasma 5

  3. #13
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,592
    Blog Entries
    1

    Default Re: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba

    The following Archwiki reference helps...

    "Browsing" network fails with "Failed to retrieve share list from server"

    And you are using a firewall (iptables) because you do not trust your local (school, university, hotel) network. This may be due to the following: When the smbclient is browsing the local network it sends out a broadcast request on udp port 137. The servers on the network then reply to your client but as the source address of this reply is different from the destination address iptables saw when sending the request for the listing out, iptables will not recognize the reply as being "ESTABLISHED" or "RELATED", and hence the packet is dropped. A possible solution is to add:
    iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
    https://wiki.archlinux.org/index.php...from_server.22

    If I do this on the fly (with firewall active)...
    Code:
    iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
    then suddenly,
    Code:
    ~> nmblookup linux-n8nk
    192.168.1.12 linux-n8nk<00>
    and similarly 'smb://linux-n8nk' works with Dolphin.
    openSUSE Leap 15.1; KDE Plasma 5

  4. #14
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,592
    Blog Entries
    1

    Default Re: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba

    Next, to incorporate this in firewalld.
    openSUSE Leap 15.1; KDE Plasma 5

  5. #15
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,592
    Blog Entries
    1

    Default Re: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba

    The issue described in this thread was also the subject of this Red Hat bug report. Comment #c26 onwards discusses the idea of opening source port 137, but this is discouraged in favour of connection tracking helpers (as the suggested iptables rule does)....
    To allow the source port for samba is a work around that opens a big hole in the firewall.

    Because of a kernel change it is needed since kernel 4.7 to use the netfilter conntrack helpers in a different way than before. This also applies to the netbios-ns helper that is used for samba. The support for the now required handling of conntrack helpers has been introduced with firewalld version 0.4.4, but there has been an issue with SELinux as firewalld needs to be able to search for kernel modules and to analyse them.
    openSUSE Leap 15.1; KDE Plasma 5

  6. #16
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,592
    Blog Entries
    1

    Default Re: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba

    Ok, I've found some useful info in 'man firewall-cmd'
    Code:
     Automatic Helpers Options
           --get-automatic-helpers
               Print the automatic helpers setting.
    
           --set-automatic-helpers=value
               For the secure use of iptables and connection tracking helpers it is recommended to turn AutomaticHelpers off. But this might have side effects on other
               services using the netfilter helpers as the sysctl setting in /proc/sys/net/netfilter/nf_conntrack_helper will be changed. With the system setting, the
               default value set in the kernel or with sysctl will be used. Possible values are: yes, no and system. The default value is system.
    
               This is a runtime and permanent change and will also reload the firewall to be able to make the helpers usable.
    Initially, I got
    Code:
    # cat /proc/sys/net/netfilter/nf_conntrack_helper       
    0
    After invoking
    Code:
    # firewall-cmd --set-automatic-helpers=yes
    success
    the following is reported
    Code:
    # cat /proc/sys/net/netfilter/nf_conntrack_helper
    1
    Now, it should be possible for NetBIOS name resolution to work.

    BTW, this can also be changed using the graphical 'firewalld-config' utility: Options > Configure Automatic Helper Assignment > Yes
    openSUSE Leap 15.1; KDE Plasma 5
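
The following is an added example, not part of any post in the thread: a small audit script that reports which of the two approaches discussed above is in effect on a host, the per-port CT rule from post #13 or the global automatic-helper sysctl from post #16, which the quoted man page recommends leaving off. The function names, the `--live` switch and the sample dump are constructed for illustration, and the live check assumes the iptables backend.

```shell
#!/bin/sh
# Added example: classify how the netbios-ns conntrack helper is assigned.

# Constructed sample of `iptables-save -t raw` output containing the
# rule quoted in post #13.
SAMPLE_RAW='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
COMMIT'

# has_explicit_helper: reads a raw-table dump on stdin and succeeds if a
# CT rule pins the netbios-ns helper to UDP destination port 137.
has_explicit_helper() {
    grep -Eq -- '^-A (OUTPUT|PREROUTING).* -p udp .*--dport 137 .*-j CT .*--helper netbios-ns'
}

# helper_mode AUTO_VALUE RAW_DUMP
#   AUTO_VALUE: contents of /proc/sys/net/netfilter/nf_conntrack_helper
#   RAW_DUMP:   text of the raw table as printed by iptables-save
# Prints one of:
#   explicit   helper scoped to port 137 only (narrowest option)
#   automatic  helpers attached globally by the kernel setting
#   both       scoped rule present, global setting also on
#   none       replies to the broadcast query will not be tracked
helper_mode() {
    auto=$1 raw=$2
    explicit=no
    if printf '%s\n' "$raw" | has_explicit_helper; then explicit=yes; fi
    case "$auto:$explicit" in
        1:yes) echo both ;;
        1:no)  echo automatic ;;
        *:yes) echo explicit ;;
        *)     echo none ;;
    esac
}

# Live check (run as root): a missing sysctl file is treated as "off".
if [ "${1:-}" = "--live" ]; then
    auto=$(cat /proc/sys/net/netfilter/nf_conntrack_helper 2>/dev/null || echo 0)
    helper_mode "$auto" "$(iptables-save -t raw 2>/dev/null)"
fi
```

A result of `automatic` or `both` means every conntrack helper the kernel has loaded is being attached automatically, not just netbios-ns.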

  7. #17
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,411
    Blog Entries
    2

    Default Re: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba

    Quote Originally Posted by crmrhm View Post
    Yes, machines are within LAN. Switching the interface device on this to home zone in the firewall made no difference. Turning off the firewall is the only way for samba to go out.
    Howard
    Are you sure you followed all steps required when modifying firewalld?
    And, for such a drastic change as changing zones, I'd even suspect that a reboot would be recommended if not required.
    I'd also recommend trying the other 2 zones I suggested as well although I'd be surprised that the "home" zone wasn't sufficient.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  8. #18
    Join Date
    Aug 2008
    Location
    San Francisco
    Posts
    400

    Default Re: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba

    Quote Originally Posted by deano_ferrari View Post
    BTW, this can also be changed using the graphical 'firewalld-config' utility: Options > Configure Automatic Helper Assignment > Yes
    Outstanding. I had just found the Archwiki reference you mention above, but you went much further.

    I made the change with the 'firewalld-config' utility, and Dolphin now navigates around the network correctly. I put the device back in the external zone since this laptop roams and connects to networks other than my home one. No reboot needed.

    Thanks for all the research and guidance on this. Very helpful. Problem solved.

    Best regards,
    Howard

  9. #19
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,592
    Blog Entries
    1

    Default Re: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba

    Quote Originally Posted by crmrhm View Post
    Outstanding. I had just found the Archwiki reference you mention above, but you went much further.

    I made the change with the 'firewalld-config' utility, and Dolphin now navigates around the network correctly. I put the device back in the external zone since this laptop roams and connects to networks other than my home one. No reboot needed.

    Thanks for all the research and guidance on this. Very helpful. Problem solved.

    Best regards,
    Howard
    Glad to have been of help with this.
    openSUSE Leap 15.1; KDE Plasma 5

  10. #20
    Join Date
    May 2009
    Location
    Liège Walifornia
    Posts
    393

    Default Re: Configure Samba for a Workgroup in the local LAN - Leap 15 firewall blocks outgoing samba

    Good job guys ^^

    It works ^^

    I really need to read documentation about firewalld...
