Allowing Broadcast Replies in Samba for releases 10.x

Hi
In SuSEfirewall2 it’s normal to open UDP 137 & 138 and TCP 139 & 445 to allow Samba communications. These are done in versions 10.x and 11.0 on the following lines in the file /etc/sysconfig/SuSEfirewall2:
FW_ALLOW_FW_BROADCASTS_EXT (udp), FW_SERVICES_EXT_UDP (udp) and FW_SERVICES_EXT_TCP (tcp). But provision must also be made for Broadcast replies.

There’s a connection tracking engine for openSUSE 11.x which is used to permit Samba Broadcast replies through the firewall.

That doesn’t exist for all the 10.x releases, so Broadcast replies are done another way. Some simply open incoming Highports (all 64000+ of them), which seems to be a bad security risk. Others open a “Trusted Network” for the LAN, e.g. 192.168.1.0/24. That’s about as bad a security risk as opening Highports.

In 10.x Suse the firewall simply won’t perform unless some provision is made for Broadcast Replies. I do it by way of a variation on the “Trusted Network” theme. I enter a network range, service (UDP) and port range from the Highports.

I do this in Yast → System → /etc/sysconfig Editor → Network → Firewall → SuseFirewall2 → + (expand). Then I locate the line FW_TRUSTED_NETS and make an entry like this for UDP in the Highports on IP addresses for my LAN. Then Samba works for me. Not many use this (if any) and I wonder what they do use.
Here are some examples of entries that work for me; there are in fact unlimited options:

192.168.2.0/24,udp,1024
192.168.2.0/24,udp,56981
192.168.2.0/24,udp,44000:44010

Here’s a screenshot example:

http://www.swerdna.net.au/forumpics/wall3.png

This is pretty good security, all things considered, compared to other options for allowing samba. And it works when I pick one port anywhere in the Highports or a port range of any size.
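As an added illustration (not part of the original post), here is a small shell audit that parses FW_TRUSTED_NETS entries in the net,proto,port[:port] form shown above and reports how many ports each one opens, so a single-port or small-range Samba entry can be told apart from an all-Highports or whole-network one. The sample FW_TRUSTED_NETS value is constructed, and the entry format is assumed from the examples above.

```shell
#!/bin/sh
# Added example, not from the original post or from SuSEfirewall2 itself.
# Reports how many ports each FW_TRUSTED_NETS entry opens.

# Constructed sample value in the "net[,proto[,port[:port]]]" form assumed
# from the entries shown in the post (entries are space separated).
FW_TRUSTED_NETS="192.168.2.0/24,udp,1024 192.168.2.0/24,udp,44000:44010 192.168.2.0/24,udp,1024:65535 192.168.1.0/24"

# ports_opened ENTRY
# Prints the number of ports the entry opens: 1 for a single port,
# (hi - lo + 1) for a range, 65535 when no port is given at all.
ports_opened() {
    entry=$1
    net=${entry%%,*}                    # first field: network
    rest=${entry#"$net"}; rest=${rest#,} # drop network and its comma
    proto=${rest%%,*}                   # second field: protocol (may be empty)
    port=${rest#"$proto"}; port=${port#,} # third field: port or lo:hi (may be empty)
    if [ -z "$port" ]; then
        echo 65535
        return
    fi
    case $port in
        *:*) lo=${port%%:*}; hi=${port#*:}; echo $((hi - lo + 1)) ;;
        *)   echo 1 ;;
    esac
}

# classify ENTRY
# Prints "narrow" (64 ports or fewer), "wide" (more than 64 but not every
# port) or "all-ports" (no port restriction). The 64-port cut-off is an
# arbitrary threshold chosen for this example.
classify() {
    n=$(ports_opened "$1")
    if [ "$n" -ge 65535 ]; then echo all-ports
    elif [ "$n" -gt 64 ]; then echo wide
    else echo narrow
    fi
}

# audit: one line per entry with its port count and classification.
audit() {
    for e in $FW_TRUSTED_NETS; do
        printf '%-32s %6s ports  %s\n' "$e" "$(ports_opened "$e")" "$(classify "$e")"
    done
}

audit
```

The third sample entry (1024:65535) is the “open all Highports” case and is flagged as wide, while the bare network entry opens every port and protocol.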

I become puzzled at this point, CPU overloaded, storage full, wondering what this all means physically, bewildered. That leads to these two questions: Q1: do I need a range of ports or will one do for all Samba connections? Q2: Can I just pick any place in the highports as I have been doing? (so far my computer hasn’t imploded).

Thanks
Swerdna