firewall is blocking samba--what am I missing?

I have 2 machines running 11.4 and one running 12.1 on my LAN. The firewall prevents browsing both to and from the two machines running 11.4 (including the preferred master) but none of the 3 firewalls interferes with the 12.1 machine.

Here is smb.conf for the preferred master:

bay@linux-enod:~> cat /etc/samba/smb.conf
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2010-09-15
[global]
	workgroup = JADEWORKGROUP
	netbios name = linux-enod
	name resolve order = bcast host lmhosts wins
	local master = yes
	preferred master = yes
	os level = 65
	passdb backend = tdbsam
	printing = cups
	printcap name = cups
	printcap cache time = 750
	cups options = raw
	load printers = yes
	use client driver = yes
	map to guest = Bad User
	logon path = \\%L\profiles\.msprofile
	logon home = \\%L\%U\.9xprofile
	logon drive = P:
	usershare allow guests = Yes
	usershare owner only = False
	wins support = No
	usershare max shares = 100

[homes]
	comment = Home Directories
	browseable = Yes
	read only = No
	inherit acls = Yes
	valid users = %S, %D%w%S

## Share disabled by YaST
# [profiles]
#	comment = Network Profiles Service
#	path = %H
#	read only = No
#	store dos attributes = Yes
#	create mask = 0600
#	directory mask = 0700

[users]
	comment = All users
	path = /home
	read only = no
	inherit acls = Yes
	veto files = /aquota.user/groups/shares/
	
## Share disabled by YaST
# [groups]
#	comment = All groups
#	path = /home/groups
#	read only = No
#	inherit acls = Yes
[printers]
	comment = All Printers
	path = /var/tmp
	printable = Yes
	create mask = 0700
	guest ok = Yes
	browseable = No
[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	write list = @ntadmin root
	force group = ntadmin
	create mask = 0664
	directory mask = 0775

rcnmb and rcsmb are running

bay@linux-enod:~> su -c "rcnmb status; rcsmb status"
Password: 
Checking for Samba NMB daemon                                                             running
Checking for Samba SMB daemon                                                             running

I think I have the firewall configured correctly

bay@linux-enod:~> cat /etc/sysconfig/SuSEfirewall2 | egrep "DEV_EXT=|FW_CONFIGURATIONS_EXT="
FW_DEV_EXT="any eth0"
FW_CONFIGURATIONS_EXT="hplip netbios-server samba-client samba-server"

I have toggled usr.sbin.smbd and usr.sbin.nmbd to complain in apparmor

But here is the difference for smbtree when the firewall is off:

bay@linux-enod:~> smbtree -N
JADEWORKGROUP
	\\LINUX-J8SR     		Samba 3.6.1-34.3.1-2691-SUSE-SL12.1-i386
		\\LINUX-J8SR\homes          	Home Directories
		\\LINUX-J8SR\users          	All users
		\\LINUX-J8SR\print$         	Printer Drivers
		\\LINUX-J8SR\IPC$           	IPC Service (Samba 3.6.1-34.3.1-2691-SUSE-SL12.1-i386)
	\\LINUX-ENOD     		Samba 3.5.7-3.5.1-2573-SUSE-SL11.4-i386
		\\LINUX-ENOD\music          	
		\\LINUX-ENOD\CUPS-PDF       	CUPS-PDF
		\\LINUX-ENOD\HP-LaserJet-P1006	Hewlett-Packard HP LaserJet P1006
		\\LINUX-ENOD\HP_Laserjet_3200	HP_Laserjet_3200
		\\LINUX-ENOD\HP_Laserjet_3200_fax	HP_Laserjet_3200_fax
		\\LINUX-ENOD\homes          	Home Directories
		\\LINUX-ENOD\users          	All users
		\\LINUX-ENOD\print$         	Printer Drivers
		\\LINUX-ENOD\IPC$           	IPC Service (Samba 3.5.7-3.5.1-2573-SUSE-SL11.4-i386)
	\\LINUX-CPLD     		Samba 3.5.7-3.5.1-2573-SUSE-SL11.4-i386
		\\LINUX-CPLD\CUPS-PDF       	CUPS-PDF
		\\LINUX-CPLD\HP-LaserJet-P1006	Hewlett-Packard HP LaserJet P1006
		\\LINUX-CPLD\HP_Laserjet_3200	HP_Laserjet_3200
		\\LINUX-CPLD\HP_Laserjet_3200_fax	HP_Laserjet_3200_fax
		\\LINUX-CPLD\hplaserjet3200 	HP LaserJet 3200m Postscript (recommended)
		\\LINUX-CPLD\homes          	Home Directories
		\\LINUX-CPLD\users          	All users
		\\LINUX-CPLD\print$         	Printer Drivers
		\\LINUX-CPLD\IPC$           	IPC Service (Samba 3.5.7-3.5.1-2573-SUSE-SL11.4-i386)

and on

bay@linux-enod:~> smbtree -N
JADEWORKGROUP
	\\LINUX-J8SR     		Samba 3.6.1-34.3.1-2691-SUSE-SL12.1-i386
cli_start_connection: failed to connect to LINUX-J8SR<20> (0.0.0.0). Error NT_STATUS_BAD_NETWORK_NAME
	\\LINUX-ENOD     		Samba 3.5.7-3.5.1-2573-SUSE-SL11.4-i386
		\\LINUX-ENOD\music          	
		\\LINUX-ENOD\CUPS-PDF       	CUPS-PDF
		\\LINUX-ENOD\HP-LaserJet-P1006	Hewlett-Packard HP LaserJet P1006
		\\LINUX-ENOD\HP_Laserjet_3200	HP_Laserjet_3200
		\\LINUX-ENOD\HP_Laserjet_3200_fax	HP_Laserjet_3200_fax
		\\LINUX-ENOD\homes          	Home Directories
		\\LINUX-ENOD\users          	All users
		\\LINUX-ENOD\print$         	Printer Drivers
		\\LINUX-ENOD\IPC$           	IPC Service (Samba 3.5.7-3.5.1-2573-SUSE-SL11.4-i386)
	\\LINUX-CPLD     		Samba 3.5.7-3.5.1-2573-SUSE-SL11.4-i386
cli_start_connection: failed to connect to LINUX-CPLD<20> (0.0.0.0). Error NT_STATUS_BAD_NETWORK_NAME

I’ve enabled messages in the firewall and here’s what happens after running the last command.

bay@linux-enod:~> cat /var/log/messages
Nov 23 14:45:02 linux-enod rsyslogd: [origin software="rsyslogd" swVersion="5.6.5" x-pid="3784" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Nov 23 14:45:25 linux-enod dhclient: send_packet6: Network is unreachable
Nov 23 14:45:25 linux-enod dhclient: dhc6: send_packet6() sent -1 of 54 bytes
Nov 23 14:47:13 linux-enod dhclient: send_packet6: Network is unreachable
Nov 23 14:47:13 linux-enod dhclient: dhc6: send_packet6() sent -1 of 54 bytes
Nov 23 14:48:49 linux-enod su: The gnome keyring socket is not owned with the same credentials as the user login: /tmp/keyring-1JSK2b/control
Nov 23 14:48:49 linux-enod su: gkr-pam: couldn't unlock the login keyring.
Nov 23 14:48:49 linux-enod su: (to root) bay on /dev/pts/1
Nov 23 14:49:23 linux-enod dhclient: send_packet6: Network is unreachable
Nov 23 14:49:23 linux-enod dhclient: dhc6: send_packet6() sent -1 of 54 bytes
Nov 23 14:51:21 linux-enod dhclient: send_packet6: Network is unreachable
Nov 23 14:51:21 linux-enod dhclient: dhc6: send_packet6() sent -1 of 54 bytes
Nov 23 14:53:21 linux-enod dhclient: send_packet6: Network is unreachable
Nov 23 14:53:21 linux-enod dhclient: dhc6: send_packet6() sent -1 of 54 bytes
Nov 23 14:55:01 linux-enod SuSEfirewall2: Firewall rules unloaded.
Nov 23 14:55:19 linux-enod dhclient: send_packet6: Network is unreachable
Nov 23 14:55:19 linux-enod dhclient: dhc6: send_packet6() sent -1 of 54 bytes
Nov 23 14:57:17 linux-enod SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Nov 23 14:57:17 linux-enod SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
Nov 23 14:57:17 linux-enod SuSEfirewall2: Error: ip6tables-batch failed, re-running using ip6tables
Nov 23 14:57:18 linux-enod SuSEfirewall2: Firewall rules successfully set
Nov 23 14:57:22 linux-enod SuSEfirewall2: Firewall rules unloaded.
Nov 23 14:57:23 linux-enod SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Nov 23 14:57:23 linux-enod SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
Nov 23 14:57:23 linux-enod SuSEfirewall2: Error: ip6tables-batch failed, re-running using ip6tables
Nov 23 14:57:23 linux-enod SuSEfirewall2: Firewall rules successfully set
Nov 23 14:57:27 linux-enod dhclient: send_packet6: Network is unreachable
Nov 23 14:57:27 linux-enod dhclient: dhc6: send_packet6() sent -1 of 54 bytes

Starting with Swerdna’s tutorials, I’ve tried to read everything I could but have run out of ideas–any help on how to get this network sharing to work with the firewall enabled?

Many thanks.

I think I would comment out or remove the following entries

    use client driver = yes
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:

I would use this on the computer I want to be the browser master, which is the one that is on the most:

    preferred master = Auto
    local master = Yes
    domain master = No

Put this in the other two:

    preferred master = Auto
    local master = No
    domain master = No

Make these changes, restart the Master Browser first and, after a minute or so, restart the other two. You can also just stop & start the smb/nmb service in YaST / System / Run Level or do the same if you use SWAT, but a PC restart is easy to do as well. After a few minutes, see what you get then with the Firewall on.

Thank You,

@Maresuke

I recommend that you do not make the first set of changes suggested by James, except perhaps to comment out these lines, and only these lines:

	logon path = \\%L\profiles\.msprofile
	logon home = \\%L\%U\.9xprofile
	logon drive = P:

It is correctly configured as a preferred master.

But there can be only one preferred master in a LAN, so the others should be configured slightly differently as James said, and maybe like this:

preferred master = no
local master = yes

I have found a problem for Samba related to the package systemd. Please run this command and return the results:

zypper se sysvinit-init systemd-sysvinit

On 11/23/2011 4:36 PM, jdmcdaniel3 wrote:
>
<snip>
>
>
> Make these changes, Restart the Master Browser first and after a minute
> or so, restart the other two. You can also just stop& start the smb/nmb
> service in YaST / System / Run Level or do the same if you use SWAT, but
> a PC restart is easy to do as well. After a few minutes, see what you
> get then with the Firewall on.
>
> Thank You,
>
>

Just for the record to restart the services, open a terminal window and
enter:


su
rcsmb restart
rcnmb restart
exit


P.V.
“We’re all in this together, I’m pulling for you” Red Green

Thank you all for looking at this.

I commented out the three logon lines in all three smb.conf files and added “preferred master = no” to the applicable 2. I don’t think they are the issue, but for completeness the 12.1 machine’s smb.conf is:


# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2011-03-01
[global]
	workgroup = JADEWORKGROUP
	netbios name = linux-j8sr
	name resolve order = bcast host lmhosts wins
	local master = yes
	preferred master = no
	os level = 33
	passdb backend = tdbsam
	printing = cups
	printcap name = cups
	printcap cache time = 750
	cups options = raw
	load printers = yes
	use client driver = yes
	map to guest = Bad User
#	logon path = \\%L\profiles\.msprofile
#	logon home = \\%L\%U\.9xprofile
#	logon drive = P:
	usershare allow guests = Yes
	usershare max shares = 100
	usershare owner only = False
	wins support = No
[homes]
	comment = Home Directories
	valid users = %S, %D%w%S
	browseable = Yes
	read only = No
	inherit acls = Yes

# [profiles]
#	comment = Network Profiles Service
#	path = %H
#	read only = No
#	store dos attributes = Yes
#	create mask = 0600
#	directory mask = 0700

[users]
	comment = All users
	path = /home
	read only = No
	inherit acls = Yes
	veto files = /aquota.user/groups/shares/
	
# [groups]
#	comment = All groups
#	path = /home/groups
#	read only = No
#	inherit acls = Yes
[printers]
	comment = All Printers
	path = /var/tmp
	printable = Yes
	create mask = 0600
	browseable = No
[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	write list = @ntadmin root
	force group = ntadmin
	create mask = 0664
	directory mask = 0775

and the other 11.4 machine’s smb.conf is:

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2010-09-15
[global]
	workgroup = JADEWORKGROUP
	netbios name = linux-cpld
	name resolve order = bcast host lmhosts wins
	local master = yes
	preferred master = no
	os level = 35
	passdb backend = tdbsam
	printing = cups
	printcap name = cups
	printcap cache time = 750
	cups options = raw
	load printers = yes
	use client driver = yes
	map to guest = Bad User
#	logon path = \\%L\profiles\.msprofile
#	logon home = \\%L\%U\.9xprofile
#	logon drive = P:
	usershare allow guests = Yes
	usershare max shares = 100
	usershare owner only = False
	
[homes]
	comment = Home Directories
	browseable = Yes
	read only = No
	inherit acls = Yes
	valid users = %S, %D%w%S

## Share disabled by YaST
# [profiles]
#	comment = Network Profiles Service
#	path = %H
#	read only = No
#	store dos attributes = Yes
#	create mask = 0600
#	directory mask = 0700

[users]
	comment = All users
	path = /home/tamami
	read only = No
	force user = bay
	inherit acls = Yes
	veto files = /aquota.user/groups/shares/
	valid users = bay tamami
## Share disabled by YaST
# [groups]
#	comment = All groups
#	path = /home/groups
#	read only = No
#	inherit acls = Yes
[printers]
	comment = All Printers
	path = /var/tmp
	printable = Yes
	create mask = 0600
	guest ok = Yes
	browseable = No
[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	write list = @ntadmin root
	force group = ntadmin
	create mask = 0664
	directory mask = 0775

After making those changes I restarted rcnmb and rcsmb on all 3 machines, enabled the firewall on the preferred master and then tried to browse from the preferred master to the others but could not do so. (I also got the same result as above for smbtree). I still can browse to the other two from the 12 machine.

Here’s the systemd command:

linux-enod:~ # zypper se sysvinit-init systemd-sysvinit
Loading repository data...
Reading installed packages...

S | Name             | Summary             | Type   
--+------------------+---------------------+--------
  | systemd-sysvinit | System V init tools | package

I notice that running this on the 12 machine gives a second line with sysvinit-init information–is this the problem?

I think it is likely irrelevant since the 12 machine, linux-j8sr, is the one that is working, but one anomaly I noticed is that in restarting rcnmb and rcsmb on this machine instead of getting messages about shutting down and starting up, as on the other two machines, I get “redirecting to systemctl”.

Thanks again.

I notice that running this on the 12 machine gives a second line with sysvinit-init information–is this the problem?

I don’t think so, 12.1 is as you say, OK.

I can’t think what might be wrong. However, just to be thorough, can you run this command and return the results:

cat /etc/sysconfig/SuSEfirewall2 | egrep "DEV_EXT=|FW_CONFIGURATIONS_EXT="

Probably a good idea to copy/paste it rather than try to type it.

Swerdna,

Thank you very much. (For all of your work- without your tutorials, I would never have gotten samba working (before the upgrade), printing working, etc.)

Here is the result of that command on the 11.4 preferred master

bay@linux-enod:~> cat /etc/sysconfig/SuSEfirewall2 | egrep "DEV_EXT=|FW_CONFIGURATIONS_EXT="
FW_DEV_EXT="any eth0"
FW_CONFIGURATIONS_EXT="netbios-server samba-client samba-server hplip "

The result on the other 11.4 machine is similar

bay@linux-cpld:~> cat /etc/sysconfig/SuSEfirewall2 | egrep "DEV_EXT=|FW_CONFIGURATIONS_EXT="
FW_DEV_EXT="eth0"
FW_CONFIGURATIONS_EXT="netbios-server samba-client samba-server hplip"

And similar on the 12 machine

bay@linux-j8sr:~> cat /etc/sysconfig/SuSEfirewall2 | egrep "DEV_EXT=|FW_CONFIGURATIONS_EXT="
FW_DEV_EXT="eth0 eth1"
FW_CONFIGURATIONS_EXT=" hplip netbios-server samba-client samba-server"

One thing I tried was to go through /etc/sysconfig in Yast and try to make the settings on the 11.4 machines match those on the 12 machine, since that works, other than differences that I understood. There were not many differences, but one thing I noticed is that I have a double set of items under /network/firewall, one for susefirewall2 and one for /etc/sysconfig/SuSEfirewall2.rpmnew. If I run rcrpmconfigcheck on the preferred master 11.4 machine, I get

linux-enod:/home/bay # rcrpmconfigcheck
Searching for unresolved configuration files                         done
Please check the following files (see /var/adm/rpmconfigcheck):
    /etc/fonts/suse-hinting.conf.rpmsave
    /etc/pam.d/login.rpmnew
    /etc/papersize.rpmnew
    /etc/postfix/main.cf.rpmnew
    /etc/samba/smb.conf.rpmnew
    /etc/sane.d/dll.conf.rpmnew
    /etc/sudoers.rpmnew
    /etc/sysconfig/SuSEfirewall2.rpmnew
    /usr/share/fonts/encodings/encodings.dir.rpmsave
    /usr/share/fonts/truetype/fonts.dir.rpmorig
    /usr/share/fonts/truetype/fonts.scale.rpmorig
    /usr/share/kde4/config/kdm/kdmrc.rpmnew

Still, I guess this is irrelevant, since running rcrpmconfigcheck gives a message to check /etc/samba/smb.conf.rpmnew and /etc/sysconfig/SuSEfirewall2.rpmnew on the 12 machine (for which outbound samba browsing works) and gives a message to check /etc/samba/smb.conf.rpmnew but doesn’t give a message about /etc/sysconfig/SuSEfirewall2.rpmnew on the other 11.4 machine (for which outbound browsing doesn’t).

Since it is possible to browse between the machines if I turn off the firewalls, this may end up being something I can live with. I will consider doing a full reinstall instead of upgrading when I move to 12 on the 2 problematic machines.

This file (and the others like it) is concerning: /etc/sysconfig/SuSEfirewall2.rpmnew. It’s a text file located where it will be interpreted as instructions to configure the firewall. Try shifting it temporarily to a non-active location and see if the problem gets fixed. e.g.

sudo mv /etc/sysconfig/SuSEfirewall2.rpmnew      /home/SuSEfirewall2.rpmnew

On Sat November 26 2011 01:16 pm, swerdna wrote:
<snip>

Maresuke;
Before you added the 12.1 machine, do you know if the two 11.4 machines,
linux-clpd and linux-enod, were able to communicate via Samba?

Have you tried turning off the firewalls one at a time, i.e. clpd firewall off
enod firewall on, clpd firewall on enod firewall off? Does it make any
difference?

How are the three machines physically connected, i.e the geometry of your
network?

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

I moved the .rpmnew files (other than those related to fonts or other irrelevant configurations) and restarted linux-enod, but this did not fix the problem.

The physical geometry is: a cable modem inputs into a router and the three machines (two 11.4 desktops and a 12.1 laptop) are connected by cables to the router output. The two desktops used to be able to connect through Samba, but it was a while ago, most likely before I updated them to 11.4 from 11.3. (Recently we have had more need to be able to use the resources jointly.)

The specific behavior is a little different than what I wrote in my first post in that the two 11.4 firewalls block only outbound browsing. When all 3 machines are connected with firewalls enabled, the 12.1 can browse both other machines using samba, but the other two machines can’t do outbound browsing. What I mean is that (1) running smbtree on either 11.4 machine yields messages like “failed to connect to LINUX-J8SR<20> (0.0.0.0). Error NT_STATUS_BAD_NETWORK_NAME” for the other two machines and (2) when I browse the network in nautilus I can click into the screen that shows the shared folders on the other machines, but then when I get to the point where I should get a password screen and access to the contents, I get “Unable to mount location Failed to mount windows share”. If I turn off the firewall on one of the 11.4 machines, then I can browse freely on the other two machines using nautilus and smbtree returns the complete LAN tree structure. Finally, if I establish a mount with the firewall off but then turn it on I can still use nautilus to browse in the mounted folder.

(In fact, now that I think of it, that might be a pretty good solution–we only need to turn off the firewall for a short period of time to establish the connection and can then turn it back on. I think we can live with that.)

On Sat November 26 2011 09:26 pm, Maresuke wrote:

>
> I moved the .rpmnew files (other than those related to fonts or other
> irrelevant configurations) and restarted linux-enod, but this did not
> fix the problem.
>
>
> The physical geometry is: a cable modem inputs into a router and the
> three machines (two 11.4 desktops and a 12.1 laptop) are connected by
> cables to the router output. The two desktops used to be able to
> connect through Samba, but it was a while ago, most likely before I
> updated them to 11.4 from 11.3. (Recently we have had more need to be
> able to use the resources jointly.)
>
> The specific behavior is a little different than what I wrote in my
> first post in that the two 11.4 firewalls block only outbound browsing.
> When all 3 machines are connected with firewalls enabled, the 12.1 can
> browse both other machines using samba, but the other two machines can’t
> do outbound browsing. What I mean is that (1) running smbtree on either
> 11.4 machine yields messages like “failed to connect to LINUX-J8SR<20>
> (0.0.0.0). Error NT_STATUS_BAD_NETWORK_NAME” for the other two machines
> and (2) when I browse the network in nautilus I can click into the
> screen that shows the shared folders on the other machines, but then
> when I get to the point where I should get a password screen and access
> to the contents, I get “Unable to mount location Failed to mount windows
> share”. If I turn off the firewall on one of the 11.4 machines, then I
> can browse freely on the other two machines using nautilus and smbtree
> returns the complete LAN tree structure. Finally, if I establish a
> mount with the firewall off but then turn it on I can still use nautilus
> to browse in the mounted folder.
>
> (In fact, now that I think of it, that might be a pretty good
> solution–we only need to turn off the firewall for a short period of
> time to establish the connection and can then turn it back on. I think
> we can live with that.)
>
>
Maresuke;

Check that broadcasts are allowed through the firewall on your private net.
Go to: YaST>Security and Users>Firewall>Broadcast. Make sure that your
network is listed. (In my case I allow 192.168.0.0/24, however yours may vary
according to your private network.) It can also be set to “yes” which should
not be a problem behind a router.

It sounds like your machines cannot find one another when the firewall is up,
but once you drop the firewall they can find one another and that information
is cached. Thus, once they’ve found one another, reactivating the firewall
does not interfere with Samba.

Just a hunch, no guarantee. You might also try enabling logging of blocked
packets on the firewall, you can then look at /var/log/firewall to see what is
being blocked.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

Thanks, Venzkep.

On all three machines I had already tried making YaST>Security and Users>Firewall>Broadcast>Accepting the Broadcast reply include External zone; Samba browsing; all networks, based on Swerdna’s tutorial for 11.2.

I tried to follow your suggestion by adding first 192.168.0.0/105 and then yes to YaST>Security and Users>Firewall>Broadcast>External Zone and then restarting rcnmb and rcsmb, but the 11.4 machines still do not permit outbound browsing.

I have enabled firewall logging, but I don’t know how to interpret the results.

bay@linux-enod:~> tail /var/log/firewall
Nov 27 08:14:17 linux-enod kernel:  4218.521993] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102 DST=192.168.1.100 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=39968 LEN=70 
Nov 27 08:14:23 linux-enod kernel:  4223.702261] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:01:6c:cc:15:e5:08:00 SRC=192.168.1.101 DST=192.168.1.100 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=60076 LEN=70 
Nov 27 08:14:23 linux-enod kernel:  4223.972382] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:01:6c:cc:15:e5:08:00 SRC=192.168.1.101 DST=192.168.1.100 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=60076 LEN=70 
Nov 27 08:16:36 linux-enod kernel:  4357.033101] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45668 DF PROTO=TCP SPT=48026 DPT=445 WINDOW=2144 RES=0x00 SYN URGP=0 OPT (020402180402080A0012E56E0000000001030306) 
Nov 27 08:16:36 linux-enod kernel:  4357.041819] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18957 DF PROTO=TCP SPT=34702 DPT=139 WINDOW=2144 RES=0x00 SYN URGP=0 OPT (020402180402080A0012E5770000000001030306) 
Nov 27 08:16:38 linux-enod kernel:  4359.454500] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20205 DF PROTO=TCP SPT=34703 DPT=139 WINDOW=2144 RES=0x00 SYN URGP=0 OPT (020402180402080A0012EEE30000000001030306) 
Nov 27 08:16:43 linux-enod kernel:  4364.279180] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54767 DF PROTO=TCP SPT=34704 DPT=139 WINDOW=2144 RES=0x00 SYN URGP=0 OPT (020402180402080A001301BB0000000001030306) 
Nov 27 08:16:45 linux-enod kernel:  4366.530762] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7051 DF PROTO=TCP SPT=48030 DPT=445 WINDOW=2144 RES=0x00 SYN URGP=0 OPT (020402180402080A00130A870000000001030306) 
Nov 27 08:16:59 linux-enod kernel:  4380.239947] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16146 DF PROTO=TCP SPT=48031 DPT=445 WINDOW=2144 RES=0x00 SYN URGP=0 OPT (020402180402080A001340130000000001030306) 
Nov 27 08:17:05 linux-enod kernel:  4385.953984] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3380 DF PROTO=TCP SPT=48032 DPT=445 WINDOW=2144 RES=0x00 SYN URGP=0 OPT (020402180402080A001356640000000001030306)
Nov 27 08:35:59 linux-enod kernel:  5520.329303] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102 DST=192.168.1.100 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=39386 LEN=70 
Nov 27 08:35:59 linux-enod kernel:  5520.599924] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102 DST=192.168.1.100 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=39386 LEN=70 
Nov 27 08:36:00 linux-enod kernel:  5520.870644] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102 DST=192.168.1.100 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=39386 LEN=70 

On Sun November 27 2011 09:46 am, Maresuke wrote:

>
> Thanks, Venzkep.
>
> On all three machines I had already tried making YaST>Security and
> Users>Firewall>Broadcast>Accepting the Broadcast reply include External
> zone; Samba browsing; all networks, based on Swerdna’s tutorial for
> 11.2.
>
> I tried to follow your suggestion by adding first 192.168.0.0/105 and
> then yes to YaST>Security and Users>Firewall>Broadcast>External Zone and
> then restarting rcnmb and rcsmb, but the 11.4 machines still do not
> permit outbound browsing.
>
> I have enabled firewall logging, but I don’t know how to interpret the
> results.
>
>
> Code:
> --------------------
> bay@linux-enod:~> tail /var/log/firewall
> Nov 27 08:14:17 linux-enod kernel: 4218.521993] SFW2-INext-DROP-DEFLT
IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102
DST=192.168.1.100 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137
DPT=39968 LEN=70
> Nov 27 08:14:23 linux-enod kernel: 4223.702261] SFW2-INext-DROP-DEFLT
IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:01:6c:cc:15:e5:08:00 SRC=192.168.1.101
DST=192.168.1.100 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137
DPT=60076 LEN=70
> Nov 27 08:14:23 linux-enod kernel: 4223.972382] SFW2-INext-DROP-DEFLT
IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:01:6c:cc:15:e5:08:00 SRC=192.168.1.101
DST=192.168.1.100 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137
DPT=60076 LEN=70
> Nov 27 08:16:36 linux-enod kernel: 4357.033101] SFW2-INext-ACC-TCP
IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102
DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45668 DF PROTO=TCP
SPT=48026 DPT=445 WINDOW=2144 RES=0x00 SYN URGP=0 OPT
(020402180402080A0012E56E0000000001030306)
> Nov 27 08:16:36 linux-enod kernel: 4357.041819] SFW2-INext-ACC-TCP
IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102
DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18957 DF PROTO=TCP
SPT=34702 DPT=139 WINDOW=2144 RES=0x00 SYN URGP=0 OPT
(020402180402080A0012E5770000000001030306)
> Nov 27 08:16:38 linux-enod kernel: 4359.454500] SFW2-INext-ACC-TCP
IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102
DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20205 DF PROTO=TCP
SPT=34703 DPT=139 WINDOW=2144 RES=0x00 SYN URGP=0 OPT
(020402180402080A0012EEE30000000001030306)
> Nov 27 08:16:43 linux-enod kernel: 4364.279180] SFW2-INext-ACC-TCP
IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102
DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54767 DF PROTO=TCP
SPT=34704 DPT=139 WINDOW=2144 RES=0x00 SYN URGP=0 OPT
(020402180402080A001301BB0000000001030306)
> Nov 27 08:16:45 linux-enod kernel: 4366.530762] SFW2-INext-ACC-TCP
IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102
DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7051 DF PROTO=TCP
SPT=48030 DPT=445 WINDOW=2144 RES=0x00 SYN URGP=0 OPT
(020402180402080A00130A870000000001030306)
> Nov 27 08:16:59 linux-enod kernel: 4380.239947] SFW2-INext-ACC-TCP
IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102
DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16146 DF PROTO=TCP
SPT=48031 DPT=445 WINDOW=2144 RES=0x00 SYN URGP=0 OPT
(020402180402080A001340130000000001030306)
> Nov 27 08:17:05 linux-enod kernel: 4385.953984] SFW2-INext-ACC-TCP
IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102
DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3380 DF PROTO=TCP
SPT=48032 DPT=445 WINDOW=2144 RES=0x00 SYN URGP=0 OPT
(020402180402080A001356640000000001030306)
> Nov 27 08:35:59 linux-enod kernel: 5520.329303] SFW2-INext-DROP-DEFLT
IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102
DST=192.168.1.100 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137
DPT=39386 LEN=70
> Nov 27 08:35:59 linux-enod kernel: 5520.599924] SFW2-INext-DROP-DEFLT
IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102
DST=192.168.1.100 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137
DPT=39386 LEN=70
> Nov 27 08:36:00 linux-enod kernel: 5520.870644] SFW2-INext-DROP-DEFLT
IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102
DST=192.168.1.100 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137
DPT=39386 LEN=70
>
> --------------------
>
Maresuke;

192.168.0.0/105 is incorrect. The value after slash corresponds to your
network mask. 105 would be about 16 octets of 1’s. Much too long for a mask.
From your firewall log I’m guessing you want:


192.168.1.0/24

This would allow computers with ip’s of the form 192.168.1.x with a mask of
255.255.255.0.

From the logs, linux-enod is blocking UDP port 137. UDP 137 is used by nmbd,
the netbios server. I also see TCP port 445 being blocked. TCP 445 is used
by smbd, the samba server. However I’m not too worried about this now. smbd
tries to connect on both 139 and 445, then uses the first to make the
connection and drops the other port.

Go to YaST>security and users>Allowed Services and verify that these three are
enabled. Samba Server, Netbios Server and Samba Client. If you see these are
listed as allowed services it may be time to reinstall the SuSEfirewall2.
Could you have tried writing custom IP rules?

In an earlier post you referred to: /etc/sysconfig/SuSEfirewall2.rpmnew. This
is a rpm file that will unwrap to /etc/sysconfig/SuSEfirewall2. It was left
around by an update and should be harmless. Unwrapping it with the rpm
command would likely bring your SuSEfirewall2 settings back to their defaults.


P. V.
“We’re all in this together, I’m pulling for you.” Red Green
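As an added illustration of the two points in the reply above (how to read the SFW2 log lines and why /105 is not a valid prefix), here is a small Python script that is not part of the thread: it parses the SuSEfirewall2 kernel log format, labels each dropped packet, and validates a CIDR network. The port-to-service labels and the "ephemeral port above 1023" heuristic are assumptions; the sample lines are copied from the log excerpt posted earlier in the thread.

```python
"""Interpret SuSEfirewall2 log lines and sanity-check the broadcast network CIDR."""
import ipaddress
import re
from collections import Counter

# Constructed sample: four lines copied from the /var/log/firewall excerpt
# posted in the thread (two dropped UDP replies, two accepted TCP SYNs).
SAMPLE_LOG = """\
Nov 27 08:14:17 linux-enod kernel:  4218.521993] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102 DST=192.168.1.100 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=39968 LEN=70
Nov 27 08:14:23 linux-enod kernel:  4223.702261] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:01:6c:cc:15:e5:08:00 SRC=192.168.1.101 DST=192.168.1.100 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=60076 LEN=70
Nov 27 08:16:36 linux-enod kernel:  4357.033101] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45668 DF PROTO=TCP SPT=48026 DPT=445 WINDOW=2144 RES=0x00 SYN URGP=0 OPT (020402180402080A0012E56E0000000001030306)
Nov 27 08:16:36 linux-enod kernel:  4357.041819] SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:11:d8:1c:77:6e:00:04:61:a8:40:2e:08:00 SRC=192.168.1.102 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18957 DF PROTO=TCP SPT=34702 DPT=139 WINDOW=2144 RES=0x00 SYN URGP=0 OPT (020402180402080A0012E5770000000001030306)
"""

# Samba's well-known ports (assumed labels, sufficient for what the log shows).
SAMBA_PORTS = {
    ("UDP", 137): "NetBIOS name service (nmbd)",
    ("UDP", 138): "NetBIOS datagram service (nmbd)",
    ("TCP", 139): "NetBIOS session service (smbd)",
    ("TCP", 445): "SMB over TCP (smbd)",
}

# SFW2-<chain>-<verdict>-<reason>: INext = INPUT chain, external zone;
# DEFLT = no rule matched, so the chain's default policy applied.
TAG_RE = re.compile(r"SFW2-(?P<chain>\w+)-(?P<verdict>ACC|DROP|LOG)-(?P<reason>[\w-]+)")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_sfw2_line(line):
    """Return a dict for one SuSEfirewall2 kernel log line, or None if it is not one."""
    m = TAG_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in KV_RE.findall(line):
        fields.setdefault(key, value)  # LEN appears twice; keep the IP-header one
    try:
        return {
            "chain": m.group("chain"),
            "verdict": m.group("verdict"),
            "reason": m.group("reason"),
            "iface": fields.get("IN", ""),
            "src": fields["SRC"],
            "dst": fields["DST"],
            "proto": fields["PROTO"],
            "sport": int(fields["SPT"]),
            "dport": int(fields["DPT"]),
        }
    except (KeyError, ValueError):
        return None


def explain(event):
    """Describe a logged packet; a DROP of a reply to our own query is the usual culprit."""
    key = (event["proto"], event["dport"])
    if event["proto"] == "UDP" and event["sport"] == 137 and event["dport"] > 1023:
        what = ("NetBIOS name-service reply from port 137 to an ephemeral port, "
                "i.e. an answer to a name query this host sent out")
    elif key in SAMBA_PORTS:
        what = "inbound request to " + SAMBA_PORTS[key]
    else:
        what = "not a Samba port"
    return (f"{event['verdict']} {event['proto']} {event['src']}:{event['sport']} "
            f"-> {event['dst']}:{event['dport']}: {what}")


def summarize(log_text):
    """Parse a log excerpt; count verdicts per port class and explain every DROP."""
    events = [e for e in (parse_sfw2_line(l) for l in log_text.splitlines()) if e]
    counts = Counter(
        (e["verdict"], e["proto"],
         e["dport"] if (e["proto"], e["dport"]) in SAMBA_PORTS else "other")
        for e in events)
    dropped = [explain(e) for e in events if e["verdict"] == "DROP"]
    return {"events": events, "counts": counts, "dropped": dropped}


def check_cidr(text):
    """Return (network, netmask) for an IPv4 CIDR; raises ValueError for e.g. /105."""
    net = ipaddress.ip_network(text, strict=False)
    if net.version != 4:
        raise ValueError(f"{text}: expected an IPv4 network")
    return str(net), str(net.netmask)


def is_valid_cidr(text):
    """True if check_cidr() accepts the text (prefix length 0..32, IPv4)."""
    try:
        check_cidr(text)
        return True
    except ValueError:
        return False


def sources_outside(cidr, events):
    """Logged source addresses that a broadcast/allow rule for `cidr` would NOT cover."""
    net = ipaddress.ip_network(cidr, strict=False)
    return sorted({e["src"] for e in events if ipaddress.ip_address(e["src"]) not in net})


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for line in result["dropped"]:
        print(line)
    print("verdict counts:", dict(result["counts"]))
    for candidate in ("192.168.0.0/105", "192.168.0.0/24", "192.168.1.0/24"):
        if not is_valid_cidr(candidate):
            print(candidate, "-> invalid prefix length")
        else:
            print(candidate, "->", check_cidr(candidate),
                  "uncovered sources:", sources_outside(candidate, result["events"]))
```

Run on the real file with `summarize(open("/var/log/firewall").read())`; a run of DROP lines whose source port is 137 and whose destination port is high means the replies to this host's own name queries are being discarded, which matches the symptom of outbound browsing failing while inbound works.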

Thanks! That did it. I also appreciate the primer on interpreting the firewall log.

It is possible that at some point I tried custom IP rules. In any event, deleting and reinstalling SuSEfirewall2 on the 11.4 machines solved the problem. I can now browse normally.

Thanks again.

On 11/27/2011 9:26 PM, Maresuke wrote:
>
> Thanks! That did it. I also appreciate the primer on interpreting the
> firewall log.
>
> It is possible that at some point I tried custom IP rules. In any
> event, deleting and reinstalling SuSEfirewall2 on the 11.4 machines
> solved the problem. I can now browse normally.
>
> Thanks again.
>
>
Maresuke;

That’s really good news. Glad to see it is working now. Congratulations. To be honest I found
myself scratching my head on this one.


P.V.
“We’re all in this together, I’m pulling for you” Red Green