Firewalld issues on Samba server

Hi, I’ve set up a Samba server for my home LAN which is behind a router and not reachable from the Internet. It’s working fine with the firewalld service disabled. Now I want to enable and configure firewalld. What I did so far:

$ sudo netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      715/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1418/sshd: /usr/sbi
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1643/master
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1526/smbd
tcp        0      0 0.0.0.0:3551            0.0.0.0:*               LISTEN      15644/apcupsd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1526/smbd
tcp6       0      0 :::22                   :::*                    LISTEN      1418/sshd: /usr/sbi
tcp6       0      0 ::1:25                  :::*                    LISTEN      1643/master
tcp6       0      0 :::445                  :::*                    LISTEN      1526/smbd
tcp6       0      0 :::139                  :::*                    LISTEN      1526/smbd

$ grep 445 /etc/services
microsoft-ds       445/tcp      # Microsoft-DS  [Pradeep_Bahl]
microsoft-ds       445/udp      # Microsoft-DS  [Pradeep_Bahl]
...

$ grep 3551 /etc/services
apcupsd            3551/tcp     # Apcupsd Information Port  [Riccardo_Facchetti]
apcupsd            3551/udp     # Apcupsd Information Port  [Riccardo_Facchetti]

$ grep 139 /etc/services
netbios-ssn        139/tcp      # NETBIOS Session Service  [Jon_Postel]
netbios-ssn        139/udp      # NETBIOS Session Service  [Jon_Postel]
...

$ sudo firewall-cmd --zone=home --list-services
apcupsd mdns samba-client ssh

$ grep mdns /etc/services
mdns               5353/tcp     # Multicast DNS  [IESG] [IETF_Chair] [RFC6762]
mdns               5353/udp     # Multicast DNS  [IESG] [IETF_Chair] [RFC6762]
...

$ grep samba-client /etc/services
$ grep samba /etc/services
$

The mdns and samba-client services must have been added by some installation scripts because I didn’t add them. However, there’s no listener for the former and no entry in /etc/services for the latter.

Also, trying to enable the existing services in /etc/services (see above) throws errors:

$ sudo firewall-cmd --zone=home --add-service=microsoft-ds --permanent
Error: INVALID_SERVICE: 'microsoft-ds' not among existing services

$ sudo firewall-cmd --zone=home --add-service=netbios-ssn --permanent
Error: INVALID_SERVICE: 'netbios-ssn' not among existing services

Frankly, I don’t understand what’s going on – why does firewall-cmd not recognize the service names? I didn’t change the file /etc/services in any way. Could someone please shed some light?

A firewalld service is not (directly) related to /etc/services. It may include multiple port numbers and other information. You can get the list of known services with

firewall-cmd --get-services

OIC. Thank you, arvidjaar.

The services for firewalld are defined in /usr/lib/firewalld/services, one XML file per service.

Enabling the service samba instead of samba-client will give me what I want, i.e. this will open ports 139/tcp and 445/tcp.

$ sudo firewall-cmd --zone=home --remove-service=samba-client --permanent
success
$ sudo firewall-cmd --zone=home --add-service=samba --permanent
success
$ sudo firewall-cmd --reload
success
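The two points above (firewalld services are XML files under /usr/lib/firewalld/services, and the zone's service list should match what is actually listening) can be checked together. The script below is an added example, not code from this thread; the service XML and the listener list are constructed samples modelled on the samba service format and on the netstat output in the question, so read the real files on your own system rather than trusting these copies.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the listeners shown by
# `netstat -tlpn` against the ports a firewalld service definition opens.
# The XML below is a constructed sample in the format of the files under
# /usr/lib/firewalld/services (modelled on samba); check the real file.

SAMPLE_SERVICE_XML='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Samba</short>
  <port protocol="udp" port="137"/>
  <port protocol="udp" port="138"/>
  <port protocol="tcp" port="139"/>
  <port protocol="tcp" port="445"/>
</service>'

# Constructed listener list: protocol and local address, as in the netstat
# output above (sshd, smbd, apcupsd, smbd).
SAMPLE_LISTENERS='tcp 0.0.0.0:22
tcp 0.0.0.0:445
tcp 0.0.0.0:3551
tcp 0.0.0.0:139'

# Print one "port/proto" line per <port .../> element of a service XML on stdin.
service_ports() {
    grep '<port ' | while IFS= read -r line; do
        proto=$(printf '%s\n' "$line" | sed -n 's/.*protocol="\([a-z]*\)".*/\1/p')
        port=$(printf '%s\n' "$line" | sed -n 's/.* port="\([0-9]*\)".*/\1/p')
        [ -n "$proto" ] && [ -n "$port" ] && printf '%s/%s\n' "$port" "$proto"
    done
}

# Read allowed "port/proto" lines from stdin and print every listener in $1
# that none of them covers. Loopback-only listeners are skipped: firewalld
# zones filter traffic arriving on interfaces, not local connections.
uncovered_listeners() {
    allowed=$(cat)
    printf '%s\n' "$1" | while read -r proto addr; do
        case "$addr" in 127.*|::1:*) continue ;; esac
        port=${addr##*:}
        if ! printf '%s\n' "$allowed" | grep -qx "$port/$proto"; then
            printf '%s/%s\n' "$port" "$proto"
        fi
    done
}

# Stand-alone run: with only the samba service allowed, 22/tcp and 3551/tcp
# still need their own services (ssh and apcupsd in the zone above).
printf '%s\n' "$SAMPLE_SERVICE_XML" | service_ports | uncovered_listeners "$SAMPLE_LISTENERS"
```

To run it against a real system, feed `service_ports` the XML from /usr/lib/firewalld/services for each service in `firewall-cmd --zone=home --list-services` and build the listener list from `netstat -tlpn` (or `ss -tlpn`).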