How to setup Firewall so it does not block Samba shares

I am an amateur Linux user, so maybe I should be using a more generic one for all systems.

I set up a home server years ago using OpenSuse 11.0 and later 12.0 and Swerdna’s excellent guide at the time. Eventually the openSuse version became outdated, and I could not update the system, so I had to install openSuse 15.0 Leap. I found Swerdna’s guide for setting up a home network server for Leap. The guide is much the same as the previous one, and as far as setting up Samba is excellent. However, the firewall instructions make no sense, in that they do not really correspond with the appearance and set up of the current firewall in Leap which uses firewall-config 05.5.

If I turn the firewall off in the YAST Services Manager ( firewalld ), I can access the Samba Shares perfectly. If I then turn it on, they disappear (In case a newbie like me is reading this, you can only edit the firewall in YAST if the firewall is turned on in the Services Manager). As a result I assume my Samba Shares in smb.conf are fine. Is that a correct assumption?

However, anything I have tried to alter, guessing at Swerdna’s instructions for changing the Firewall in YAST, results in the shares not working. Swerdna’s instructions are fairly simple and clear -

Configure the Firewall for Samba

Use Yast to configure the Firewall:

Set your network interface: Go To Yast ==> Security & users ==> Firewall ==> Interfaces ==> set network Device to External.

Set your network services: Go To Yast ==> Security & users ==> Firewall ==> Allowed Services ==> set these allowed services: Netbios server, Samba client, Samba server.

So, trying to follow the first instruction I navigated to Yast ==> Security & users ==> Firewall ==> in Active Bindings on the left I can see Connections, Interfaces and Sources, but I can only access Connections. Interfaces is not accessible, so I selected “Wired connection 1 eth0” and changed the zone (using Change Zone at the bottom) from “Public” to “External” zone. I hope this has the same effect.

(I would like to add a screenshot, so that you can see the window and choices, but I cannot in this forum.)

Then, I tried to implement the second instruction navigating to Yast ==> Security & users ==> Firewall ==>, but where are the Allowed Services? I can add views in the top menu, but none give me Allowed Services. The only similar area is Services. If I select Services I get a menu with 5 tabs - Ports, Protocols, Source Port, Modules and Destination. It says below that “Services can only be changed in permanent configuration view”. There is an option to add or edit the service.

If I scroll down there I can find samba (=Samba-server?) and Samba client, but not Netbios Server. There are several tabs for each service. Under Ports Samba shows various ports (139,445,137,138) and samba-client shows two ports (137,138), and if I select the Modules tab both show netbios-ns.

How do I make samba and samba-client “allowed”? Am I meant to be able to access Interfaces, and if so why is that tab only read only (does not link)?

I decided to go back one tab from “Services” to “Zones” and put samba and samba-client in the External zone. Is that correct?

Nevertheless I cannot access the Samba shares, unless I switch the firewall off, so something must be wrong. Here are results from firewall-cmd -

~> sudo firewall-cmd --zone=public --list-all
[sudo] password for root:
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

~> sudo firewall-cmd --zone=external --list-all
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh samba samba-client
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Maybe I need more knowledge to try this, but with openSuse 10, 11 and 12 it was so easy. It would be great to have such clear instructions for the Firewall setup that corresponded with openSuSE 15.0.

Can anyone help?

Thanks.

I always use Yast to setup a Samba server. And Yast seems to take care of the firewall settings for me.

So, yes, I originally setup Samba in an earlier version of openSUSE (probably 13.1). And I copied over the Samba configuration file to Leap 15.0. And when I ran the Yast Samba setup, it used that configuration. But I’m pretty sure that it setup the firewall (there was probably an option there).

In any case, you can use the “firewalld” configuration too. I open that from Yast. The first time that I tried that, Yast told me that I needed to first install the “firewalld” GUI interface, and offered to install that for me.

Looking at it now, there is a box for “samba” and another box for “samba-client”. I have the “samba” box checked on my server.

When setting that, you need to make sure that you are setting the “Permanent” configuration rather than the “Runtime” configuration (look toward the top of the window). Otherwise you will lose the setting on reboot. (You might need to do both separately, so that it does work for the current boot.)

In firewalld I had toggled both the “samba” and the “samba-client” in the external zone while in permanent configuration, which didn’t work. Since you had only the “samba” box checked (I assume that is also when the external zone service is selected), I de-selected “samba-client” there, but it still does not work.

I see that there is a full guide to Masquerading and Firewalls, but I hope I don’t have to read through it all and learn about this in order to make this work! I have to go back to work, and will check back later, in case there are any more suggestions, and if not I have some reading to do!

I’m not seeing anything else in my configuration that is likely to be related to samba.

Did you try restarting “firewalld” to make sure that it picks up the configuration changes?

Yes, I did. It has the change, but I still can only connect if I disable firewalld.

The interfaces are missing from your firewall output, so I wonder which zone they are really assigned to, and that would likely explain why the samba service is not available with your current firewall configuration.

Run the following command to get the applicable info

firewall-cmd --list-all

or

firewall-cmd --list-interfaces

That will identify which zone the relevant network interface is actually assigned to.

More info

Further to the above this command can get the current active zones and the interfaces assigned to them…

sudo firewall-cmd --get-active-zones

This is how you would change eth0 to the external zone (with immediate effect):

sudo firewall-cmd --zone=external --change-interface=eth0

To make it persistent…

firewall-cmd --runtime-to-permanent

More info:
https://firewalld.org/documentation/configuration/runtime-versus-permanent.html

Hi

Here is the readout from list-all

sudo firewall-cmd --list-all
You’re performing an operation over default zone (‘public’),
but your connections/interfaces are in zone ‘external’ (see --get-active-zones)
You most likely need to use --zone=external option.

public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

And the result from active zone -

sudo firewall-cmd --get-active-zones
external
interfaces: eth0

Do you have any suggestions, as it seems the eth0 is okay, correct?

Yes, that confirms eth0 is assigned to the ‘external’ zone. It’s strange that eth0 wasn’t explicitly listed in your initial output.

It should be shown here as well

firewall-cmd --list-all --zone=external

For a more comprehensive picture, what does your LAN topology look like? Is the server configured with just a single interface?

ip a

I suddenly remembered that connection tracking may be another potential issue here. It can be enabled via the firewall-config utility if necessary.

https://forums.opensuse.org/showthread.php/531702-Configure-Samba-for-a-Workgroup-in-the-local-LAN-Leap-15-firewall-blocks-outgoing-samba?p=2870091#post2870091

and as I also wrote here

Security changes implemented in kernel 4.7.x onwards include disabling connection tracking helpers by default. This can be enabled via /etc/sysctl.conf

sysctl net.netfilter.nf_conntrack_helper=1

or if using firewalld, then it can be enabled there as well
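The two checks suggested in this thread (which zone the interface is really bound to, and whether conntrack helpers are on) can be scripted against the output of the commands quoted above. This is an added example, not code from the thread or from openSUSE: the firewall-cmd output below is constructed to mirror what the poster reported, and the functions parse that text so the same diagnosis can be repeated against real `firewall-cmd --get-active-zones`, `firewall-cmd --zone=<zone> --list-all` and `/proc/sys/net/netfilter/nf_conntrack_helper` output.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample output below.

# Constructed: firewall-cmd --get-active-zones, eth0 bound to "external".
ACTIVE_ZONES='external
  interfaces: eth0'

# Constructed: firewall-cmd --zone=external --list-all (trimmed).
EXTERNAL_ZONE='external
  target: default
  interfaces: eth0
  services: ssh samba samba-client
  masquerade: yes'

# Constructed: the default "public" zone, which carries no samba service.
PUBLIC_ZONE='public
  target: default
  interfaces:
  services: dhcpv6-client
  masquerade: no'

# zone_of_interface <get-active-zones output> <iface>
# Prints the zone whose "interfaces:" line lists <iface>; nothing if unbound.
zone_of_interface() {
    printf '%s\n' "$1" | awk -v iface="$2" '
        /^[^ \t]/ { zone = $1; next }
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) if ($i == iface) { print zone; exit } }'
}

# zone_has_service <list-all output> <service>: exit 0 if listed, else 1.
zone_has_service() {
    printf '%s\n' "$1" | awk -v svc="$2" '
        $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == svc) found = 1 }
        END { exit !found }'
}

# diagnose <active-zones> <iface> <list-all of that zone> <nf_conntrack_helper value>
# Prints one verdict; the failure modes are the three this thread ran into.
diagnose() {
    zone=$(zone_of_interface "$1" "$2")
    if [ -z "$zone" ]; then
        echo "FAIL: $2 is not bound to any active zone"
    elif ! zone_has_service "$3" samba; then
        echo "FAIL: samba service not allowed in zone '$zone'"
    elif [ "$4" != "1" ]; then
        echo "FAIL: conntrack helpers disabled (nf_conntrack_helper=$4)"
    else
        echo "OK: samba allowed in zone '$zone' on $2, conntrack helpers enabled"
    fi
}

diagnose "$ACTIVE_ZONES" eth0 "$EXTERNAL_ZONE" 0
```

On a live system the three arguments come from the quoted commands, e.g. `diagnose "$(sudo firewall-cmd --get-active-zones)" eth0 "$(sudo firewall-cmd --zone=external --list-all)" "$(cat /proc/sys/net/netfilter/nf_conntrack_helper)"`.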

Hi Deano,

Thank you so much. :slight_smile:

I followed the instructions from the link to the other post and it worked!

justin@tacens2012:~> cat /proc/sys/net/netfilter/nf_conntrack_helper
0
justin@tacens2012:~> sudo firewall-cmd --set-automatic-helpers=yes
[sudo] password for root:
success
justin@tacens2012:~> cat /proc/sys/net/netfilter/nf_conntrack_helper
1

I am not sure why I didn’t find that post when searching. Anyway, thanks again.

Glad to have been of assistance. :slight_smile: