Opening Samba ports in the Firewall in openSUSE 11.1

A new Service (netbios-server) has been added to the modules available for configuring SuSEfirewall2 via Yast. The netbios-server module commenced in openSUSE 11.0. This subtly changes the way we now open the firewall for Samba communications. Here’s a quick HowTo for the 11.x series (do not use it for the 10.x series):

You change settings in two locations in Yast.

One location:
Go to Yast → Security and Users → Firewall → Allowed Services. In the right-hand panel, set the Selected Zone to External. Below that, make sure that Samba Server and Netbios Server are added to the enabled list under Allowed Service.

Other location:
Go to Yast → Security and Users → Firewall → Broadcast. Add your network into the panel on the right. For example, if your network interface has the IP 10.1.33.4 then add the following range – 10.1.33.0/24. For more info check pics on this link. That’s how to allow your local LAN. If that stumps you then use this range: 0/0. That’s the unsecured option, the whole world (so try the secure one first).

aha, ok.
thanks, was looking for this

You saved my day! Thanks a lot for this solution. I am trying to move from Windows to Opensuse 11.1 but a newbie like me needs easy to follow instructions of this kind - preferably with step-by-step pictures. I am still at the very bottom of the learning curve. I was fiddling around for hours with Samba to get access to my Win 2000, without success. Your help made it work within 10 minutes.

It would be great if more experienced users would accept that “we” newbies are often overpowered by more technical solutions and need some easy handholding.

Like your solution. So thanks again and have a great 2009!

I finally got this to work in a limited way. My network has ip addresses in the 150-160 range which I was not able to address.

I gave the network ip range as 192.168.1.0/153 and when I restarted the firewall after restarting samba and I got the following errors.


rcSuSEfirewall2 restart
Starting Firewall Initialization (phase 2 of 2) iptables-batch v1.4.2-rc1: invalid mask `153' specified
Try `iptables-batch -h' or 'iptables-batch --help' for more information.
SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
iptables v1.4.2-rc1: invalid mask `153' specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.2-rc1: invalid mask `153' specified
Try `iptables -h' or 'iptables --help' for more information.

I finally gave up on the addresses in that range which are hard coded and just tried to see if 192.168.1.0/24 would work. It did and I was able to access the 2 machines which at that time.

I tried specifying the range from within FW_TRUSTED_NETS on /etc/sysconfig with no better luck than with the gui. I also looked at iptables but I couldn’t get any more information about what mask would be acceptable for a 151-156 address. In fact, I was using the /etc/sysconfig when I tried the 192.168.1.0/24 settings.

Do you have any idea how to get my 151-156 addresses to work without reconfiguring those machines?

Leslie

I’m pretty hazy on this but:
the “/24” is not a decimal code. I think it’s “bits” and that it means the 0 to 254 on 255.255.255.0; whatever, it means the entire subnet. You can’t easily specify the range decimal 151-156. The full complexity of these shorthands is seen on e.g. this page (look for the word shorthand there):
TCP/IP Addressing

The short answer to your question is “no” I don’t have an idea how to restrict to 151-156, except of course to list them individually.


swerdna,

You’re exactly right… the maximum number of bits possible, in this
case, would be 32 as that’s the number of bits in an entire IP address
(four octets). For more info on this notation Google for ‘CIDR notation’.

Also while it’s tricky to get non-base-2 numbers of networks to match a
given notation it’s not impossible… usually just easier to use
multiple statements to match the various networks. For example the
following matches four “networks” of 256 boxes:

192.168.0.0/22

192.168.0.x-192.168.3.x would all match in this case. Note that when
using this notation you can only, afaik, match a set of consecutive
bits. This won’t work for something weird like six boxes because six is
not a multiple of only two but the other notation of
192.168.0.0/255.255.252.0 should substitute just fine for the above
notation example and can maybe be used in this case. Trying to match
192.168.1.150 to .156 is probably beyond my ability to safely mangle
bits but you could move all your IP addresses up two numerals at the end
and use the following:

192.168.1.152/29

This will match .152-.159 . I’m pretty sure my calculations are right
here (and you get two new IPs too) and I found a website to back me up
you may find useful: http://www.subnet-calculator.com/cidr.php . If you
really need these specific IPs you can match them with two statements…
192.168.1.150/31
192.168.1.152/30

Good luck.

TexasDayLily wrote:
> I finally got this to work in a limited way. My network has ip
> addresses in the 150-160 range which I was not able to address.
>
> I gave the network ip range as 192.168.1.0/153 and when I restarted the
> firewall after restarting samba and I got the following errors.
>
>
>
> Code:
> --------------------
>
> rcSuSEfirewall2 restart
> Starting Firewall Initialization (phase 2 of 2) iptables-batch v1.4.2-rc1: invalid mask `153' specified
> Try `iptables-batch -h' or 'iptables-batch --help' for more information.
> SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
> iptables v1.4.2-rc1: invalid mask `153' specified
> Try `iptables -h' or 'iptables --help' for more information.
> iptables v1.4.2-rc1: invalid mask `153' specified
> Try `iptables -h' or 'iptables --help' for more information.
>
> --------------------
>
>
> I finally gave up on the addresses in that range which are hard coded
> and just tried to see if 192.168.1.0/24 would work. It did and I was
> able to access the 2 machines which at that time.
>
> I tried specifying the range from within FW_TRUSTED_NETS on
> /etc/sysconfig with no better luck than with the gui. I also looked at
> iptables but I couldn’t get any more information about what mask would
> be acceptable for a 151-156 address. In fact, I was using the
> /etc/sysconfig when I tried the 192.168.1.0/24 settings.
>
> Do you have any idea how to get my 151-156 addresses to work without
> reconfiguring those machines?
>
> Leslie
>
>

I thought that /24 worked because most of my addresses were in the range of 0-24, and only one right now outside that range at 151. That 151 host does not have any shared network shares since it is a printer. But I totally misunderstood how the /24 was being used. It actually would have allowed any address in the form of 192.x.x.x. It looks like /24 implies a network mask of 255.0.0.0, but I typically use a network mask of 255.255.255.0. The network address shared with all the computers on my network is 192.168.1.x. If I understand that material properly I should have used 192.168.1.0/8 as the network mask code.

If I had used the 192.168.2 subnet as well as the 192.168.1 then I could use 192.168.1.0/16, but perhaps 192.168.1.0/10 which would allow only 2 bits in the subnet area would also do.

Thanks for the clarification,
Leslie

After reading the above post I found What is CIDR Notation which clarified something I had missed from the link swerdna had sent. The /24 indicated the number of significant bits not the number of least significant bits.

I found that I still had it wrong. Here’s the correction. It looks like /24 implies a network mask of 255.255.255.0, which is what I typically use. Therefore 192.168.1.0/24 was the correct setting for me.

If I had used the 192.168.2 subnet as well as the 192.168.1 then I could use 192.168.1.0/16, but perhaps 192.168.1.0/22 which would allow only the 2 least significant bits in the subnet area would also do.

I wish I had known about CIDR notation and that the mask setting was in that notation.

Leslie

Thanks ab@novell.com, so what do I recommend when advising a mask to let the local LAN through that works always? Is this correct: ip1.ip2.ip3.0/24?

And while I’m at it: I see this as an alternative setting in SuSEfirewalls for the Samba connection tracker: 0/0. I took that to mean “the whole world” is that correct?

Too many new tricks so early in the year!


Yes, and yes. For a 192.168.1.0 network you can allow things in with
192.168.1.0/24 which is the same as a network of 192.168.1.0 and a
subnet mask of 255.255.255.0 (as you already stated). 0/0 means
0.0.0.0/0 and everything matches that. Conversely 192.168.1.23/32
matches a single system.

Good luck.

swerdna wrote:
> ab@novell.com;1919648 Wrote:
>>
>> swerdna,
>>
>> You’re exactly right… the maximum number of bits possible, in this
>> ccase, would be 32 as that’s the number of bits in an entire IP
>> address
>> (four octets). For more info on this notation Google for ‘CIDR
>> notation’.
>>
>> …
> Thanks ab@novell.com, so what do I recommend when advising a mask to
> let the local LAN through that works always? Is this correct:
> ip1.ip2.ip3.0/24?
>
> And while I’m at it: I see this as an alternative setting in
> SuSEfirewalls for the Samba connection tracker: 0/0. I took that to mean
> “the whole world” is that correct?
>
> Too many new tricks so early in the year!
>
>
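The CIDR arithmetic that the posts above work through by hand (why /24 is 255.255.255.0 and not a decimal range, why 192.168.1.0/153 is rejected as an invalid mask, how /22 spans four class-C networks, how .151-.156 has to be split into several statements, and why 0/0 is the whole world while /32 is one host), as an added worked example. It is not part of the thread and not SuSEfirewall2 code; it uses only Python's standard ipaddress module. The zero-padding of a short address such as 0/0 to 0.0.0.0/0 is this example's own assumption, chosen to mirror how the thread reads that setting.

```python
"""CIDR helpers for the firewall masks discussed in the thread (added example)."""
import ipaddress


def parse_net(text: str) -> ipaddress.IPv4Network:
    """Parse 'addr/mask' the way the firewall fields in the thread are written.

    Assumption of this example: an address with fewer than four octets is
    padded with zeros, so '0/0' reads as 0.0.0.0/0 (the whole world).  The
    mask may be a bit count ('/24') or a dotted netmask ('/255.255.252.0');
    a missing mask means a single host ('/32').  Raises ValueError for what
    iptables also rejects, e.g. 192.168.1.0/153 (only 0..32 bits exist).
    """
    addr, _, mask = text.strip().partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad address {addr!r}")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{mask or '32'}", strict=False)


def is_valid_mask(text: str) -> bool:
    """True if the firewall would accept this network/mask string."""
    try:
        parse_net(text)
        return True
    except ValueError:
        return False


def prefix_to_netmask(prefix: int) -> str:
    """/24 -> 255.255.255.0, /22 -> 255.255.252.0: the number counts the
    leading (most significant) bits that must match, not a decimal value."""
    return str(parse_net(f"0.0.0.0/{prefix}").netmask)


def hosts_matched(text: str) -> int:
    """How many addresses a mask lets through (0/0 is all of IPv4)."""
    return parse_net(text).num_addresses


def matches(net: str, host: str) -> bool:
    """Would a packet from 'host' pass a rule written for 'net'?"""
    return ipaddress.ip_address(host) in parse_net(net)


def range_to_cidrs(first: str, last: str) -> list:
    """Smallest set of CIDR blocks covering first..last inclusive: the
    'several statements' approach from the thread, computed instead of
    worked out by hand (151 is odd, so it can never share a block with 152)."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(b) for b in blocks]


if __name__ == "__main__":
    for text in ("192.168.1.0/24", "192.168.0.0/22", "192.168.1.152/29",
                 "192.168.1.23/32", "0/0", "192.168.1.0/153"):
        if is_valid_mask(text):
            n = parse_net(text)
            print(f"{text:18} mask {n.netmask} covers {n[0]}-{n[-1]} "
                  f"({n.num_addresses} addresses)")
        else:
            print(f"{text:18} rejected: invalid mask")
    print("192.168.1.151-.156 ->", range_to_cidrs("192.168.1.151", "192.168.1.156"))
```

Running it prints one line per mask from the thread and ends with the three blocks needed for .151-.156 (151/32, 152/30, 156/32); swap in any LAN range you are about to put into FW_TRUSTED_NETS or the Broadcast tab to see exactly which hosts it admits before you restart the firewall.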

hi sir swerdna

Happy New Year

Hey Greeny, and to you too!

This fix works like a charm!

yes… it really does!

can you explain why the fix is about this two lines and what this variables mean? would like to understand a bit more what I am doing…

Change the line UDP="" to UDP="netbios-ns netbios-dgm"
Change the line BROADCAST="" to BROADCAST="netbios-ns netbios-dgm"

thanks

Those names map to the port numbers that need to be opened on the firewall. You can see the mappings in the file /etc/services.
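What the two edited lines (UDP= and BROADCAST=) actually open, as an added example that is not from the thread and not SuSEfirewall2's own code. The samba-server file excerpt and the /etc/services excerpt below are constructed copies of the standard entries; the iptables lines the script prints are illustrative equivalents scoped to a trusted LAN, not the exact rules SuSEfirewall2 generates. The function and variable names are this example's own.

```python
"""Resolve a SuSEfirewall2 service file to ports and illustrative rules (added example)."""

# Constructed excerpt of /etc/sysconfig/SuSEfirewall2.d/services/samba-server
# after the two edits from the thread have been applied.
SERVICE_FILE = '''
## Name: Samba Server
TCP="netbios-ssn microsoft-ds"
UDP="netbios-ns netbios-dgm"
BROADCAST="netbios-ns netbios-dgm"
'''

# Constructed excerpt of /etc/services: the lines that give those names meaning.
ETC_SERVICES = '''
# service-name  port/protocol  [aliases ...]
netbios-ns      137/tcp
netbios-ns      137/udp     # NetBIOS name service
netbios-dgm     138/tcp
netbios-dgm     138/udp     # NetBIOS datagram service (browsing)
netbios-ssn     139/tcp
netbios-ssn     139/udp
microsoft-ds    445/tcp
microsoft-ds    445/udp
'''


def parse_sysconfig(text):
    """Read KEY="a b c" lines of a service file into {KEY: [a, b, c]}.
    Blank values such as UDP="" give an empty list."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = value.strip().strip('"\'').split()
    return out


def parse_services(text):
    """Map (name, proto) -> port from /etc/services-format lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port, proto = fields[1].split("/")
        for name in [fields[0]] + fields[2:]:
            table[(name, proto)] = int(port)
    return table


def resolve(names, proto, table):
    """Service-file entries may be names or bare port numbers."""
    ports = []
    for name in names:
        if name.isdigit():
            ports.append(int(name))
        elif (name, proto) in table:
            ports.append(table[(name, proto)])
        else:
            raise ValueError(f"unknown service {name}/{proto}")
    return ports


def rules_for(service_text, services_text, trusted_net):
    """Illustrative iptables rules for one service file, limited to
    trusted_net.  Passing 0.0.0.0/0 here is the 'whole world' setting."""
    cfg = parse_sysconfig(service_text)
    table = parse_services(services_text)
    rules = []
    for proto in ("tcp", "udp"):
        for port in resolve(cfg.get(proto.upper(), []), proto, table):
            rules.append(f"iptables -A INPUT -s {trusted_net} -p {proto} "
                         f"--dport {port} -j ACCEPT")
    # BROADCAST= lists UDP ports that must also be accepted when the packet
    # is addressed to the subnet broadcast address; the firewall handles
    # broadcasts separately from unicast, which is why the ports appear twice.
    for port in resolve(cfg.get("BROADCAST", []), "udp", table):
        rules.append(f"iptables -A INPUT -s {trusted_net} -p udp --dport {port} "
                     f"-m addrtype --dst-type BROADCAST -j ACCEPT")
    return rules


if __name__ == "__main__":
    for rule in rules_for(SERVICE_FILE, ETC_SERVICES, "192.168.1.0/24"):
        print(rule)
```

The output shows that the UDP= line opens 137 and 138 (NetBIOS name and datagram services, which Windows clients use to find and browse the server), while TCP= covers 139 and 445 (the actual SMB sessions). The BROADCAST= line repeats 137 and 138 because name registration and browse announcements go to the broadcast address rather than to the server's unicast IP, so a rule that only accepts unicast would still leave the server invisible in Network Neighbourhood.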

I have revised the original post that starts this thread. I received news from Novell that the bug I reported was in fact not a bug. A new Service was introduced into the 11.x releases of openSUSE, called “Netbios Server”. I’ve adjusted the description of how to open the firewall to include the new service. The previous description works but is now redundant.

So I’ve cut the sticky adrift. If you see ppl with Samba + firewall problems in the Forums, please advise them of the new feature the devs have introduced and the way to use it (post #1 of this thread).

On Fri January 9 2009 04:06 pm, swerdna wrote:

>
> I have revised the original post that starts this thread. I received
> news from Novell that the bug I reported was in fact not a bug. A new
> Service was introduced into the 11.x releases of openSUSE, called
> “Netbios Server”. I’ve adjusted the description of how to open the
> firewall to include the new service. The previous description works but
> is now redundant.
>
> So I’ve cut the sticky adrift. If you see ppl with Samba + firewall
> problems in the Forums, please advise them of the new feature the devs
> have introduced and the way to use it (post #1 of this thread).
>
>
Those using NNTP should be sure to read the sticky from the web interface.
Edited posts may not be viewable via NNTP.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

I still have to do this in order to make Samba work:

in /etc/sysconfig/SuSEfirewall2.d/services/samba-server
Change the line UDP="" to UDP="netbios-ns netbios-dgm"
Change the line BROADCAST="" to BROADCAST="netbios-ns netbios-dgm"

even with the recent samba update…

It should be OK without that fix, provided you activate “Netbios Server” as an allowed service in Yast’s firewall module. Did you do that? And, what version of openSUSE is this, 11.0 or 11.1? And, was it installed from the DVD media or the KDE live CD?

I was going to make a new thread about this, but now I don’t have to.

Thank you very much.