I sincerely hope that this is not a duplicate. I used the forum search with “samba firewall” but I wasn’t able to solve my problem.
I have a Windows 7 virtual machine configured using libvirt (through virt-manager). I intend to share files using Samba between host and guest OS through an isolated virtual network (device is virbr1 at 192.168.100.1). I have followed the instructions from swerdna to set up the firewall, but I am not able to connect to my Samba server from within the guest with an active firewall. If I turn the firewall off, everything works fine. I think I have tried almost every possible configuration, but I can’t get it to work. If anyone has an idea, please let me know.
These settings actually worked before using gnome-boxes but now with virt-manager it’s kinda messed up.
firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client samba ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
smb.conf:
[global]
workgroup = SAMBA
dns proxy = no
lanman auth = yes
ntlm auth = yes
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = standalone server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n *Retype\snew\s*\spassword:* %n *password\supdated\ssuccessfully* .
pam password change = yes
[Downloads]
comment = Download Folder
read only = no
locking = no
path = /home/sascha/Downloads
guest ok = no
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
[Öffentlich]
comment =
inherit acls = Yes
path = /home/sascha/Öffentlich
read only = No
vfs objects =
Thank you. You are absolutely right. Since I am trying to use the virtual adapter “virbr1”, I assume that this needs to be listed in the public zone. Therefore I added it to the public zone using
Can you ping the guest IP address from the host OS successfully? If not, please show us the complete IP details on the guest
ip a
ip r
and on the host OS…
route print -4
Sounds like it isn’t able to add the rules libvirt tries to introduce for virbr1. But I have basically no experience with firewalld so far.
From reading a similar report in a Red Hat thread, I note that a RH employee mentioned that they can be ignored, with the following explanation given:
Ignore these, these are not errors. Firewallds design makes it impossible
for it to distinguish real errors from failures that the caller expects
to happen. Libvirt is running these commands to ensure the rules in
question do not exist, and it expects them to give errors most of the
time. There is no way for libvirt to stop these errors getting into
firewallds logs.
I am not able to ping the guest. See the following output:
user@machine:~> ping 169.254.215.250
PING 169.254.215.250 (169.254.215.250) 56(84) bytes of data.
From 188.1.245.13 icmp_seq=15 Packet filtered
From 188.1.245.13 icmp_seq=28 Packet filtered
From 188.1.245.13 icmp_seq=47 Packet filtered
^C
--- 169.254.215.250 ping statistics ---
47 packets transmitted, 0 received, +3 errors, 100% packet loss, time 47017ms
I am not able to execute “ip a” or “ip r” on the guest, since it is a Windows machine. All I can give you is the following (I hope you are ok with German, if not I will translate it):
Actually it appears that the guest isn’t able to connect to the virtual network, since virbr1’s DHCP range is 192.168.100.128 - 192.168.100.254. And I cannot run “route print -4”, even after installing “net-tools-deprecated”, because it doesn’t know the argument “print”:
user@machine:~> route print -4
Usage: route [-nNvee] [-FC] [<AF>]           List kernel routing tables
       route [-v] [-FC] {add|del|flush} ...  Modify routing table for AF.
       route {-h|--help} [<AF>]              Detailed usage syntax for specified AF.
       route {-V|--version}                  Display version/author and exit.
        -v, --verbose            be verbose
        -n, --numeric            don't resolve names
        -e, --extend             display other/more information
        -F, --fib                display Forwarding Information Base (default)
        -C, --cache              display routing cache instead of FIB
  <AF>=Use -4, -6, '-A <af>' or '--<af>'; default: inet
  List of possible address families (which support routing):
    inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
    netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
    x25 (CCITT X.25)
Ok, it appears that I got it running.
After the guest didn’t seem to be able to connect to the network device I rechecked
ip a
on my host and discovered that virbr1 was DOWN (although I could swear I checked this before and at that time it was UP). But this does of course explain why the guest isn’t able to connect to it. So I ran
ifconfig virbr1 up
and rebooted, and now I can reach the Samba server with \\192.168.100.1.
I will try to reproduce this on another machine to see whether it really was just the deactivated interface or the combination with adding it to the public zone of the firewall.
But so far, thank you both very much for your help and for pointing me in the right direction. I appreciate it very much.
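An added shell example from the editor, not code posted by anyone in this thread: it packages the three things the thread ended up checking by hand (whether virbr1 is bound to the firewalld zone, whether the bridge is administratively up, and whether the guest actually got a lease from the bridge's DHCP range) as small functions that read the output of `firewall-cmd --zone=public --list-all` and `ip link show dev virbr1` on stdin. The names (virbr1, zone public, the 192.168.100.128-254 range, the 169.254.215.250 guest address) are taken from the posts above; the sample outputs embedded below are constructed to mirror the "before" and "after" states and were not captured from the poster's machine.

```shell
#!/bin/sh
# Offline diagnosis of "guest cannot reach the host's Samba share over virbr1".
# Each check reads command output on stdin and exits 0 (ok) / 1 (problem), so it
# works on live output as well as on the constructed samples further down.
# Assumed names (from the thread): bridge virbr1, firewalld zone "public",
# DHCP range 192.168.100.128-192.168.100.254.

# Check 1: is the interface bound to the zone?
# stdin: firewall-cmd --zone=public --list-all     usage: ... | zone_has_iface virbr1
zone_has_iface() {
    awk -v want="$1" '
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Check 2: is the service allowed in the zone?  Same stdin as check 1.
zone_has_service() {
    awk -v want="$1" '
        $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Check 3: is the link administratively UP?  stdin: ip link show dev virbr1
# Looks for the exact flag "UP" inside <...>.  "state DOWN" on its own only means
# no guest is attached to the bridge yet, so the operstate is deliberately ignored.
link_admin_up() {
    awk 'NR == 1 && match($0, /<[^>]*>/) {
             n = split(substr($0, RSTART + 1, RLENGTH - 2), f, ",")
             for (i = 1; i <= n; i++) if (f[i] == "UP") up = 1
         }
         END { exit (up ? 0 : 1) }'
}

# Check 4: did the guest get a lease from the bridge's DHCP range?
# A 169.254.x.x address is Windows' APIPA fallback, i.e. no DHCP answer arrived.
ip2int() {                       # dotted quad -> integer, POSIX sh only
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}
addr_in_range() {                # addr_in_range ADDR LOW HIGH
    a=$(ip2int "$1"); lo=$(ip2int "$2"); hi=$(ip2int "$3")
    [ "$a" -ge "$lo" ] && [ "$a" -le "$hi" ]
}

# Run all checks on the given texts; prints one line each, returns the failure count.
diagnose() {                     # diagnose ZONE_TEXT LINK_TEXT GUEST_ADDR
    fails=0
    if printf '%s\n' "$1" | zone_has_iface virbr1; then echo "ok   virbr1 is bound to the zone"
    else echo "FAIL virbr1 not in zone: firewall-cmd --zone=public --add-interface=virbr1 --permanent && firewall-cmd --reload"; fails=$((fails + 1)); fi
    if printf '%s\n' "$1" | zone_has_service samba; then echo "ok   samba service allowed"
    else echo "FAIL samba not allowed: firewall-cmd --zone=public --add-service=samba --permanent && firewall-cmd --reload"; fails=$((fails + 1)); fi
    if printf '%s\n' "$2" | link_admin_up; then echo "ok   virbr1 is administratively up"
    else echo "FAIL virbr1 is down: check virsh net-list --all, then virsh net-start <network> (ip link set virbr1 up is not persistent)"; fails=$((fails + 1)); fi
    if addr_in_range "$3" 192.168.100.128 192.168.100.254; then echo "ok   guest $3 is inside the virbr1 DHCP range"
    else echo "FAIL guest $3 is outside the DHCP range (169.254.x.x = APIPA, no lease received)"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed samples (not captured output).  ZONE_BROKEN mirrors the first post:
# samba is allowed but "interfaces:" is empty, so the zone never applies to virbr1.
ZONE_BROKEN='public
  target: default
  interfaces:
  services: dhcpv6-client samba ssh'
ZONE_FIXED='public
  target: default
  interfaces: virbr1
  services: dhcpv6-client samba ssh'
LINK_DOWN='3: virbr1: <BROADCAST,MULTICAST> mtu 1500 qdisc noqueue state DOWN group default qlen 1000'
LINK_UP='3: virbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000'

echo "--- state from the first post ---"
diagnose "$ZONE_BROKEN" "$LINK_DOWN" 169.254.215.250 || true   # three failures expected
echo "--- state from the last post ---"
diagnose "$ZONE_FIXED" "$LINK_UP" 192.168.100.200
```

To use it on a live host, pipe the real commands in: `firewall-cmd --zone=public --list-all | zone_has_iface virbr1` and `ip link show dev virbr1 | link_admin_up`. Two caveats a practitioner will want: `ifconfig virbr1 up` (or `ip link set virbr1 up`) is not persistent, a libvirt-managed bridge is normally brought up by `virsh net-start` for its network, so `virsh net-list --all` is the first place to look when the bridge is down again after a reboot; and on current libvirt releases the bridge is put into a dedicated `libvirt` firewalld zone automatically, so check `firewall-cmd --get-zone-of-interface=virbr1` before adding it to `public`, otherwise the interface ends up bound to whichever zone was set last.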