Samba and/or firewall issue

I have been having an issue with samba and/or my firewall. I’m not sure where the issue is. I was wondering if anyone else has seen this and knows of a fix.

Once opensuse (kde) desktop shows up, it will sometimes take up to half an hour to be able to see the workgroup. I have my network set to the external zone. I have cups and samba setup to be allowed through the firewall (ports 661 and udp 137,138 tcp 135, 445, 139). The error I get states that the workgroup can’t be found, probably due to a firewall issue. I can get the internet just fine. I just can’t access my shares or my local network. If I leave it alone after about 30 minutes, I can go back have full access to my shares and local network.

I can set the card to the internal zone and have no problems. I know that I can leave it set to internal, but would like to find out why this is happening. My router has a firewall in it and it is set to run in stealth mode ([Home of Gibson Research Corporation](http://www.grc.com) ShieldsUP says running in total stealth mode).

I have checked the logs and do not see any errors. There is a statement in the startup log when susefirewall2 starts about no default zone and setting to ext. Could this be the issue?

I’m using opensuse 11 and KDE 4.1.1 (from factory)

cybertaz wrote:

>
> I have been having an issue with samba and/or my firewall. I’m not sure
> where the issue is. I was wondering if anyone else has seen this and
> knows of a fix.
>
> Once opensuse (kde) desktop shows up, it will sometimes take up to half
> an hour to be able to see the workgroup. I have my network set to the
> external zone. I have cups and samba setup to be allowed through the
> firewall (ports 661 and udp 137,138 tcp 135, 445, 139). The error I get
> states that the workgroup can’t be found, probably due to a firewall
> issue. I can get the internet just fine. I just can’t access my shares
> or my local network. If I leave it alone after about 30 minutes, I can
> go back have full access to my shares and local network.
>
> I can set the card to the internal zone and have no problems. I know
> that I can leave it set to internal, but would like to find out why
> this is happening. My router has a firewall in it and it is set to run
> in stealth mode ([Home of Gibson Research Corporation](http://www.grc.com)
> ShieldsUP says running in total stealth mode).
>
> I have checked the logs and do not see any errors. There is a statement
> in the startup log when susefirewall2 starts about no default zone and
> setting to ext. Could this be the issue?
>
> I’m using opensuse 11 and KDE 4.1.1 (from factory)
>
>

Not to belittle the SuSE firewall, but I’ve really only found it to be
useful if that machine is the only one on a network, it has two network
devices, or if other machines are ‘behind’ it (suse machine acting like
router/firewall/nat).

If you set your nic (eth0) to ‘external’, it appropriately protects you from
everything coming into that nic.

If you don’t have an internal zone to go along with the external zone, it
operates weirdly. Open ports may not act open, and so on. So I usually
disable the suse firewall when it’s on a network with other machines, which
are all behind another firewall. Great to see you’ve got a router/firewall
in place, good for you!

Windows machines don’t broadcast their samba information but every 11
minutes. And no, it’s not synchronized either. You could probably speed up
the discovery by requesting each desired share by name… smb://machine1,
smb://machine2, etc.

Maybe a typo, but cups server is on port 631, not 661.

Also, make sure ‘smb’ and ‘nmb’ services are enabled and running in
yast->system->runlevels, since smb controls the shares, and nmb controls
the broadcasting (and the reception) of share names and machines.

Hope this helps.


L R Nix
lornix@lornix.com

cybertaz wrote:

>
> I have been having an issue with samba and/or my firewall. I’m not sure
> where the issue is. I was wondering if anyone else has seen this and
> knows of a fix.
>
> Once opensuse (kde) desktop shows up, it will sometimes take up to half
> an hour to be able to see the workgroup. I have my network set to the
> external zone. I have cups and samba setup to be allowed through the
> firewall (ports 661 and udp 137,138 tcp 135, 445, 139). The error I get
> states that the workgroup can’t be found, probably due to a firewall
> issue. I can get the internet just fine. I just can’t access my shares
> or my local network. If I leave it alone after about 30 minutes, I can
> go back have full access to my shares and local network.
<snip>

Cybertaz;

Have you enabled broadcasts through the firewall? (Set
FW_ALLOW_FW_BROADCAST_XYZ to YES where XYZ is EXT and or INT). Also look at
trusted nets, if appropriate it can solve a lot of firewall problems,


P. V.
Only fools rush in where angels fear to tread.

@lornix - Yes, those services are set and running. And for the ports, I’m sure you are correct, I was listing the ports by memory and, since I can print to my networked printer, I haven’t had to deal with it. I will probably just set the nic to internal zone anyway.

@PV - I have microsoft-ds and two or three (I don’t remember right now) netbios broadcasting (I think something like netbios-ds -dn -and one other) on EXT and netbios-ds -dn on INT.

cybertaz wrote:

>
> @lornix - Yes those services are set and running. And for the ports, I’m
> sure you are correct, I was listing the ports by memory and, since I can
> print to my networked printer, I haven’t had to deal with it. I will
> probably just set the nic to internal zone anyway.
>
> @PV - I have microsoft-ds and two or three (I don’t remember right now)
> netbios broadcasting (I think something like netbios-ds -dn -and one
> other) on EXT and netbios-ds -dn on INT.
>
>
Cybertaz;
It’s a separate flag in the firewall settings and needs to be set to “yes”.
(It’s near the end of the configuration file.) For testing purposes you might
try just turning off the firewall to make sure everything is OK without the
firewall. If the problem persists, you may have some other configuration
problem.

P. V.
Only fools rush in where angels fear to tread.

Here’s a link to a tutorial that contains a rundown on HowTo Configure SuSEfirewall2 for Samba. It says this:

  • Open the firewall configuration GUI at Yast -> System -> Sysconfig Editor -> Network -> Firewall -> SuSEfirewall2
  • Locate FW_SERVICES_EXT_TCP and allow additional ports 135, 139 and 445.
    You might see the terms microsoft-ds (synonym for 445) and netbios-ssn (synonym for 139). Use numeric values for consistency and use all three.
  • Locate FW_SERVICES_EXT_UDP and allow additional ports 137 and 138.
    You might see the terms microsoft-dgm (synonym for 138) and netbios-ns (synonym for 137). Use numeric values for consistency.
  • Locate FW_ALLOW_FW_BROADCAST_EXT and allow Samba Server to broadcast by naming the Samba UDP ports: 137 138.
    If you see the synonyms netbios-ns netbios-dgm, replace them with the numeric values.
  • Locate FW_TRUSTED_NETS and allow LAN traffic with e.g. 192.168.1.0/24 (NB: This is an example - discover and use your own IP range.)

Set the interface to the external zone. You can do that in Yast → Security and Users → Firewall → Interfaces → eth0 (or whatever you have). Leave the services and other things there alone and set them using the configurator I mentioned above (Sysconfig editor).
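As an added example that is not part of the thread and is not openSUSE's own tooling, the POSIX shell script below checks a SuSEfirewall2 configuration for the settings in the tutorial steps quoted above (FW_SERVICES_EXT_TCP, FW_SERVICES_EXT_UDP, FW_ALLOW_FW_BROADCAST_EXT) and for the broadcast flag P. V. pointed out earlier. The checker (samba_fw_check and its helpers) and both sample configurations are constructed for illustration; only the variable names, the port numbers and the service-name synonyms come from the posts.

```shell
#!/bin/sh
# Added example (not openSUSE's or the thread participants' code): a checker for
# the Samba-related SuSEfirewall2 variables named in the thread. The two sample
# configurations below are constructed; they are not anyone's real file.

# Rewrite the service-name synonyms the thread mentions as port numbers, so a
# file that says "netbios-ssn microsoft-ds" is judged the same as "139 445".
normalize_ports() {
    sed -e 's/microsoft-ds/445/g' -e 's/netbios-ssn/139/g' \
        -e 's/netbios-ns/137/g'   -e 's/netbios-dgm/138/g'
}

# get_var NAME: print the value of the last uncommented NAME="..." line in the
# config held in $cfg (sysconfig files are shell syntax, but we never source them).
get_var() {
    printf '%s\n' "$cfg" |
        sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*$/\1/p" |
        tail -n 1
}

# has_port "VALUE" PORT: true if PORT appears as a whole token in VALUE.
has_port() {
    for tok in $1; do
        [ "$tok" = "$2" ] && return 0
    done
    return 1
}

# samba_fw_check: read a SuSEfirewall2 config on stdin, print every Samba
# requirement it misses, and return 0 only when nothing is missing.
samba_fw_check() {
    cfg=$(cat)
    missing=0
    tcp=$(get_var FW_SERVICES_EXT_TCP | normalize_ports)
    udp=$(get_var FW_SERVICES_EXT_UDP | normalize_ports)
    bcast=$(get_var FW_ALLOW_FW_BROADCAST_EXT | normalize_ports)
    for p in 135 139 445; do
        has_port "$tcp" "$p" || { echo "FW_SERVICES_EXT_TCP lacks $p"; missing=1; }
    done
    for p in 137 138; do
        has_port "$udp" "$p" || { echo "FW_SERVICES_EXT_UDP lacks $p"; missing=1; }
    done
    # Opening UDP 137/138 is not enough: broadcasts are a separate switch.
    # "yes" admits all broadcasts; otherwise the two name-service ports must be listed.
    if [ "$bcast" != "yes" ]; then
        for p in 137 138; do
            has_port "$bcast" "$p" ||
                { echo "FW_ALLOW_FW_BROADCAST_EXT lacks $p (port open, broadcasts still dropped)"; missing=1; }
        done
    fi
    return $missing
}

# Constructed 'before': ports named by synonym, 135 forgotten, broadcasts off.
weak_config() {
    cat <<'EOF'
## Path: Network/Firewall/SuSEfirewall2
FW_DEV_EXT="eth0"
FW_SERVICES_EXT_TCP="netbios-ssn microsoft-ds"
FW_SERVICES_EXT_UDP="137 138"
FW_ALLOW_FW_BROADCAST_EXT="no"
EOF
}

# Constructed 'after': the settings from the tutorial steps quoted above.
fixed_config() {
    cat <<'EOF'
## Path: Network/Firewall/SuSEfirewall2
FW_DEV_EXT="eth0"
FW_SERVICES_EXT_TCP="135 139 445"
FW_SERVICES_EXT_UDP="137 138"
FW_ALLOW_FW_BROADCAST_EXT="137 138"
FW_TRUSTED_NETS="192.168.1.0/24"
EOF
}

echo "== before =="; weak_config  | samba_fw_check || echo "-> incomplete"
echo "== after  =="; fixed_config | samba_fw_check && echo "-> complete"
```

To run it against a real machine, replace the two demo lines at the end with `samba_fw_check < /etc/sysconfig/SuSEfirewall2`. The script only reads the file and never sources it, so a malformed or tampered config cannot execute anything. FW_TRUSTED_NETS is deliberately not checked, because the right range is site-specific and the tutorial's 192.168.1.0/24 is only an example.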

@Swerdna - That is the setup that I have. It wasn’t that it wouldn’t connect through the firewall, it just takes a really long time to see the network. After about 30 minutes I can see and navigate through all the network shares and computers without issue. I was just wondering if I was the only one that was seeing this and/or if anyone knew of a fix for it.

I’m not worried too much about having my computer behind a software firewall. I have a working hardware firewall, so this whole thing is kind of a moot point, but I was wanting to figure this out.

The firewall settings that you say you have look good to me, except perhaps for the missing (possibly missing?) broadcasts from samba server (fixed if you set FW_ALLOW_FW_BROADCAST_EXT). I did see that you don’t really care about the firewall, just curious about it. So if you config the firewall as I said it will be as good as it can ever possibly get for Samba. Don’t forget to reboot both Suse and windows to force an election and a bit of chit chat between them. Don’t forget to reboot your router and modem too every few days (I’ve spent hours being tricked by a clogged router).

I’d be curious to know if after you’ve configured the firewall properly: if the 30 minute thing is fixed or if it is not then is it fixed if the firewall is switched off?

Then if the 30 minute stuff persists after the firewall is fixed and/or switched off, post the file smb.conf to look at tweaking the name resolution process.

Hope you understand all that.

@swerdna - Yeah, I understand. The 30 minute thing is totally gone if I switch my nic to internal zone or just turn it off all together. So that would tell me the problem is with the firewall or something similar. I can go through the firewall settings again and verify the settings.

I don’t know if I can get to it tonight though. Starting tomorrow I will be out of town, so I won’t be here for a few days. I’ll pick it up when I get back.

I went through and blanked out the settings and started over. I think things might be fixed. I’ll wait and see.

Well, the time has been cut down to about 15 minutes. :P

I’m at a loss :?

cybertaz wrote:

>
> Well, the time has been cut down to about 15 minutes. :P
>
> I’m at a loss :?
>
>
Just what do you have for your firewall settings now? Have you just tried
dropping the firewall for testing? Have you ruled out a bad switch and or
cable?

If this delay exists with no firewall then perhaps you need to post
your /etc/samba/smb.conf. You can use place holders for any information that
would compromise your network.

P. V.
Only fools rush in where angels fear to tread.

If I disable or put my nic in the internal zone, then none of this happens. I followed Swerdna’s post after I blanked the settings out. When I rebooted, it was 15 min before I could see the network.

I think I’ll just do some more research and see if I can find anything else on this. In the mean time I will just put my nic in the internal zone.

cybertaz wrote:

>
> If I disable or put my nic in the internal zone, then none of this
> happens. I followed Swerdna’s post after I blanked the settings out.
> When I rebooted, it was 15 min before I could see the network.
>
> I think I’ll just do some more research and see if I can find anything
> else on this. In the mean time I will just put my nic in the internal
> zone.
>
>
Did you allow broadcasts? Just opening the port does not allow broadcasts
unless they are specifically enabled in the Susefirewall. See my earlier post.
If you are concerned with security, they can be enabled on a per port basis.
See Swerdna’s web site for details: http://www.swerdna.net.au/linux.html

P. V.
Only fools rush in where angels fear to tread.