Description of problem:
mcc/drakfirewall has quite some useful predefined options like "SSH Server", "Mail-Server", etc., but there is no option for "SMB/Windows client". Thus one cannot configure an SMB client via mcc/drakfirewall.

Version-Release number of selected component (if applicable):

How reproducible: always

Steps to Reproduce:
1. Set up shorewall using mcc/drakfirewall.
2. Try to browse "samba shares" in Dolphin.
3. -> Dolphin says: ".. not workgroup found ... This can be caused by an active firewall"
4. Try to configure a "SMB client" in mcc/drakfirewall -> there is no option for this.
AFAIK those options concern incoming network traffic, not outgoing traffic. Are you sure that such an option is needed when your machine is just a client?
CC: (none) => stormi
SMB client did not find any other SMB hosts if the firewall is running, but does if the firewall is shut down.

SMB works with broadcasts a lot, even on the client side. Thus there are rules necessary in the firewall.

Perhaps the SAMBA guys could answer best :-)

shorewall already includes
/usr/share/shorewall/macro.SMB
/usr/share/shorewall/macro.SMBBI
Buchan, any idea ?
CC: (none) => bgmilne, bgmilne
(In reply to comment #2)
> SMB client did not find any other SMB hosts if the firewall is running, but
> does if the firewall is shut down.
>
> SMB works with broadcasts a lot, even on the client side. Thus there are rules
> necessary in the firewall.
>
> Perhaps the SAMBA guys could answer best :-)
>
> shorewall already includes
> /usr/share/shorewall/macro.SMB
> /usr/share/shorewall/macro.SMBBI

(In reply to comment #3)
> Buchan, any idea ?

@ Buchan
Assigning to you, for you to say whether this is needed or not and, if it is, to reassign to blino.
Assignee: bugsquad => bgmilne
CC: (none) => marja11
Pinging, because nothing has happened with this report for more than 3 months, it still has the status NEW or REOPENED @ Buchan Please comment!
Please look at the bottom of this mail to see whether you're the assignee of this bug, if you don't already know whether you are.

If you're the assignee:
We'd like to know for sure whether this bug was assigned correctly. Please change status to ASSIGNED if it is, or put OK on the whiteboard instead.
If you don't have a clue and don't see a way to find out, then please put NEEDHELP on the whiteboard.
Please assign back to Bug Squad or to the correct person to solve this bug if we were wrong to assign it to you, and explain why.
Thanks :)

****************************

@ the reporter and persons in the cc of this bug:
If you have any new information that wasn't given before (like this bug being valid for another version of Mageia, too, or it being solved) please tell us.

@ the reporter of this bug
If you didn't reply yet to a request for more information, please do so within two weeks from now.

Thanks all :-D
This message is a reminder that Mageia 1 is nearing its end of life. In approximately 25 days from now, Mageia will stop maintaining and issuing updates for Mageia 1. At that time this bug will be closed as WONTFIX (EOL) if it remains open with a Mageia 'version' of '1'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Mageia version prior to Mageia 1's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Mageia 1 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Mageia, you are encouraged to click on "Version" and change it against that version of Mageia.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Mageia release includes newer upstream software that fixes bugs or makes them obsolete.

--
Mageia Bugsquad
This is still valid for Mageia 2.
Version: 1 => 2
Assignee: bgmilne => bugsquad
Severity: normal => enhancement
Version: 2 => Cauldron
Can anyone suggest a patch against http://gitweb.mageia.org/software/drakx-net/tree/lib/network/drakfirewall.pm ?
CC: (none) => thierry.vignaud
According to https://wiki.samba.org/index.php/Samba_port_usage and http://www.cyberciti.biz/faq/what-ports-need-to-be-open-for-samba-to-communicate-with-other-windowslinux-systems/ I think at least 137, 138, 139 and 445 tcp/udp
CC: (none) => anaselli, matteo.pasotti
grep -i NETBIOS /etc/services
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service

grep -i microsoft /etc/services
microsoft-ds 445/tcp # Microsoft Naked CIFS
microsoft-ds 445/udp

I removed MS SQL Server from this list
Oops, they are in already. Sorry
Created attachment 6036 [details]
patch to show SMB port also

Note that there are more ports than the one that should be used for the most. I can say that removing the "hide" shows that check-box; I don't know if it works also for settings, I suppose so.
That's for the server part. Here it's about the client.
Well, I haven't ever configured the client alone. If I want to reach a Windows PC in the Windows net they also want to know my Windows name..., I wonder if the reporter has not also the server? And if not, instead of opening all the ports (disabling the firewall), can they try to open the netbios ones only?
Suse has the samba client configuration on their firewall, but I cannot find documentation on that by a quick search on Google, although I found this: http://swerdna.dyndns.org/susefirewall.html

Samba client 137 (UDP) related nf_conntrack_netbios_ns

Can we test this?
As of drakx-net-2.14-1.mga4.src.rpm, there is no SMB option to check, neither client nor server. That's the point. (Of course, I am able to manually configure the firewall so SMB works for me. But this bug report is about missing pre-defined options for casual users.)
Samba server is in (but hidden). You asked for client, but if we don't know which ports, we cannot add such a configuration. If for the client port 137 udp is enough, we can split it from the server firewall configuration and have two choices:

[ ] samba server (all as they are now, but 137 udp)
[ ] samba client (137 udp)

But if nobody confirms that, nobody will change the code.... ;)
Created attachment 6040 [details]
patch to enable SMB client and server ports

I split client and server, now what we need is to better fix the ports
Attachment 6036 is obsolete: 0 => 1
@Angelo: Sorry, I misunderstood you. Now I understand that you want to know which ports the SMB *client* requires. Using only port 137 on the client (as written in the link you posted) does not match what I know. So I used wireshark, double checked and did some more research (just search the internet for "firewall samba client").

My conclusion is: As Mageia is an end-user distribution, we should
1. use the same port-set for the client as we do for the server.
2. *not* require any package

This means: Using your first patch <https://bugs.mageia.org/attachment.cgi?id=6036&action=diff>

Reasoning:
re 1.: In a typical home-office/small-office scenario we have a peer-to-peer workgroup setup. So each "client" is a "server", too.
re 2.: Nevertheless most Linux users will not use peer-to-peer but dedicate a system to being a client or a server. So we should not force them to either package.

BTW 1: Only half of the ports listed is used at all, see http://troy.jdmz.net/samba/fw/. And I can see no reason for 1024:1100. So I'm attaching an updated patch.

BTW 2: The information given at http://swerdna.dyndns.org/susefirewall.html is imprecise, because it does not tell about incoming or outgoing connections. Further I tried verifying this information from the source of yast-firewall (https://github.com/yast/yast-firewall): The number "445" does not occur in the source at all, neither does "netbios" or "samba server". So I'm missing evidence for this source.
Created attachment 6059 [details]
patch to show SMB port also and correct port-list
Hummm... I would rather rename the current hidden entry as "Windows Files Sharing Server (SMB)".
Then add a new entry:

    {
        name => N_("Windows Files Sharing Client (SMB)"),
        pkg => 'samba-client',
        ports => '137/udp 138/udp 139/tcp 445/tcp 445/udp',
    },

Does that work?
@Thierry: This would work, too. The decision is up to the "product manager" ;-) Nevertheless I would reduce the port-list for the server, too.
You think they're not needed for the server?
They are not needed by the server (nor the client). These are the only ports the Samba server daemons listen on. See http://troy.jdmz.net/samba/fw/ just around the second box.
Thierry @comment 22 and the server? while the desktop configuration could be seen by the client pow even if a local server is running, if you want to run a server only that configuration works with samba-client... I'm confused
I asked for the SUSE configuration and had this info:

mvidner@mrakoplas:services$ grep . /etc/sysconfig/SuSEfirewall2.d/services/samba-{client,server}
/etc/sysconfig/SuSEfirewall2.d/services/samba-client:## Name: Samba Client
/etc/sysconfig/SuSEfirewall2.d/services/samba-client:## Description: Enables browsing of SMB shares
/etc/sysconfig/SuSEfirewall2.d/services/samba-client:RELATED="0/0,udp,137"
/etc/sysconfig/SuSEfirewall2.d/services/samba-client:MODULES="nf_conntrack_netbios_ns"
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:## Name: Samba Server
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:## Description: Opens ports for Samba Server.
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:# space separated list of allowed TCP ports
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:TCP="netbios-ssn microsoft-ds"
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:# space separated list of allowed UDP ports
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:UDP=""
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:# space separated list of allowed RPC services
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:RPC=""
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:# space separated list of allowed IP protocols
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:IP=""
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:# space separated list of allowed UDP broadcast ports
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:BROADCAST=""
mvidner@mrakoplas:services$ rpm -qf /etc/sysconfig/SuSEfirewall2.d/services/samba-{client,server}
samba-client-4.1.17-5.1.x86_64
samba-4.1.17-5.1.x86_64

and that with a quick grep RELATED is a concept in the conntrack modules
CC: (none) => identity.mageia.org
Assignee: bugsquad => mageiatools
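Added example, not part of the original thread or of drakx-net: a Python sketch that parses the SuSEfirewall2 service definitions quoted above, resolves service names with the /etc/services excerpt from this thread, and lists which ports of the proposed five-port drakfirewall entry SUSE does not open for new inbound connections. Treating TCP/UDP/BROADCAST as plainly opened ports and RELATED as a conntrack-helper entry is this example's reading of those files, and all function names are hypothetical.

```python
import os

# Constructed inputs: values copied from the grep output and the proposal in this thread.
SERVICES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139, "microsoft-ds": 445}
BASE = "/etc/sysconfig/SuSEfirewall2.d/services/"
SUSE_GREP = "\n".join([
    BASE + 'samba-client:## Name: Samba Client',
    BASE + 'samba-client:RELATED="0/0,udp,137"',
    BASE + 'samba-client:MODULES="nf_conntrack_netbios_ns"',
    BASE + 'samba-server:## Name: Samba Server',
    BASE + 'samba-server:TCP="netbios-ssn microsoft-ds"',
    BASE + 'samba-server:UDP=""',
    BASE + 'samba-server:BROADCAST=""',
])
PROPOSED = "137/udp 138/udp 139/tcp 445/tcp 445/udp"  # entry proposed for drakfirewall

def parse_grep(text):
    """Turn 'path:KEY="value"' grep lines into {service: {KEY: value}}."""
    cfg = {}
    for line in text.splitlines():
        path, _, content = line.partition(":")
        if not content or content.startswith("#") or "=" not in content:
            continue  # skip comment lines and anything that is not an assignment
        key, _, value = content.partition("=")
        cfg.setdefault(os.path.basename(path), {})[key] = value.strip('"')
    return cfg

def _port(token):
    """Accept a numeric port or a service name from the /etc/services excerpt."""
    return int(token) if token.isdigit() else SERVICES[token]

def inbound(svc):
    """Ports a service file opens for new inbound connections."""
    pairs = (("TCP", "tcp"), ("UDP", "udp"), ("BROADCAST", "udp"))
    return {f"{_port(t)}/{proto}" for key, proto in pairs for t in svc.get(key, "").split()}

def related(svc):
    """RELATED entries (net,proto,port): tracked replies, not a plainly opened port."""
    entries = (e.split(",") for e in svc.get("RELATED", "").split())
    return {f"{_port(port)}/{proto}" for _net, proto, port in entries}

def extra_vs_suse(proposed, svc):
    """Ports in a drakfirewall-style list that the SUSE service file leaves closed."""
    return set(proposed.split()) - inbound(svc)

if __name__ == "__main__":
    cfg = parse_grep(SUSE_GREP)
    print("server inbound:", sorted(inbound(cfg["samba-server"])))
    print("client related:", sorted(related(cfg["samba-client"])))
    print("proposed extras:", sorted(extra_vs_suse(PROPOSED, cfg["samba-server"])))
```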
SMB share toggle is somewhat broken in default state. Let me explain:

1) Opening Drakfirewall settings in MCC. There is not any toggle "Windows Share (SMB)".
2) Add the above-mentioned ports: 137/udp 138/udp 139/tcp 445/tcp 445/udp in Shorewall, with the "Advanced" button.
3) Close.
4) Reopen Drakfirewall settings: the toggle is HERE! SMB shares are visible and browsable.

(The issue is complicated with SMBv1 shares from Windows XP and earlier versions... but who is still running this sort of OS...).

So we definitely have this GUI toggle. It is somewhat hidden. Need a fix here.
Source RPM: drakx-net-0.97-1.mga1.src.rpm => drakx-net-2.52-1.mga8.src.rpm
CC: (none) => ouaurelien