Bug 2836 - drakfirewall is missing option for "SMB client"
Summary: drakfirewall is missing option for "SMB client"
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: x86_64 Linux
Priority: Normal enhancement
Target Milestone: ---
Assignee: Mageia tools maintainers
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-09-25 12:08 CEST by Hartmut Goebel
Modified: 2020-12-28 11:16 CET
CC: 9 users

See Also:
Source RPM: drakx-net-2.52-1.mga8.src.rpm
CVE:
Status comment:


Attachments
patch to show SMB port also (446 bytes, patch)
2015-03-11 16:40 CET, Angelo Naselli
patch to enable SMB client and server ports (769 bytes, patch)
2015-03-11 23:22 CET, Angelo Naselli
patch to show SMB port also and correct port-list (507 bytes, patch)
2015-03-13 13:40 CET, Hartmut Goebel

Description Hartmut Goebel 2011-09-25 12:08:20 CEST
Description of problem:

mcc/drakfirewall has quite some useful predefined options like "SSH Server", "Mail-Server", etc., but there is no option for "SMB/Windows client". Thus one cannot configure an SMB client via mcc/drakfirewall.



Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Set up shorewall using mcc/drakfirewall.
2. Try to browse "samba shares" in Dolphin
3. -> Dolphin says: ".. not workgroup found ... This can be caused by an active firewall"
4. Try to configure a "SMB client" in mcc/drakfirewall
-> there is no option for this
Comment 1 Samuel Verschelde 2011-10-01 17:58:28 CEST
AFAIK those options concern incoming network traffic, not outgoing traffic. Are you sure that such an option is needed when your machine is just a client?

CC: (none) => stormi

Comment 2 Hartmut Goebel 2011-10-04 10:21:22 CEST
SMB client did not find any other SMB hosts if the firewall is running, but does if the firewall is shut down.

SMB works with broadcasts a lot, even on the client side. Thus there are rules necessary in the firewall.

Perhaps the SAMBA guys could answer best :-)

shorewall already includes
/usr/share/shorewall/macro.SMB
/usr/share/shorewall/macro.SMBBI
Comment 3 Manuel Hiebel 2011-10-04 12:44:05 CEST
Buchan, any idea ?

CC: (none) => bgmilne, bgmilne

Comment 4 Marja Van Waes 2011-12-05 17:02:37 CET
(In reply to comment #2)
> SMB client did not find any other SMB hosts if the firewall is running, but
> does if the firewall is shut down.
> 
> SMB works with broadcasts a lot, even on the client side. Thus there are rules
> necessary in the firewall.
> 
> Perhaps the SAMBA guys could answer best :-)
> 
> shorewall already includes
> /usr/share/shorewall/macro.SMB
> /usr/share/shorewall/macro.SMBBI

(In reply to comment #3)
> Buchan, any idea ?

@ Buchan

assigning to you, for you to say whether this is needed or not and if it is, to reassign to blino

Assignee: bugsquad => bgmilne
CC: (none) => marja11

Comment 5 Marja Van Waes 2012-03-14 21:51:55 CET
Pinging, because nothing has happened with this report for more than 3 months; it still has the status NEW or REOPENED.

@ Buchan

Please comment!
Comment 6 Marja Van Waes 2012-07-06 15:04:33 CEST
Please look at the bottom of this mail to see whether you're the assignee of this bug, if you don't already know whether you are.


If you're the assignee:

We'd like to know for sure whether this bug was assigned correctly. Please change status to ASSIGNED if it is, or put OK on the whiteboard instead.

If you don't have a clue and don't see a way to find out, then please put NEEDHELP on the whiteboard.

Please assign back to Bug Squad or to the correct person to solve this bug if we were wrong to assign it to you, and explain why.

Thanks :)

**************************** 

@ the reporter and persons in the cc of this bug:

If you have any new information that wasn't given before (like this bug being valid for another version of Mageia, too, or it being solved) please tell us.

@ the reporter of this bug

If you didn't reply yet to a request for more information, please do so within two weeks from now.

Thanks all :-D
Comment 7 Manuel Hiebel 2012-11-05 16:52:20 CET
This message is a reminder that Mageia 1 is nearing its end of life. 
In approximately 25 days from now, Mageia will stop maintaining and issuing 
updates for Mageia 1. At that time this bug will be closed as WONTFIX (EOL) if it 
remains open with a Mageia 'version' of '1'.

Package Maintainer: If you wish for this bug to remain open because you plan to 
fix it in a currently maintained version, simply change the 'version' to a later 
Mageia version prior to Mageia 1's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not 
be able to fix it before Mageia 1 is end of life.  If you would still like to see 
this bug fixed and are able to reproduce it against a later version of Mageia, 
you are encouraged to click on "Version" and change it against that version 
of Mageia.

Although we aim to fix as many bugs as possible during every release's lifetime, 
sometimes those efforts are overtaken by events. Often a more recent Mageia 
release includes newer upstream software that fixes bugs or makes them obsolete.

--
Mageia Bugsquad
Comment 8 Hartmut Goebel 2012-11-07 20:46:49 CET
This is still valid for Mageia 2.

Version: 1 => 2

Manuel Hiebel 2013-10-12 00:10:22 CEST

Assignee: bgmilne => bugsquad
Severity: normal => enhancement
Version: 2 => Cauldron

Comment 9 Thierry Vignaud 2015-03-11 16:15:14 CET
Can anyone suggest a patch against http://gitweb.mageia.org/software/drakx-net/tree/lib/network/drakfirewall.pm ?

CC: (none) => thierry.vignaud

Comment 10 Angelo Naselli 2015-03-11 16:26:23 CET
According to https://wiki.samba.org/index.php/Samba_port_usage
and 
http://www.cyberciti.biz/faq/what-ports-need-to-be-open-for-samba-to-communicate-with-other-windowslinux-systems/
I think at least 137, 138, 139 and 445 tcp/udp

CC: (none) => anaselli, matteo.pasotti

Comment 11 Angelo Naselli 2015-03-11 16:30:05 CET
grep -i NETBIOS /etc/services 
netbios-ns      137/tcp                         # NETBIOS Name Service
netbios-ns      137/udp
netbios-dgm     138/tcp                         # NETBIOS Datagram Service
netbios-dgm     138/udp
netbios-ssn     139/tcp                         # NETBIOS session service
grep -i microsoft /etc/services 
microsoft-ds    445/tcp                         # Microsoft Naked CIFS
microsoft-ds    445/udp

I removed MS SQL Server from this list
Comment 12 Angelo Naselli 2015-03-11 16:33:02 CET
Oops, they are in already. Sorry.
Comment 13 Angelo Naselli 2015-03-11 16:40:41 CET
Created attachment 6036 [details]
patch to show SMB port also

Note that there are more ports than the ones that should be used for the most part.
I can say that removing the "hide" shows that check-box; I don't know if it works
also for settings, I suppose so.
Comment 14 Thierry Vignaud 2015-03-11 21:18:11 CET
That's for the server part.
Here it's about the client.
Comment 15 Angelo Naselli 2015-03-11 22:25:07 CET
Well, I haven't ever configured the client alone; if I want to reach a Windows PC in the Windows net they also want to know my Windows name...
I wonder if the reporter does not also have the server? And if not, instead of opening all the ports (disabling the firewall), can he try to open the NetBIOS ones only?
Comment 16 Angelo Naselli 2015-03-11 23:00:02 CET
SUSE has the samba client configuration in their firewall, but I cannot find
documentation on that by a quick search on Google, although I found this
http://swerdna.dyndns.org/susefirewall.html

Samba client 		137 (UDP) related 	nf_conntrack_netbios_ns

Can we test this?
Comment 17 Hartmut Goebel 2015-03-11 23:04:49 CET
As of drakx-net-2.14-1.mga4.src.rpm, it does not have any SMB option to check, neither client nor server. That's the point.

(Of course, I am able to manually configure the firewall so SMB works for me. But this bug report is about missing pre-defined options for casual users.)
Comment 18 Angelo Naselli 2015-03-11 23:10:27 CET
samba server is in (but hidden); you asked for client, but if we don't know
which ports, we cannot add such a configuration.
If for the client the port 137 udp is enough, we can split it from the server
firewall configuration and have two choices:
[ ] samba server (all as they are now, but 137 udp)
[ ] samba client (137 udp)

But if nobody confirms that, nobody will change the code... ;)
Comment 19 Angelo Naselli 2015-03-11 23:22:04 CET
Created attachment 6040 [details]
patch to enable SMB client and server ports

I split client and server, now what we need is to better fix the ports

Attachment 6036 is obsolete: 0 => 1

Comment 20 Hartmut Goebel 2015-03-13 13:39:11 CET
@Angelo: Sorry, I misunderstood you. Now I understand that you want to know which ports the SMB *client* requires.

Using only port 137 on the client (as written in the link you posted) does not match what I know. So I used wireshark, double checked and did some more research (just search the internet for "firewall samba client").

My conclusion is: As Mageia is an end-user distribution, we should
1. use the same port-set for the client as we do for the server. 
2. *not* require any package

This means: Using your first patch <https://bugs.mageia.org/attachment.cgi?id=6036&action=diff>

Reasoning:

re 1.: In a typical home-office/small-office scenario we have a peer-to-peer workgroup setup. So each "client" is a "server", too.

re 2.: Nevertheless most Linux users will not use peer-to-peer but dedicate a system to being a client or a server. So we should not force them to either package.

BTW 1: Only half of the ports listed are used at all, see http://troy.jdmz.net/samba/fw/. And I can see no reason for 1024:1100. So I'm attaching an updated patch.


BTW 2: The information given at http://swerdna.dyndns.org/susefirewall.html is imprecise, because it does not tell about incoming or outgoing connections. Further, I tried verifying this information from the source of yast-firewall (https://github.com/yast/yast-firewall): The number "445" does not occur in the source at all, neither does "netbios" or "samba server". So I'm missing evidence for this source.
Comment 21 Hartmut Goebel 2015-03-13 13:40:12 CET
Created attachment 6059 [details]
patch to show SMB port also and correct port-list
Comment 22 Thierry Vignaud 2015-03-13 13:48:28 CET
Hummm...
I would rather rename current hidden entry as "Windows Files Sharing Server (SMB)"
Then add a new entry:

  {
   name => N_("Windows Files Sharing Client (SMB)"),
   pkg => 'samba-client',
   ports => '137/udp 138/udp 139/tcp 445/tcp 445/udp',
  },

Does that work?
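The entry above, expanded into the Shorewall rules it would have to produce, as an added example that is not part of this bug thread, of drakx-net, or of Shorewall. The client port set is the one in comment 22, the server set is the TCP list of the SuSE profile in comment 27, the /etc/services excerpt is the one from comment 11, and the rule columns (ACCEPT net $FW proto port) are an assumption:

```shell
#!/bin/sh
# Added example (not drakx-net or Shorewall code): expand a drakfirewall-style
# "ports" string into Shorewall 'rules' lines, naming each port as /etc/services
# does. SERVICES is an excerpt of /etc/services embedded here so it runs offline.

SMB_CLIENT_PORTS='137/udp 138/udp 139/tcp 445/tcp 445/udp'   # entry proposed in comment 22
SMB_SERVER_PORTS='139/tcp 445/tcp'                           # TCP="netbios-ssn microsoft-ds" (comment 27)

SERVICES='netbios-ns 137/tcp
netbios-ns 137/udp
netbios-dgm 138/tcp
netbios-dgm 138/udp
netbios-ssn 139/tcp
microsoft-ds 445/tcp
microsoft-ds 445/udp'

# service_name PORT/PROTO: print the /etc/services name, or "unknown".
service_name() {
    name=$(printf '%s\n' "$SERVICES" | awk -v p="$1" '$2 == p { print $1; exit }')
    printf '%s\n' "${name:-unknown}"
}

# smb_rules 'PORT/PROTO ...': one ACCEPT rule per entry for traffic from the
# net zone to the firewall itself; rejects entries that are not tcp or udp.
smb_rules() {
    for entry in $1; do
        port=${entry%/*}
        proto=${entry#*/}
        case "$port" in
            ''|*[!0-9]*) echo "bad port in '$entry'" >&2; return 1 ;;
        esac
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol in '$entry'" >&2; return 1 ;;
        esac
        printf 'ACCEPT\tnet\t$FW\t%s\t%s\t# %s\n' "$proto" "$port" "$(service_name "$entry")"
    done
}

# A client that only browses shares still needs the 137/udp NetBIOS name-service
# replies; the SuSE client profile in comment 27 matches those as RELATED via the
# nf_conntrack_netbios_ns helper instead of opening the port.
smb_rules "$SMB_CLIENT_PORTS"
```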
Comment 23 Hartmut Goebel 2015-03-13 14:01:14 CET
@Thierry: This would work, too. The decision is up to the "product manager" ;-)

Nevertheless I would reduce the port-list for the server, too.
Comment 24 Thierry Vignaud 2015-03-13 14:14:09 CET
You think they're not needed for the server?
Comment 25 Hartmut Goebel 2015-03-13 14:32:30 CET
They are not needed by the server (nor the client). These are the only ports the Samba server daemons listen on. See http://troy.jdmz.net/samba/fw/ just around the second box.
Comment 26 Angelo Naselli 2015-03-13 14:40:46 CET
Thierry, @comment 22: and the server? While the desktop configuration could be
seen from the client point of view even if a local server is running, if you want to
run a server only, that configuration works with samba-client...
I'm confused.
Comment 27 Angelo Naselli 2015-03-13 14:53:33 CET
I asked for the SUSE configuration and got this info:
mvidner@mrakoplas:services$ grep . /etc/sysconfig/SuSEfirewall2.d/services/samba-{client,server}
/etc/sysconfig/SuSEfirewall2.d/services/samba-client:## Name: Samba Client
/etc/sysconfig/SuSEfirewall2.d/services/samba-client:## Description: Enables browsing of SMB shares
/etc/sysconfig/SuSEfirewall2.d/services/samba-client:RELATED="0/0,udp,137"
/etc/sysconfig/SuSEfirewall2.d/services/samba-client:MODULES="nf_conntrack_netbios_ns"
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:## Name: Samba Server
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:## Description: Opens ports for Samba Server.
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:# space separated list of allowed TCP ports
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:TCP="netbios-ssn microsoft-ds"
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:# space separated list of allowed UDP ports
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:UDP=""
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:# space separated list of allowed RPC services
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:RPC=""
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:# space separated list of allowed IP protocols
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:IP=""
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:# space separated list of allowed UDP broadcast ports
/etc/sysconfig/SuSEfirewall2.d/services/samba-server:BROADCAST=""
 
mvidner@mrakoplas:services$ rpm -qf /etc/sysconfig/SuSEfirewall2.d/services/samba-{client,server}
samba-client-4.1.17-5.1.x86_64
samba-4.1.17-5.1.x86_64

and, with a quick grep, RELATED is a concept in the conntrack modules.
Meg Skywalker 2015-09-03 15:39:59 CEST

CC: (none) => identity.mageia.org

Samuel Verschelde 2016-10-11 21:18:44 CEST

Assignee: bugsquad => mageiatools

Comment 28 Aurelien Oudelet 2020-12-28 11:16:26 CET
SMB share toggle is somewhat broken in default state.

Let me explain:

1) Opening Drakfirewall settings in MCC. There isn't any toggle "Windows Share (SMB)".

2) Add the ports mentioned above: 137/udp 138/udp 139/tcp 445/tcp 445/udp
in Shorewall, with the "Advanced" button.

3) Close.

4) Reopen Drakfirewall settings: the toggle is HERE!

SMB shares are visible and browsable.

(The issue is complicated with SMBv1 shares from Windows XP and earlier versions... but who is still running this sort of OS...).

So we definitely have this GUI toggle. It is somewhat hidden.

Need a fix here.

Source RPM: drakx-net-0.97-1.mga1.src.rpm => drakx-net-2.52-1.mga8.src.rpm
CC: (none) => ouaurelien
