[Samba] Mini Samba-SuSE Firewall2 HOWTO
L. Mark Stone
lmstone at rnome.com
Thu Jan 6 18:44:41 GMT 2005
(Please forgive the cross posting; I know many SuSE users subscribe to
both the Samba and SuSE-e discussion groups and will get this message
twice.)
I had always been frustrated trying to get SuSE's Firewall2 to play
nicely with Samba and support seamless network browsing. After much
experimentation and a lot of Googling, I was finally able to get this
working. By "working", I mean that the Network Browsing desktop icon
in SuSE 9.2 functions perfectly.
I am documenting it here hoping it will save others some time and the
temptation to just turn off the SuSE firewall.
This setup is on a SuSE 9.2 Pro system with all SuSE patches as of the
date of this writing (including the sometimes problematic -10 kernel)
and SuSE-supplied Samba 3.0.9 from the install DVD and as updated by
YaST.
After Samba is installed and configured, run YaST > Security and Users >
Firewall and on the Configuration:Services screen, put a check mark in
the tick box next to "Samba Server" under the "File Services" heading.
This will be the second or third screen you see, depending upon whether
your firewall is not running or is already running, respectively.
Upon finishing the firewall wizard, go to the System panel in YaST and
choose the /etc/sysconfig Editor module. In the Network > Firewall >
SuSEfirewall2 section, make sure the following items have the values
set below (likely there will be additional entries for some items, but
I am showing only the Samba-specific values here).
The settings below are for a workstation with one NIC that is used to
share files and a printer with other boxes on the LAN. If you have a
server with multiple NICs, choose the interfaces (INT, EXT, DMZ) as
appropriate for your situation.
Here are the /etc/sysconfig settings from YaST:

FW_SERVICES_EXT_TCP = microsoft-ds netbios-dgm netbios-ns netbios-ssn
FW_SERVICES_EXT_UDP = netbios-dgm netbios-ns
FW_ALLOW_INCOMING_HIGHPORTS_TCP = netbios-ns microsoft-ds
FW_ALLOW_INCOMING_HIGHPORTS_UDP = netbios-ns microsoft-ds
FW_ALLOW_FW_BROADCAST = yes

Note that the FW_ALLOW_FW_BROADCAST setting can take an interface as a
value, so instead of setting it to "yes" as I did, you can set it to
"int", "ext", etc. to limit the effect to specific NICs.
You can also use port numbers instead of the service names
from /etc/services; the table below will give you the conversions:

Service Name    Port Number
microsoft-ds    445
netbios-dgm     138
netbios-ns      137
netbios-ssn     139

I hope this is helpful... Perhaps the Samba team would consider
including this info in the S3BE documentation?
With best regards to all,
Mark
--
___________________________________________________________
A Message From... L. Mark Stone
Reliable Networks of Maine LLC
"We manage your network so you can manage your business."
477 Congress Street
Portland, ME 04101
Tel: (207) 772-5678
Web: http://www.rnome.com
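
The following is an added example, not part of the original post: a small audit script that reports which SMB/NetBIOS ports and broadcast setting a SuSEfirewall2 configuration enables per zone, using the name-to-port table above. It assumes the settings are stored in /etc/sysconfig/SuSEfirewall2 in KEY="value" form; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list the SMB/NetBIOS ports and
# broadcast setting that a SuSEfirewall2 sysconfig file enables, per zone.

# Service name -> port number, from the conversion table in the post.
smb_port() {
    case "$1" in
        microsoft-ds|445) echo 445 ;;
        netbios-dgm|138)  echo 138 ;;
        netbios-ns|137)   echo 137 ;;
        netbios-ssn|139)  echo 139 ;;
        *) return 1 ;;    # not an SMB/NetBIOS service
    esac
}

# Constructed sample in the file's KEY="value" form; "ssh" and the INT line
# are invented here to show filtering and numeric ports.
sample_config() {
    cat <<'EOF'
FW_SERVICES_EXT_TCP="microsoft-ds netbios-dgm netbios-ns netbios-ssn ssh"
FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"
FW_SERVICES_INT_TCP="139 445"
FW_ALLOW_FW_BROADCAST="yes"
EOF
}

# smb_exposure [FILE]: print "ZONE PROTO PORT" and "broadcast VALUE" lines.
# Reads stdin when no file is given. Port ranges are not expanded.
smb_exposure() {
    grep -E '^[[:space:]]*FW_(SERVICES_(EXT|INT|DMZ)_(TCP|UDP)|ALLOW_FW_BROADCAST)[[:space:]]*=' "$@" |
    while IFS='=' read -r key val; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        val=$(printf '%s' "$val" | tr -d "\"'")   # strip quoting
        case "$key" in
            FW_ALLOW_FW_BROADCAST)
                for v in $val; do echo "broadcast $v"; done ;;
            *)
                zp=${key#FW_SERVICES_}            # e.g. EXT_TCP
                for svc in $val; do
                    if port=$(smb_port "$svc"); then
                        echo "${zp%_*} ${zp#*_} $port"
                    fi
                done ;;
        esac
    done | LC_ALL=C sort -u
}

sample_config | smb_exposure
```

On a real system, call `smb_exposure /etc/sysconfig/SuSEfirewall2`; any EXT lines in the output mean those SMB ports are reachable from whatever network the external zone faces, which is worth confirming is only the LAN.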