[clug] Samba Firewall Incoming port Browse Windows Network

George at Clug Clug at goproject.info
Sun Jul 23 04:47:09 UTC 2017


Firewall (ufw) and SMB Network discovery issue. There seems to be
something that the firewall is blocking that is stopping network
discovery, but not network access. Does anyone know what is causing
the issue?

When the firewall is disabled, the GUI (Thunar) and smbtree can browse
and display the computers on the network, but with the firewall is
enabled, they cannot browse, but can still access the shares if I
manually enter the server's name.

I have an issue where I am unable to browse windows network (e.g.
Windows computers and Samba share) using GUI (thunar) or smbtree, but
the command line using smb-client -L _smbsvr_ does show the server's

If I enter smb://_smbsrv_/ in Thunar, then I get to see the shares for
this samba server.

More detail
I am using ufw as a firewall to block incoming ports and allow all out
going traffic.

If I enable 137/UDP, 138/UDP, 139/TCP and 445/TCP then smbtree works
but the GUI still does not. However the GUI does work once smbtree has
worked (i.e. something gets cached).

I am using Debian Stretch, XFCE, have all the necessary gvfs
components installed, etc. 

I believe the issue is that exists is that some incoming port required
for NETBIOS to allow network discovery to work for smbtree, and

137/UDP, 138/UDP, 139/TCP and 445/TCP.

You need to use the following commands:
# firewall-cmd --permanent --zone=public --add-service=samba
# firewall-cmd --reload
# firewall-cmd --permanent --add-port=137/tcp
# firewall-cmd --permanent --add-port=138/tcp
# firewall-cmd --permanent --add-port=139/tcp
# firewall-cmd --permanent --add-port=445/tcp

As root, open /etc/default/ufw

Look for the line like this:

IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc" 
Add nf_conntrack_netbios_ns to the line so that it looks like this:

IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc
nf_conntrack_netbios_ns"  Now reload the firewall:

sudo ufw reload 
sudo ufw allow cifs



ufw does not allow specifying icmp rules via the command line
interface command. It does allow you to adjust your ruleset via its
rules files, which are iptables-restore style files.


Mike's sudo ufw allow Samba works like a charm.

I personally prefer restricting to my private subnet, so for others
who like the same, use:

$ sudo ufw allow from to any app Samba  Also, try
running sudo ufw app list for a list of other apps you can use as
short-hand to the required ports (eg. Postfix, OpenSSH, etc). Makes
your firewall rules list a lot easier to read and maintain.

With direct hosting, NetBIOS is not used for name resolution. DNS is
used for name resolution and the Microsoft networking communication is
sent directly over TCP without a NetBIOS header. Direct hosting over
TCP/IP uses TCP port 445 instead of the NetBIOS session TCP port 139. 

By default, both NetBIOS and direct hosting are enabled, and both are
tried in parallel when a new connection is established. The first to
succeed in connecting is used for any given attempt. NetBIOS over
TCP/IP support can be disabled to force all traffic to use TCP/IP
direct hosting.

 To disable NetBIOS over TCP/IP support 


>From the Network and Dial-up Connections icon in Control Panel ,
select Local Area Connection and right-click Properties .


On the General tab, click Internet Protocol (TCP/IP) in the list of
components, and click the Properties button.


Click the Advanced button.


Click the WINS tab. Click Disable NetBIOS over TCP/IP .

Applications and services that depend on NetBIOS over TCP/IP no longer
function once NetBIOS over TCP/IP is disabled. Therefore, verify that
any clients and applications no longer need NetBIOS over TCP/IP
support before you disable it.


Network Discovery And The Windows Firewall

The interaction between Network Discovery and the Windows Firewall is
relatively straightforward. The Windows Firewall has default rules
both inbound and outbound to block the Network Discovery protocols,
but by default the outbound rule is not enabled, thus allowing this

There are predefined rules for Network Discovery – or you can
manually block these ports:

	* TCP 2869 – UPNP 
	* TCP 5357 – WSDAPIEvents 
	* TCP 5358 – WSDEvents Secure 
	* UDP 5355 – LLMNR 
	* UPD 3702 – WSD publishing 
	* UDP 1900 – SSDP 
Note: You also need to block NetBIOS but that can affect more than
just Network Discovery.

	* UDP 138 – NetBIOS Datagram 
	* UDP 137 – NetBIOS Name 
Other options you may want to consider:

It may be enough to simply disable the Network Resource option in the

The following Ports are Required by Network Discovery: 

	* SNMP: 161 SNMP uses UDP, and the rest are defaulted at TCP. 

	*   HTTP: 80 


NetBT uses the following TCP and UDP ports:

	* UDP port 137 (name services)
	* UDP port 138 (datagram services)
	* TCP port 139 (session services)

More information about the linux mailing list