[Shorewall-users] Question on samba/nmbd
Mon, 15 Apr 2002 22:28:11 +1000
Brian Fallik wrote:
> Is shorewall configured by default to drop/reject udp broadcasts?
Yes - see /etc/shorewall/common.def. SMB is one of the services suppressed.
> I'm trying to set up samba and my windows machines can't see the samba server
> (which is also the firewall).
In case anyone hasn't told you yet, that's a bad idea. :-) If it can be
avoided, you really don't want to do it.
> I see the following errors in log.nmbd:
> [2002/04/14 20:55:32, 0] libsmb/nmblib.c:send_udp(777)
> Packet send failed to 192.168.2.255(137) ERRNO=Operation not permitted
> [2002/04/14 20:55:32, 0] nmbd/nmbd_packets.c:send_netbios_packet(174)
> send_netbios_packet: send_packet() to IP 192.168.2.255 port 137 failed
> [2002/04/14 20:55:32, 0] nmbd/nmbd_namequery.c:query_name(257)
> query_name: Failed to send packet trying to query name OCTO<1d>
> My policies are set up as:
> #SOURCE DESTINATION POLICY LOG LEVEL
> loc fw DROP info
> loc net ACCEPT
> fw net ACCEPT
> net all DROP info
> all all REJECT info
Your inbound traffic is likely being denied by the loc -> fw policy, and
outbound by all -> all.
> Any help debugging would be appreciated.
John's tip on using a logging accept policy is a good one.
> I'm pretty much out of ideas on
> how to take this further.
As a general rule, turning on logging on everything is a good approach. You
need it to trace what is happening to each packet. In this particular problem,
what you're going to need to do is specifically allow SMB traffic with a rule.
I use one like this:
ACCEPT <server's zone>:$SMB <client's zone> udp
Where the items in <> are the zones you want to talk between and $SMB is the IP
address of the server, defined in your params file. (If your zone is just one
host, you don't need the $SMB part.)
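As an added example (not part of the original thread), here is what the rule above looks like when written out for the situation described in this message, where the Samba server is the firewall itself (zone fw) and the clients are in loc. The 192.168.2.0/24 subnet is an assumption taken from the 192.168.2.255 broadcast address in the nmbd log; adjust it to your own network. The rules file is evaluated before the policies, so these entries take precedence over loc -> fw DROP and all -> all REJECT, and the fw -> loc entries are the ones that stop the "Operation not permitted" errors nmbd reports when it tries to send to the broadcast address.

```text
# /etc/shorewall/rules  (added example; the 192.168.2.0/24 subnet is assumed)
#ACTION  SOURCE              DEST                PROTO  DEST PORT(S)
#
# NetBIOS name service (nmbd name queries and browse announcements).
# Broadcasts from clients are not matched by connection tracking as
# replies, so both directions need an explicit rule.
ACCEPT   fw                  loc:192.168.2.0/24  udp    137
ACCEPT   loc:192.168.2.0/24  fw                  udp    137
#
# NetBIOS datagram service (browsing), same reasoning as above.
ACCEPT   fw                  loc:192.168.2.0/24  udp    138
ACCEPT   loc:192.168.2.0/24  fw                  udp    138
#
# SMB session service (smbd). Clients open these connections, so the
# replies are covered by the stateful rules Shorewall generates.
ACCEPT   loc:192.168.2.0/24  fw                  tcp    139
ACCEPT   loc:192.168.2.0/24  fw                  tcp    445
```

After editing the file, run `shorewall restart` and watch the kernel log while a client browses the server: with the policies still logging at level info, anything SMB-related that still appears there is a port or direction the rules above did not cover, which is exactly the trace the reply recommends. Restricting the loc side to the subnet rather than the whole zone keeps the rules from accidentally admitting NetBIOS traffic from any other network that may later be attached to the loc interface.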