[Shorewall-users] Question on samba/nmbd

Paul Gear paulgear@bigfoot.com
Mon, 15 Apr 2002 22:28:11 +1000


Brian Fallik wrote:

> Is shorewall configured by default to drop/reject udp broadcasts?

Yes - see /etc/shorewall/common.def.  SMB is one of the services suppressed
there.

> I'm trying to set up samba and my windows machines can't see the samba server
> (which is also the firewall).

In case anyone hasn't told you yet, that's a bad idea.  :-)  If it can be
avoided, you really don't want to do it.

> I see the following errors in log.nmbd:
>
> [2002/04/14 20:55:32, 0] libsmb/nmblib.c:send_udp(777)
>   Packet send failed to 192.168.2.255(137) ERRNO=Operation not permitted
> [2002/04/14 20:55:32, 0] nmbd/nmbd_packets.c:send_netbios_packet(174)
>   send_netbios_packet: send_packet() to IP 192.168.2.255 port 137 failed
> [2002/04/14 20:55:32, 0] nmbd/nmbd_namequery.c:query_name(257)
>   query_name: Failed to send packet trying to query name OCTO<1d>
>
> My policies are set up as:
> #SOURCE         DESTINATION     POLICY          LOG LEVEL
> loc             fw              DROP            info
> loc             net             ACCEPT
> fw              net             ACCEPT
> net             all             DROP            info
> all             all             REJECT          info

Your inbound traffic is likely being denied by the loc -> fw policy, and
outbound by all -> all.

> Any help debugging would be appreciated.

John's tip on using a logging accept policy is a good one.

>  I'm pretty much out of ideas on
> how to take this further.

As a general rule, turning on logging on everything is a good approach.  You
need it to trace what is happening to each packet.  In this particular problem,
what you're going to need to do is specifically allow SMB traffic with a rule.
I use one like this:

ACCEPT          <server's zone>:$SMB  <client's zone>            udp    137:139

Where the items in <> are the zones you want to talk between and $SMB is the IP
address of the server, defined in your params file.  (If your zone is just one
host, you don't need the $SMB part.)
--
Paul
http://paulgear.webhop.net
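To make the reasoning above concrete, here is a small Python model of how Shorewall decides the fate of the packets in this thread. It is an added example, not code from the post or from the Shorewall project. It assumes the usual Shorewall lookup order (the rules file is consulted first; if nothing matches, the first matching line of the policy file applies) and ignores common.def. The firewall address 192.168.2.1, the client address 192.168.2.10 and the client's broadcast query are constructed; the nmbd packet is taken from the quoted log.

```python
"""Model of Shorewall's rule-then-policy lookup for the SMB traffic in the thread.

Added example: not code from the post or from the Shorewall project. It
assumes the usual Shorewall order (the rules file is consulted first, then
the first matching line of the policy file) and ignores common.def.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    proto: str
    dport: int


# The poster's policy table, verbatim.
POLICIES = """\
#SOURCE         DESTINATION     POLICY          LOG LEVEL
loc             fw              DROP            info
loc             net             ACCEPT
fw              net             ACCEPT
net             all             DROP            info
all             all             REJECT          info
"""

SMB = "192.168.2.1"  # constructed: the firewall's LAN address ($SMB in params)

# Hypothetical rules: the fw zone is a single host, so no $SMB qualifier on fw.
RULES = f"""\
#ACTION  SOURCE      DEST   PROTO  DEST PORT(S)
ACCEPT   fw:{SMB}    loc    udp    137:139
ACCEPT   loc         fw     udp    137:139
"""

# Same, but with the inbound destination pinned to $SMB (see the broadcast caveat).
RULES_ADDR_QUALIFIED = f"""\
#ACTION  SOURCE      DEST       PROTO  DEST PORT(S)
ACCEPT   fw:{SMB}    loc        udp    137:139
ACCEPT   loc         fw:{SMB}   udp    137:139
"""

# Taken from the quoted log: nmbd's name query to the LAN broadcast address.
NMBD_BROADCAST = Packet("fw", SMB, "loc", "192.168.2.255", "udp", 137)
# Constructed: a Windows client's own broadcast name query reaching the firewall.
CLIENT_QUERY = Packet("loc", "192.168.2.10", "fw", "192.168.2.255", "udp", 137)


def _rows(table):
    """Split a Shorewall column table into token lists, dropping comments."""
    rows = []
    for line in table.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def _zone_matches(spec, zone, ip):
    """'all' matches any zone; 'zone:addr' also requires that address."""
    name, _, addr = spec.partition(":")
    if name != "all" and name != zone:
        return False
    return not addr or addr == ip


def _port_matches(spec, port):
    """Accept 'n' or a Shorewall 'lo:hi' range."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def verdict(packet, rules, policies):
    """Return the action taken on packet: first matching rule, else first policy."""
    for action, src, dst, proto, ports in _rows(rules):
        if (_zone_matches(src, packet.src_zone, packet.src_ip)
                and _zone_matches(dst, packet.dst_zone, packet.dst_ip)
                and proto == packet.proto
                and _port_matches(ports, packet.dport)):
            return action
    for row in _rows(policies):
        src, dst, policy = row[:3]
        if (_zone_matches(src, packet.src_zone, packet.src_ip)
                and _zone_matches(dst, packet.dst_zone, packet.dst_ip)):
            return policy
    raise ValueError("no policy matched; Shorewall requires a catch-all")


if __name__ == "__main__":
    for label, rules in (("policies only", ""), ("with SMB rules", RULES)):
        print(label)
        print("  nmbd broadcast fw->loc :", verdict(NMBD_BROADCAST, rules, POLICIES))
        print("  client query   loc->fw :", verdict(CLIENT_QUERY, rules, POLICIES))
    print("inbound rule pinned to $SMB vs broadcast query:",
          verdict(CLIENT_QUERY, RULES_ADDR_QUALIFIED, POLICIES))
```

With the policies alone, nmbd's broadcast from the firewall falls through to the all -> all REJECT line (a REJECT or DROP in the OUTPUT chain is what the sending socket sees as "Operation not permitted"), and a client's query is caught by loc -> fw DROP. The two-line rule set accepts both. The last case shows why the $SMB qualifier is only appropriate on the single-host side: NetBIOS name queries from clients go to the subnet broadcast address, so an inbound rule whose destination is pinned to $SMB never matches them and the DROP policy applies again.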