Bug 447335
Summary: | Default configuration should not block smb/netbios browsing | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Simo Sorce <ssorce> |
Component: | anaconda | Assignee: | Thomas Woerner <twoerner> |
Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | 9 | | |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2008-07-22 14:54:56 UTC | Type: | --- |
Description
Simo Sorce
2008-05-19 15:40:15 UTC
What is needed for browsing (client) and what is needed for a server? This is the current configuration for the samba service:
137/udp, 138/udp, 139/udp and 445/tcp
helper: nf_conntrack_netbios_ns

For browsing you need to be able to send and receive packets on 137/138 udp.
For accessing other servers you need to be able to connect to 139/445 tcp.
You do not need to give access to 139/445 tcp (the smbd server); that is necessary only if you want to share printers.
139/udp is wrong, it is not used, 139/tcp is correct.
Simo.

I meant 139/tcp, it was a typo. So the configuration should be like this:
Samba Client: 137,138/udp, ip_conntrack_netbios_ns (allows netbios broadcasts through the firewall)
Samba Server: 139,445/tcp
Is that correct? The server does not need the udp ports at all?

No, the server still needs them to allow clients to find it, and announce itself on the netbios network.

Please have a look at system-config-firewall-1.2.8 in testing. There is a new client service for Samba. Please test if this is working for you. The initial firewall configuration is done in anaconda, therefore this bug should be assigned to anaconda afterwards; it should enable the desktop defaults for the firewall.

Is it in Fedora 9 testing already? It seems I can't see it there.

New system-config-firewall looks fine, now rerouting to anaconda for the install time fixes.

Our general plan in anaconda is to make the default firewall/security setting as strict as possible, then have the user make whatever settings they want to afterwards with system-config-firewall. Right now, the most strict useful settings we can come up with are SELinux enforcing and the firewall with ssh open. People get pretty angry when new holes are opened by default in the installed firewall - in fact, we get occasional bug reports saying ssh shouldn't even be allowed.

Please make sure you understand this is for use as a client; in theory you could just use conntrack, although I can't remember how good that is.
Certainly you are not thinking of blocking ssh clients, are you?
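The port sets discussed in this thread, turned into a small audit over `iptables-save`-style rules. This is an added example, not part of the bug report or of system-config-firewall; the function names and both rule samples are constructed for illustration, and ports are assumed numeric as `iptables-save` prints them.

```python
# Added example: audit iptables-save text against the port sets in this thread.
CLIENT_UDP = {137, 138}   # browsing: NetBIOS name and datagram services
SERVER_TCP = {139, 445}   # smbd
UNUSED = {("udp", 139)}   # called out in the thread as not used
HELPERS = {"nf_conntrack_netbios_ns", "ip_conntrack_netbios_ns"}

def accepted_ports(rules, chain="INPUT"):
    """Return {(proto, port)} accepted in <chain>; '!' and -s/-i limits are ignored."""
    opened = set()
    for line in rules.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", chain]:
            continue
        opts = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1)
                if tok[i].startswith("-")}
        proto = opts.get("-p")
        spec = opts.get("--dport") or opts.get("--dports")
        if opts.get("-j") != "ACCEPT" or proto not in ("tcp", "udp") or not spec:
            continue
        for part in spec.split(","):          # multiport list
            lo, _, hi = part.partition(":")   # optional lo:hi range
            opened.update((proto, p) for p in range(int(lo), int(hi or lo) + 1))
    return opened

def audit(rules, modules=()):
    opened = accepted_ports(rules)
    udp_ok = all(("udp", p) in opened for p in CLIENT_UDP)
    tcp_ok = all(("tcp", p) in opened for p in SERVER_TCP)
    return {
        "browse_udp": udp_ok,
        "netbios_helper": bool(HELPERS & set(modules)),
        "server": udp_ok and tcp_ok,   # per the thread, a server needs the UDP ports too
        "unused_open": sorted(UNUSED & opened),
    }

# Constructed sample: the "current configuration" quoted in the thread.
CURRENT_RULES = """\
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
"""
# Constructed sample: the server port set the thread arrives at.
SERVER_RULES = """\
-A INPUT -p udp -m multiport --dports 137:138 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 139,445 -j ACCEPT
"""
if __name__ == "__main__":
    print(audit(CURRENT_RULES, ["nf_conntrack_netbios_ns"]), audit(SERVER_RULES))
```

The `modules` argument takes kernel module names, for example the first column of `/proc/modules`.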