Bug 120719 - Default firewall rules block NMB traffic
Status: CLOSED DUPLICATE of bug 58004
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel
Version: 1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Brent Fox
Reported: 2004-04-13 13:33 UTC by Mike Hearn
Modified: 2007-11-30 22:10 UTC (History)
Doc Type: Bug Fix
Last Closed: 2006-02-21 19:02:33 UTC

Attachments
A "cannonball" approach: Enable all incoming traffic on UDP port 137. (666 bytes, patch)
2004-04-13 13:36 UTC, Miloslav Trmac
patch to lokkit to create an SMB checkbox (2.17 KB, patch)
2004-04-14 21:23 UTC, Brent Fox

Description Mike Hearn 2004-04-13 13:33:34 UTC
The default firewall rules in this tool block NMB traffic, which
prevents Windows Network Neighbourhood browsing from working
correctly. The best fix is not the proposed patch, but this is the
best that can be done in the short term. Given that the most likely
effect of this problem is users disabling the firewall entirely, I
think it should be applied.

Comment 1 Miloslav Trmac 2004-04-13 13:36:52 UTC
Created attachment 99360
A "cannonball" approach: Enable all incoming traffic on UDP port 137.

Comment 2 Brent Fox 2004-04-13 16:31:06 UTC
notting: opinion?

Comment 3 Bill Nottingham 2004-04-13 16:37:19 UTC
Eek, a SMB/NMB checkbox is better.

Comment 4 Mike Hearn 2004-04-13 17:07:48 UTC
That's fine, as long as it's not blocked by default. I'd guess most
users could not link "nothing appears in windows network browsing" to
"NMB is checked in the firewall config program".

Comment 5 Brent Fox 2004-04-14 19:01:19 UTC
Mike: When you enable the firewall, all ports and services are blocked
by default.  The user has to intentionally select those checkboxes to
open those ports.  Being "secure by default" has its advantages even
if it means losing a bit of convenience out of the box.

Comment 6 Mike Hearn 2004-04-14 19:19:49 UTC
Alright, I understand that. In that case there needs to be some
ultra-clear way of letting the user know that the reason they are
seeing nothing in the NetHood is because of the firewall. At the
moment it silently fails, which is really bad. 

Unfortunately code which accesses the SMB network is all over the
place. For instance, in gnome-vfs, in system-config-printer, and so
on. So it's probably better to add a checkbox and warn the user inside
system-config-securitylevel that if this box is checked they won't be
able to browse Windows networks.

Comment 7 Brent Fox 2004-04-14 21:23:01 UTC
Created attachment 99431
patch to lokkit to create an SMB checkbox

notting: This is a patch to add a SMB checkbox to lokkit.  Can you take a look
at it and see if it's sane?  If this is ok, I'll add a SMB checkbox to the
s-c-securitylevel GUI.

Comment 8 Bill Nottingham 2004-04-14 21:33:15 UTC
a) you probably need more than just TCP
b) ideally, the kernel's stateful firewall would catch this
c) this unintentionally opens up any local SMB server for general access.

Comment 9 Brent Fox 2004-04-15 19:04:00 UTC
notting: what would be a better way?

Comment 10 Bill Nottingham 2004-04-15 20:34:03 UTC
Technically, this is a dup of #58004, one way or another. The kernel
fix is the 'preferred' one, but that may take a while.
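
Added example, not part of the bug report or either attached patch: a simplified Python model of why a tuple-matching stateful firewall drops NMB answers (the name query goes to the subnet broadcast address, the answers come back unicast from each responding host), compared with the blanket UDP 137 rule from attachment 99360 and a broadcast-aware expectation. The addresses, the 3-second window and all function names are assumptions made for the illustration.

```python
import ipaddress
from collections import namedtuple

Pkt = namedtuple("Pkt", "t src sport dst dport")   # t in seconds, UDP only

LAN = ipaddress.ip_network("192.168.1.0/24")       # assumed local subnet
ME = "192.168.1.10"                                # assumed firewalled host
EXPECT_SECS = 3                                    # assumed expectation lifetime

# Constructed traffic (not taken from the bug report).
QUERY = Pkt(0.0, ME, 137, str(LAN.broadcast_address), 137)    # outgoing name query
INBOUND = {
    "lan_reply": Pkt(0.2, "192.168.1.20", 137, ME, 137),          # genuine answer
    "outside_unsolicited": Pkt(0.3, "203.0.113.5", 137, ME, 137),  # never asked for
    "lan_late": Pkt(60.0, "192.168.1.30", 137, ME, 137),          # long after the query
}

def strict_stateful(q, p):
    """Accept only the exact inverse of the outgoing tuple (plain reply matching)."""
    return (p.src, p.sport, p.dst, p.dport) == (q.dst, q.dport, q.src, q.sport)

def open_port_137(q, p):
    """The 'cannonball' rule: accept any inbound UDP datagram to port 137."""
    return p.dport == 137

def broadcast_expectation(q, p):
    """Accept answers to a broadcast query only from hosts on the queried
    subnet, only to the querying socket, and only for a short window."""
    return (ipaddress.ip_address(q.dst) == LAN.broadcast_address
            and ipaddress.ip_address(p.src) in LAN
            and (p.sport, p.dst, p.dport) == (q.dport, q.src, q.sport)
            and 0 <= p.t - q.t <= EXPECT_SECS)

POLICIES = (strict_stateful, open_port_137, broadcast_expectation)

def evaluate():
    """Return {policy name: {packet name: accepted?}} for the sample traffic."""
    return {pol.__name__: {name: pol(QUERY, p) for name, p in INBOUND.items()}
            for pol in POLICIES}

if __name__ == "__main__":
    for policy, verdicts in evaluate().items():
        print(policy, verdicts)
```

The strict policy drops even the genuine answer because its source is 192.168.1.20, not the broadcast address the query was sent to; the blanket rule accepts all three packets, including the one from outside the subnet.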

Comment 11 Brent Fox 2004-06-25 13:53:38 UTC

*** This bug has been marked as a duplicate of 58004 ***

Comment 12 Red Hat Bugzilla 2006-02-21 19:02:33 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
