Bug 120719 - Default firewall rules block NMB traffic
Status: CLOSED DUPLICATE of bug 58004
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Brent Fox
Reported: 2004-04-13 09:33 EDT by Mike Hearn
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2006-02-21 14:02:33 EST

Attachments
A "cannonball" approach: Enable all incoming traffic on UDP port 137. (666 bytes, patch)
2004-04-13 09:36 EDT, Miloslav Trmac
patch to lokkit to create an SMB checkbox (2.17 KB, patch)
2004-04-14 17:23 EDT, Brent Fox
Description Mike Hearn 2004-04-13 09:33:34 EDT
The default firewall rules in this tool block NMB traffic, which
prevents Windows Network Neighbourhood browsing from working
correctly. The best fix is not the proposed patch, but this is the
best that can be done in the short term. Given that the most likely
effect of this problem is users disabling the firewall entirely, I
think it should be applied.
Comment 1 Miloslav Trmac 2004-04-13 09:36:52 EDT
Created attachment 99360
A "cannonball" approach: Enable all incoming traffic on UDP port 137.
Comment 2 Brent Fox 2004-04-13 12:31:06 EDT
notting: opinion?
Comment 3 Bill Nottingham 2004-04-13 12:37:19 EDT
Eek, an SMB/NMB checkbox is better.
Comment 4 Mike Hearn 2004-04-13 13:07:48 EDT
That's fine, as long as it's not blocked by default. I'd guess most
users could not link "nothing appears in windows network browsing" to
"NMB is checked in the firewall config program".
Comment 5 Brent Fox 2004-04-14 15:01:19 EDT
Mike: When you enable the firewall, all ports and services are blocked
by default.  The user has to intentionally select those checkboxes to
open those ports.  Being "secure by default" has its advantages even
if it means losing a bit of convenience out of the box.
Comment 6 Mike Hearn 2004-04-14 15:19:49 EDT
Alright, I understand that. In that case there needs to be some
ultra-clear way of letting the user know that the reason they are
seeing nothing in the NetHood is because of the firewall. At the
moment it silently fails, which is really bad. 

Unfortunately code which accesses the SMB network is all over the
place. For instance, in gnome-vfs, in system-config-printer, and so
on. So it's probably better to add a checkbox and warn the user inside
system-config-securitylevel that if this box is checked they won't be
able to browse windows networks.
Comment 7 Brent Fox 2004-04-14 17:23:01 EDT
Created attachment 99431
patch to lokkit to create an SMB checkbox

notting: This is a patch to add an SMB checkbox to lokkit.  Can you take a look
at it and see if it's sane?  If this is ok, I'll add an SMB checkbox to the
s-c-securitylevel GUI.
Comment 8 Bill Nottingham 2004-04-14 17:33:15 EDT
a) you probably need more than just TCP
b) ideally, the kernel's stateful firewall would catch this
c) this unintentionally opens up any local SMB server for general access.
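
An audit check for points a) and c) in Comment 8, added here as an illustration and not taken from the bug report or its attached patches: it reads rules in iptables-save syntax and lists ACCEPT rules that expose the Windows networking ports to any source address. The sample ruleset and the chain name INPUT-FW are constructed, and ports are assumed to be numeric, as iptables-save prints them.

```python
import shlex

# Ports used by Windows networking: NetBIOS name and datagram services
# (UDP 137/138), NetBIOS session service and SMB over TCP (139/445).
SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

# Constructed sample in iptables-save syntax; the chain name is hypothetical.
SAMPLE_RULES = """\
-A INPUT-FW -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT-FW -p udp -m udp --dport 137 -j ACCEPT
-A INPUT-FW -s 192.168.1.0/24 -p udp -m udp --dport 138 -j ACCEPT
-A INPUT-FW -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT-FW -s 192.168.1.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT-FW -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT-FW -j REJECT --reject-with icmp-host-prohibited
"""

def parse_rule(line):
    """Return the fields of one '-A' rule that matter for this audit."""
    tokens = shlex.split(line)
    rule = {"proto": None, "source": None, "ports": set(), "target": None}
    for flag, value in zip(tokens, tokens[1:]):
        if flag in ("-p", "--protocol"):
            rule["proto"] = value
        elif flag in ("-s", "--source"):
            rule["source"] = value
        elif flag in ("-j", "--jump"):
            rule["target"] = value
        elif flag in ("--dport", "--dports"):
            # Accept single ports, "lo:hi" ranges and multiport lists.
            for part in value.split(","):
                lo, _, hi = part.partition(":")
                rule["ports"].update(range(int(lo), int(hi or lo) + 1))
    return rule

def open_smb_rules(ruleset):
    """List ACCEPT rules that expose SMB/NMB ports to any source address."""
    findings = []
    for line in ruleset.splitlines():
        if not line.startswith("-A "):
            continue
        rule = parse_rule(line)
        unrestricted = rule["source"] in (None, "0.0.0.0/0")
        hits = sorted(port for proto, port in SMB_PORTS
                      if proto == rule["proto"] and port in rule["ports"])
        if rule["target"] == "ACCEPT" and unrestricted and hits:
            findings.append((rule["proto"], hits, line))
    return findings
```

On the constructed sample this reports the UDP 137 and TCP 445 rules and passes over the two rules limited to 192.168.1.0/24.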
Comment 9 Brent Fox 2004-04-15 15:04:00 EDT
notting: what would be a better way?
Comment 10 Bill Nottingham 2004-04-15 16:34:03 EDT
Technically, this is a dup of #58004, one way or another. The kernel
fix is the 'preferred' one, but that may take a while.
Comment 11 Brent Fox 2004-06-25 09:53:38 EDT

*** This bug has been marked as a duplicate of 58004 ***
Comment 12 Red Hat Bugzilla 2006-02-21 14:02:33 EST
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.