Bug 120719 - Default firewall rules block NMB traffic
Summary: Default firewall rules block NMB traffic
Status: CLOSED DUPLICATE of bug 58004
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel
Version: 1
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Brent Fox
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2004-04-13 13:33 UTC by Mike Hearn
Modified: 2007-11-30 22:10 UTC (History)
2 users (show)

Clone Of:
Last Closed: 2006-02-21 19:02:33 UTC

Attachments (Terms of Use)
A "cannonball" approach: Enable all incoming traffic on UDP port 137. (666 bytes, patch)
2004-04-13 13:36 UTC, Miloslav Trmac
no flags Details | Diff
patch to lokkit to create an SMB checkbox (2.17 KB, patch)
2004-04-14 21:23 UTC, Brent Fox
no flags Details | Diff

Description Mike Hearn 2004-04-13 13:33:34 UTC
The default firewall rules in this tool block NMB traffic, which
prevents Windows Network Neighbourhood browsing from working
correctly. The best fix is not the proposed patch, but this is the
best that can be done in the short term. Given that the most likely
effect of this problem is users disabling the firewall entirely, I
think it should be applied.

Comment 1 Miloslav Trmac 2004-04-13 13:36:52 UTC
Created attachment 99360 [details]
A "cannonball" approach: Enable all incoming traffic on UDP port 137.

Comment 2 Brent Fox 2004-04-13 16:31:06 UTC
notting: opinion?

Comment 3 Bill Nottingham 2004-04-13 16:37:19 UTC
Eek, a SMB/NMB checkbox is better.

Comment 4 Mike Hearn 2004-04-13 17:07:48 UTC
That's fine, as long as it's not blocked by default. I'd guess most
users could not link "nothing appears in windows network browsing" to
"NMB is checked in the firewall config program".

Comment 5 Brent Fox 2004-04-14 19:01:19 UTC
Mike: When you enable the firewall, all ports and services are blocked
by default.  The user has to intentionally select those checkboxes to
open those ports.  Being "secure by default" has its advantages even
if it means losing a bit of convenience out of the box.

Comment 6 Mike Hearn 2004-04-14 19:19:49 UTC
Alright, I understand that. In that case there needs to be some
ultra-clear way of letting the user know that the reason they are
seeing nothing in the NetHood is because of the firewall. At the
moment it silently fails, which is really bad. 

Unfortunately code which accesses the SMB network is all over the
place. For instance, in gnome-vfs, in system-config-printer, and so
on. So it's probably better to add a checkbox and warn the user inside
system-config-securitylevel that if this box is checked they won't be
able to browse windows networks.

Comment 7 Brent Fox 2004-04-14 21:23:01 UTC
Created attachment 99431 [details]
patch to lokkit to create an SMB checkbox

notting: This is a patch to add a SMB checkbox to lokkit.  Can you take a look
at it and see if it's sane?  If this is ok, I'll add a SMB checkbox to the
s-c-securitylevel GUI.

Comment 8 Bill Nottingham 2004-04-14 21:33:15 UTC
a) you probably need more than just TCP
b) ideally, the kernel's stateful firewall would catch this
c) this unintentionally opens up any local SMB server for general access.

Comment 9 Brent Fox 2004-04-15 19:04:00 UTC
notting: what would be a better way?

Comment 10 Bill Nottingham 2004-04-15 20:34:03 UTC
Technically, this is a dup of #58004, one way or another. The kernel
fix is the 'preferred' one, but that may take a while.

Comment 11 Brent Fox 2004-06-25 13:53:38 UTC

*** This bug has been marked as a duplicate of 58004 ***

Comment 12 Red Hat Bugzilla 2006-02-21 19:02:33 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

Note You need to log in before you can comment on or make changes to this bug.