Bug 1395909 - firewalld not properly supporting samba & ftp from ver 0.4.4.1-1.fc24
Keywords:
Status: CLOSED DUPLICATE of bug 1394597
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 24
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-11-16 22:55 UTC by dan
Modified: 2016-11-22 11:40 UTC

Fixed In Version:
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-22 11:40:29 UTC
Type: Bug
Embargoed:



Description dan 2016-11-16 22:55:02 UTC
Description of problem:

When using the firewalld GUI and the Fedora Workstation profile I am unable to successfully add samba to the policy.  Checking the smb box produces an error as follows:  INVALID_HELPER: nf_conntrack_netbios_ns not available in kernel.

However, as a workaround, I switched to the Fedora Server profile and was able to successfully add samba.

Comment 1 dan 2016-11-17 00:32:27 UTC
On further check, the situation seems to be more serious.  Samba cannot be accessed from the network when firewalld is running, disabling firewalld allows access.  Will see if I can gather some additional info.

Comment 2 dan 2016-11-17 00:58:29 UTC
Iptables output does not show that firewalld has inserted a rule for samba, i.e. ports 139/tcp, 445/tcp, etc.  Now I also see that trying to uncheck samba from the FedoraServer policy also triggers the error as above.

I next used firewalld to create a samba-workaround object with the proper ports, then reloaded firewalld.

Reload of firewalld also shows:

Nov 16 19:53:13 ears.private firewalld[3934]: WARNING: INVALID_HELPER: 'nf_conntrack_netbios_ns' not available in kernel

I next selected samba-workaround in the FedoraServer policy and it created the rules in iptables.

Issue worked around but obviously a serious problem for anyone running firewalld and samba.  


The issue began today after a dnf upgrade:

Nov 16 12:32:52 DEBUG ---> Package firewalld.noarch 0.4.3.3-1.fc24 will be upgraded
Nov 16 12:32:52 DEBUG ---> Package firewalld.noarch 0.4.4.1-1.fc24 will be an upgrade
Nov 16 12:32:52 DEBUG ---> Package firewalld-filesystem.noarch 0.4.3.3-1.fc24 will be upgraded
Nov 16 12:32:52 DEBUG ---> Package firewalld-filesystem.noarch 0.4.4.1-1.fc24 will be an upgrade

Comment 3 dan 2016-11-17 13:23:56 UTC
ftp also affected with similar error, unable to load nf_conntrack_ftp, not in kernel.

Comment 4 dan 2016-11-18 04:41:05 UTC
Modprobe of modules prior to starting firewalld does not help.

Comment 5 John 2016-11-20 05:36:21 UTC
Added info:

A "systemctl status firewalld" results in:

Nov 17 11:21:55 bilbo systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 17 11:22:01 bilbo systemd[1]: Started firewalld - dynamic firewall daemon.
Nov 17 11:22:15 bilbo firewalld[724]: WARNING: INVALID_HELPER: 'nf_conntrack_ftp' not available in kernel
Nov 17 11:22:17 bilbo firewalld[724]: WARNING: INVALID_HELPER: 'nf_conntrack_netbios_ns' not available in kernel

Comment 6 Jeroen Huisman 2016-11-21 16:16:18 UTC
Identical issue on Fedora 24 kernel 4.8.8-200.fc24.armv7hl

Upgraded:
Nov 21 10:21:22 DEBUG ---> Package firewall-config.noarch 0.4.3.3-1.fc24 will be upgraded
Nov 21 10:21:22 DEBUG ---> Package firewall-config.noarch 0.4.4.1-1.fc24 will be an upgrade
Nov 21 10:21:22 DEBUG ---> Package firewalld.noarch 0.4.3.3-1.fc24 will be upgraded
Nov 21 10:21:22 DEBUG ---> Package firewalld.noarch 0.4.4.1-1.fc24 will be an upgrade
Nov 21 10:21:22 DEBUG ---> Package firewalld-filesystem.noarch 0.4.3.3-1.fc24 will be upgraded
Nov 21 10:21:22 DEBUG ---> Package firewalld-filesystem.noarch 0.4.4.1-1.fc24 will be an upgrade

Comment 7 Igor Gnatenko 2016-11-22 11:40:29 UTC

*** This bug has been marked as a duplicate of bug 1394597 ***
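
The diagnosis in this thread (an INVALID_HELPER warning in the firewalld log, then no matching port rule in the iptables output) can be scripted as below. This is an added example, not part of the bug report or of firewalld. The rule lines, the chain name `IN_FedoraServer_allow`, the third log line and the choice of 21/tcp for ftp are constructed assumptions.

```shell
#!/bin/sh
# Added example: correlate firewalld INVALID_HELPER warnings with missing ACCEPT rules.
# On a live host, feed `journalctl -u firewalld` and `iptables -S` output instead.

# First two lines are quoted in the thread; the third is a constructed unquoted variant.
sample_log() { cat <<'EOF'
Nov 17 11:22:15 bilbo firewalld[724]: WARNING: INVALID_HELPER: 'nf_conntrack_ftp' not available in kernel
Nov 17 11:22:17 bilbo firewalld[724]: WARNING: INVALID_HELPER: 'nf_conntrack_netbios_ns' not available in kernel
Nov 17 11:23:02 bilbo firewalld[724]: ERROR: INVALID_HELPER: nf_conntrack_netbios_ns not available in kernel
EOF
}

# Constructed rule set: the state after a manual samba port workaround, ftp still absent.
sample_rules() { cat <<'EOF'
-A IN_FedoraServer_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraServer_allow -p tcp -m tcp --dport 139 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraServer_allow -p tcp -m tcp --dport 445 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Unique helper names found in INVALID_HELPER messages (quoted or unquoted form).
missing_helpers() {
    sed -n "s/.*INVALID_HELPER: '\{0,1\}\([A-Za-z0-9_]*\)'\{0,1\} not available in kernel.*/\1/p" | sort -u
}

# Helper -> "service port...". Samba ports are from the report; 21/tcp for ftp is an assumption.
ports_for_helper() {
    case "$1" in
        nf_conntrack_netbios_ns) echo "samba 139 445" ;;
        nf_conntrack_ftp)        echo "ftp 21" ;;
        *)                       echo "unknown" ;;
    esac
}

# True if the rules on stdin accept TCP traffic to exactly port $1.
port_allowed() { grep -Eq -e "-p tcp .*--dport $1 .*-j ACCEPT"; }

# $1 = log text, $2 = `iptables -S` text; prints one status line per affected port.
audit() {
    printf '%s\n' "$1" | missing_helpers | while read -r helper; do
        entry=$(ports_for_helper "$helper")
        svc=${entry%% *}
        if [ "$svc" = unknown ]; then continue; fi
        for port in ${entry#* }; do
            if printf '%s\n' "$2" | port_allowed "$port"; then state=open; else state=missing; fi
            echo "$svc $port/tcp $state ($helper)"
        done
    done
}

audit "$(sample_log)" "$(sample_rules)"
```

A `missing` line means the service that depends on the rejected helper has no ACCEPT rule, so the service is unreachable through the firewall even though it is still selected in the zone.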

