Bug 447335 - Default configuration should not block smb/netbios browsing
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 9
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-05-19 15:40 UTC by Simo Sorce
Modified: 2008-07-22 15:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-22 14:54:56 UTC
Type: ---

Description Simo Sorce 2008-05-19 15:40:15 UTC
Description of problem:

The current firewall rules break smb server browsing. This makes it impossible to
find other machines sharing data.

It seems that the only way to restore this for an inexperienced user is to add
"samba" as a trusted service or to disable the firewall.

In both cases the solution is sub-optimal.

Enabling samba as a trusted service allows me to browse but it also *exposes* my
samba server.

An option that allows a machine to browse and access other machines without
exposing our own samba service is highly desirable, possible and should be the
default.

Comment 1 Thomas Woerner 2008-05-19 15:52:08 UTC
What is needed for browsing (client) and what is needed for a server?

This is the current configuration for the samba service:

137/udp, 138/udp, 139/udp and 445/tcp
helper: nf_conntrack_netbios_ns


Comment 2 Simo Sorce 2008-05-19 16:39:38 UTC
For browsing you need to be able to send and receive packets on 137/138 udp
For accessing other servers you need to be able to connect to 139/445 tcp

You do not need to give access to 139/445 tcp (the smbd server); that is
necessary only if you want to share printers.

139/udp is wrong, it is not used, 139/tcp is correct

Simo.

Comment 3 Thomas Woerner 2008-05-20 12:02:44 UTC
I meant 139/tcp, it was a typo.

So the configuration should be like this:

Samba Client:
137,138/udp, ip_conntrack_netbios_ns (allows netbios broadcasts through the
firewall)

Samba Server:
139,445/tcp

Is that correct? The server does not need the udp ports at all?

Comment 4 Simo Sorce 2008-05-20 12:52:23 UTC
No, the server still needs them to allow clients to find it, and to announce itself
on the netbios network.
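
The client/server split worked out in comments 2 to 4, as an added example (not code from system-config-firewall or anaconda). `smb_rules` and `exposes_smbd` are hypothetical helper names, the base chain policy is an assumption, and the conntrack helper module named in comment 1 is assumed to be loaded separately.

```shell
#!/bin/sh
# Added example. smb_rules prints an iptables-restore ruleset for one role:
#   client: 137,138/udp only (browse, nothing served)
#   server: 137,138/udp plus 139,445/tcp (smbd reachable)
# Assumption: default-drop INPUT policy with loopback and established
# traffic allowed; the netbios-ns conntrack helper is loaded elsewhere.
smb_rules() {
    role=$1
    case "$role" in
        client|server) ;;
        *) echo "usage: smb_rules client|server" >&2; return 2 ;;
    esac
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
EOF
    if [ "$role" = server ]; then
        cat <<'EOF'
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 445 -j ACCEPT
EOF
    fi
    echo COMMIT
}

# Audit check: reads a ruleset (iptables-save format) on stdin and returns 0
# if any INPUT rule accepts TCP to 139 or 445, i.e. smbd is exposed.
# Handles --dport and multiport --dports lists; port ranges are not expanded.
exposes_smbd() {
    grep -Eq -- \
      '^-A INPUT .*-p tcp .*--dports? ([0-9:]+,)*(139|445)(,[0-9:]+)* .*-j ACCEPT'
}

# Report which role, if any, leaves smbd reachable from the network.
for r in client server; do
    if smb_rules "$r" | exposes_smbd; then
        echo "$r: smbd reachable (139/445 tcp open)"
    else
        echo "$r: browsing only, smbd not exposed"
    fi
done
```

Piping the output of `iptables-save` into `exposes_smbd` gives the same answer for a live ruleset.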

Comment 5 Thomas Woerner 2008-05-26 16:26:44 UTC
Please have a look at system-config-firewall-1.2.8 in testing. There is a new
client service for Samba. Please test if this is working for you.

The initial firewall configuration is done in anaconda, therefore this bug
should be assigned to anaconda afterwards, it should enable the desktop defaults
for the firewall.

Comment 6 Simo Sorce 2008-05-27 13:21:58 UTC
Is it in Fedora 9 testing already?
It seems I can't see it there.

Comment 7 Simo Sorce 2008-07-12 14:58:15 UTC
New system-config-firewall looks fine, now rerouting to anaconda for the install
time fixes.

Comment 8 Chris Lumens 2008-07-22 14:54:56 UTC
Our general plan in anaconda is to make the default firewall/security setting as
strict as possible, then have the user make whatever settings they want to
afterwards with system-config-firewall.  Right now, the most strict useful
settings we can come up with are SELinux enforcing and the firewall with ssh
open.  People get pretty angry when new holes are opened by default in the
installed firewall - in fact, we get occasional bug reports saying ssh shouldn't
even be allowed.

Comment 9 Simo Sorce 2008-07-22 15:01:34 UTC
Please make sure you understand this is for use as a client; in theory you could
just use conntrack, although I can't remember how good that is.
Certainly you are not thinking of blocking ssh clients, are you?

