As the title states, the samba nmblookup fails when firewalld is on. I already enabled all the samba contexts in SELinux, there is no SELinux error, and I already allowed the samba service permanently (--permanent) on my Fedora 37.
nf_conntrack_netbios_ns is loaded. Is there anything else that I can check so I can find out why firewalld is blocking nmblookup?
Thanks
On Sun, Jan 01, 2023 at 05:21:47AM -0000, Benyamin Limanto wrote:
> As the title states, the samba nmblookup fails when firewalld is on. I already enabled all the samba contexts in SELinux, there is no SELinux error, and I already allowed the samba service permanently (--permanent) on my Fedora 37.
> nf_conntrack_netbios_ns is loaded. Is there anything else that I can check so I can find out why firewalld is blocking nmblookup?
I think automatic connection tracking is now disabled on all kernels. So you have to explicitly assign them.
This can be done in firewalld with a policy:
# firewall-cmd --permanent --new-policy outboundHelpers
# firewall-cmd --permanent --policy outboundHelpers --add-ingress-zone HOST
# firewall-cmd --permanent --policy outboundHelpers --add-egress-zone ANY
# firewall-cmd --permanent --policy outboundHelpers --add-service netbios-ns
# firewall-cmd --reload
Let me know if the above works.
Eric.
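
A check that the policy from the message above is in place after the reload, as an added example that is not part of the thread or of firewalld. The function names are hypothetical, and the sample text is constructed on the layout that `firewall-cmd --info-policy` prints, trimmed to the fields the check reads.

```shell
#!/bin/sh
# Added example: verify the outboundHelpers policy settings named in the thread.
# Live use: firewall-cmd --info-policy outboundHelpers | check_policy

# field KEY: print the value of the "  KEY: value" line held in $INFO.
field() {
    printf '%s\n' "$INFO" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# has_word LIST WORD: succeed only if WORD is a whole item of the space-separated LIST.
has_word() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# check_policy: read info-policy output on stdin, report each missing setting,
# and return 0 only when all three settings from the thread are present.
check_policy() {
    INFO=$(cat)
    rc=0
    has_word "$(field ingress-zones)" HOST || { echo "missing ingress zone HOST"; rc=1; }
    has_word "$(field egress-zones)" ANY || { echo "missing egress zone ANY"; rc=1; }
    has_word "$(field services)" netbios-ns || { echo "missing service netbios-ns"; rc=1; }
    return $rc
}

# Constructed sample: the policy as the five commands above would leave it.
SAMPLE_OK='outboundHelpers (active)
  priority: -1
  target: CONTINUE
  ingress-zones: HOST
  egress-zones: ANY
  services: netbios-ns
  ports: '

# Constructed sample: policy created, but the netbios-ns service was not added to it.
SAMPLE_BAD='outboundHelpers (active)
  priority: -1
  target: CONTINUE
  ingress-zones: HOST
  egress-zones: ANY
  services: samba-client
  ports: '

printf '%s\n' "$SAMPLE_OK" | check_policy && echo "policy ok"
```
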
I think this works, but what is the difference between
firewall-cmd --set-automatic-helpers=yes
and the outbound helper policy?
Does enabling it cause a security issue? I mean, we already have samba and samba-client by default in the firewalld config, but it seems this was left out for some reason?
Thank you.
On Wed, Jan 04, 2023 at 10:01:28AM +0700, Benyamin Limanto wrote:
> I think this works, but what is the difference between
> firewall-cmd --set-automatic-helpers=yes
> and the outbound helper policy?
> Does enabling it cause a security issue? I mean, we already have samba and samba-client by default in the firewalld config, but it seems this was left out for some reason?
The setting --set-automatic-helpers is ignored. Firewalld never uses automatic helpers (and newer kernels dropped support).
man firewalld.conf:
    AutomaticHelpers
        Deprecated. This option is ignored and no longer used.