Samba browsing [was: What I HATE about F11]

Chuck Anderson cra at WPI.EDU
Sun Jun 14 18:58:19 UTC 2009


On Sun, Jun 14, 2009 at 10:35:53AM +0200, Martin Sourada wrote:
> >       * Samba (outbound) browsing requires firewall mods
> I don't know how Samba works, so forgive me if I say obvious stupidity,
> but shouldn't *client* work even behind closed firewall (like with any
> other services like ssh, ftp, ...)? Isn't this a samba bug then?

Not a samba bug, but rather a s-c-firewall/iptables bug.  I was 
involved way back when to make this "just work" out of the box [2], 
but it seems we've regressed in this area.  There is an iptables 
module called "nf_conntrack_netbios_ns" that makes browsing possible 
without opening up firewall holes.  You can enable it by adding it to 
the IPTABLES_MODULES list in /etc/sysconfig/iptables-config:

IPTABLES_MODULES="nf_conntrack_netbios_ns"

You shouldn't need to poke a hole for 137/udp or 138/udp in the 
firewall when using this module.  When an outbound browse broadcast is 
made, this module allows the replies back in automatically.

Help would be appreciated with this since there is a scarcity of 
NetBIOS Browsing capability where I am these days:

[1] https://bugzilla.redhat.com/show_bug.cgi?id=469884

Original bug that proposed the creation of the iptables module:

[2] https://bugzilla.redhat.com/show_bug.cgi?id=113918
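
An added example, not part of the original message: a small audit that checks whether the helper is listed in IPTABLES_MODULES and whether static 137/udp or 138/udp ACCEPT rules are still present alongside it. The function names and sample files are constructed for illustration, and the rules file is assumed to use iptables-save syntax.

```shell
# Added example (not from the original post). Assumed formats: shell-style
# assignments in iptables-config, iptables-save syntax in the rules file.
HELPER="nf_conntrack_netbios_ns"
# True if the helper is named in the last uncommented IPTABLES_MODULES= line.
helper_configured() {
    mods=$(sed -n 's/^[[:space:]]*IPTABLES_MODULES=//p' "$1" | tail -n 1 | tr -d "\"'")
    case " $mods " in *" $HELPER "*) return 0 ;; esac
    return 1
}

# Print ACCEPT rules on an INPUT chain that open 137/udp or 138/udp.
netbios_holes() {
    grep -E '^-A [^ ]*INPUT .*-p udp' "$1" | grep -e '-j ACCEPT' |
        grep -E -e '--dports? ([0-9,:]*[,:])?13[78]([[:space:],:]|$)'
}

# Exit status: 0 = helper only, 1 = helper missing, 2 = helper plus leftover holes.
audit_netbios_fw() {
    holes=$(netbios_holes "$2" || true)
    if ! helper_configured "$1"; then
        echo "MISSING: $HELPER is not in IPTABLES_MODULES"
        return 1
    fi
    if [ -n "$holes" ]; then
        echo "REDUNDANT: helper is loaded but these rules still open 137/138 udp:"
        echo "$holes"
        return 2
    fi
    echo "OK: helper loaded, no static 137/138 udp holes"
}

# Constructed sample files (not taken from a real host).
write_samples() {
    echo 'IPTABLES_MODULES="nf_conntrack_ftp nf_conntrack_netbios_ns"' > "$1/config.helper"
    echo 'IPTABLES_MODULES=""' > "$1/config.empty"
    cat > "$1/rules.closed" <<'EOF'
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
EOF
    cat > "$1/rules.open" <<'EOF'
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
EOF
}
d=$(mktemp -d) && write_samples "$d"
audit_netbios_fw "$d/config.helper" "$d/rules.closed" || echo "  -> status $?"
audit_netbios_fw "$d/config.helper" "$d/rules.open" || echo "  -> status $?"
audit_netbios_fw "$d/config.empty" "$d/rules.closed" || echo "  -> status $?"
```

On a real host the two arguments would be /etc/sysconfig/iptables-config and the saved rules file; port ranges that merely span 137 or 138 are not detected by this pattern.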



