Samba/SMB

If you wish to run Samba on your firewall and access shares between the firewall and local hosts, you need the following rules:

/etc/shorewall/rules:

ACTION   SOURCE   DEST   PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST
ACCEPT   fw       loc    udp     137:139
ACCEPT   fw       loc    tcp     137,139,445
ACCEPT   fw       loc    udp     1024:          137
ACCEPT   loc      fw     udp     137:139
ACCEPT   loc      fw     tcp     137,139,445
ACCEPT   loc      fw     udp     1024:          137

To pass SMB/Samba traffic between zones Z1 and Z2:

/etc/shorewall/rules:

ACTION   SOURCE   DEST   PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST
ACCEPT   Z1       Z2     udp     137:139
ACCEPT   Z1       Z2     tcp     137,139,445
ACCEPT   Z1       Z2     udp     1024:          137
ACCEPT   Z2       Z1     udp     137:139
ACCEPT   Z2       Z1     tcp     137,139,445
ACCEPT   Z2       Z1     udp     1024:          137

Making network browsing ("Network Neighborhood") work properly between Z1 and Z2 requires a Windows Domain Controller and/or a WINS server. I run Samba on my firewall to handle browsing between two zones connected to my firewall. Details are here.
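The rule sets above are symmetric (three rules in each direction), and a missing return rule is easy to overlook. The following check is an added example, not part of Shorewall or of the original page: the function name missing_smb_rules and the sample rules are constructed here, and it assumes rules are written literally as in the tables above (it does not expand macros or equivalent port spellings).

```shell
#!/bin/sh
# Report which of the six SMB rules from the tables above are absent
# from a Shorewall rules file for a given pair of zones.
# Usage: missing_smb_rules RULES_FILE ZONE_A ZONE_B   ("-" reads stdin)
# Prints each missing rule; returns 0 if all six are present, 1 otherwise.
missing_smb_rules() {
    awk -v a="$2" -v b="$3" '
        BEGIN {
            # proto|dest ports|source ports, "-" meaning column left empty
            n = split("udp|137:139|- tcp|137,139,445|- udp|1024:|137", want, " ")
        }
        /^[ \t]*#/ || NF < 5 { next }        # skip comments and short lines
        $1 == "ACCEPT" {
            sp = (NF >= 6 ? $6 : "-")        # source port column is optional
            seen[$2 "|" $3 "|" $4 "|" $5 "|" sp] = 1
        }
        END {
            missing = 0
            for (d = 0; d < 2; d++) {        # check both directions
                src = d ? b : a
                dst = d ? a : b
                for (i = 1; i <= n; i++) {
                    key = src "|" dst "|" want[i]
                    if (!(key in seen)) {
                        split(want[i], f, "|")
                        printf "ACCEPT %s %s %s %s %s\n", src, dst, f[1], f[2], f[3]
                        missing++
                    }
                }
            }
            exit (missing > 0)
        }
    ' "$1"
}

# Constructed sample: the loc -> fw "udp 1024: 137" rule has been left out.
SAMPLE_RULES='#ACTION SOURCE DEST PROTO DEST_PORTS SOURCE_PORTS
ACCEPT fw  loc udp 137:139
ACCEPT fw  loc tcp 137,139,445
ACCEPT fw  loc udp 1024:       137
ACCEPT loc fw  udp 137:139     -
ACCEPT loc fw  tcp 137,139,445'

if printf '%s\n' "$SAMPLE_RULES" | missing_smb_rules - fw loc; then
    echo "SMB rule set complete"
else
    echo "rules listed above are missing"
fi
```
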

Last modified 10/22/2002 - Tom Eastep

Copyright © 2002 Thomas M. Eastep.