Samba/SMB

Tom Eastep

2005-01-14

Copyright 2002, 2004, 2005 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

If you wish to run Samba on your firewall and access shares between the firewall and local hosts, you need the following rules:

/etc/shorewall/rules:

    #ACTION   SOURCE   DEST   PROTO   DEST          SOURCE
    #                                 PORT(S)       PORT(S)
    ACCEPT    fw       loc    udp     137:139
    ACCEPT    fw       loc    tcp     137,139,445
    ACCEPT    fw       loc    udp     1024:         137
    ACCEPT    loc      fw     udp     137:139
    ACCEPT    loc      fw     tcp     137,139,445
    ACCEPT    loc      fw     udp     1024:         137

Users running Shorewall 2.0.0 or later may simplify the above through use of the AllowSMB action:

    #ACTION   SOURCE   DEST   PROTO   DEST          SOURCE
    #                                 PORT(S)       PORT(S)
    AllowSMB  fw       loc
    AllowSMB  loc      fw

To pass SMB/Samba traffic between zones Z1 and Z2:

/etc/shorewall/rules:

    #ACTION   SOURCE   DEST   PROTO   DEST          SOURCE
    #                                 PORT(S)       PORT(S)
    ACCEPT    Z1       Z2     udp     137:139
    ACCEPT    Z1       Z2     tcp     137,139,445
    ACCEPT    Z1       Z2     udp     1024:         137
    ACCEPT    Z2       Z1     udp     137:139
    ACCEPT    Z2       Z1     tcp     137,139,445
    ACCEPT    Z2       Z1     udp     1024:         137

Again, users running 2.0.0 or later may write:

    #ACTION   SOURCE   DEST   PROTO   DEST          SOURCE
    #                                 PORT(S)       PORT(S)
    AllowSMB  Z1       Z2
    AllowSMB  Z2       Z1

To make network browsing (Network Neighborhood) work properly between Z1 and Z2 requires a Windows Domain Controller and/or a WINS server. I run Samba on my firewall to handle browsing between two zones connected to my firewall. Details are here.
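Each direction between two zones needs the same three flows, so a single mistyped zone name leaves one direction incomplete. The following check is an added example, not part of the original Shorewall documentation: it parses rules text in the layout shown above and reports which of those flows are missing per direction. The function names and the sample rules are constructed for illustration, and AllowSMB is treated as equivalent to the three ACCEPT rows, as this page describes it.

```python
# Added example (not from the Shorewall docs): audit SMB rule coverage.
# Rows are matched literally against the three flows the page lists per
# direction; broader rules (e.g. an ACCEPT with no ports) are not recognized.
REQUIRED = {
    ("udp", "137:139", "-"),
    ("tcp", "137,139,445", "-"),
    ("udp", "1024:", "137"),  # UDP from source port 137 to ports 1024 and up
}

# Constructed sample: the last row names Z1 twice instead of Z2 -> Z1.
SAMPLE = """\
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)
ACCEPT   Z1      Z2    udp    137:139
ACCEPT   Z1      Z2    tcp    137,139,445
ACCEPT   Z1      Z2    udp    1024:         137
ACCEPT   Z2      Z1    udp    137:139
ACCEPT   Z2      Z1    tcp    137,139,445
ACCEPT   Z1      Z1    udp    1024:         137
"""

def parse_rules(text):
    """Map (source, dest) -> set of (proto, dest ports, source ports)."""
    flows = {}
    for raw in text.splitlines():
        cols = raw.split("#", 1)[0].split()  # drop comments and header rows
        if len(cols) < 3:
            continue
        action, src, dst = cols[:3]
        if action == "AllowSMB":  # assumption: same as the three ACCEPT rows
            flows.setdefault((src, dst), set()).update(REQUIRED)
        elif action == "ACCEPT" and len(cols) >= 5:
            sport = cols[5] if len(cols) > 5 else "-"
            flows.setdefault((src, dst), set()).add((cols[3], cols[4], sport))
    return flows

def missing_smb(text, z1, z2):
    """Return {(source, dest): [missing flows]} for both directions."""
    flows = parse_rules(text)
    gaps = {}
    for pair in ((z1, z2), (z2, z1)):
        lacking = REQUIRED - flows.get(pair, set())
        if lacking:
            gaps[pair] = sorted(lacking)
    return gaps

if __name__ == "__main__":
    for pair, lacking in missing_smb(SAMPLE, "Z1", "Z2").items():
        print("%s -> %s is missing: %s" % (pair[0], pair[1], lacking))
```
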