Samba/SMB

Tom Eastep

2005-01-14

Copyright © 2002, 2004, 2005 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
If you wish to run Samba on your firewall and access shares between the firewall and local hosts, you need the following rules:

/etc/shorewall/rules:

#ACTION  SOURCE  DEST  PROTO  DEST         SOURCE
#                             PORT(S)      PORT(S)
ACCEPT   fw      loc   udp    137:139
ACCEPT   fw      loc   tcp    137,139,445
ACCEPT   fw      loc   udp    1024:        137
ACCEPT   loc     fw    udp    137:139
ACCEPT   loc     fw    tcp    137,139,445
ACCEPT   loc     fw    udp    1024:        137
Users running Shorewall 2.0.0 or later may simplify the above through use of the AllowSMB action:

#ACTION    SOURCE  DEST  PROTO  DEST         SOURCE
#                               PORT(S)      PORT(S)
AllowSMB   fw      loc
AllowSMB   loc     fw
To pass SMB/Samba traffic between zones Z1 and Z2:

/etc/shorewall/rules:

#ACTION  SOURCE  DEST  PROTO  DEST         SOURCE
#                             PORT(S)      PORT(S)
ACCEPT   Z1      Z2    udp    137:139
ACCEPT   Z1      Z2    tcp    137,139,445
ACCEPT   Z1      Z2    udp    1024:        137
ACCEPT   Z2      Z1    udp    137:139
ACCEPT   Z2      Z1    tcp    137,139,445
ACCEPT   Z2      Z1    udp    1024:        137
Again, users running 2.0.0 or later may write:

#ACTION    SOURCE  DEST  PROTO  DEST         SOURCE
#                               PORT(S)      PORT(S)
AllowSMB   Z1      Z2
AllowSMB   Z2      Z1
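SMB only works when every rule in the set above has its mirror image in the opposite direction, and a single mistyped zone name (for example Z1 Z1 instead of Z2 Z1) silently breaks that. The following added example, which is not part of the Shorewall documentation, parses ACCEPT and AllowSMB lines in the /etc/shorewall/rules format shown on this page and reports SMB rules that point a zone at itself or lack a mirrored counterpart; it assumes AllowSMB stands for exactly the three explicit rules given above.

```python
"""Audit Shorewall rules lines for SMB/Samba paths between zones (added example)."""
SMB_PORTS = {137, 138, 139, 445}   # NetBIOS/SMB ports the rules on this page open
# Assumption: AllowSMB stands for the explicit three-rule set given on this page.
ALLOWSMB_EQUIV = {("udp", "137:139", "-"), ("tcp", "137,139,445", "-"), ("udp", "1024:", "137")}

def _ports(spec):
    """Expand '137:139', '137,139,445' or '-' into a set of ints; '1024:' yields none."""
    ports = set()
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        if part == "-" or (sep and not hi):   # no ports, or an open-ended range
            continue
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def smb_rules(text):
    """Map (src, dst) -> set of (proto, dest_ports, source_ports) that touch SMB ports."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        action, src, dst, proto, dports, sports = (line.split() + ["-"] * 6)[:6]
        if action == "AllowSMB":
            rules.setdefault((src, dst), set()).update(ALLOWSMB_EQUIV)
        elif action == "ACCEPT" and (_ports(dports) | _ports(sports)) & SMB_PORTS:
            rules.setdefault((src, dst), set()).add((proto, dports, sports))
    return rules

def audit(text):
    """Flag zone-to-itself SMB rules and SMB rules with no mirrored counterpart."""
    rules = smb_rules(text)
    findings = []
    for (src, dst), sigs in sorted(rules.items()):
        if src == dst:
            findings.append(f"{src}->{dst}: SMB rule from a zone to itself (typo?)")
            continue
        for sig in sorted(sigs - rules.get((dst, src), set())):
            findings.append(f"{dst}->{src}: missing {' '.join(sig)}")
    return findings

# Constructed sample: the Z1/Z2 rule set from this page with a mistyped last line.
SAMPLE = """\
ACCEPT Z1 Z2 udp 137:139
ACCEPT Z1 Z2 tcp 137,139,445
ACCEPT Z1 Z2 udp 1024: 137
ACCEPT Z2 Z1 udp 137:139
ACCEPT Z2 Z1 tcp 137,139,445
ACCEPT Z1 Z1 udp 1024: 137
"""
```

Running audit(SAMPLE) reports the Z1->Z1 rule and the missing "udp 1024: 137" rule from Z2 to Z1; the corrected rule set, or a pair of AllowSMB lines in both directions, produces no findings.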
To make network browsing (Network Neighborhood) work properly between Z1 and Z2 requires a Windows Domain Controller and/or a WINS server. I run Samba on my firewall to handle browsing between two zones connected to my firewall. Details are here.