New subject: [Bug 462307] Cannot open SuSEfirewall2 for Samba using Yast2

24 Dec 2008

      https://bugzilla.novell.com/show_bug.cgi?id=462307

           Summary: Cannot open SuSEfirewall2 for Samba using Yast2
           Product: openSUSE 11.1
           Version: Final
          Platform: i586
        OS/Version: openSUSE 11.1
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: YaST2
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: swerdna@opensuse-forums.org
         QAContact: jsrain@novell.com
          Found By: Community User

I have so much trouble getting the terminology right that I will be a bit
pedantic in this report or I'll get it wrong.

If Samba is to operate in openSUSE 11.1 when SuSEfirewall2 is running, then
five entries in the file /etc/sysconfig/SuSEfirewall2 are enabled as follows:

The first is FW_DEV_EXT is set to include the network interface/s
There is a Yast2 tool for this at Security and Users --> Firewall -->
Interfaces and it works

The second is FW_SERVICES_EXT_TCP is set to include 139 and 445 (or their
respective synonyms netbios-ssn and microsoft-ds)
There is a tool for this at Security and Users --> Firewall --> Allowed
Services --> Add Service --> Samba Server and it does not work.
The third is: This tool in past releases (like 11.0) concurrently sets the
third parameter FW_SERVICES_EXT_UDP to include 137 and 138 (or their respective
synonyms netbios-ns and netbios-dgm). The tool (Allowed Services --> Add
Service --> Samba Server) does not work for this either.

NB this is similar to bug 443132 but it is different in that in bug 443132 the
problem that the tool was not present. In my report the tool is present but it
does not work.

The fourth is FW_ALLOW_FW_BROADCAST_EXT which must be set to "yes" or for
better security to 137 and 138 (or their respective synonyms netbios-ns and
netbios-dgm).
There is a tool for this at Security and Users --> Firewall --> Allowed
Services --> Add Service --> Samba Server and it does not work. Once again this
is similar to bug 443132 except there was no tool there. Here there is a tool
but it doesn't work.
There is a second (alternative) tool for this at Firewall --> Broadcast -->
External Zone --> here enter netbios-ns and netbios-dgm (or 137 and 138) and
click Next. This does work.

The fifth is FW_SERVICES_ACCEPT_RELATED_EXT which is set for a world wide
trusted network like 0/0 or with better security to the local LAN e.g.
10.1.1.0/24,udp,137

These then are the tools that do and don't work. There is another tool
mentioned in bug 443132 (Network Services --> Samba Server --> Startup -->
Firewall. That's covered by the bug report presumably but I can confirm that it
still doesn't work.

The really big issue is that the tool "Security and Users --> Firewall -->
Allowed Services --> Add Service --> Samba Server" is a make it or break it
tool for Samba users. The three settings that it controls can be fixed/set for
Samba in a separate/alternate tool: Yast's etc/sysconfig --> Network -->
Firewall tool. But that's so difficult for new users as to be of limited use to
the point where users mostly just turn the firewall off or abandon Samba.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

[Bug 462307] New: Cannot open SuSEfirewall2 for Samba using Yast2

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

bugzilla_noreply＠novell.com

tags

participants (1)