On Saturday 30 September 2006 5:21 am, Darryl Gregorash wrote:
On 29/09/06 17:32, Paul Abrahams wrote:
On Friday 29 September 2006 5:23 pm, Darryl Gregorash wrote:
If it is possible, please set FW_TRUSTED_NETS to just 192.168.0.0/24, restart the firewall, and then run:
iptables-save
The results of this should tell us what is going on. This should work without having to specify a bunch of protocol/port options.
Here you are:
<snip>
-A INPUT -i eth0 -j input_ext
<snip>
-A input_ext -m pkttype --pkt-type broadcast -j DROP
OK, those are the first two rules in the input chains. After some icmp
stuff comes:
-A input_ext -s 192.168.0.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-ACC-TRUST " --log-tcp-options --log-ip-options
-A input_ext -s 192.168.0.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Windows uses broadcasts extensively in its file sharing, so refusing all broadcasts is the reason why a Windows client cannot see the shares (as you mentioned in your next post). I believe if you set FW_ALLOW_FW_BROADCAST_EXT="137" in /etc/sysconfig/SuSEfirewall2, things should work again. Sorry I didn't catch this earlier, but I never even thought to ask you if you were denying broadcasts -- I just assumed that if you were using Samba, you must be allowing port 137 broadcasts. Please see the firewall config file for a discussion of how this variable works.
That has to qualify as a "gotcha". I fixed it just as you suggested and Samba now works on my Windows machines. An epistemological question: how might I have discovered that if you hadn't told me, other than plowing through all the FW parameters and just maybe realizing that this one needed to be changed -- and changed to 137? Even though the description of this variable in the config file mentions Samba, it doesn't indicate very clearly how essential it is. Too bad all this necessary stuff isn't in the Firewall section of Yast (granted that you can get at it through sysconfig if you know to look there). Thanks for all your help, Darryl. You certainly know a lot about this stuff.

Paul
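To make the rule-ordering problem discussed in this thread checkable by script, here is an added shell example (not from the thread, and not part of SuSEfirewall2): it scans an iptables-save dump and reports whether NetBIOS name-service (udp/137) broadcasts hit an ACCEPT in input_ext before the blanket broadcast DROP. Both dumps are constructed from the rules quoted above; the exact rule SuSEfirewall2 emits for FW_ALLOW_FW_BROADCAST_EXT="137" is an assumption.

```shell
#!/bin/sh
# nb_broadcast_verdict: read an iptables-save dump on stdin and print
# "allowed" (exit 0) if a udp/137 broadcast ACCEPT in chain input_ext
# precedes the blanket "--pkt-type broadcast -j DROP", else "blocked" (exit 1).
# iptables evaluates rules in order, so an ACCEPT placed after the DROP
# never sees a broadcast packet, trusted source network or not.
nb_broadcast_verdict() {
    awk '
        /^-A input_ext / {
            n++
            if ($0 ~ /--pkt-type broadcast/ && $0 ~ /-j DROP/ && !drop) drop = n
            if ($0 ~ /--pkt-type broadcast/ && $0 ~ /--dport 137/ && $0 ~ /-j ACCEPT/ && !acc) acc = n
        }
        END {
            if (acc && (!drop || acc < drop)) { print "allowed"; exit 0 }
            print "blocked"; exit 1
        }
    '
}

# Constructed dump modelled on the rules posted in the thread: broadcasts are
# dropped before the trusted-net ACCEPT, so Windows clients cannot browse Samba.
RULES_BEFORE='-A INPUT -i eth0 -j input_ext
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -s 192.168.0.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT'

# Constructed dump after FW_ALLOW_FW_BROADCAST_EXT="137"; the form of the
# inserted udp/137 rule is assumed, only its position before the DROP matters.
RULES_AFTER='-A INPUT -i eth0 -j input_ext
-A input_ext -p udp -m pkttype --pkt-type broadcast -m udp --dport 137 -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -s 192.168.0.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT'

printf 'as posted:                            %s\n' "$(printf '%s\n' "$RULES_BEFORE" | nb_broadcast_verdict)"
printf 'with FW_ALLOW_FW_BROADCAST_EXT="137": %s\n' "$(printf '%s\n' "$RULES_AFTER" | nb_broadcast_verdict)"
```

On a live SUSE box the same check is `iptables-save | nb_broadcast_verdict`, run after restarting the firewall.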