After some time looking into the FW logs I found what the problem was (how easy to find, when a man knows what to look for :). From /var/log/messages:
Sep 10 20:15:03 nganga kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:06:5b:dd:a2:9d:00:60:52:06:97:20:08:00 SRC=157.218.65.59 DST=157.218.65.109 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=50979 PROTO=UDP SPT=137 DPT=2676 LEN=70
it is clearly seen that the master browser (157.218.65.59) sends a UDP packet to my box on port 2676. After enabling FW_SERVICES_EXT_UDP="137 138 2676" I got the correct answer.
I'm just guessing here now, but nmblookup is probably randomly selecting 2676 as the source address when it sends the broadcast. I thought that SMB was all over TCP, though? I guess you'd need a rule in there to catch "related" packets and allow them, then drop other packets. I'm not entirely sure if "related" works with UDP, though. That's for someone else to answer (or test). :) Look at the "cstate" iptables module for more info (in the iptables man page).

--Danny

As usual you are "however" right. Now it uses UDP 2715... But what should I try to find? Is it --ctstate or --state? I couldn't find any word "cstate".

Best regards
Stepan
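The pattern in the thread (a reply from UDP port 137 dropped because it lands on an ephemeral port that changes with every query) is easy to pick out of the SFW2 log mechanically. The script below is an added example and is not code from any of the posters; it parses SuSEfirewall2 DROP lines, flags dropped NetBIOS name-service replies, and contrasts the per-port workaround (growing FW_SERVICES_EXT_UDP by one port per query) with a single stateful rule. The first sample log line is the one quoted in the thread; the other three are constructed, the existing port list "137 138" is assumed from the thread's variable, and the hostnames/addresses are illustration only. On the question raised at the end: both `-m state --state` (the older match) and `-m conntrack --ctstate` exist in iptables; with either, connection tracking classifies a UDP answer to a packet the box sent as ESTABLISHED, so the reply is accepted without opening a fixed port.

```python
"""Classify SuSEfirewall2 (SFW2) DROP log lines and spot NetBIOS name-service
replies that a stateless UDP rule set throws away.

Added example for this thread, not code from the original posts. The first
sample line is the one quoted in the thread; the rest are constructed, and the
address 203.0.113.7 is a documentation-range address used purely as illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

NBNS_PORT = 137        # NetBIOS name service; nmblookup queries it
EPHEMERAL_MIN = 1024   # assumption: ports >= 1024 are treated as client-side ports
EXISTING_UDP_LIST = "137 138"   # assumed current FW_SERVICES_EXT_UDP value (from the thread)

# Constructed sample log (line 1 is from the thread, lines 2-4 are made up).
SAMPLE_LOG = """\
Sep 10 20:15:03 nganga kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:06:5b:dd:a2:9d:00:60:52:06:97:20:08:00 SRC=157.218.65.59 DST=157.218.65.109 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=50979 PROTO=UDP SPT=137 DPT=2676 LEN=70
Sep 10 20:16:11 nganga kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:06:5b:dd:a2:9d:00:60:52:06:97:20:08:00 SRC=157.218.65.59 DST=157.218.65.109 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=50980 PROTO=UDP SPT=137 DPT=2715 LEN=70
Sep 10 20:17:40 nganga kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:06:5b:dd:a2:9d:00:60:52:06:97:20:08:00 SRC=203.0.113.7 DST=157.218.65.109 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 10 20:18:02 nganga kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:06:5b:dd:a2:9d:00:60:52:06:97:20:08:00 SRC=157.218.65.59 DST=157.218.65.109 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=50981 PROTO=UDP SPT=138 DPT=138 LEN=58
"""


@dataclass
class DroppedPacket:
    chain: str
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]


def parse_sfw2_line(line: str) -> Optional[DroppedPacket]:
    """Parse one 'kernel: SFW2-... KEY=VALUE ...' line; return None for other lines."""
    m = re.search(r"kernel: (SFW2-\S+) (.*)$", line)
    if not m:
        return None
    chain, rest = m.group(1), m.group(2)
    fields: Dict[str, str] = {}
    for key, value in re.findall(r"(\w+)=(\S*)", rest):
        fields.setdefault(key, value)  # LEN appears twice (IP and UDP); keep the first

    def port(name: str) -> Optional[int]:
        value = fields.get(name, "")
        return int(value) if value.isdigit() else None

    return DroppedPacket(chain, fields.get("SRC", ""), fields.get("DST", ""),
                         fields.get("PROTO", ""), port("SPT"), port("DPT"))


def is_dropped_nbns_reply(pkt: DroppedPacket) -> bool:
    """True when the dropped packet looks like a NetBIOS name-service reply:
    UDP from port 137 to an ephemeral port, i.e. an answer to a query this box sent."""
    return (pkt.proto == "UDP" and pkt.spt == NBNS_PORT
            and pkt.dpt is not None and pkt.dpt >= EPHEMERAL_MIN)


def find_dropped_nbns_replies(log_text: str) -> List[DroppedPacket]:
    packets = [p for p in (parse_sfw2_line(l) for l in log_text.splitlines()) if p]
    return [p for p in packets if is_dropped_nbns_reply(p)]


def suggest_rules(dropped: List[DroppedPacket]) -> Dict[str, object]:
    """Contrast the two ways of fixing the drops.

    'workaround' is the thread's approach: add every observed DPT to the static
    UDP list. It has to be extended again after each new query, because the
    client port is chosen afresh each time.
    'stateful' accepts any UDP reply to a packet this host sent (conntrack marks
    it ESTABLISHED) while still dropping unsolicited 137->high-port traffic.
    """
    if not dropped:
        return {}
    ports = sorted({p.dpt for p in dropped if p.dpt is not None})
    workaround = 'FW_SERVICES_EXT_UDP="%s %s"' % (
        EXISTING_UDP_LIST, " ".join(str(p) for p in ports))
    stateful = [
        "iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT",
        # same thing with the newer match module:
        "iptables -A INPUT -p udp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    return {"workaround": workaround, "stateful": stateful}


if __name__ == "__main__":
    hits = find_dropped_nbns_replies(SAMPLE_LOG)
    for p in hits:
        print(f"dropped NBNS reply {p.src}:{p.spt} -> {p.dst}:{p.dpt} ({p.chain})")
    for key, value in suggest_rules(hits).items():
        print(key, value)
```

Run it against a real /var/log/messages by passing the file contents to `find_dropped_nbns_replies`; the SSH probe and the 138->138 datagram in the sample are deliberately not flagged, which is the property you want from the stateful rule too: it lets replies in, not everything from port 137.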