TW firewall and zeroconf / smb3 on TrueNAS
I have two machines running, a TW (always the most recent) and a TrueNAS (FreeBSD based). On the TrueNAS I am running a jail with miniDLNA to stream movies over the network (to a smart TV but also to a PC). I have also put the pools with Samba on a share with appropriate permissions. I did allow in the firewall of TW (via YaST): upnp, zeroconf, samba client. Now guess what: if I run Dolphin to search the network for services, it does not see on TW either upnp services or zeroconf, not even samba. When I instead stop the firewall and search, everything appears and works. This is also true after a reboot, just in case anybody suggested it. Are the YaST allowances to the FW still working, or does everything have to be edited via some config file / table? Thank you.
On 2022-11-07 12:10, Stakanov wrote:
I have two machines running, a TW (always the most recent) and a TrueNAS (FreeBSD based).
On the TrueNAS I am running a jail with miniDLNA to stream movies over the network (to a smart TV but also to a PC). I have also put the pools with Samba on a share with appropriate permissions.
I did allow in the firewall of TW (via YaST): upnp, zeroconf, samba client. Now guess what: if I run Dolphin to search the network for services, it does not see on TW either upnp services or zeroconf, not even samba.
When I instead stop the firewall and search, everything appears and works. This is also true after a reboot, just in case anybody suggested it. Are the YaST allowances to the FW still working, or does everything have to be edited via some config file / table?
Well, the traditional trick is to watch the firewall log to see what it rejects from the machine of interest and open it.
-- Cheers / Saludos, Carlos E. R. (from 15.3 x86_64 at Telcontar)
On Monday 7 November 2022 12:21:34 CET, Carlos E. R. wrote:
On 2022-11-07 12:10, Stakanov wrote:
I have two machines running, a TW (always the most recent) and a TrueNAS (FreeBSD based).
On the TrueNAS I am running a jail with miniDLNA to stream movies over the network (to a smart TV but also to a PC). I have also put the pools with Samba on a share with appropriate permissions.
I did allow in the firewall of TW (via YaST): upnp, zeroconf, samba client. Now guess what: if I run Dolphin to search the network for services, it does not see on TW either upnp services or zeroconf, not even samba. When I instead stop the firewall and search, everything appears and works. This is also true after a reboot, just in case anybody suggested it. Are the YaST allowances to the FW still working, or does everything have to be edited via some config file / table?
Well, the traditional trick is to watch the firewall log to see what it rejects from the machine of interest and open it.
-- Cheers / Saludos,
Carlos E. R. (from 15.3 x86_64 at Telcontar)
Well, there is the first problem. I do not find any log file from the firewall. There is a firewalld log in /var/log, but it does not seem to hold logs from the firewall. It repeats:
2022-09-20 19:09:05 ERROR: Backup of file '/etc/firewalld/zones/public.xml' failed: [Errno 30] Read-only file system: '/etc/firewalld/zones/public.xml.old'
2022-09-20 19:09:05 Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/firewall/server/decorators.py", line 67, in _impl
    return func(*args, **kwargs)
  File "/usr/lib/python3.10/site-packages/firewall/server/config_zone.py", line 241, in update
    self.obj = self.config.set_zone_config(self.obj, settings)
  File "/usr/lib/python3.10/site-packages/firewall/core/fw_config.py", line 808, in set_zone_config
    return self.set_zone_config_dict(obj, conf_dict)
  File "/usr/lib/python3.10/site-packages/firewall/core/fw_config.py", line 821, in set_zone_config_dict
    zone_writer(x)
  File "/usr/lib/python3.10/site-packages/firewall/core/io/zone.py", line 445, in zone_writer
    f = io.open(name, mode='wt', encoding='UTF-8')
OSError: [Errno 30] Read-only file system: '/etc/firewalld/zones/public.xml'
So apparently the system is not writable??? Maybe I am not using firewalld? I am lost, sorry. What other logs do I have to look at?
On 2022-11-07 16:16, Stakanov wrote:
On Monday 7 November 2022 12:21:34 CET, Carlos E. R. wrote:
On 2022-11-07 12:10, Stakanov wrote:
Well, the traditional trick is to watch the firewall log to see what it rejects from the machine of interest and open it.
Well, there is the first problem. I do not find any log file from the firewall. There is a firewalld log in /var/log, but it does not seem to hold logs from the firewall.
You might have to tell the firewall to log things. I don't have firewalld on this machine, so I can not look up for you where it is done.
It repeats:
2022-09-20 19:09:05 ERROR: Backup of file '/etc/firewalld/zones/public.xml' failed: [Errno 30] Read-only file system: '/etc/firewalld/zones/public.xml.old'
2022-09-20 19:09:05 Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/firewall/server/decorators.py", line 67, in _impl
    return func(*args, **kwargs)
  File "/usr/lib/python3.10/site-packages/firewall/server/config_zone.py", line 241, in update
    self.obj = self.config.set_zone_config(self.obj, settings)
  File "/usr/lib/python3.10/site-packages/firewall/core/fw_config.py", line 808, in set_zone_config
    return self.set_zone_config_dict(obj, conf_dict)
  File "/usr/lib/python3.10/site-packages/firewall/core/fw_config.py", line 821, in set_zone_config_dict
    zone_writer(x)
  File "/usr/lib/python3.10/site-packages/firewall/core/io/zone.py", line 445, in zone_writer
    f = io.open(name, mode='wt', encoding='UTF-8')
OSError: [Errno 30] Read-only file system: '/etc/firewalld/zones/public.xml'
So apparently the system is not writable??? Maybe I am not using firewalld? I am lost, sorry. What other logs do I have to look at?
Did you say TW? Maybe in TW the /etc path is RO. Or the firewall runs too early. No idea.
-- Cheers / Saludos, Carlos E. R. (from 15.3 x86_64 at Telcontar)
On 07.11.2022 14:10, Stakanov wrote:
I have two machines running, a TW (always the most recent) and a TrueNAS (FreeBSD based).
On the TrueNAS I am running a jail with miniDLNA to stream movies over the network (to a smart TV but also to a PC). I have also put the pools with Samba on a share with appropriate permissions.
I did allow in the firewall of TW (via YaST): upnp, zeroconf, samba client.
You cannot "allow in firewall of TW (via yast)" anything. You can "allow in the specific zone". And then you must make sure this zone is actually active for the correct interface. Check your active zones, which zone is assigned to the interface that is used to reach your TrueNAS, and the configuration of *this* zone.
Now guess what: if I run Dolphin to search the network for services, it does not see on TW either upnp services or zeroconf, not even samba.
When I instead stop the firewall and search, everything appears and works. This is also true after a reboot, just in case anybody suggested it. Are the YaST allowances to the FW still working, or does everything have to be edited via some config file / table? Thank you.
On Monday 7 November 2022 18:49:00 CET, Andrei Borzenkov wrote:
On 07.11.2022 14:10, Stakanov wrote:
I have two machines running, a TW (always the most recent) and a TrueNAS (FreeBSD based).
On the TrueNAS I am running a jail with miniDLNA to stream movies over the network (to a smart TV but also to a PC). I have also put the pools with Samba on a share with appropriate permissions.
I did allow in the firewall of TW (via YaST): upnp, zeroconf, samba client.
You cannot "allow in firewall of TW (via yast)" anything. You can "allow in the specific zone". And then you must make sure this zone is actually active for the correct interface.
Check your active zones, which zone is assigned to the interface that is used to reach your TrueNAS, and the configuration of *this* zone.
Now guess what: if I run Dolphin to search the network for services, it does not see on TW either upnp services or zeroconf, not even samba.
When I instead stop the firewall and search, everything appears and works. This is also true after a reboot, just in case anybody suggested it. Are the YaST allowances to the FW still working, or does everything have to be edited via some config file / table? Thank you.
Thank you Andrei for your reply. I have two physical network interfaces in the machine. Only one is currently connected to the network.
The interfaces are therefore (I am using wicked):
br0 public
br1 public
docker0 docker (I am not using docker, but apparently this interface is now standard in TW?)
enp7s0 public
enp8s0 public
In the zone public I did define the following allowances: apcupsd dhcpv6-client ipp-client kdeconnect kdeconnect-kde samba-client sip sips upnp-client
On the TrueNAS beforehand I could see: miniDLNA streaming; samba as a service, reachable with user name and password; and I can reach sftp as an ssh-based service with username and password.
If I do not deactivate the fw I do not see a single service. If I currently deactivate the fw, although I am having trouble making upnp miniDLNA work in vlc on TW, I do actually see and am asked for credentials for samba. So my problem is that I do not understand what else I have to define as allowed to make it work in the first place. I mean, the fine-tuning to say I am using two interfaces, several zones etc. makes sense to me only if I am able to get at least the local network behind the (in Germany I could nearly say "obvious") FritzBox router to work.
Open ports I have defined in TW as follows (still to favour miniDLNA): TCP 9100 (for my printer shared over USB on the router), 1714-1764 and 3551. And UDP 1714-1764. SCTP and DCCP none. And still, as long as I do not stop the firewall I do not reach or see my samba share. Oh, and the active zones are the right ones, currently all "public". But thank you for the suggestion.
On 07.11.22 at 20:00, Stakanov wrote:
apcupsd dhcpv6-client ipp-client kdeconnect kdeconnect-kde samba-client sip sips upnp-client
And still, as long as I do not stop the firewall I do not reach or see my samba share.
I am missing at least "samba", not samba-client. But if you have installed samba with YaST, there is (was) a question whether you would like to open the firewall port, and I guess this will open the correct port. simoN -- www.becherer.de
On Monday 7 November 2022 20:26:49 CET, Simon Becherer wrote:
On 07.11.22 at 20:00, Stakanov wrote:
apcupsd dhcpv6-client ipp-client kdeconnect kdeconnect-kde samba-client sip sips upnp-client
And still, as long as I do not stop the firewall I do not reach or see my samba share.
I am missing at least "samba", not samba-client.
But if you have installed samba with YaST, there is (was) a question whether you would like to open the firewall port, and I guess this will open the correct port.
simoN
Well, this is because I understood that, if I am running the samba client on TW and the server on TrueNAS (another machine), then I will have to open for the client, not for the server function? In fact, I do not find a preset for avahi/zeroconf in the firewall presets. As a workaround I suppose that "mdns" is equal to allowing avahi/zeroconf. ...and that actually seems to work. It was mdns that was missing! OK, with this I will go on trying to get at least samba working. I have seen that this partially solves the issue with the Remote TV (showing DR+), but I am still not seeing the offer of miniDLNA from TrueNAS. Actually, I thought that would be easier... not trivial at all. Sidenote: if anybody happens to know the permission settings for SAMBA shares to be accessible as mount points in a miniDLNA jail of TrueNAS, well, I would be a taker. I must have some permission issue on the NAS right now, but I am not understanding which.
On Mon, 7 Nov 2022 20:00, Stakanov <stakanov@...> wrote:
On Monday 7 November 2022 18:49:00 CET, Andrei Borzenkov wrote:
On 07.11.2022 14:10, Stakanov wrote: <snip> In the zone public I did define the following allowances:
apcupsd dhcpv6-client ipp-client kdeconnect kdeconnect-kde samba-client sip sips upnp-client
On the TrueNAS beforehand I could see: miniDLNA streaming; samba as a service, reachable with user name and password; and I can reach sftp as an ssh-based service with username and password.
If I do not deactivate the fw I do not see a single service. If I currently deactivate the fw, although I am having trouble making upnp miniDLNA work in vlc on TW, I do actually see and am asked for credentials for samba. So my problem is that I do not understand what else I have to define as allowed to make it work in the first place. I mean, the fine-tuning to say I am using two interfaces, several zones etc. makes sense to me only if I am able to get at least the local network behind the (in Germany I could nearly say "obvious") FritzBox router to work. Open ports I have defined in TW as follows (still to favour miniDLNA): TCP 9100 (for my printer shared over USB on the router), 1714-1764 and 3551. And UDP 1714-1764.
SCTP and DCCP none.
Q: is "avahi" aka zeroconf installed? Also, "avahi" is missing from your public zone. Whether "samba" or "samba-client" is the right choice I can't say. Both could be a part of the issue. HtH, Yamaban.
On Monday 7 November 2022 21:12:36 CET, Yamaban wrote:
On Mon, 7 Nov 2022 20:00, Stakanov <stakanov@...> wrote:
On Monday 7 November 2022 18:49:00 CET, Andrei Borzenkov wrote:
On 07.11.2022 14:10, Stakanov wrote:
<snip>
In the zone public I did define the following allowances:
apcupsd dhcpv6-client ipp-client kdeconnect kdeconnect-kde samba-client sip sips upnp-client
On the TrueNAS beforehand I could see: miniDLNA streaming; samba as a service, reachable with user name and password; and I can reach sftp as an ssh-based service with username and password.
If I do not deactivate the fw I do not see a single service. If I currently deactivate the fw, although I am having trouble making upnp miniDLNA work in vlc on TW, I do actually see and am asked for credentials for samba. So my problem is that I do not understand what else I have to define as allowed to make it work in the first place. I mean, the fine-tuning to say I am using two interfaces, several zones etc. makes sense to me only if I am able to get at least the local network behind the (in Germany I could nearly say "obvious") FritzBox router to work. Open ports I have defined in TW as follows (still to favour miniDLNA): TCP 9100 (for my printer shared over USB on the router), 1714-1764 and 3551. And UDP 1714-1764.
SCTP and DCCP none.
Q: is "avahi" aka zeroconf installed?
Also, "avahi" is missing from your public zone.
Whether "samba" or "samba-client" is the right choice I can't say.
Both could be a part of the issue.
HtH, Yamaban.
It appears that for TW firewalld settings, the avahi/zeroconf designation has been substituted with mdns. I have avahi installed. As a consequence, putting mdns in the allowed services seems to solve the issue. I do not know if the pure substitution with mdns was a majority decision taken on purpose to overcome the multiple designations. But if not, maybe I should file a bug against it, as users may be confused by this (or not, if they google it and go by trial and error). If anybody knows, please educate me about it. Thank you. (I was anyway confused why there are three names for the very same thing.)
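Putting the three pieces of advice from this thread into commands (Andrei's: check which zone the LAN interface is actually bound to and what that zone allows; Carlos's: make the firewall log what it rejects; and the finding that the firewalld service for avahi/zeroconf is called mdns): the script below is an added example, not code from the thread, from openSUSE or from firewalld. It assumes firewalld with firewall-cmd on the Tumbleweed box, that enp7s0 is the interface facing the LAN (any of the interfaces listed above would do), and firewalld's stock service names mdns, samba-client and upnp-client; the port numbers in the comments are those of the stock service definitions under /usr/lib/firewalld/services/.

```shell
#!/bin/sh
# Added example: diagnose and fix LAN service discovery through firewalld.
# Assumptions: firewalld is the active firewall, firewall-cmd is in PATH,
# and the interface name passed in (e.g. enp7s0) is the one on the LAN.

# Services a client box needs so Dolphin can find a NAS on the LAN:
#   mdns         avahi/zeroconf name resolution, 5353/udp
#   samba-client NetBIOS name service answers, 137-138/udp
#   upnp-client  SSDP answers for DLNA/UPnP, 1900/udp
# (port numbers as in firewalld's stock service definitions)
REQUIRED_SERVICES="mdns samba-client upnp-client"

# Pure helper, no firewall-cmd needed: given a zone's space-separated
# service list, print each required service that is not in it.
missing_services() {
    allowed=" $1 "
    for svc in $REQUIRED_SERVICES; do
        case "$allowed" in
            *" $svc "*) ;;                 # already allowed in the zone
            *) printf '%s\n' "$svc" ;;     # missing
        esac
    done
}

# Which zone is really bound to the LAN interface? Services added to a
# zone that no interface is bound to change nothing (the "active zones"
# point made earlier in the thread).
zone_of() {
    firewall-cmd --get-zone-of-interface "$1"
}

# Report the zone of the interface and the required services it lacks.
check_interface() {
    iface="$1"
    zone=$(zone_of "$iface") || { echo "no zone bound to $iface" >&2; return 1; }
    echo "interface $iface is in zone $zone"
    missing_services "$(firewall-cmd --zone="$zone" --list-services)"
}

# Add the missing services to the permanent config of that zone and
# reload, so the change survives a reboot and is active now.
fix_interface() {
    iface="$1"
    zone=$(zone_of "$iface") || return 1
    for svc in $(missing_services "$(firewall-cmd --zone="$zone" --list-services)"); do
        firewall-cmd --permanent --zone="$zone" --add-service="$svc"
    done
    firewall-cmd --reload
}

# Make rejected packets visible in the kernel log, which is what "watch
# the firewall log" needs; firewalld tags them with a prefix such as
# FINAL_REJECT so they can be grepped out of journalctl -k.
enable_reject_logging() {
    firewall-cmd --set-log-denied=all
    echo "now run: journalctl -k -f | grep -E 'REJECT|DROP' and retry the Dolphin search"
}

# Usage:
#   sh discover-fw.sh check enp7s0
#   sh discover-fw.sh fix enp7s0
#   sh discover-fw.sh log
case "$1" in
    check) check_interface "$2" ;;
    fix)   fix_interface "$2" ;;
    log)   enable_reject_logging ;;
esac
```

missing_services is kept free of firewall-cmd so the logic can be checked offline; fed the service list posted above for the public zone (apcupsd dhcpv6-client ipp-client kdeconnect kdeconnect-kde samba-client sip sips upnp-client), it reports only mdns, which matches what finally made discovery work. Two things worth keeping in mind when doing this by hand: a --permanent change is not live until --reload, and the opened port ranges (1714-1764, 3551, 9100) do not cover 5353/udp, so no amount of port tuning in that list would have let mDNS answers through.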
participants (5)
- Andrei Borzenkov
- Carlos E. R.
- Simon Becherer
- Stakanov
- Yamaban