Samba/SMB

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

2005-04-14



If you wish to run Samba on your firewall and access shares between the firewall and local hosts, you need the following rules:

/etc/shorewall/rules:

#ACTION   SOURCE   DEST   PROTO    DEST PORT(S)   SOURCE
#                                                 PORT(S)
ACCEPT    fw       loc    udp      137:139
ACCEPT    fw       loc    tcp      137,139,445
ACCEPT    fw       loc    udp      1024:          137
ACCEPT    loc      fw     udp      137:139
ACCEPT    loc      fw     tcp      137,139,445
ACCEPT    loc      fw     udp      1024:          137

Users running Shorewall 2.0.0 or later may simplify the above through use of the AllowSMB action:

#ACTION   SOURCE   DEST   PROTO    DEST PORT(S)   SOURCE
#                                                 PORT(S)
AllowSMB  fw       loc
AllowSMB  loc      fw

To pass SMB/Samba traffic between zones Z1 and Z2:

/etc/shorewall/rules:

#ACTION   SOURCE   DEST   PROTO    DEST PORT(S)   SOURCE
#                                                 PORT(S)
ACCEPT    Z1       Z2     udp      137:139
ACCEPT    Z1       Z2     tcp      137,139,445
ACCEPT    Z1       Z2     udp      1024:          137
ACCEPT    Z2       Z1     udp      137:139
ACCEPT    Z2       Z1     tcp      137,139,445
ACCEPT    Z2       Z1     udp      1024:          137

Again, users running 2.0.0 or later may write:

#ACTION   SOURCE   DEST   PROTO    DEST PORT(S)   SOURCE
#                                                 PORT(S)
AllowSMB  Z1       Z2
AllowSMB  Z2       Z1
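A small consistency check, added here as an example and not part of this Shorewall document: it reads a rules fragment in the simple column layout shown above, expands AllowSMB into the three ACCEPT rules the page lists, and reports which SMB rules are missing in either direction between two zones. Other Shorewall columns and rule forms are assumed absent and are ignored; the sample input is constructed.

```python
# Added check, not from this document: does a rules fragment open SMB both ways?
# Assumes the column layout used above (ACTION SOURCE DEST PROTO DPORT [SPORT]).

# The three rules that AllowSMB stands for on this page, in a fixed order.
SMB_RULES = (
    ("udp", "137:139", None),      # NetBIOS name, datagram and session
    ("tcp", "137,139,445", None),  # NetBIOS session and direct-hosted SMB
    ("udp", "1024:", "137"),       # replies sent from a name server's port 137
)

def parse_rules(text):
    """Collect (src, dst, proto, dports, sport) from ACCEPT and AllowSMB lines."""
    found = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 3:
            continue
        action, src, dst = fields[:3]
        if action == "AllowSMB":                 # expand the action to its rules
            found.update((src, dst, *rule) for rule in SMB_RULES)
        elif action == "ACCEPT" and len(fields) >= 5:
            sport = fields[5] if len(fields) > 5 else None
            found.add((src, dst, fields[3], fields[4], sport))
    return found

def missing_smb_rules(text, zone_a, zone_b):
    """Return the SMB rules absent between zone_a and zone_b, either direction."""
    have = parse_rules(text)
    missing = []
    for src, dst in ((zone_a, zone_b), (zone_b, zone_a)):
        for proto, dports, sport in SMB_RULES:
            if (src, dst, proto, dports, sport) not in have:
                tail = f" sport {sport}" if sport else ""
                missing.append(f"{src} -> {dst} {proto} {dports}{tail}")
    return missing

# Constructed sample: the Z1/Z2 block with its last line mistyped as Z1 -> Z1.
SAMPLE_RULES = """\
ACCEPT    Z1       Z2     udp      137:139
ACCEPT    Z1       Z2     tcp      137,139,445
ACCEPT    Z1       Z2     udp      1024:          137
ACCEPT    Z2       Z1     udp      137:139
ACCEPT    Z2       Z1     tcp      137,139,445
ACCEPT    Z1       Z1     udp      1024:          137
"""

if __name__ == "__main__":
    for gap in missing_smb_rules(SAMPLE_RULES, "Z1", "Z2"):
        print("missing:", gap)   # missing: Z2 -> Z1 udp 1024: sport 137
```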

Making network browsing (“Network Neighborhood”) work properly between Z1 and Z2 requires a Windows Domain Controller and/or a WINS server. I have run Samba on my firewall to handle browsing between two zones connected to my firewall.

When debugging Samba/SMB problems, I recommend that you do the following:

  1. Copy action.Drop and action.Reject from /usr/share/shorewall to /etc/shorewall.

  2. Edit the copies and remove the DropSMB and RejectSMB lines.

  3. shorewall restart

The above steps will cause SMB traffic that is dropped or rejected by policy to be logged rather than handled silently.

You can simply remove the copies and run shorewall restart again when you are finished debugging.