ufw blocks samba in 8.10

Thank you for taking the time to report this bug and helping to make Ubuntu better. Unfortunately we can't fix it, because your description didn't include enough information. You may find it helpful to read "How to report bugs effectively" http://www.chiark.greenend.org.uk/~sgtatham/bugs.html. We'd be grateful if you would then provide a more complete description of the problem. We have instructions on debugging some types of problems at http://wiki.ubuntu.com/DebuggingProcedures . At a minimum, we need: 1. the specific steps or actions you took that caused you to encounter the problem, 2. the behavior you expected, and 3. the behavior you actually encountered (in as much detail as possible). Thanks!

Please also add all the files from '/var/lib/ufw', '/etc/ufw' and '/etc/default/ufw' to this bug as separate attachments and give the version of ufw as seen with 'ufw --version'. You also didn't report if the problematic rules are on the server or the client. Thanks in advance.

ufw 0.23.3 --> 8.10 machine

ufw 0.16.2.4 --> 8.04 machine

8.10 machine /etc/default/ufw

8.10 machine /etc/ufw/applications.d

8.10 machine /etc/ufw/applications.d

8.10 machine /etc/ufw/applications.d

8.10 machine /etc/ufw/

8.10 machine /etc/ufw/

8.10 machine /etc/ufw/

8.10 machine /etc/ufw/

8.10 machine /etc/ufw/

8.10 machine /var/lib/ufw/

8.10 machine /var/lib/ufw/

8.10 machine /var/lib/ufw/messages

8.04 machine /etc/default/ufw

8.04 machine /etc/ufw

8.04 machine /etc/ufw

8.04 machine /etc/ufw

8.04 machine /etc/ufw

8.04 machine /etc/ufw

8.04 machine /etc/ufw

8.04 machine /var/lib/ufw

8.04 machine /var/lib/ufw

Problem:

I have two machines 8.04 and 8.10

I have installed samba on both machines and shared a folder on both machines.

I have enabled ufw on both machines.

on 8.04 the samba ports i have opened are:
139:tcp ALLOW 192.168.1.0/24
138:udp ALLOW 192.168.1.0/24
137:udp ALLOW 192.168.1.0/24
445:tcp ALLOW 192.168.1.0/24
135:tcp ALLOW 192.168.1.0/24

on 8.10 the samba ports I have enabled are:
135/tcp ALLOW 192.168.1.0/24
137/udp ALLOW 192.168.1.0/24
138/udp ALLOW 192.168.1.0/24
139/tcp ALLOW 192.168.1.0/24
445/tcp ALLOW 192.168.1.0/24

When ufw is enabled, workgroup/comuputers/shares do not show up in nautilus ... i.e
on 8.04->Network Severs->Windows Network = Blank window
on 8.10->Network->Windows Network = Blank window

I am expecting to see the workgroup icon within which i will see the individual computers.

I only get this expected behavior if i totally disable ufw.

So my problem is that ufw seems to be blocking samba even when the appropriate ports outlined in the samba documentation are opened in ufw.

Additionaly...if i run findsmb on 8.10 machine with ufw enabled...it only shows that 8.10 in the list that findsmb returns. and vice versa for the 8.04 machine

If I disable the ufw and run findsmb again from 8.10....then findsmb shows both 8.10 and 8.04 on the network. and vice versa for 8.04 machine

What is this and what does it do exactly....

# The nf_contrack_netbios_ns has been added
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc nf_conntrack_netbios_ns"

I found this while doing some research....and added it to /etc/default/ufw at the very bottom, disabled and enabled ufw and immediately

smbtree and findsmb were giving me proper results.

Shares are now showing up in the nautilus networks.

to be clear i changed ...

# The nf_contrack_netbios_ns has been added
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc

to

# The nf_contrack_netbios_ns has been added
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc nf_conntrack_netbios_ns"

This is what is needed to make samba with browsing work:

On the server (assumes Intrepid server):
$ sudo ufw allow Samba
$ sudo ufw logging on
$ sudo ufw enable
$ sudo ufw status
Status: loaded

To Action From
-- ------ ----
Samba ALLOW Anywhere

Then on the client:
$ sudo ufw allow from any port 137 proto udp
$ sudo ufw logging on
$ sudo ufw enable
$ sudo ufw status
Firewall loaded

To Action From
-- ------ ----
Anywhere ALLOW 137:udp

The client rule is needed because when browsing, the client sends out a broadcast packet and the servers respond from their own ip address. The broadcast packets and server addresses are different so they aren't added to the connection tracking table, so a specific rule is needed. You can of course limit this to your internal network like so:
$ sudo ufw allow from 192.168.0.1/24 port 137 proto udp

I tested this configuration and confirmed it works fine via Places/Network. If you are stilll having problems, please ensure that you enabled logging as above, and please give the UFW entries from /var/log/kern.log.

Can you also let me know if this "nf_conntrack_netbios_ns" is loaded in your /etc/default/ufw

Thanks.

It is not.

Marking Invalid as it appears to be a configuration issue. Please reopen if this is in error.