ufw/gufw need a preset for samba-client

Bug #579931 reported by komputes on 2010-05-13
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Gufw
Undecided
Unassigned
ufw (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: ufw

Going to "Places > Network" returns "unable to mount location - failed to retrieve share list from server" when ufw is enabled. Turning off ufw allows receiving responses from the samba broadcast (tested in GNOME's "Places > Network" and with smbtree). There is no preset for samba-client in ufw/gufw. This bug requests a "samba-client" preset for ufw/gufw which allows inbound udp ports 1024-65535.

By allowing inbound udp ports 1024-65535, browsing shares through Places > Network works as expected.

This bug is also related to the following:
https://bugs.edge.launchpad.net/ubuntu/+source/gvfs/+bug/474020

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: ufw 0.30pre1-0ubuntu2
ProcVersionSignature: Ubuntu 2.6.32-22.33-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-22-generic i686
NonfreeKernelModules: wl
Architecture: i386
Date: Thu May 13 12:34:38 2010
PackageArchitecture: all
ProcEnviron:
 LANGUAGE=en_CA:en
 PATH=(custom, user)
 LANG=en_CA.UTF-8
 SHELL=/bin/bash
SourcePackage: ufw

costales (costales) wrote :

Hi! Try gufw 10.04.4 with Ubuntu Lucid :) Best regards!

komputes (komputes) wrote :

Marcos, this was already tested in Ubuntu 10.04 using gufw 10.04.4-0ubuntu1.

gufw has a service preset for samba (135, 139, 445/tcp in & 137, 138/udp in). This is only good if you are running a samba server on your own computer and would like people to be able to connect to you.

The preset I am requesting gives the ability to browse network shares using a samba client (1024:65535/udp in).

As you can see in the attached snapshot, setting the firewall to use the samba (server) preset does not allow me to get a reply to the broadcast message and see all the shares on the network.

costales (costales) wrote :

Hi! 1024:65535/udp in > You're opening all UDP ports... Is it safe? :O

komputes (komputes) wrote :

Hi Marcos, I can't believe it is safe, but I have not found a better way to allow the broadcast to be returned so that we may discover the nodes on the network which are sharing samba. It would be worth testing and looking into what samba clients specifically require to be able to see broadcast packets being returned.

costales (costales) wrote :

Hi komputes! :) Sorry, but I think that opening these ports is an insecure solution for a firewall.
Best regards.

Changed in gui-ufw:
status: New → Won't Fix

Opening those ports is not the only solution.
By performing the following ufw command, one can allow Samba connections.

ufw allow Samba

DiQ (dik23) wrote :

On Lucid 32 using 0.30 from repos when I do a :

sudo ufw allow Samba

I get :

ERROR: Could not find a profile matching 'Samba'

Seems a bit odd that UFW is set up to allow you to serve Samba but if you want to browse a network it's not possible. For example if you're running a laptop and go between multiple WLANs then you don't want to be constantly messing with rules to make it possible to view network shares.

Krastanov (krastanov-stefan) wrote :

Samba server needs a number of ports to be open. This bug is not about samba server (which works great).

Samba client needs to be able to receive unicast replies to a multicast query (a completely different problem). The problem is that the firewall does not know if the reply is an inbound attack or an inbound reply to an outbound query. There is a kernel module for that. Permanently opening all UDP ports is a stupid solution. The real solution is given in Bug #360975.

I'm marking it as a duplicate.
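The distinction drawn in the comment above, as an added example that is not part of the original thread and is not ufw or netfilter code: a toy model of stateful UDP filtering showing why the reply to a broadcast name query fails the exact reverse-flow match, how a short-lived expectation scoped to the querying socket admits it, and what the blanket 1024:65535/udp rule admits instead. The `Firewall` class, the addresses and ports, and the 3-second expectation window are all constructed assumptions.

```python
# Added illustration: toy model of stateful UDP filtering, not ufw or netfilter code.
# All addresses, ports and the 3-second expectation window are constructed sample values.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
BROADCAST = LAN.broadcast_address
NBNS_PORT = 137
EXPECT_WINDOW = 3.0  # assumed lifetime of a helper expectation, in seconds


class Firewall:
    def __init__(self, helper=False, blanket_rule=False):
        self.helper = helper              # model of a NetBIOS name-service conntrack helper
        self.blanket_rule = blanket_rule  # model of "allow 1024:65535/udp in"
        self.flows = set()                # (local_ip, local_port, remote_ip, remote_port)
        self.expectations = []            # (local_ip, local_port, expires_at)

    def send(self, now, src, sport, dst, dport):
        """Record an outbound UDP datagram."""
        src, dst = ip_address(src), ip_address(dst)
        self.flows.add((src, sport, dst, dport))
        if self.helper and dst == BROADCAST and dport == NBNS_PORT:
            # Replies will come from hosts we cannot know in advance: expect any
            # LAN source, but only to the querying socket and only for a short time.
            self.expectations.append((src, sport, now + EXPECT_WINDOW))

    def accept_inbound(self, now, src, sport, dst, dport):
        """Return the reason an inbound UDP datagram is accepted, or None to drop."""
        src, dst = ip_address(src), ip_address(dst)
        if (dst, dport, src, sport) in self.flows:
            return "established"          # exact reverse of a flow we started
        for local_ip, local_port, expires in self.expectations:
            if (dst, dport) == (local_ip, local_port) and src in LAN and now <= expires:
                return "expected"
        if self.blanket_rule and 1024 <= dport <= 65535:
            return "blanket"
        return None


def demo(**kw):
    fw = Firewall(**kw)
    fw.send(0.0, "192.168.1.10", 40000, str(BROADCAST), NBNS_PORT)   # name query
    reply = fw.accept_inbound(0.2, "192.168.1.20", 137, "192.168.1.10", 40000)
    stray = fw.accept_inbound(0.2, "203.0.113.5", 53, "192.168.1.10", 5353)
    late = fw.accept_inbound(60.0, "192.168.1.20", 137, "192.168.1.10", 40000)
    return reply, stray, late
```

`demo()` returns the verdicts for the legitimate reply, an unsolicited datagram to an unrelated high port, and the same reply arriving a minute later; compare `demo()`, `demo(helper=True)` and `demo(blanket_rule=True)`.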

roudel (philippe-roudel) wrote :

On Ubuntu 16.04, same issue (unable to browse samba share from my Ubuntu PC as client).

The workaround is to open ports 1024:65535/udp out:

1024:65535/udp out (and only this large port range; the other samba ports are only needed for a samba server on your PC!!!)

A preconfigured rule in the GUFW firewall should be available.
