<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Samba/SMB</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id257523"></a>Samba/SMB</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2002-2005 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id292634"></a><p>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      “<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation
      License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 3.0 and
    later. If you are running a version of Shorewall earlier than Shorewall
    3.0.0 then please see the documentation for that
    release.</strong></span></p></div><p>If you wish to run Samba on your firewall and access shares between
  the firewall and local hosts, you need the following rules:</p><pre class="programlisting">#ACTION   SOURCE   DEST   PROTO    DEST PORT(S)   SOURCE
#                                                 PORT(S)
SMB/ACCEPT  $FW      loc
SMB/ACCEPT  loc      $FW</pre><p>To pass traffic SMB/Samba traffic between zones Z1 and Z2:</p><pre class="programlisting">#ACTION   SOURCE   DEST   PROTO    DEST PORT(S)   SOURCE
#                                                 PORT(S)
SMB/ACCEPT  Z1       Z2
SMB/ACCEPT  Z2       Z1</pre><p>To make network browsing (“<span class="quote">Network Neighborhood</span>”) work
  properly between Z1 and Z2 <span class="bold"><strong>requires a Windows Domain
  Controller and/or a WINS server.</strong></span> I have run Samba on my firewall
  to handle browsing between two zones connected to my firewall.</p><p>When debugging Samba/SMB problems, I recommend that you do the
  following:</p><div class="orderedlist"><ol type="1"><li><p>Copy <code class="filename">action.Drop</code> and
      <code class="filename">action.Reject</code> from <code class="filename">/usr/share/shorewall</code> to <code class="filename">/etc/shorewall</code>.</p></li><li><p>Edit the copies and remove the <span class="bold"><strong>SMB/DROP</strong></span> and <span class="bold"><strong>SMB/REJECT</strong></span> lines.</p></li><li><p><span class="command"><strong>shorewall restart</strong></span></p></li></ol></div><p>The above steps will cause SMB traffic that is dropped or rejected by
  policy to be logged rather than handled silently.</p><p>If you are using <span class="trademark">Windows XP</span>™ to test your
  setup,make you sure you have a properly configured client firewall .</p><p>You can just remove the copies and <span class="command"><strong>shorewall
  restart</strong></span> when you are finished debugging.</p></div></body></html>