UFW firewall still blocking SMB despite adding rules

Question

I have an Ubuntu PC with ufw firewall (GUI version). I have added the preset Samba service, in and out, and even tried adding the ports manually (135-139, 445, UDP and TCP, in and out), but it still blocks samba.

I am trying to access a share on another PC on my LAN. If I disable ufw, it works fine. It must be still blocking something and I can't figure it out. Any ideas?

I'm on Ubuntu 11.04 beta 2.

score 35 · Answer 1 · edited Sep 22 '12 at 00:14

35

Mike's sudo ufw allow Samba works like a charm.

I personally prefer restricting to my private subnet, so for others who like the same, use:

$ sudo ufw allow from 192.168.0.0/16 to any app Samba

Also, try running sudo ufw app list for a list of other apps you can use as short-hand to the required ports (eg. Postfix, OpenSSH, etc). Makes your firewall rules list a lot easier to read and maintain.

edited Sep 22 '12 at 00:14

RolandiXor

51,091
31
161
256

answered Sep 06 '12 at 17:22

Omar

359
3
2

2

I like to add a "`comment 'passing samba from local'`" (without outer quotes) to the end of the ufw command line as a reminder so that when you do `sudo ufw status numbered` (or whatever) you can see why the rules are there. – pbhj Sep 22 '16 at 20:01
2

Samba application rules are not installed by default – wakeup May 29 '17 at 17:49

score 16 · Answer 2 · edited Feb 26 '12 at 05:01

16

To allow samba with ufw use the following command

sudo ufw allow Samba

See the links given to you by other users for additional information.

edited Feb 26 '12 at 05:01

Panther

100,877
19
193
283

answered Feb 26 '12 at 02:36

Mike

177
1
2

5

Samba application rules are not installed by default – wakeup Jun 13 '17 at 09:23

score 12 · Answer 3 · edited Aug 26 '23 at 10:36

As I found no ufw profile for Samba 4 AD DC I set up my own which worked for me (opens the ports as listed in the Samba Wiki: Ports for Samba 4 as AD DC) and is easier to manage :

Create a new file: /etc/ufw/applications.d/samba-ad-dc with the following content

 [samba-ad-dc]
 title=Samba 4 AD DC
 description=Samba 4 as domain controller
 ports=53|88|135/tcp|137/udp|138/udp|139/tcp|389|445/tcp|464|636/tcp|3268/tcp|3269/tcp|49152:65535/tcp

Now add it to ufw with one of the following commands:
- `sudo ufw allow from 192.168.192.0/24 to any app samba-ad-dc` if you want to only allow it on your 192.168.1.0/24 network
- sudo ufw allow samba-ad-dc if you want to allow it for every network

If you enter sudo ufw status verbose it will output something like the following

To                         Action      From
--                         ------      ----
...
53 (samba-ad-dc)           ALLOW IN    192.168.1.0/24
88 (samba-ad-dc)           ALLOW IN    192.168.1.0/24
135/tcp (samba-ad-dc)      ALLOW IN    192.168.1.0/24
137/udp (samba-ad-dc)      ALLOW IN    192.168.1.0/24
138/udp (samba-ad-dc)      ALLOW IN    192.168.1.0/24
139/tcp (samba-ad-dc)      ALLOW IN    192.168.1.0/24
389 (samba-ad-dc)          ALLOW IN    192.168.1.0/24
445/tcp (samba-ad-dc)      ALLOW IN    192.168.1.0/24
464 (samba-ad-dc)          ALLOW IN    192.168.1.0/24
636/tcp (samba-ad-dc)      ALLOW IN    192.168.1.0/24
3268/tcp (samba-ad-dc)     ALLOW IN    192.168.1.0/24
3269/tcp (samba-ad-dc)     ALLOW IN    192.168.1.0/24
49152:65535/tcp (samba-ad-dc) ALLOW IN    192.168.1.0/24

score 7 · Accepted Answer · answered Apr 23 '11 at 18:14

7

Try this:

As root, open /etc/default/ufw

Look for the line like this:

IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc"

Add nf_conntrack_netbios_ns to the line so that it looks like this:

IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc nf_conntrack_netbios_ns"

Now reload the firewall:

sudo ufw reload

answered Apr 23 '11 at 18:14

Andrew Lambert

965
6
7

3

`echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper` is also necessary with newer kernels – Ayell Apr 15 '18 at 23:02
1

FWIW that will probably fail as the user doesn't have access to that file. Instead, `echo 1 | sudo tee /proc/sys/net/netfilter/nf_conntrack_helper` should work. – pbhj Nov 22 '20 at 00:15

score 5 · Answer 5 · edited Jun 07 '12 at 22:38

5

You can use logging to find out if you're blocking a port that should not be blocked.

tail -f /var/log/ufw.log

Some extra information in case you havened tried it already: ufw manual , ufw wiki

edited Jun 07 '12 at 22:38

Don Kirkby

1,437
14
22

answered Apr 23 '11 at 18:54

Gerwin

51
1

Helped me. The client used the external IPv6 address in my case so the allow rules were not working to my surprise. – Benjamin Peter Oct 21 '20 at 15:41

score 1 · Answer 6 · answered Oct 16 '11 at 21:35

I had the same problem.

Here's what I suggest: After installing Gufw, make sure you log out of your account and then log back in.

It worked for me.

In general, whenever you have a problem with software you just installed, try the above suggestion first.

You will be surprised as to how often it cures the problem.

UFW firewall still blocking SMB despite adding rules

6 Answers6

Linked