LinuxQuestions.org
Old 07-24-2005, 06:32 PM   #1
apachedude
Member
 
Registered: Aug 2004
Location: California
Distribution: SuSE 10.0 (SUPER)
Posts: 356

Rep: Reputation: 31
Samba and SuSEFirewall2


I'd like to call attention to something wrong, or at least unintuitive, about how SuSEFirewall2 works with Samba. I have used SuSE 9.1 and 9.2 before switching over to Slackware. I have since returned to SuSE 9.3.

I believe that the problem is more severe than it seems. A search of samba firewall in the SuSE/Novell forum alone returns the following threads, none of which seems to end definitively. I believe the problem is that conventional solutions to this problem do not work, as this is a problem peculiar to SuSE.

During my first stint with SuSE, I noticed that I could not access Samba shares unless SuSEFirewall2 was disabled. When I switched to Slackware, I used different firewall frontends (Guarddog), and I was able to get my Samba working with no problems. This leads me to believe there was some problem with SuSEFirewall2. Since switching to SuSE 9.3, I have been pleasantly surprised by the improvements, especially in hardware detection, but still, there are problems with the firewall.

The most specific solution I've seen to this problem yet is http://lists.samba.org/archive/samba...ry/098121.html but the solution presented does not work for me.

Another problem is that sometimes people "think" the solution works, as they repeatedly enable or disable the firewall to test if they can access Samba shares. Remember that once you successfully access a Samba share (presumably with the firewall off), the directory structure of the share is cached, so when you enable the firewall again, you might think the share works, when it really doesn't.

I ask people with this problem to present the specific details of their problem so that we can diagnose it. Or hopefully, someone truly has their Samba share working with SuSEFirewall2, so that we can figure out this problem.
 
Old 07-26-2005, 02:02 AM   #2
bigchris
Member
 
Registered: Jul 2005
Posts: 41

Rep: Reputation: 15
I was very pleased to read your post. I'm a few steps behind you in that I've finally got samba working, but only at the expense of shutting off the firewall. Now it is time to focus on getting the firewall working and that makes your post very timely. I've not yet tried the information in the link you referenced but should be able to give that a try in a day or two.

From reading the trials and tribulations of others, I have gotten the sense that the configuration of the network plays a big part in determining whether firewall2 works for you. It really seems to be designed around a two NIC concept with one NIC designated "external" for connection to the internet and a second NIC designated "internal" for a local network.

In my own case, I've got a single NIC that "sees" both the internet (via a router) and the local network and while I'd like to set up rules by IP address or range, that seemingly does not come easy with firewall2. And now I'd be delighted for someone to come along and prove me wrong...

Last edited by bigchris; 07-26-2005 at 02:08 AM.
 
Old 07-26-2005, 03:53 AM   #3
apachedude
Member
 
Registered: Aug 2004
Location: California
Distribution: SuSE 10.0 (SUPER)
Posts: 356

Original Poster
Rep: Reputation: 31
I'm very tempted to just uninstall/disable SuSEFirewall2 and go with another firewall I know will work (or at least one that I can make work).
 
Old 07-26-2005, 12:58 PM   #4
bigchris
Member
 
Registered: Jul 2005
Posts: 41

Rep: Reputation: 15
Are you thinking Guarddog? I had a brief look at that last night after I posted and what I saw looked good. It's not Zonealarm but it's closer in terms of ease of use. The only question in my mind is that the Suse RPM is for 9.1 not 9.3 but that may not matter.
 
Old 07-26-2005, 05:02 PM   #5
tumbelo
Member
 
Registered: Mar 2005
Distribution: Suse 9.3, Kubuntu Hoary, Slackware 10.1
Posts: 66

Rep: Reputation: 15
One firewall frontend you could try out is Firestarter. I had lots of problems with it, though. The 9.3 packaged binary didn't work, compiling it from source didn't work either and the 9.2 version had issues with logging which I had to fiddle with. It also jammed outbound connections every now and then without any obvious reason.

Ironically, I found manual iptables configuration to be the easiest way to manage a firewall. I used the Susefirewall2 settings as a template and modified them.

Last edited by tumbelo; 07-26-2005 at 05:04 PM.
 
Old 07-27-2005, 01:47 AM   #6
bigchris
Member
 
Registered: Jul 2005
Posts: 41

Rep: Reputation: 15
Re: Samba and SuSEFirewall2

Quote:
Originally posted by apachedude

The most specific solution I've seen to this problem yet is http://lists.samba.org/archive/samba...ry/098121.html but the solution presented does not work for me.
Make that us! The Windows machines can see Suse just fine but Suse keeps saying it can't find any workgroups as long as the firewall is up.

Time for Plan B I guess.
 
Old 07-27-2005, 10:49 AM   #7
ghight
Member
 
Registered: Jan 2003
Location: Indiana
Distribution: Centos, RedHat Enterprise, Slackware
Posts: 524

Rep: Reputation: 30
I think a better way to get a fix for your issue is to ask a question. SuSEFirewall is (only in my opinion of course) one of the top 5 items that SuSE has going for it. It's easy to use on the surface but it can be very finely tuned if you are willing to get into the config file and read the comments. I've used it religiously including with SAMBA and have had no problems. Post your SuSEFirewall2 file (yes, I know it's long; take out the comments if you have time) and we can take a peek. Also any log files you might have would be equally beneficial.

I'm not saying SuSEFirewall is the best thing since Linux itself, but I'm certain with the proper info, we can get you working. Of course if you want to try something else, that's fine too.
 
Old 07-27-2005, 03:37 PM   #8
bigchris
Member
 
Registered: Jul 2005
Posts: 41

Rep: Reputation: 15
We differ in opinion because you equate "goodness" with being willing to undertake a significant learning experience and I equate goodness to being intuitive and highly usable without having to grok every pebble in the path.

I'm willing to go your way if you'll answer one question for me. My Linux machine is on a local network with six Windows machines and a network printer, all of which are located behind a D-Link DL-624 router. Shields-Up only sees two closed ports and otherwise gives me a clean bill of health.

What value-add would result from enabling the Linux firewall?
 
Old 07-27-2005, 04:09 PM   #9
ghight
Member
 
Registered: Jan 2003
Location: Indiana
Distribution: Centos, RedHat Enterprise, Slackware
Posts: 524

Rep: Reputation: 30
Quote:
Originally posted by bigchris
We differ in opinion because you equate "goodness" with being willing to undertake a significant learning experience and I equate goodness to being intuitive and highly usable without having to grok every pebble in the path.

I'm willing to go your way if you'll answer one question for me. My Linux machine is on a local network with six Windows machines and a network printer, all of which are located behind a D-Link DL-624 router. Shields-Up only sees two closed ports and otherwise gives me a clean bill of health.

What value-add would result from enabling the Linux firewall?
My initial reply was to the original poster, but in response to your post, it's your network! If you don't want to run it, that is perfectly fine by me. Only you can gauge how important your data is to you. As I said, SuSEFirewall is a great firewall and is very configurable. From my chair, it appears you are doing a lot more work to find something "easy" than if you'd just read the comments and make the adjustments as required.

BTW, I don't remember ever using the word "goodness" or even discussing what I equate it with?!!??
 
Old 07-27-2005, 04:47 PM   #10
bigchris
Member
 
Registered: Jul 2005
Posts: 41

Rep: Reputation: 15
Sorry for interrupting - I thought your post was in response to mine. And I'm also sorry if I mischaracterized your intentions by summarizing "great firewall and very configurable" as "goodness".

You're quite right, I do not want to "run my network" any more than I run the train when I buy a ticket to ride it. I want a firewall that will let me tell it by host name or IP address who the good guys are and let it do the network engineering. I see ZoneAlarm as the gold standard and firewall2 isn't even in the same league.
 
Old 07-27-2005, 05:31 PM   #11
apachedude
Member
 
Registered: Aug 2004
Location: California
Distribution: SuSE 10.0 (SUPER)
Posts: 356

Original Poster
Rep: Reputation: 31
Here's the output of iptables -L:
Quote:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
input_ext all -- anywhere anywhere
input_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
target prot opt source destination

Chain input_ext (2 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere PKTTYPE = broadcast udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere PKTTYPE = broadcast udp dpt:netbios-dgm
ACCEPT udp -- anywhere anywhere PKTTYPE = broadcast udp dpt:netbios-ssn
ACCEPT udp -- anywhere anywhere PKTTYPE = broadcast udp dpt:microsoft-ds
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:netbios-ns flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ns
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:netbios-dgm flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-dgm
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:netbios-ssn flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:microsoft-ds flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:microsoft-ds flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:netbios-dgm flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-dgm
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:netbios-ns flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ns
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:netbios-ssn flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
reject_func tcp -- anywhere anywhere tcp dpt:ident state NEW
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp spt:netbios-ns dpts:1024:65535 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-HIGH '
ACCEPT tcp -- anywhere anywhere tcp spt:netbios-ns dpts:1024:65535
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp spt:microsoft-ds dpts:1024:65535 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-HIGH '
ACCEPT tcp -- anywhere anywhere tcp spt:microsoft-ds dpts:1024:65535
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere udp dpt:netbios-dgm
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ssn
ACCEPT udp -- anywhere anywhere udp dpt:microsoft-ds
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV '
DROP all -- anywhere anywhere

Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
I'm not sure how to output my SuSEfirewall2 config file.

I'm wondering if there's any way to have a firewall with rules based on programs. It might not be as sophisticated or as powerful, but it's good enough for me as a home user. I believe that's what bigchris also likes about Zone Alarm, a different paradigm of configuring firewall settings.
 
Old 07-27-2005, 07:14 PM   #12
bigchris
Member
 
Registered: Jul 2005
Posts: 41

Rep: Reputation: 15
Quote:
Originally posted by apachedude

I'm wondering if there's any way to have a firewall with rules based on programs. It might not be as sophisticated or as powerful, but it's good enough for me as a home user. I believe that's what bigchris also likes about Zone Alarm, a different paradigm of configuring firewall settings.
Right on! There are plenty of people who know exactly how to configure a network firewall. What is needed is that the know how gets codified in such a way that users can stand on the shoulders of those who know how and not have to re-invent the knowledge all over again.

A paradigm based on "you're not smart enough / well read enough to use Linux" is not likely to improve its acceptance.
 
Old 07-27-2005, 08:02 PM   #13
ghight
Member
 
Registered: Jan 2003
Location: Indiana
Distribution: Centos, RedHat Enterprise, Slackware
Posts: 524

Rep: Reputation: 30
You know what, your "I'm lazy and that's fine by me" attitude must work well for you and that's fine. However my intention was perceived seems to have been misunderstood, but "bigchris" you certainly seem to be on the offensive. I'm not sure what your issue is with me, but I do this for a living and have been doing so for quite a while. I also can help the original poster so I think I've more than earned a little respect especially from someone that thinks a Dlink firewall and ZoneAlarm are "high security". If this thread no longer applies to you then don't read it, but your attitude is over the top.

By "run it" I was referring to SuSEfirewall. Again, rather than waste more time trying to argue with me, run ZoneAlarm. I've said it in both of my previous posts, I don't care what you use for a firewall. I have SuSEFirewall running in a situation similar to the original posters and the problem he is calling attention to is not completely correct.

If you want to continue to be a jerk then you can shove your attitude up your,... well you know, but then again you are probably too lazy to turn around and find it.

BTW apachedude the SuSEfirewall config is in /etc/sysconfig/SuSEfirewall2, but "bigchris" has pretty much killed any chance of getting any more help from me. Sorry.
 
Old 07-27-2005, 11:36 PM   #14
apachedude
Member
 
Registered: Aug 2004
Location: California
Distribution: SuSE 10.0 (SUPER)
Posts: 356

Original Poster
Rep: Reputation: 31
Here is the output of my SuSEfirewall2 configuration file, if anyone can be of help. ghight, I perfectly understand if you are now unwilling to help, as it is definitely not required of you; at the same time, I believe you misinterpreted bigchris' posts, because I did not read into them anything offensive.

Nevertheless, here it is:
Quote:
FW_DEV_EXT="eth-id-00:11:43:79:50:b9 usb-id-00:e0:6f:60:c4:6f wlan-id-00:12:f0:7b:33:a8"

FW_DEV_INT=""

FW_DEV_DMZ=""

FW_ROUTE="no"

FW_MASQUERADE="no"

FW_MASQ_DEV="$FW_DEV_EXT"

FW_MASQ_NETS="0/0"

FW_PROTECT_FROM_INT="no"

FW_SERVICES_EXT_TCP="137 138 139 445 microsoft-ds netbios-dgm netbios-ns netbios-ssn"

FW_SERVICES_EXT_UDP="137 138 139 445 netbios-ns"

FW_SERVICES_EXT_IP=""

FW_SERVICES_EXT_RPC=""

FW_SERVICES_DMZ_TCP=""

FW_SERVICES_DMZ_UDP=""

FW_SERVICES_DMZ_IP=""

FW_SERVICES_DMZ_RPC=""

FW_SERVICES_INT_TCP=""

FW_SERVICES_INT_UDP=""

FW_SERVICES_INT_IP=""

FW_SERVICES_INT_RPC=""

FW_SERVICES_DROP_EXT=""

FW_SERVICES_REJECT_EXT="0/0,tcp,113"

FW_SERVICES_ACCEPT_EXT=""

FW_TRUSTED_NETS=""

FW_ALLOW_INCOMING_HIGHPORTS_TCP="netbios-ns microsoft-ds"

FW_ALLOW_INCOMING_HIGHPORTS_UDP="netbios-ns microsoft-ds"

FW_FORWARD=""

FW_FORWARD_MASQ=""

FW_REDIRECT=""

FW_LOG_DROP_CRIT="yes"

FW_LOG_DROP_ALL="no"

FW_LOG_ACCEPT_CRIT="yes"

FW_LOG_ACCEPT_ALL="no"

FW_LOG_LIMIT=""

FW_LOG=""

FW_KERNEL_SECURITY="yes"

FW_STOP_KEEP_ROUTING_STATE="no"

FW_ALLOW_PING_FW="yes"

FW_ALLOW_PING_DMZ="no"

FW_ALLOW_PING_EXT="no"

FW_ALLOW_FW_SOURCEQUENCH=""

FW_ALLOW_FW_BROADCAST_EXT="137 138 139 445"

FW_ALLOW_FW_BROADCAST_INT="137 138 139 445"

FW_ALLOW_FW_BROADCAST_DMZ=""

FW_IGNORE_FW_BROADCAST_EXT="no"

FW_IGNORE_FW_BROADCAST_INT="no"

FW_IGNORE_FW_BROADCAST_DMZ="no"

FW_ALLOW_CLASS_ROUTING=""

FW_CUSTOMRULES=""

FW_REJECT=""

FW_HTB_TUNE_DEV=""

FW_IPv6=""

FW_IPv6_REJECT_OUTGOING=""

FW_IPSEC_TRUST="no"

FW_ZONES=""
 
Old 07-28-2005, 10:32 AM   #15
ghight
Member
 
Registered: Jan 2003
Location: Indiana
Distribution: Centos, RedHat Enterprise, Slackware
Posts: 524

Rep: Reputation: 30
I guess I'll take my chances.

You can do this two ways. You can either edit the /etc/sysconfig/SuSEfirewall2 file manually or you can do a couple tests and use Yast to open a port or two. I'll give you both ways and believe it or not, the GUI way is the better method.

Use Yast GUI---
With the firewall on, open a console, su to root, then type this: "watch tail /var/log/firewall". In the output you will see SPT= and DPT= which stands for Source Port and Destination Port. Keep this console open then use the Network desktop icon to search for your network shares. After you get your error message click over to the console and see the ports that come up. The SPT should be 137 and on mine the DPT was 1113. Yours may differ. Write down the DPT number then open the firewall module in Yast. Click the "Allowed Services" section on the left and click "Advanced" in the lower right. Then type the number you have written down in the UDP Ports section. Save it, and restart your firewall and you should be able to see your network. Keep in mind that you should have the Samba ports open in the "Allowed Services" as well. Either select "Samba" from the list or go back to the "Advanced" section and add ports 445, 137, 138 and 139 separated by spaces only in both the TCP and UDP Ports section.

The other way is to open the /etc/sysconfig/SuSEfirewall2 file and find the section that says FW_ALLOW_INCOMING_HIGHPORTS_UDP="" and put 'yes' between the "". This will open all non-privileged (above port 1024) UDP ports which is not the most secure way of doing things.

If it matters, the other firewalls that have not given you problems do not block ports above 1024 so they seem to be "easy" but in fact leave the other 64,512 ports open for probing and cracking. Shields Up only scans the first 1024 ports or so, so it won't tell you this. Ports above 1024 do not run services as "root" so many firewalls take that as acceptable risk and don't bother blocking them in order to prevent the very things that you are experiencing. SuSEfirewall is a very good firewall that steers more towards "total security" although I'm sure it too has its flaws.
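Added example, not part of any post in this thread: the log-reading step ghight describes above, done with a small POSIX shell script instead of watching `tail` by eye. It filters the SFW2-INext-DROP-DEFLT lines (the LOG prefix visible in the iptables -L output posted earlier) for UDP packets with source port 137, prints the source host and destination port of each dropped reply, and then emits a narrower SuSEfirewall2 line than FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes": one that admits replies from port 137 to the unprivileged ports only from a given LAN, using the net,proto,dport,sport tuple form the posted config already uses for FW_SERVICES_REJECT_EXT (assumption: that form accepts an iptables-style dport range such as 1024:65535). The log lines, hostname and addresses are constructed for the example. Why the reply is dropped at all: the name query goes out to the broadcast address while the answer comes back unicast from the peer's port 137, so connection tracking does not treat it as ESTABLISHED and it falls through to the default drop; current kernels ship the nf_conntrack_netbios_ns helper for exactly this case. Two things worth checking against the posted material: the iptables -L listing shows the high-port accept rules for TCP (spt:netbios-ns dpts:1024:65535) but no UDP counterpart, even though the posted config sets FW_ALLOW_INCOMING_HIGHPORTS_UDP, so the two snapshots may not reflect the same configuration; and with FW_DEV_EXT listing the wired, USB and wireless interfaces and FW_TRUSTED_NETS empty, every port in FW_SERVICES_EXT_TCP/UDP is open to whatever network any of those interfaces is attached to.

```shell
#!/bin/sh
# Added example (not from the thread): parse SuSEfirewall2 drop logs to find
# which high UDP port the NetBIOS name-service replies are landing on.
# Assumes the kernel LOG prefix "SFW2-INext-DROP-DEFLT" and the standard
# netfilter LOG field layout (SRC= DST= PROTO= SPT= DPT=).

# Constructed sample of /var/log/firewall. 192.168.0.5 and .7 stand in for
# Windows hosts, 192.168.0.10 for the SuSE box; 10.9.8.7 is an outside probe.
# MAC= and some length fields are omitted since nothing below reads them.
SAMPLE_LOG='Jul 28 10:30:01 suse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.0.5 DST=192.168.0.10 LEN=78 TTL=128 PROTO=UDP SPT=137 DPT=1113 LEN=58
Jul 28 10:30:01 suse kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= SRC=192.168.0.5 DST=192.168.0.10 LEN=48 TTL=128 PROTO=TCP SPT=1042 DPT=445 SYN URGP=0
Jul 28 10:30:03 suse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.0.7 DST=192.168.0.10 LEN=78 TTL=128 PROTO=UDP SPT=137 DPT=1113 LEN=58
Jul 28 10:30:09 suse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=10.9.8.7 DST=192.168.0.10 LEN=40 TTL=52 PROTO=TCP SPT=4444 DPT=135 SYN URGP=0'

# Print "SRC DPT" for every dropped UDP packet whose source port is $1
# (137 = netbios-ns), one line per distinct pair. Log text comes on stdin.
sfw2_dropped_replies() {
    sport="$1"
    grep 'SFW2-INext-DROP' | grep 'PROTO=UDP' | grep "SPT=${sport} " |
        sed -n 's/.*SRC=\([^ ]*\).*DPT=\([0-9]*\).*/\1 \2/p' | sort -u
}

# Distinct destination ports only: the number(s) to put in the UDP Ports
# field in YaST, or in the config line below.
sfw2_reply_ports() {
    sfw2_dropped_replies "$1" | awk '{ print $2 }' | sort -un
}

# Narrower alternative to FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes": accept UDP
# from source port 137 to the unprivileged ports, but only from the LAN
# given as $1. Uses the net,proto,dport,sport tuple form that the posted
# config already uses for FW_SERVICES_REJECT_EXT (assumption: dport may be
# an iptables-style range).
sfw2_accept_line() {
    printf 'FW_SERVICES_ACCEPT_EXT="%s,udp,1024:65535,137"\n' "$1"
}

# Stand-alone run: show what was dropped, then the config line to add.
printf '%s\n' "$SAMPLE_LOG" | sfw2_dropped_replies 137
printf '%s\n' "$SAMPLE_LOG" | sfw2_reply_ports 137
sfw2_accept_line 192.168.0.0/24
```

On a live system, replace SAMPLE_LOG with the output of `grep SFW2-INext-DROP /var/log/firewall` taken while the share browse fails. The same DROP lines are where unsolicited probes show up too (the constructed TCP line to port 135 from 10.9.8.7 is one), which is the case for opening the single reply port the log shows, from the LAN only, rather than all unprivileged UDP ports. And because of the caching that apachedude warns about in the first post, confirm the fix with a fresh connection such as `smbclient -L //host` rather than the desktop's share browser.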
 
  

