Samba and UFW

Earlier today, I found myself frustrated because I could not see my Samba shares when browsing my network in Nautilus. It turned out to be a firewall issue.

From The Official Samba 3.2.x HOWTO and Reference Guide:

Many people use a firewall to deny access to services they do not want exposed outside their network. This can be a good idea, although I recommend using it in conjunction with the above methods so you are protected even if your firewall is not active for some reason.

If you are setting up a firewall, you need to know what TCP and UDP ports to allow and block. Samba uses the following:

Port 135/TCP - used by smbd
Port 137/UDP - used by nmbd
Port 138/UDP - used by nmbd
Port 139/TCP - used by smbd
Port 445/TCP - used by smbd

The last one is important because many older firewall setups may not be aware of it, given that this port was only added to the protocol in recent years.

When configuring a firewall, the high order ports (1024-65535) are often used for outgoing connections and therefore should be permitted through the firewall. It is prudent to block incoming packets on the high order ports except for established connections.

In order to open these ports, you must run the following commands:

sudo ufw allow proto tcp to any port 135 from 192.168.1.0/24
sudo ufw allow proto udp to any port 137 from 192.168.1.0/24
sudo ufw allow proto udp to any port 138 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 139 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 445 from 192.168.1.0/24

Of course, you should replace 192.168.1.0/24 with the appropriate IP/CIDR subnet for your network.

Generally speaking, I find it useful to add rules by service whenever possible. For example, if I want to open up ports for AOL/AIM, I can add this rule:

sudo ufw allow aol

The syntax is much less verbose and thus easier to remember. You can see a list of all service names by doing

less /etc/services

Not everything will be listed, but most common services are.