This Novell Cool Solutions page starts a trail on getting Samba working with SuSEfirewall switched on. It explains all the key components well and provides references for further reading.
Although a solution is provided, it only covers the situation where you will never be using one of the interfaces, and it relies on other software to manipulate the iptables system (the kernel-level firewall, if you will). I wanted to keep things simple and thought I’d try to champion a way, or at least build reasoning on enabling SMB over the firewall using the standard YaST tools, without opening the share up to who knows what on the big bad Internet.
It actually led me to read Chapter 23 of the SUSE Linux Reference Guide about Security in Linux. It’s a well written doc that explains how the operating system uses iptables to manipulate packets that flow through a machine. The other key concept explained in this doc is the firewall zones: internal, external and DMZ (demilitarised zone), which may be new to you if you are coming from a mainstream firewall on a Windows OS. Each interface is associated with one zone only.
The internal zone consists of interfaces that are usually plugged into each other – places on a local LAN you can trust. The external zone consists of the Internet and other untrusted sources. SUSE’s default setup is to place both your network interfaces in the external zone. The YaST wizard steers you down one path, and the only place you can dictate allowed services with minimal effort is the external zone.
I think SuSEFirewall makes the assumption that you are connecting one port directly to a DSL modem (ppp interface) and you have a separate network cable going out to your local server. One interface is external and the other internal, and thus you can specify what services can run between LAN machines and what services can run between Internet machines separately.
When researching this problem, I noticed that writers of firewall articles were careful to emphasise the importance of setting the zones correctly, and that is another piece of the puzzle. If all your interfaces and services run out of the external zone, but the external zone merely represents a connection to a router, then it’s your router’s responsibility to be the firewall for your network.
There is still more to read, and I’ll edit this blog as I get to them.
Ways to configure SuSEfirewall
Consider SuSEFirewall as an interface to the iptables rules that the operating system uses for its packet filtering. SuSEFirewall can be configured with YaST’s Security->Firewall component, which provides wizards for ‘ease-of-use’ setup. The only problem is that there is no specific SMB Client rule and the SMB Server rule doesn’t appear to work.
/etc/sysconfig/SUSEfirewall2 is the controlling file of the firewall. It’s a good config file to read as it explains all the parameters with examples. This file is what the YaST module actually writes to once you’ve made changes to the firewall. I found that you can also manipulate this file via the /etc/sysconfig module in YaST, which just wraps the comments and their parameters up in a nifty GUI.
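To make the zone argument concrete, here is an added example (not from the original post or from SUSE) that audits a SUSEfirewall2 sysconfig file for SMB ports opened in the external zone, run against two constructed configs: the default-style layout with both NICs in the external zone, and the corrected one with the LAN NIC moved to the internal zone. The variable names are the real SUSEfirewall2 ones; the interface names eth0/eth1 and the port lists are assumptions.

```shell
#!/bin/sh
# Audit a SUSEfirewall2 sysconfig file: are the SMB ports opened in the external
# zone, and is there an internal zone at all? Prints one of:
#   EXPOSED:<ports>   NO_INTERNAL_ZONE   OK
# Only bare port tokens are checked; a range such as "137:139" would be missed.
smb_zone_audit() {
    (
        FW_DEV_INT=""; FW_SERVICES_EXT_TCP=""; FW_SERVICES_EXT_UDP=""
        . "$1"                      # the file is plain shell variable assignments
        exposed=""
        for q in $FW_SERVICES_EXT_TCP; do
            case "$q" in 139|445) exposed="$exposed tcp/$q" ;; esac
        done
        for q in $FW_SERVICES_EXT_UDP; do
            case "$q" in 137|138) exposed="$exposed udp/$q" ;; esac
        done
        if [ -n "$exposed" ]; then echo "EXPOSED:$exposed"
        elif [ -z "$FW_DEV_INT" ]; then echo "NO_INTERNAL_ZONE"
        else echo "OK"; fi
    )
}

# Constructed sample configs (interface names eth0/eth1 are assumptions).
WEAK_CFG=$(mktemp); FIXED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$FIXED_CFG"' EXIT

# Weak: both NICs in the external zone and SMB opened there, so the share is
# reachable from the router side as well as from the LAN.
cat > "$WEAK_CFG" <<'EOF'
FW_DEV_EXT="eth0 eth1"
FW_DEV_INT=""
FW_SERVICES_EXT_TCP="139 445"
FW_SERVICES_EXT_UDP="137 138"
EOF

# Fixed: LAN NIC in the internal zone, SMB allowed only there. FW_PROTECT_FROM_INT
# must be "yes" for the FW_SERVICES_INT_* lists to be enforced at all.
cat > "$FIXED_CFG" <<'EOF'
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_INT_TCP="139 445"
FW_SERVICES_INT_UDP="137 138"
FW_PROTECT_FROM_INT="yes"
EOF

smb_zone_audit "$WEAK_CFG"    # EXPOSED: tcp/139 tcp/445 udp/137 udp/138
smb_zone_audit "$FIXED_CFG"   # OK
```

Point it at the real /etc/sysconfig/SUSEfirewall2 to confirm the YaST wizard has not quietly left the SMB ports in the external zone.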