nixos/samba-wsdd: openFirewall option does not allow multicast traffic #309910
Comments
Is this variant working?:
Information from https://github.com/christgau/wsdd#firewall-setup
On my home server I use this variant:
Oh, I just realized my iptables commands are completely bogus. The reason this works anyway is that firewall.service will fail silently and just not start lol. Here's a config that actually works:

```nix
networking.firewall.extraCommands = ''
  iptables -A nixos-fw -p udp -m conntrack --ctstate NEW -m pkttype --pkt-type multicast -d 239.255.255.250 -j nixos-fw-accept
  ip6tables -A nixos-fw -p udp -m conntrack --ctstate NEW -m pkttype --pkt-type multicast -d ff02::c -j nixos-fw-accept
'';
```

I'm still improving on this at the moment. IPv4 is not really working.
```nix
networking.firewall.extraCommands = ''
  iptables -A nixos-fw -p udp -m pkttype --pkt-type multicast -m udp --dport 3702 -d 239.255.255.250/32 -j nixos-fw-accept
  ip6tables -A nixos-fw -p udp -m pkttype --pkt-type multicast -m udp --dport 3702 -d ff02::c/128 -j nixos-fw-accept
'';
```

I think this should be sufficiently precise. I have confirmed that it works via IPv6 and IPv4. Afaik this will not work with nftables, sadly.
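To compare how tightly the two rule sets posted in the comments above are scoped, the following added example (not part of the original thread and not nixpkgs code) parses each command and reports which restrictions are missing. The function names `parse_rule` and `audit_rule` and the criteria checked are assumptions made for illustration.

```python
import ipaddress
import shlex

# WS-Discovery port and multicast groups, as used in the rules in this thread.
WSD_PORT = "3702"
WSD_GROUPS = {
    "iptables": ipaddress.ip_network("239.255.255.250/32"),
    "ip6tables": ipaddress.ip_network("ff02::c/128"),
}

def parse_rule(line):
    """Split one iptables/ip6tables command into (tool, {option: value})."""
    tokens = shlex.split(line)
    tool, opts, i = tokens[0], {"-m": []}, 1
    while i + 1 < len(tokens):
        if not tokens[i].startswith("-"):
            i += 1
            continue
        if tokens[i] == "-m":  # -m repeats (conntrack, pkttype, udp)
            opts["-m"].append(tokens[i + 1])
        else:
            opts[tokens[i]] = tokens[i + 1]
        i += 2
    return tool, opts

def audit_rule(line):
    """Return scoping findings for a WSD accept rule; [] means tightly scoped."""
    tool, opts = parse_rule(line)
    if tool not in WSD_GROUPS:
        return [f"unknown tool {tool!r}"]
    findings = []
    if opts.get("-p") != "udp":
        findings.append("protocol is not restricted to udp")
    if opts.get("--dport") != WSD_PORT:
        findings.append("no --dport 3702: any UDP port to this destination is accepted")
    try:
        exact = ipaddress.ip_network(opts.get("-d", "")) == WSD_GROUPS[tool]
    except ValueError:
        exact = False
    if not exact:
        findings.append("destination is not exactly the WSD multicast group")
    if opts.get("--pkt-type") != "multicast":
        findings.append("not limited to multicast frames")
    return findings

# Rules copied verbatim from the two comments above.
FIRST = ["iptables -A nixos-fw -p udp -m conntrack --ctstate NEW -m pkttype --pkt-type multicast -d 239.255.255.250 -j nixos-fw-accept",
         "ip6tables -A nixos-fw -p udp -m conntrack --ctstate NEW -m pkttype --pkt-type multicast -d ff02::c -j nixos-fw-accept"]
SECOND = ["iptables -A nixos-fw -p udp -m pkttype --pkt-type multicast -m udp --dport 3702 -d 239.255.255.250/32 -j nixos-fw-accept",
          "ip6tables -A nixos-fw -p udp -m pkttype --pkt-type multicast -m udp --dport 3702 -d ff02::c/128 -j nixos-fw-accept"]
```

Calling `audit_rule` on each entry of `FIRST` and `SECOND` returns the list of findings for that rule.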
Describe the bug
Machines (called "servers" from here on) running the samba-wsdd modules with openFirewall set to true will announce themselves on the network when wsdd starts up, but will not receive multicasts from scanning Windows machines (called "clients" from here on). This results in servers only showing up in the Windows Explorer network section when wsdd is (re-)started while the Explorer is open, but not when you open or refresh the Explorer while wsdd is running.
Steps To Reproduce
Steps to reproduce the behavior:
1. systemctl stop firewall.service
Expected behavior
services.samba-wsdd.openFirewall should configure the firewall in a way that does not block any traffic sent or received by the service. I have found this configuration, which works for me*:

*Edit: Because it crashes firewall.service, oops.

I don't know whether this is fine security-wise.

IPv6 should probably also be configured similarly.

Notify maintainers
@Izorkin
Metadata