[solved] WORKGROUP is not shown

Hello,
I can’t access WORKGROUP with Samba.

Dolphin-> network-> samba shares->

No workgroup can be found on the local network. This could be caused by an activated firewall.

However, this works:
smb: / “computer name”
and the shares of the relevant computer are shown to me
as they otherwise are under WORKGROUP.

How can I get WORKGROUP to be shown?

Greeting
Ch. Hanisch

and what about if you stop the firewall?

# systemctl stop firewalld

OK. Without the firewall, WORKGROUP is shown.
What settings can I change in the firewall?

regards
Ch. Hanisch

I only know this way, but I’m not a firewall expert:

# firewalld-cmd --permanent --zone=public --add-port=1024-65535/udp
# systemctl restart firewalld

You can also configure the firewall with firewall-config.

I guess you can do that from System Settings applet too.

Probably, firewalld-cmd should be written firewall-cmd (without the “d”).
The ports needed by samba are given here, at least for a simple configuration.
It’s easy to configure firewalld with firewall-config.
Ideally, for a Windows workgroup discovery, it should be sufficient to allow the incoming udp packets from port 137 only.
I don’t know how to do it with firewall-config, but in cli:

iptables -I IN_internal_allow -p udp -s 192.168.0.0/16 --sport 137 -j ACCEPT

Note that the chain IN_internal_allow is defined by firewalld.

OK. - with firewall-config ‘add-port=1024-65535/udp’ works fine.

Sure, sorry for the typo.

Port 137/udp is open in the firewalld config, but Dolphin does not discover Samba shares.

I have answered far too fast and I should have been more specific. Sorry.
When a request is sent to discover the windows shares, the source port is udp/1024-65535 and the destination port is udp/137.
When the master browser answers, its source port is udp/137 and the destination port is the one used by the request.
Therefore, the firewall should allow only those packets. This is more restrictive than allowing packets from any udp ports.
I should have written:
iptables -I IN_<zonename>_allow -p udp -s 0.0.0.0/0 --sport 137 --dport 1024:65535 -j ACCEPT

But this is not permanent. With firewall-cmd:
firewall-cmd --permanent --zone=<zonename> --add-source-port=137/udp
This can also be done with firewall-config (tab “source port”).
The result isn’t as specific, however.

Anyway, firewall-config permits the choice of the zone for an interface. So, it is possible to choose the zone trusted to make network discovery work.
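
The packet flow described in the post above, as an added example that is not part of the original thread: a simplified rule matcher in Python (not firewalld's or iptables' own logic) that checks which of the rules tried in this thread accept the master browser's reply and what else each one lets in. The addresses, the ephemeral port 40000 and the last, subnet-restricted rule are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:  # one inbound UDP packet (constructed sample data)
    src: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:  # simplified model of an ACCEPT rule; None means "any port"
    name: str
    sport: Optional[range] = None
    dport: Optional[range] = None
    source: str = "0.0.0.0/0"

    def accepts(self, p: Packet) -> bool:
        return ((self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport)
                and ip_address(p.src) in ip_network(self.source))

NBNS, HIGH = range(137, 138), range(1024, 65536)

# The rules tried in the thread, plus a subnet-restricted variant (assumption).
RULES = [
    Rule("add-port=137/udp", dport=NBNS),
    Rule("add-port=1024-65535/udp", dport=HIGH),
    Rule("add-source-port=137/udp", sport=NBNS),
    Rule("--sport 137 --dport 1024:65535", sport=NBNS, dport=HIGH),
    Rule("-s 192.168.0.0/16 --sport 137 --dport 1024:65535",
         sport=NBNS, dport=HIGH, source="192.168.0.0/16"),
]

# Constructed inbound packets; addresses and port 40000 are made up.
PACKETS = {
    "browser reply": Packet("192.168.1.10", 137, 40000),
    "other LAN udp": Packet("192.168.1.50", 5353, 40000),
    "sport 137 to low port": Packet("192.168.1.50", 137, 111),
    "off-LAN sport 137": Packet("203.0.113.7", 137, 40000),
}

def accepted_by(packet: Packet) -> list:
    """Names of the rules that would let this packet in."""
    return [r.name for r in RULES if r.accepts(packet)]

if __name__ == "__main__":
    for label, pkt in PACKETS.items():
        print(f"{label:22} -> {accepted_by(pkt)}")
```

Opening 137/udp as a destination port never matches the reply, the 1024-65535/udp rule also admits unrelated UDP traffic, and only the rule with a source restriction rejects the off-LAN packet.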

ok. tested with source port 137/udp and it works!
thanks.

postedit: so it seems that source port 137/udp in firewalld->service->samba-client is missing

Then, what is the right command/procedure exactly?
So we can mark it as the issue solution.

I think that adding source port 137/udp in the firewalld config could be the best solution.

Hmm, right now, I don’t see any reason to not add it.
Maybe, we could ask other people for more tests before?

Hello,
only the command

# firewall-cmd --permanent --zone=public --add-source-port=137/udp

has no effect on showing WORKGROUP.

Additionally, the command

# iptables -I IN_public_allow -p udp -s 0.0.0.0/0 --sport 137 --dport 1024:65535 -j ACCEPT

lets me see the WORKGROUP.

regards
Ch. Hanisch

And if you restart firewalld?
systemctl restart firewalld

It also works after a reboot.