Hello,
On 12/07/2016 07:20 PM, Giovanni Santini wrote:
On 27/09/2016 13:12, Thomas Woerner wrote:
...
If you additionally have direct rules, then also these.
So, I found a workaround for this. After ages, my computer is fully perfectly working. So I did some debugging, trying to ping a NetBIOS reachable machine. This was the output from journalctl with firewalld enabled:
... dic 07 19:06:17 antergos_E1-570G kernel: FINAL_REJECT: IN=wlp3s0 OUT= MAC=48:d2:24:66:ab:ec:00:11:32:3b:7b:60:08:00 SRC=192.168.0.50 DST=192.168.0.103 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=48412 LEN=70 ...
As you can see, the port UDP 137 (used for NetBIOS resolution) is read as source port and not as destination one! So I just added the port 137/udp to the source ports of the samba-client service and it fixed all my problems.
To allow the source port is a solution, but this is allowing all connections using this port as a source.
Should I fix it upstream? I can make a patch easily.
Waiting feedback!
There is a new firewalld version in testing for F-23 and in stable for F-24+: firewalld-0.4.4.2.
Please give this a try. It is providing a fix for selinux-policy to enable firewalld to use the connection tracking modules provided by the kernel.
Please report back on this.
Regards, Thomas
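
An added example, not part of the original thread and not firewalld code: a small triage script for FINAL_REJECT lines like the one quoted above. It separates rejected packets that look like replies connection tracking failed to associate with an outgoing request from genuinely unsolicited inbound traffic. The function names, the second sample line and the port-range heuristic are assumptions made for illustration.

```python
import re

# Constructed sample: the FINAL_REJECT line quoted in the thread, plus one
# made-up unsolicited inbound packet for contrast.
SAMPLE_LOG = """\
dic 07 19:06:17 antergos_E1-570G kernel: FINAL_REJECT: IN=wlp3s0 OUT= MAC=48:d2:24:66:ab:ec:00:11:32:3b:7b:60:08:00 SRC=192.168.0.50 DST=192.168.0.103 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=48412 LEN=70
dic 07 19:07:02 antergos_E1-570G kernel: FINAL_REJECT: IN=wlp3s0 OUT= SRC=192.168.0.77 DST=192.168.0.103 LEN=60 PROTO=TCP SPT=51514 DPT=23 WINDOW=29200 SYN
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
EPHEMERAL_MIN = 32768  # assumption: default lower bound of ip_local_port_range


def parse_reject(line):
    """Return the KEY=VALUE fields of a FINAL_REJECT log line, or None."""
    if "FINAL_REJECT:" not in line:
        return None
    fields = {}
    for key, value in FIELD.findall(line.split("FINAL_REJECT:", 1)[1]):
        fields.setdefault(key, value)  # first LEN is the IP length, keep it
    return fields


def classify(fields):
    """Heuristic (assumption): UDP from a privileged source port to an
    ephemeral local port looks like a reply that conntrack did not relate
    to an outgoing request, rather than a new inbound connection."""
    spt, dpt = int(fields.get("SPT", 0)), int(fields.get("DPT", 0))
    if fields.get("PROTO") == "UDP" and 0 < spt < 1024 and dpt >= EPHEMERAL_MIN:
        return "unmatched-reply"
    return "unsolicited"


def triage(log):
    """Return (SRC, PROTO, SPT, DPT, verdict) for every rejected packet."""
    rows = []
    for line in log.splitlines():
        fields = parse_reject(line)
        if fields:
            rows.append((fields["SRC"], fields.get("PROTO"), int(fields.get("SPT", 0)),
                         int(fields.get("DPT", 0)), classify(fields)))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

A packet flagged as unmatched-reply points at a connection tracking problem, not at a missing port rule, which is why opening 137/udp as a source port is broader than necessary.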