net-fs/samba
Create a share in /etc/samba/smb.conf. As usual, /etc/samba/smb.conf.default is a good place to start from.
[myshare]
comment = A cool share.
path = /home/share
browseable = no
read only = yes
valid users = me
Here we're sharing /home/share, and it will only be usable by user "me".
Now in the [global] section, ensure passdb backend is "tdbsam".
[global]
server string = someserver
server role = standalone server
hosts allow = 192.168.1.
passdb backend = tdbsam
disable netbios = yes
dns proxy = no
Here we'll use pdbedit to create passwords.
I believe this requires a UNIX account of the same name to be already created.
As root, run pdbedit -a -u me and enter the password you'd like to use for the account.
Now Samba clients will use that name and password to access the share. Start the service:
rc-service samba start
Assuming you only want to connect using a modern client (Windows 2000 and above?), we only need to expose 445/tcp, since 139/tcp is for Samba on NetBIOS. In addition, we can allow only IPs that we trust to connect. Below we only allow 192.168.1.34 to connect.
#!/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif lo accept comment "accept loopback"
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
        iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
        # Accept ICMP (and so, also ping).
        ip protocol icmp counter accept comment "accept all ICMP types"
        ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
        # Ports to enable.
        tcp dport 22 counter accept comment "accept SSH"
        # Samba
        ip saddr 192.168.1.34 tcp dport 445 counter accept comment "accept Samba from someclient"
        counter comment "count dropped packets"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }
    # If you're not counting packets, this chain can be omitted.
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
}
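
To check that an smb.conf still carries the restrictions set up above (a tdbsam backend, a hosts allow list, NetBIOS disabled to match the 445/tcp-only firewall rule, and a valid users list on every share), here is an added example that is not part of the original page. The function name audit_smb_conf and the [scratch] share are hypothetical, the sample config is constructed, and the backend parameter is written passdb backend, which is the name Samba uses.

```python
import configparser

# Constructed sample: settings from this page plus a hypothetical weak share.
SAMPLE = """\
[global]
hosts allow = 192.168.1.
passdb backend = tdbsam
disable netbios = yes

[myshare]
path = /home/share
read only = yes
valid users = me

[scratch]
path = /tmp/scratch
guest ok = yes
"""

TRUE = {"yes", "true", "1"}  # boolean spellings smb.conf accepts


def audit_smb_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    # Strip indentation so configparser does not read indented keys as continuations;
    # interpolation=None keeps Samba %-macros such as %U from raising errors.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    sections = {name.lower(): cp[name] for name in cp.sections()}
    findings = []
    glob = sections.pop("global", {})
    if glob.get("passdb backend", "").lower() != "tdbsam":
        findings.append("global: passdb backend is not set to tdbsam")
    if not glob.get("hosts allow", "").strip():
        findings.append("global: no hosts allow restriction")
    if glob.get("disable netbios", "no").lower() not in TRUE:
        findings.append("global: NetBIOS enabled, but the firewall only opens 445/tcp")
    for name, share in sections.items():
        if not share.get("valid users", "").strip():
            findings.append(f"{name}: no valid users list")
        # "public" is a synonym for "guest ok"
        if any(share.get(k, "no").lower() in TRUE for k in ("guest ok", "public")):
            findings.append(f"{name}: guest access enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE):
        print(finding)
```

Samba's own testparm reports syntax errors and unknown parameter names; this check only covers the settings listed above.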