From: "Vasadi I. Claudiu Florin" <claudiu.vasadi@gmail.com>
Date: Sun, 05 Apr 2009 16:02:57 +0300
To: freebsd-pf@freebsd.org
Subject: samba and pf (full access rule)
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello guys,

I have a strange situation here. I'm aware of the issues samba has with firewalling and decided to grant full access to the samba server from 1 IP. Added a line like:

    pass in on $ext_if from to port {0:65535}

and it worked. Yesterday I decided to play around with NAT, so I added an extra network card (rl1) and started reading. Managed to get NAT up and running but when returning to my box (the box) I've noticed that I could not access the samba server any more. So I backtraced my steps and commented out just about everything that could interfere with samba. Nothing worked. Maybe I have some syntax error (none pointed out by pfctl -(n)f) that I didn't figure out yet.

Oh, and one more thing. I changed the rule to macros. Read the pf.conf file and you will understand:

    #####################
    ## Macros I ######
    ### Global ###
    #####################
    me = "192.168.0.2"
    ext_if = "rl0"
    int_if = "rl1"
    lo_if = "lo0"
    int_net = "192.168.1.0/24"
    router = "192.168.0.1"
    allowed_ports = "{ ftp, ssh, smtp, 80, 443, pop3, 65530:65535 }"
    allowed_protocols = "{ tcp, udp }"
    ks = "keep state"
    ss = "synproxy state"
    ms = "modulate state"

    ####################
    ### Macros II #####
    # !! Exceptions !! #
    ####################
    # Allow all ports from 192.168.0.6 to 192.168.0.2 (for SAMBA)
    exception_if_1_src = "rl0"           # Interface
    exception_ip_1_src = "192.168.0.6"   # !!! ATTENTION !!! These IP's get access to ALL ports
    exception_ip_1_dst = "192.168.0.2"   #
    exception_proto_1 = "{ tcp, udp }"   # Protocols
    exception_port_1 = "{ 0:65535 }"     # Ports

    # Edit use
    # Remember to uncomment @ Automated rules
    #exception_if_2_src =                # Interface
    #exception_ip_2_src = ""             # !!! ATTENTION !!! These IP's get access to ALL ports
    #exception_ip_2_dst = ""             #
    #exception_proto_2 = ""              # Protocols
    #exception_port_2 = ""               # Ports

    # Edit use
    # Remember to uncomment @ Automated rules
    #exception_if_3_src =                # Interface
    #exception_ip_3_src = ""             # !!! ATTENTION !!! These IP's get access to ALL ports
    #exception_ip_3_dst = ""             #
    #exception_proto_3 = ""              # Protocols
    #exception_port_3 = ""               # Ports

    ## Tables

    ## Options
    set skip on $lo_if
    set debug urgent
    set loginterface $ext_if
    set ruleset-optimization basic
    set state-policy if-bound

    ## Scrub
    #scrub in on $ext_if all no-df random-id max-mss 1500 fragment reassemble
    #scrub on $ext_if reassemble tcp

    ## Queueing

    ## Translation (NAT/RDR)
    #nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)

    #############################
    ##### Filter Rules ######
    #############################
    block in log all
    pass out all

    # Samba from/to 192.168.1.30
    #pass in on $int_if proto udp from 192.168.1.30/32 to $int_if port {137, 138}
    #pass out on $int_if proto udp from 192.168.1.30/32 to $int_if port {137, 138}
    #pass in on $int_if proto tcp from 192.168.1.30/32 to $int_if port {139, 445}
    #pass out on $int_if proto tcp from 192.168.1.30/32 to $int_if port {139, 445}

    ###############################
    ##### Automated Rules #####
    # No editing past this point #
    ###############################
    # Globals
    pass in on $ext_if proto $allowed_protocols from any to $ext_if port $allowed_ports

    # Exceptions (1,2,3 ... )
    pass in on $exception_if_1_src proto $exception_proto_1 from $exception_ip_1_src \
        to $exception_ip_1_dst port $exception_port_1
    #pass in on $exception_if_2_src proto $exception_proto_2 from $exception_ip_2_src \
        to $exception_ip_2_dst port $exception_port_2
    #pass in on $exception_if_3_src proto $exception_proto_3 from $exception_ip_3_src \
        to $exception_ip_3_dst port $exception_port_3

Also tried with scrub on/off. Didn't work.

The box is 192.168.0.6 and the samba server is 192.168.0.2.

pfctl -sr shows the rules being loaded:

    pass in on rl0 inet proto tcp from 192.168.0.6 to 192.168.0.2 port 0:65535 flags S/SA keep state (if-bound)
    pass in on rl0 inet proto udp from 192.168.0.6 to 192.168.0.2 port 0:65535 keep state (if-bound)

Also I have block in all and pass out all:

    block drop in log all
    pass out all flags S/SA keep state (if-bound)

Thought that maybe I've misspelled something so I commented out "exception1" and added:

    pass in on rl0 from to port {0:65535}

It was the same.... So I thought that maybe it's samba's fault... well, it's not. Not with pf disabled it's not..... so.... ideas?
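As an added example, not the poster's own pf.conf, here is the same samba exception narrowed to the ports SMB actually uses, with the block rule kept logging so that the rule dropping the traffic can be read off pflog0. The interface name and the two addresses are the ones given in the post; the macro names and everything else in the fragment are assumptions.

```pf
# Added example, not the original poster's ruleset. Assumes rl0 carries
# 192.168.0.2 (samba server) and the client is 192.168.0.6, as in the post.
ext_if  = "rl0"
me      = "192.168.0.2"
smb_cli = "192.168.0.6"

# The posted exception, "port { 0:65535 }", is the whole port range, so it is
# the same as writing no port restriction at all: every tcp/udp service on
# $me is reachable from $smb_cli, not only samba.
#pass in on $ext_if proto { tcp, udp } from $smb_cli to $me port { 0:65535 }

# Narrowed to what SMB needs: NetBIOS name service and datagram service
# (udp 137, 138), NetBIOS session service (tcp 139) and direct-hosted SMB
# over TCP (tcp 445). Everything else from $smb_cli still hits "block in log".
block in log all
pass out all

pass in on $ext_if inet proto udp from $smb_cli to $me port { 137, 138 } keep state
pass in on $ext_if inet proto tcp from $smb_cli to $me port { 139, 445 } \
    flags S/SA keep state
```

Check and load with `pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf`, then reproduce the share access while running `tcpdump -n -e -ttt -i pflog0` (pflog has to be enabled for that interface to exist). Each logged drop carries the number of the rule that matched it, and `pfctl -vvsr` prints the loaded rules with those numbers, so the comparison tells you directly whether the packets are being dropped by `block in log all` and, if so, on which interface and with which addresses they actually arrived; a packet logged on rl1, or with a source other than 192.168.0.6, can never match the exception rule as written. One expected side effect of the narrow rules: NetBIOS browse and name-service broadcasts go to 192.168.0.255 rather than to $me, so they will show up in pflog as drops. That does not stop a connection made directly to \\192.168.0.2, but it is worth recognising so it is not mistaken for the real problem.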