From: "Travis H."
To: Andrei Kolu
Cc: freebsd-pf@freebsd.org
Date: Thu, 16 Nov 2006 04:03:07 -0600
Subject: Re: problems connecting samba shares
Message-ID: <20061116100307.GC32666@nexus.subspacefield.org>
In-Reply-To: <200611151910.53727.antik@bsd.ee>
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

On Wed, Nov 15, 2006 at 07:10:51PM +0200, Andrei Kolu wrote:
> I am struggling here with PF firewall and just can't connect to any samba
> share if PF is enabled:

That's because the SMB protocol was designed in total ignorance of
firewalls (and, to be fair, is much older than the first book on
firewalls). Like "talk" and other such protocols, which are virtually
impossible to do safely across a firewall, it has a mishmash of
connections in and out and back in again.

You may find this page of mine useful; using the information here
might get you up and running, but you'll be poking some serious holes
in the firewall to do this.

http://www.subspacefield.org/~travis/firewalls_and_protocols.html

You may find this old paper interesting though:

http://web.textfiles.com/hacking/cifs.txt

Ack, I gave in to curiosity, read a bit, and now I need a shower.
I couldn't get past the "Phase 0".

Perhaps Bill Gates is a genius, not because CIFS/SMB is great, but
because it is so horrible; yet he actually got people to pay for it.
That counts for something.

But given that MS Services for Unix is free, wouldn't you be happier
using NFS than some dodgy proprietary anachronism that is so chock
full of arbitrariness that it boggles and stupefies the mind?

Let's just pretend IPX and SMB never existed. In a decade nobody will
even remember it. Here's to hoping.

--
"Cryptography is nothing more than a mathematical framework for
discussing various paranoid delusions." -- Don Alvarez
-><-