Date:      Thu, 16 Nov 2006 20:11:21 +0200
From:      Andrei Kolu <antik@bsd.ee>
To:        freebsd-pf@freebsd.org
Subject:   Re: problems connecting samba shares
Message-ID:  <200611162011.21765.antik@bsd.ee>
In-Reply-To: <20061116100307.GC32666@nexus.subspacefield.org>
References:  <56217.24.161.8.173.1159492654.squirrel@mail.poklib.org> <200611151910.53727.antik@bsd.ee> <20061116100307.GC32666@nexus.subspacefield.org>

On Thursday 16 November 2006 12:03, you wrote:
> On Wed, Nov 15, 2006 at 07:10:51PM +0200, Andrei Kolu wrote:
> > I am struggling here with PF firewall and just can't connect to any samba
> > share if PF is enabled:
>
> That's because the SMB protocol was designed in total ignorance of
> firewalls (and, to be fair, is much older than the first book on
> firewalls).  Like "talk" and other such protocols, which are virtually
> impossible to do safely across a firewall, it has a mishmash of
> connections in and out and back in again.
>
> You may find this page of mine useful; using the information here
> might get you up and running, but you'll be poking some serious
> holes in the firewall to do this.
>
> http://www.subspacefield.org/~travis/firewalls_and_protocols.html
>
> You may find this old paper interesting though:
> http://web.textfiles.com/hacking/cifs.txt
>
> Ack, I gave in to curiosity, read a bit, and now I need a shower.
> I couldn't get past the "Phase 0".  Perhaps Bill Gates is a genius,
> not because CIFS/SMB is great, but because it is so horrible;
> yet he actually got people to pay for it.  That counts for something.
>
> But given that MS Services for Unix is free, wouldn't you be
> happier using NFS than some dodgy proprietary anachronism that
> is so chock full of arbitrariness that it boggles and stupefies
> the mind?  Let's just pretend IPX and SMB never existed.  In a
> decade nobody will even remember it.  Here's to hoping.

Yes, I understand that SMB is bad, but why does PF block a port that is opened
by the rules?

/etc/pf.conf:
pass in on rl0 proto udp from any to (rl0) port 137 keep state

# tcpdump -n -e -ttt -i pflog0:
rule 0/0(match): block in on rl0: 192.168.2.100.137 > 192.168.2.101.53259: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
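The following pf.conf fragment is an added example, not part of the thread and not Andrei's actual configuration. It places the quoted rule beside rules that cover the direction shown in the pflog line, so the two can be compared. It assumes rl0 is the LAN interface, that the LAN is 192.168.2.0/24 (as the addresses in the pflog output suggest), and that the Samba server is 192.168.2.100.

```pf
# Added example (not from the thread). Assumptions: rl0 is the LAN interface,
# the LAN is 192.168.2.0/24 and the Samba server is 192.168.2.100.
lan_if  = "rl0"
lan_net = "192.168.2.0/24"

# Default deny on the LAN interface. A logged block like this is what shows up
# in pflog as "rule 0/0(match): block in on rl0".
block in log on $lan_if all

# The rule quoted in the message. It passes NetBIOS name-service traffic that
# arrives at THIS host's port 137. The blocked packet arrived at port 53259
# from the server's port 137, so this rule does not match it; it could only
# be passed by a state entry created earlier by the outgoing query.
pass in on $lan_if proto udp from $lan_net to ($lan_if) port 137 keep state

# Name queries sent by this host create a state entry; a unicast reply to the
# same address pair matches that entry and is passed. A query sent to the
# subnet broadcast address (192.168.2.255) creates a state keyed on the
# broadcast address, which a unicast reply from 192.168.2.100 does not match,
# so such a reply falls through to the block rule above.
pass out on $lan_if proto udp from ($lan_if) to $lan_net port 137 keep state

# Pass name-service replies from LAN hosts' port 137 to this host's
# unprivileged ports explicitly. Restricting the source to the LAN subnet
# keeps the hole as small as the NetBIOS broadcast/unicast exchange allows.
pass in on $lan_if proto udp from $lan_net port 137 to ($lan_if) port > 1023 keep state
```

Reading the pflog line the same way the rules are read makes the mismatch visible: the packet is inbound on rl0 with destination port 53259, so a pass rule keyed on destination port 137 is not the rule that decides its fate. The rule set above is deliberately limited to UDP 137; the TCP side of SMB (ports 139 and 445) is not covered here because the message only shows the name-service exchange.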