From owner-freebsd-pf@FreeBSD.ORG Thu Nov 16 18:11:27 2006
From: Andrei Kolu
To: freebsd-pf@freebsd.org
Date: Thu, 16 Nov 2006 20:11:21 +0200
Subject: Re: problems connecting samba shares
Message-Id: <200611162011.21765.antik@bsd.ee>
In-Reply-To: <20061116100307.GC32666@nexus.subspacefield.org>
References: <56217.24.161.8.173.1159492654.squirrel@mail.poklib.org> <200611151910.53727.antik@bsd.ee> <20061116100307.GC32666@nexus.subspacefield.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Thursday 16 November 2006 12:03, you wrote:
> On Wed, Nov 15, 2006 at 07:10:51PM +0200,
> Andrei Kolu wrote:
> > I am struggling here with PF firewall and just can't connect to any samba
> > share if PF is enabled:
>
> That's because the SMB protocol was designed in total ignorance of
> firewalls (and, to be fair, is much older than the first book on
> firewalls). Like "talk" and other such protocols, which are virtually
> impossible to do safely across a firewall, it has a mishmash of
> connections in and out and back in again.
>
> You may find this page of mine useful; using the information here
> might get you up and running, but you'll be poking some serious
> holes in the firewall to do this.
>
> http://www.subspacefield.org/~travis/firewalls_and_protocols.html
>
> You may find this old paper interesting though:
> http://web.textfiles.com/hacking/cifs.txt
>
> Ack, I gave in to curiosity, read a bit, and now I need a shower.
> I couldn't get past the "Phase 0". Perhaps Bill Gates is a genius,
> not because CIFS/SMB is great, but because it is so horrible;
> yet he actually got people to pay for it. That counts for something.
>
> But given that MS Services for Unix is free, wouldn't you be
> happier using NFS than some dodgy proprietary anachronism that
> is so chock full of arbitrariness that it boggles and stupefies
> the mind? Let's just pretend IPX and SMB never existed. In a
> decade nobody will even remember it. Here's to hoping.

Yes, I understand that SMB is bad, but why does PF block a port that is opened with rules?

/etc/pf.conf:
pass in on rl0 proto udp from any to (rl0) port 137 keep state

# tcpdump -n -e -ttt -i pflog0:
rule 0/0(match): block in on rl0: 192.168.2.100.137 > 192.168.2.101.53259: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
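As an added example that is not part of the thread, here is a small Python parser for the pflog line format shown in the message, used to check the logged packet against the quoted pass rule. It assumes that 192.168.2.101 is rl0's own address (so that "(rl0)" matches) and infers the protocol from tcpdump's decoded text; the point it makes visible is that the pass rule covers packets to port 137, while the logged packet is a reply from port 137 to port 53259, so no pass rule matches it and it falls through to rule 0.

```python
import re

# Constructed sample input: the pflog line quoted in the message above
# (tcpdump -n -e -ttt -i pflog0 output, timestamp and link-level header omitted).
PFLOG_LINE = ("rule 0/0(match): block in on rl0: 192.168.2.100.137 > "
              "192.168.2.101.53259: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST")

# The pass rule quoted in the message, reduced to the fields a stateless match needs.
# Assumption: "(rl0)" resolves to 192.168.2.101, so the address part always matches here.
PASS_RULE = {"action": "pass", "dir": "in", "ifname": "rl0", "proto": "udp", "dport": 137}

PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

def parse_pflog(line):
    """Split one pflog line into rule number, action, direction, interface,
    endpoints and the decoded protocol text; numeric fields become ints."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised pflog line: %r" % line)
    pkt = m.groupdict()
    for key in ("rule", "sub", "sport", "dport"):
        pkt[key] = int(pkt[key])
    # Heuristic: tcpdump names the transport in its decode ("NBT UDP PACKET", "TCP", ...).
    pkt["proto"] = "udp" if "UDP" in pkt["rest"] else "tcp" if "TCP" in pkt["rest"] else "other"
    return pkt

def rule_matches(rule, pkt):
    """Stateless check: do the rule's direction, interface, protocol and
    destination port describe this packet? The source port is not constrained."""
    return (pkt["dir"] == rule["dir"] and pkt["ifname"] == rule["ifname"]
            and pkt["proto"] == rule["proto"] and pkt["dport"] == rule["dport"])

def diagnose(line, rule=PASS_RULE):
    """Return the parsed packet and a one-line explanation of the rule outcome."""
    pkt = parse_pflog(line)
    if rule_matches(rule, pkt):
        return pkt, "matches pass rule"
    return pkt, ("no match: packet is %s on %s from port %d to port %d, rule wants "
                 "%s on %s to port %d; it fell through to rule %d (%s)"
                 % (pkt["dir"], pkt["ifname"], pkt["sport"], pkt["dport"],
                    rule["dir"], rule["ifname"], rule["dport"], pkt["rule"], pkt["action"]))

if __name__ == "__main__":
    print(diagnose(PFLOG_LINE)[1])
```

A reply like this one is normally admitted by state created when the outgoing query passed a rule with keep state; the log shows no such state existed, which is the thing to check next.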