Date: Sun, 05 Apr 2009 18:23:17 +0300
From: "Vasadi I. Claudiu Florin" <claudiu.vasadi@gmail.com>
To: "Peter Maxwell" <peter@allicient.co.uk>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: samba and pf (full access rule)
Message-ID: <op.urw6c2f4flcvyi@da1-desktop-x64>
In-Reply-To: <7731938b0904050718g25673a75s9b0f16a045f891b3@mail.gmail.com>
References: <op.urwzu6k4flcvyi@da1-desktop-x64> <7731938b0904050718g25673a75s9b0f16a045f891b3@mail.gmail.com>
omg, and I thought I was the only one writing novels here .. haha

> Don't worry about syntax errors per se, pfctl won't load a new ruleset
> if its syntax isn't good.

I know.

> You've already said it works without pf loaded, so I'll avoid my usual
> "have you checked your interface IPs and routing table" blurb ;-)

You forgot to ask me if my network RJ45 cable is connected lol.

> Your rule set is small, and it's obviously not a production box so you
> can afford to set every rule to log just now. Do that, then run
> tcpdump on the pflog interface [....]

Already done that. It's just that I've done so much it's hard, on a one-try basis, to remember everything. Now that you mention it, I recall doing tcpdump and nothing out of the ordinary was logged.

> you don't need to open all ports
> for samba.

I know, but first we test, then we narrow down the ports ... etc. I previously opened each port individually and had no success with samba.

> The last thing I'd say is you may be using macros a tad too much.

Will work on the syntax later.

> The documentation at http://www.openbsd.org/faq/pf/ has good
> explanations on most of pretty much everything pf, and you could do
> worse than copy the style from the sample file, at least to start
> with.

Yup, I know, I have a tab with it opened. Am reading it (again).

ok, some info:

I'm working on a xp64 box with no firewall (deactivated), no anti-spy, no anti-nothing....

When (in My Computer) I write \\<samba-ip> I'm able to log into the shares, BUT when I try to access the samba share through My Network Places -> M$ Win Net. -> "domain" -> "samba server" I get "permission denied" and/or "cannot find hostname".

*BUT - 2* If prior to that I deactivate pf (if pf is down I'm able to browse through My Network Places) and establish a connection (click on "samba server" in my "domain") and afterwards re-activate pf, I am able to browse the network (through my net. places). hmm....

Keep in mind that the windows firewall is down, and has no restrictions what-so-ever.

//-->> I replaced ports 0:65535 with {135, 137:139, 445} and reloaded the rules
// Knowing that IF a prior connection is established with samba (even with pf up), I first rebooted my xp64 box.

So: pf is up, samba is up, xp64 is rebooted and here we go.

try 1: My Computer -> My Network Places -> Entire Network -> Microsoft Windows Network -> "workgroup name" -> *and no samba server in sight*
try 2: My Computer -> *write* \\<samba-comp-name> : windows cannot find hostname
try 3: My Computer -> *write* \\<samba-ip> : works (as always)

I again do "try 1": my comp -> my net. places -> entire network -> M$ win. network (*stalls for ~10-15 sec*) -> "my workgroup" (stalls again: same time period) -> *and I can see my samba box but cannot access it*

Proof of concept: I deactivate pf, go -> my net. places ..... -> am able to see/browse the samba box ( !!! NO STALLS !!! )
I re-activate pf.
Again My Computer -> My Network Places (no stalls up until I want to access the samba box itself *stall ~10 sec*) -> works

It's not that I'm an idiot and really really want to access samba through My Network Places (am perfectly capable of mapping drives or adding network shares to xp (which are already done btw)) but I am really curious why this behaviour. I know samba was written prior to the first firewall book but ...... c'mon, something's wrong and it's slipping by me, and I'm furious.

Ideas?
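An added example, not the poster's rule set or anything shown in the thread: a minimal pf.conf fragment for a Samba server on its LAN side, with the Samba ports split by transport and every rule logged so tcpdump on pflog shows exactly what the block rule drops. Interface names and the LAN prefix are assumed, and the thread does not show which protocol the poster's {135, 137:139, 445} rule matched. NetBIOS name lookups (UDP 137) and browse-list announcements (UDP 138) are sent to the subnet broadcast address, so a rule that matches only TCP, or only traffic addressed to the server's own IP, passes \\<samba-ip> access while browsing by name fails.

```pf
# Added example with assumed names: a Samba server reachable from one LAN.
lan_if  = "em0"                 # assumed LAN interface
lan_net = "192.168.1.0/24"      # constructed LAN prefix

# Samba ports, split by transport:
#   UDP 137  NetBIOS name service   (broadcast name queries, WINS)
#   UDP 138  NetBIOS datagram       (browse list / master browser traffic)
#   TCP 139  NetBIOS session        (SMB over NetBIOS)
#   TCP 445  SMB directly over TCP
#   TCP 135  MS-RPC endpoint mapper (only some domain/RPC operations need it)
samba_udp = "{ 137, 138 }"
samba_tcp = "{ 135, 139, 445 }"

set skip on lo0
block log all                   # default deny, logged: every drop reaches pflog

# Name queries and browser datagrams arrive addressed to the subnet broadcast,
# not to this host's address, so the destination must stay "any" here.
pass in  log on $lan_if inet proto udp from $lan_net to any port $samba_udp keep state

# SMB sessions are unicast to the server; state takes care of the replies.
pass in  log on $lan_if inet proto tcp from $lan_net to $lan_if port $samba_tcp flags S/SA keep state

# Replies to broadcast queries are new unicast packets from this host,
# so they need their own outbound rule; this also covers the host's own traffic.
pass out log on $lan_if inet from $lan_if to $lan_net keep state

# While the client browses the share, watch only what the block rule drops:
#   tcpdump -n -e -ttt -i pflog0 action block
```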