From owner-freebsd-pf@FreeBSD.ORG Sun Apr 5 15:25:20 2009
Date: Sun, 05 Apr 2009 18:23:17 +0300
From: "Vasadi I. Claudiu Florin"
To: "Peter Maxwell"
Cc: "freebsd-pf@freebsd.org"
Subject: Re: samba and pf (full access rule)
In-Reply-To: <7731938b0904050718g25673a75s9b0f16a045f891b3@mail.gmail.com>
User-Agent: Opera Mail/9.64 (Win32)

omg, and I thought I was the only one writing novels here .. haha

> Don't worry about syntax errors per se, pfctl won't load a new ruleset
> if its syntax isn't good.

I know.

> You've already said it works without pf loaded, so I'll avoid my usual
> "have you checked your interface IPs and routing table" blurb ;-)

You forgot to ask me if my network RJ45 cable is connected lol.

> Your rule set is small, and it's obviously not a production box so you
> can afford to set every rule to log just now. Do that, then run
> tcpdump on the pflog interface [....]

Already done that. Just that I've done so much it's hard to remember everything on a one-try basis. Now that you mention it, I recall doing tcpdump and nothing out of the ordinary was logged.

> you don't need to open all ports
> for samba.

I know, but first we test, then we narrow down the ports ... etc. I previously opened each port individually and had no success with samba.

> The last thing I'd say is you may be using macros a tad too much.

Will work on the syntax later.

> The documentation at http://www.openbsd.org/faq/pf/ has good
> explanations on most of pretty much everything pf, and you could do
> worse than copy the style from the sample file, at least to start
> with.

Yup, I know, I have a tab with it opened. Am reading it (again).

ok, some info:

I'm working on an XP64 box with no firewall (deactivated), no anti-spy, no anti-nothing....

When (in My Computer) I write \\ I'm able to log into the shares, BUT when I try to access the samba share through My Network Places -> M$ Win Net. -> "domain" -> "samba server" I get "permission denied" and/or "cannot find hostname".

*BUT - 2* If prior to that I deactivate pf (if pf is down I'm able to browse through My Network Places) and establish a connection (click on "samba server" in my "domain") and afterwards re-activate pf, I am able to browse the network (through my net. places). hmm....

Keep in mind that the Windows firewall is down and has no restrictions whatsoever.

//-->> I replaced ports 0:65535 with {135, 137:139, 445} and reloaded the rules
// Knowing that IF a prior connection is established with samba (even with pf up), I first rebooted my XP64 box.

So: pf is up, samba is up, XP64 is rebooted and here we go.

try 1: My Computer -> My Network Places -> Entire Network -> Microsoft Windows Network -> "workgroup name" -> *and no samba server in sight*
try 2: My Computer -> *write* \\ : Windows cannot find hostname
try 3: My Computer -> *write* \\ : works (as always)

I again do "try 1": My Computer -> My Net. Places -> Entire Network -> M$ Win. Network (*stalls for ~10-15 sec*) -> "my workgroup" (stalls again: same time period) -> *and I can see my samba box but cannot access it*

Proof of concept: I deactivate pf, go -> My Net. Places ..... -> am able to see/browse the samba box ( !!! NO STALLS !!! )
I re-activate pf.
Again My Computer -> My Network Places (no stalls up until I want to access the samba box itself, *stall ~10 sec*) -> works

It's not that I'm an idiot and really really want to access samba through My Network Places (am perfectly capable of mapping drives or adding network shares to XP (which are already done btw)), but am really curious why this behaviour. I know samba was written prior to the first firewall book but ...... c'mon, something's wrong and it's slipping by me, and I'm furious.

Ideas ?
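An added example, not the poster's ruleset and not from this thread: one common way to end up with a pf.conf that lets a direct \\<ip> connection through (unicast TCP to 139/445) while the Network Places browsing and \\<hostname> lookups still fail. NetBIOS name queries (137/udp) and the browser datagram service (138/udp) are sent by the Windows client to the subnet broadcast address, and a rule whose destination is the bare interface name only matches the interface's own unicast addresses, so those datagrams fall through to the default block. The interface name, macro names and LAN subnet below are assumptions.

```conf
# Added example (not the list poster's ruleset). Interface name, macro
# names and the LAN subnet are assumptions for illustration only.
int_if  = "em0"
lan_net = "192.168.1.0/24"
smb_tcp = "{ 135, 139, 445 }"
smb_udp = "{ 137, 138 }"

set skip on lo0
block log all

# Weak form: "$int_if" in the destination expands only to the
# interface's own (unicast) addresses. Broadcast NetBIOS traffic to
# 192.168.1.255:137/138 never matches, so name queries and browse
# announcements from the XP client are silently dropped.
# pass in on $int_if proto { tcp, udp } from $lan_net to $int_if port $smb_tcp keep state

# Corrected form: accept the UDP name/datagram services on both the
# interface address and its broadcast address, and keep SMB/RPC unicast
# TCP on a separate rule. "log" lets "tcpdump -n -e -ttt -i pflog0"
# show each hit so the two cases can be told apart.
pass in log quick on $int_if proto udp from $lan_net \
    to { ($int_if), $int_if:broadcast } port $smb_udp keep state
pass in log quick on $int_if proto tcp from $lan_net \
    to ($int_if) port $smb_tcp flags S/SA keep state

# Let the box answer and originate its own traffic on the LAN.
pass out quick on $int_if from ($int_if) to $lan_net keep state
```

Check the ruleset with "pfctl -nf /etc/pf.conf" before loading it (parse only, no load), then watch "tcpdump -n -e -ttt -i pflog0 port 137 or port 138" while browsing from the client: with the weak rule the broadcast queries show up as blocked by the default rule; with the corrected one they show up as passed. A client that resolved the server's name while pf was down will keep using its cached NetBIOS name for a while, which is consistent with browsing working after pf is re-enabled, but the page does not confirm that this is the poster's actual cause.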