From: Andrei Kolu <antik@bsd.ee>
To: freebsd-pf@freebsd.org
Date: Thu, 16 Nov 2006 23:00:57 +0200
Subject: Re: problems connecting samba shares
In-Reply-To: <200611162055.48636.antik@bsd.ee>
List-Id: Technical discussion and general questions about packet filter (pf)

On Thursday 16 November 2006 20:55, Andrei Kolu wrote:
> On Thursday 16 November 2006 20:33, Lawrence Farr wrote:
> > > /etc/pf.conf:
> > > pass in on rl0 proto udp from any to (rl0) port 137 keep state
> > >
> > > # tcpdump -n -e -ttt -i pflog0:
> > > rule 0/0(match): block in on rl0: 192.168.2.100.137 > 192.168.2.101.53259: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
> >
> > Because that came FROM port 137 not TO port 137.
>
> Oops, I thought it wants to connect back to my port 137 - silly me. Then I
> have to open all ports that are higher than 1024?
>
> This line is correct?
>
> pass in proto {tcp,udp} from any to any port 1024:65535 keep state

OK, I'll answer this question myself.

# Ports from 49152 to 65535 are known as Dynamic or Private Ports.
# Ports between 1024 and 49151 are known as the Registered Ports.
# Basically, programs are supposed to register their use of these
# ports and thereby try to be careful and avoid stomping on each other.

Sry, not ports from 1024 and up but starting from 49152 and up.

    # Table name was lost in the archive (angle brackets stripped);
    # <blacklist> is assumed from the file name.
    table <blacklist> persist file "/etc/blacklist"

    set skip on lo0
    set block-policy return
    set loginterface rl0

    scrub in all

    # Default deny inbound, logged to pflog0.
    block in log
    antispoof quick for lo0 inet
    block in from no-route to any

    # Outbound traffic is allowed and creates state for the replies.
    pass out keep state

    pass inet proto icmp from any to any

    # Dynamic/private port range, inbound on every interface.
    pass in proto {tcp,udp} from any to any port 49152:65535 keep state

    # NetBIOS name/datagram service, SSH, SMB over TCP and NetBIOS session.
    pass in quick on rl0 proto udp from any to (rl0) port 137 keep state
    pass in quick on rl0 proto udp from any to (rl0) port 138 keep state
    pass in quick on rl0 proto tcp from any to (rl0) port 22 keep state
    pass in quick on rl0 proto tcp from any to (rl0) port 445 keep state
    pass in quick on rl0 proto tcp from any to (rl0) port 137 keep state
    pass in quick on rl0 proto tcp from any to (rl0) port 139 keep state

    # Last matching rule wins for anything not matched by a quick rule above.
    block on rl0 from <blacklist> to any
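Triage of the pflog entries discussed in this thread, as an added example that is not part of the original posts: it parses the `tcpdump -i pflog0` line format quoted above and sorts each blocked packet by whether it is shaped like the reply to a query the local host sent (source port 137/138, destination a client port) or an unsolicited request to a local SMB port, which is the distinction between traffic that `pass out keep state` already admits and traffic that needs an inbound pass rule. Only the first sample line is the one quoted in the thread; the other two are constructed.

```python
import re
from collections import Counter

# Constructed sample of "tcpdump -n -e -ttt -i pflog0" output: line 1 is the
# entry quoted in the thread, lines 2 and 3 are made up for contrast.
SAMPLE_PFLOG = """\
rule 0/0(match): block in on rl0: 192.168.2.100.137 > 192.168.2.101.53259: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
rule 0/0(match): block in on rl0: 10.0.0.9.51234 > 192.168.2.101.445: S 1:1(0) win 8192
rule 0/0(match): block in on rl0: 192.168.2.100.138 > 192.168.2.101.138: NBT UDP PACKET(138)
"""

# pflog entry as tcpdump prints it: rule, verdict, direction, interface,
# then "src.sport > dst.dport:".
LINE_RE = re.compile(
    r"rule (?P<rule>\S+): (?P<verdict>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)
SMB_PORTS = {137, 138, 139, 445}  # NetBIOS name/datagram/session, SMB over TCP

def classify(line):
    """Return (src, sport, dst, dport, kind) for one pflog entry, or None.
    "reply-to-local-query": service port -> client port (>= 1024), shaped like
    the answer to a request the local host sent; "pass out ... keep state"
    admits real answers with no inbound rule at all.  "inbound-service-request":
    client port -> service port, a peer opening a session to a local service.
    Source ports are chosen by the sender, so this is triage, not a pass rule.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    if sport in SMB_PORTS and dport >= 1024:
        kind = "reply-to-local-query"
    elif dport in SMB_PORTS and sport >= 1024:
        kind = "inbound-service-request"
    elif sport in SMB_PORTS and dport in SMB_PORTS:
        kind = "service-to-service"
    else:
        kind = "other"
    return (m["src"], sport, m["dst"], dport, kind)

def summarize(log_text):
    """Count parsed entries per kind: what outbound state already covers
    versus what genuinely needs an inbound rule."""
    counts = Counter()
    for line in log_text.splitlines():
        v = classify(line)
        if v:
            counts[v[4]] += 1
    return dict(counts)
```

Running `summarize(SAMPLE_PFLOG)` shows the quoted entry as a reply to a locally initiated name query, i.e. the case state tracking on outbound traffic handles without opening any inbound port range.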