Date: Sun, 05 Apr 2009 16:02:57 +0300
From: "Vasadi I. Claudiu Florin" <claudiu.vasadi@gmail.com>
To: freebsd-pf@freebsd.org
Subject: samba and pf (full access rule)
Message-ID: <op.urwzu6k4flcvyi@da1-desktop-x64>
Hello guys,

I have a strange situation here. I'm aware of the issues samba has with firewalling and decided to grant full access to the samba server from one IP. I added a line like:

pass in on $ext_if from <my_ip> to <samba_ip> port {0:65535}

and it worked. Yesterday I decided to play around with NAT, so I added an extra network card (rl1) and started reading. I managed to get NAT up and running, but when returning to my box (the <my_ip> box) I noticed that I could not access the samba server any more. So I retraced my steps and commented out just about everything that could interfere with samba. Nothing worked. Maybe I have some syntax error (none pointed out by pfctl -(n)f <file>) that I haven't figured out yet.

Oh, and one more thing: I changed the rule to macros. Read the pf.conf file and you will understand:

#####################
## Macros I   ######
### Global ###
#####################
me = "192.168.0.2"
ext_if = "rl0"
int_if = "rl1"
lo_if = "lo0"
int_net = "192.168.1.0/24"
router = "192.168.0.1"
allowed_ports = "{ ftp, ssh, smtp, 80, 443, pop3, 65530:65535 }"
allowed_protocols = "{ tcp, udp }"
ks = "keep state"
ss = "synproxy state"
ms = "modulate state"

####################
### Macros II #####
# !! Exceptions !! #
####################
# Allow all ports from 192.168.0.6 to 192.168.0.2 (for SAMBA)
exception_if_1_src = "rl0"            # Interface
exception_ip_1_src = "192.168.0.6"    # !!! ATTENTION !!! These IPs get access to ALL ports
exception_ip_1_dst = "192.168.0.2"    #
exception_proto_1 = "{ tcp, udp }"    # Protocols
exception_port_1 = "{ 0:65535 }"      # Ports

# Edit use
# Remember to uncomment @ Automated rules
#exception_if_2_src =                 # Interface
#exception_ip_2_src = ""              # !!! ATTENTION !!! These IPs get access to ALL ports
#exception_ip_2_dst = ""              #
#exception_proto_2 = ""               # Protocols
#exception_port_2 = ""                # Ports

# Edit use
# Remember to uncomment @ Automated rules
#exception_if_3_src =                 # Interface
#exception_ip_3_src = ""              # !!! ATTENTION !!! These IPs get access to ALL ports
#exception_ip_3_dst = ""              #
#exception_proto_3 = ""               # Protocols
#exception_port_3 = ""                # Ports

## Tables

## Options
set skip on $lo_if
set debug urgent
set loginterface $ext_if
set ruleset-optimization basic
set state-policy if-bound

## Scrub
#scrub in on $ext_if all no-df random-id max-mss 1500 fragment reassemble
#scrub on $ext_if reassemble tcp

## Queueing

## Translation (NAT/RDR)
#nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)

#############################
#####   Filter Rules   ######
#############################
block in log all
pass out all

# Samba from/to 192.168.1.30
#pass in on $int_if proto udp from 192.168.1.30/32 to $int_if port {137, 138}
#pass out on $int_if proto udp from 192.168.1.30/32 to $int_if port {137, 138}
#pass in on $int_if proto tcp from 192.168.1.30/32 to $int_if port {139, 445}
#pass out on $int_if proto tcp from 192.168.1.30/32 to $int_if port {139, 445}

###############################
#####   Automated Rules   #####
# No editing past this point  #
###############################
# Globals
pass in on $ext_if proto $allowed_protocols from any to $ext_if port $allowed_ports

# Exceptions (1,2,3 ... )
pass in on $exception_if_1_src proto $exception_proto_1 from $exception_ip_1_src \
    to $exception_ip_1_dst port $exception_port_1
#pass in on $exception_if_2_src proto $exception_proto_2 from $exception_ip_2_src \
    to $exception_ip_2_dst port $exception_port_2
#pass in on $exception_if_3_src proto $exception_proto_3 from $exception_ip_3_src \
    to $exception_ip_3_dst port $exception_port_3

Also tried with scrub on/off. Didn't work.

The <my_ip> box is 192.168.0.6 and the samba server is 192.168.0.2. pfctl -sr shows the rules being loaded:

pass in on rl0 inet proto tcp from 192.168.0.6 to 192.168.0.2 port 0:65535 flags S/SA keep state (if-bound)
pass in on rl0 inet proto udp from 192.168.0.6 to 192.168.0.2 port 0:65535 keep state (if-bound)

Also I have block in all and pass out all:

block drop in log all
pass out all flags S/SA keep state (if-bound)

I thought that maybe I had misspelled something, so I commented out "exception1" and added:

pass in on rl0 from <my_ip> to <samba_svr> port {0:65535}

It was the same... So I thought that maybe it's samba's fault... well, it's not. Not with pf disabled it's not... so... ideas?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.urwzu6k4flcvyi>
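The macro and { } list expansion that turns the posted pf.conf into the per-protocol rules shown by pfctl -sr, together with pf's last-matching-rule-wins evaluation, as an added example that is not code from the original post or from pf/pfctl itself. The Python below expands macros (including the backslash-continued exception rule), lints for a port match that has no tcp/udp proto (pfctl refuses such a rule with "port only applies to tcp/udp", which is what the shorthand "pass in on rl0 from <my_ip> to <samba_svr> port {0:65535}" would hit if typed literally), and evaluates constructed packets against the expanded rules. Assumptions: SAMPLE_PF_CONF is a constructed subset of the posted ruleset; IFACE_ADDRS assumes rl0 carries the post's "me" address 192.168.0.2; SERVICES is a hand-written /etc/services subset; only filter rules are modelled (no nat/rdr, tables, state tracking, flags, or interface names beyond IFACE_ADDRS).

```python
import ipaddress
import re
# Constructed subset of the ruleset posted above; macro names and values are as posted.
SAMPLE_PF_CONF = r'''
ext_if = "rl0"
allowed_ports = "{ ftp, ssh, smtp, 80, 443, pop3, 65530:65535 }"
allowed_protocols = "{ tcp, udp }"
exception_if_1_src = "rl0"          # Interface
exception_ip_1_src = "192.168.0.6"  # gets access to ALL ports
exception_ip_1_dst = "192.168.0.2"
exception_proto_1 = "{ tcp, udp }"
exception_port_1 = "{ 0:65535 }"
set state-policy if-bound
block in log all
pass out all
pass in on $ext_if proto $allowed_protocols from any to $ext_if port $allowed_ports
pass in on $exception_if_1_src proto $exception_proto_1 from $exception_ip_1_src \
    to $exception_ip_1_dst port $exception_port_1
'''
SERVICES = {"ftp": "21", "ssh": "22", "smtp": "25", "pop3": "110"}  # /etc/services subset
IFACE_ADDRS = {"rl0": "192.168.0.2"}  # assumed: rl0 carries the post's 'me' address
LIST_RE = re.compile(r"\{([^{}]*)\}")

def logical_lines(text):
    """Strip comments and join backslash-continued lines, as the pf.conf lexer does."""
    joined = re.sub(r"\\\n", " ", "\n".join(l.split("#", 1)[0] for l in text.splitlines()))
    return [" ".join(l.split()) for l in joined.splitlines() if l.strip()]

def expand_macros(line, macros):
    def sub(m):
        if m.group(1) not in macros:
            raise ValueError(f"macro '{m.group(1)}' not defined")  # pfctl's wording
        return macros[m.group(1)]
    return re.sub(r"\$([A-Za-z_]\w*)", sub, line)

def expand_lists(line):
    """One rule per combination of { } alternatives, which is what pfctl -sr shows."""
    m = LIST_RE.search(line)
    if not m:
        return [" ".join(line.split())]
    items = [i for i in re.split(r"[,\s]+", m.group(1).strip()) if i]
    return [r for i in items for r in expand_lists(line[:m.start()] + i + line[m.end():])]

def expand_ruleset(text):
    """Collect macros and expand pass/block rules; 'set' options and tables are skipped."""
    macros, rules = {}, []
    for line in logical_lines(text):
        if line.split()[0] in ("pass", "block"):
            rules.extend(expand_lists(expand_macros(line, macros)))
        elif "=" in line:
            name, value = (s.strip() for s in line.split("=", 1))
            macros[name] = value.strip('"')
    return rules

def lint(rules):
    """Rules pfctl refuses to load: a port match needs proto tcp or udp."""
    return [r for r in rules if re.search(r"\bport\b", r) and not re.search(r"\bproto (tcp|udp)\b", r)]

def parse_rule(rule):
    """Fields the matcher needs; log/all/keep state/flags are irrelevant to it."""
    tok = rule.split()
    r = {"action": tok[0], "quick": "quick" in tok, "dir": next((t for t in tok if t in ("in", "out")), None)}
    for key in ("on", "proto", "from", "to", "port"):
        r[key] = tok[tok.index(key) + 1] if key in tok else None
    return r

def addr_matches(spec, addr):
    spec = IFACE_ADDRS.get(spec, spec)  # pf expands an interface name to its addresses
    return spec in (None, "any") or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    lo, _, hi = SERVICES.get(spec, spec).partition(":")  # pf's 'a:b' is an inclusive range
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, pkt):
    """pf semantics: the last matching rule decides, unless a matching rule is 'quick'."""
    decision = "pass"  # pf's default when no rule matches
    for r in map(parse_rule, rules):
        if (r["dir"] and r["dir"] != pkt["dir"]) or (r["on"] and r["on"] != pkt["iface"]):
            continue
        if (r["proto"] and r["proto"] != pkt["proto"]) or not addr_matches(r["from"], pkt["src"]) \
                or not addr_matches(r["to"], pkt["dst"]):
            continue
        if r["port"] and not (pkt["proto"] in ("tcp", "udp") and port_matches(r["port"], pkt["dport"])):
            continue
        decision = r["action"]
        if r["quick"]:
            break
    return decision

def demo():
    """Constructed packets; the NetBIOS broadcast has no posted pass rule covering 192.168.0.255."""
    rules = expand_ruleset(SAMPLE_PF_CONF)
    pkt = lambda proto, src, dst, dport: dict(dir="in", iface="rl0", proto=proto, src=src, dst=dst, dport=dport)
    return rules, {
        "smb445_from_0.6": evaluate(rules, pkt("tcp", "192.168.0.6", "192.168.0.2", 445)),
        "smb445_from_0.7": evaluate(rules, pkt("tcp", "192.168.0.7", "192.168.0.2", 445)),
        "netbios_bcast": evaluate(rules, pkt("udp", "192.168.0.6", "192.168.0.255", 137)),
    }
```

demo() returns the 18 expanded rules (block, pass out, 2 protocols x 7 ports of globals, 2 exception rules) and the verdicts: SMB on 445 from 192.168.0.6 passes via the exception rule, the same packet from another host falls back to "block in log all", and a name-service broadcast to 192.168.0.255:137 is blocked because every pass rule names 192.168.0.2 as the destination. Paste the full posted ruleset in place of SAMPLE_PF_CONF (adding rl1's address to IFACE_ADDRS) to see which rule decides for a given packet before reaching for tcpdump on pflog0.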