Hello guys,

I have a strange situation here. I'm aware of the issues samba has with firewalling and decided to grant full access to the samba server from 1 IP. Added a line like:

pass in on $ext_if from <my_ip> to <samba_ip> port {0:65535}

and it worked. Yesterday I decided to play around with NAT, so I added an extra network card (rl1) and started reading. Managed to get NAT up and running but when returning to my box (the <my_ip> box) I've noticed that I could not access the samba server any more. So I backtracked my steps and commented out just about everything that could interfere with samba. Nothing worked. Maybe I have some syntax error (none pointed out by pfctl -(n)f <file>) that I didn't figure out yet.

Oh, and one more thing. I changed the rule to macros. Read the pf.conf file and you will understand.


#####################
##   Macros I  ######
###   Global      ###
#####################

me = "192.168.0.2"
ext_if = "rl0"
int_if = "rl1"
lo_if = "lo0"
int_net = "192.168.1.0/24"
router = "192.168.0.1"
allowed_ports = "{ ftp, ssh, smtp, 80, 443, pop3, 65530:65535 }"
allowed_protocols = "{ tcp, udp }"
ks = "keep state"
ss = "synproxy state"
ms = "modulate state"



####################
###  Macros II #####
# !! Exceptions !! #
####################


# Allow all ports from 192.168.0.6 to 192.168.0.2 (for SAMBA)

exception_if_1_src = "rl0"                # Interface
exception_ip_1_src = "192.168.0.6" # !!! ATTENTION !!! These IP's get access to ALL ports
exception_ip_1_dst = "192.168.0.2"      #
exception_proto_1 = "{ tcp, udp }"      # Protocols
exception_port_1 = "{ 0:65535 }"        # Ports


# Edit use      # Remember to uncomment @ Automated rules

#exception_if_2_src =           # Interface
#exception_ip_2_src = "" # !!! ATTENTION !!! These IP's get access to ALL ports
#exception_ip_2_dst = ""        #
#exception_proto_2 = ""         # Protocols
#exception_port_2 = ""          # Ports


# Edit use      # Remember to uncomment @ Automated rules

#exception_if_3_src =           # Interface
#exception_ip_3_src = "" # !!! ATTENTION !!! These IP's get access to ALL ports
#exception_ip_3_dst = ""        #
#exception_proto_3 = ""         # Protocols
#exception_port_3 = ""          # Ports




## Tables




## Options
set skip on $lo_if
set debug urgent
set loginterface $ext_if
set ruleset-optimization basic
set state-policy if-bound


## Scrub
#scrub in on $ext_if all no-df random-id max-mss 1500 fragment reassemble
#scrub on $ext_if reassemble tcp

## Queueing



## Translation (NAT/RDR)

#nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)


#############################
#####   Filter Rules   ######
#############################

block in log all
pass out all


# Samba from/to 192.168.1.30

#pass in on $int_if proto udp from 192.168.1.30/32 to $int_if port {137, 138}
#pass out on $int_if proto udp from 192.168.1.30/32 to $int_if port {137, 138}
#pass in on $int_if proto tcp from 192.168.1.30/32 to $int_if port {139, 445}
#pass out on $int_if proto tcp from 192.168.1.30/32 to $int_if port {139, 445}






###############################
#####   Automated Rules   #####
# No editing past this point  #
###############################

# Globals

pass in on $ext_if proto $allowed_protocols from any to $ext_if port $allowed_ports


# Exceptions (1,2,3 ... )

pass in on $exception_if_1_src proto $exception_proto_1 from $exception_ip_1_src \
to $exception_ip_1_dst port $exception_port_1

#pass in on $exception_if_2_src proto $exception_proto_2 from $exception_ip_2_src \
to $exception_ip_2_dst port $exception_port_2

#pass in on $exception_if_3_src proto $exception_proto_3 from $exception_ip_3_src \
to $exception_ip_3_dst port $exception_port_3





Also tried with scrub on/off. Didn't work. The <my_ip> box is 192.168.0.6 and the samba server is 192.168.0.2.


pfctl -sr shows the rules being loaded:

pass in on rl0 inet proto tcp from 192.168.0.6 to 192.168.0.2 port 0:65535 flags S/SA keep state (if-bound)
pass in on rl0 inet proto udp from 192.168.0.6 to 192.168.0.2 port 0:65535 keep state (if-bound)

Also I have block in all and pass out all:
block drop in log all
pass out all flags S/SA keep state (if-bound)

Thought that maybe I've misspelled something so I commented out "exception1" and added:
pass in on rl0 from <my_ip> to <samba_svr> port {0:65535}

It was the same...


So I thought that maybe it's samba's fault... well, it's not. Not with pf disabled it's not...

So... ideas?
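Added example, not code from the original post: a small Python model of pf's "last matching rule wins" evaluation, loaded with the rules the pfctl -sr output above shows, so you can check which flows that ruleset passes and which it blocks. It models only the fields those rules use (direction, interface, protocol, source, destination, destination port); `quick`, existing state, NAT and tables are assumed out of scope, and the broadcast address 192.168.0.255 is a constructed test input.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: str                    # "in" or "out"
    iface: Optional[str]              # None = any interface
    proto: Optional[str]              # None = any protocol
    src: Optional[str]                # host or CIDR; None = any
    dst: Optional[str]
    ports: Optional[Tuple[int, int]]  # inclusive destination port range

# The ruleset as pfctl -sr printed it, in load order (block in log all,
# pass out all, then the two expanded "exception 1" rules).
RULES = [
    Rule("block", "in", None, None, None, None, None),
    Rule("pass", "out", None, None, None, None, None),
    Rule("pass", "in", "rl0", "tcp", "192.168.0.6", "192.168.0.2", (0, 65535)),
    Rule("pass", "in", "rl0", "udp", "192.168.0.6", "192.168.0.2", (0, 65535)),
]

def _addr_match(spec: Optional[str], addr: str) -> bool:
    return spec is None or ip_address(addr) in ip_network(spec, strict=False)

def matches(r: Rule, direction, iface, proto, src, dst, dport) -> bool:
    return (r.direction == direction
            and r.iface in (None, iface)
            and r.proto in (None, proto)
            and _addr_match(r.src, src)
            and _addr_match(r.dst, dst)
            and (r.ports is None or r.ports[0] <= dport <= r.ports[1]))

def verdict(direction, iface, proto, src, dst, dport, rules=RULES) -> str:
    """Action of the LAST matching rule, as pf evaluates rules without `quick`.
    A packet matching no rule at all passes (pf's default)."""
    action = "pass"
    for r in rules:
        if matches(r, direction, iface, proto, src, dst, dport):
            action = r.action
    return action

if __name__ == "__main__":
    # Unicast SMB from the client to the samba box on rl0 is passed ...
    print(verdict("in", "rl0", "tcp", "192.168.0.6", "192.168.0.2", 445))
    # ... but a NetBIOS name-service broadcast from the same client is not
    # (destination 192.168.0.255 never matches "to 192.168.0.2"), and the
    # same SMB flow arriving on rl1 instead of rl0 is blocked too.
    print(verdict("in", "rl0", "udp", "192.168.0.6", "192.168.0.255", 137))
    print(verdict("in", "rl1", "tcp", "192.168.0.6", "192.168.0.2", 445))
```

Because `block in log all` is the first rule, every blocked packet shows up on pflog0, so comparing these verdicts with `tcpdump -n -e -ttt -i pflog0` tells you whether the drop is pf's doing or lies outside the filter.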
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
