I recently started using pf for my firewall on FreeBSD 6.2. When the firewall
is enabled, it takes smbd a very long time to start, about 2-3 minutes. When
the firewall is disabled, it starts immediately. IIRC, I did not have this
problem using IPF. Anyone have any idea why this is?
Below are my smb.conf and pf.conf for reference (system default comments have
been removed).
pf.conf:
# $FreeBSD: src/etc/pf.conf,v 1.2.2.1 2006/04/04 20:31:20 mlaier Exp $
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
# Macros: define common values, so they can be referenced and changed easily.
ext_wireless="wi0" # replace with actual external interface name i.e., dc0
ext_wired="xl0"
int_if="vmnet1" # replace with actual internal interface name i.e., dc1
tcp_services="{ 22, 113, 139, 445, 24800 }"
udp_services="{ 68, 137, 138, 139 }"
icmp_types="echoreq"
# Tables: similar to macros, but more flexible for many addresses.
table <allowed> { 10.0.0.0/8, 192.168.1.0/24, 192.168.5.0/24 }
table <denied> { 192.168.1.0/32, 192.168.1.255/32, 172.16.0.0/12, 10.0.0.0/32, \
10.0.0.255/32, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/15, 192.0.2.0/24, \
204.152.64.0/23, 224.0.0.0/3 }
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
antispoof quick for { lo $int_if }
pass out all keep state
pass in quick on $int_if
# block all incoming packets from suspect networks
block in quick on $ext_wireless from <denied> to any
block in quick on $ext_wired from <denied> to any
# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state
pass in quick on $ext_wireless proto tcp from <allowed> to any port $tcp_services flags S/SA keep state
pass in quick on $ext_wireless proto udp from <allowed> to any port $udp_services keep state
pass in quick on $ext_wired proto tcp from <allowed> to any port $tcp_services flags S/SA keep state
pass in quick on $ext_wired proto udp from <allowed> to any port $udp_services keep state
# allow pings from the LANs
pass in inet proto icmp from <allowed> to any icmp-type $icmp_types keep state
-----------------------------
smb.conf
#======================= Global Settings =====================================
[global]
workgroup = GEOS
server string = Samba Server
security = user
load printers = no
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=1048576 SO_SNDBUF=1048576
#============================ Share Definitions ==============================
[homes]
comment = Home directory for %u on %h
browseable = no
writable = yes
path = /usr/home/%u
valid users = %S
guest ok = no
--
Joshua Draper
--------------------
BYU Unix Users Group
http://uug.byu.edu/
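As an added example (not the poster's code), the following evaluates the posted xl0 rules against sample packets using pf's matching semantics, which is a useful check before digging into the smbd delay: a quick rule ends evaluation at the first match, otherwise the last match wins, and a packet that matches no rule at all is passed because this ruleset has no `block in all`. It is a deliberately simplified model: the wi0 rules, scrub, antispoof, state tracking and TCP flags are left out, and the sample packets are constructed.

```python
import ipaddress
import re

# Subset of the posted pf.conf (wired side only; scrub, antispoof, state and
# TCP flags are not modelled): macros, tables and the inbound filter rules.
PF_CONF = """
ext_wired="xl0"
int_if="vmnet1"
tcp_services="{ 22, 113, 139, 445, 24800 }"
udp_services="{ 68, 137, 138, 139 }"
table <allowed> { 10.0.0.0/8, 192.168.1.0/24, 192.168.5.0/24 }
table <denied> { 192.168.1.0/32, 192.168.1.255/32, 172.16.0.0/12, 10.0.0.0/32, 10.0.0.255/32, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/15, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }
pass in quick on $int_if
block in quick on $ext_wired from <denied> to any
pass in quick on $ext_wired proto tcp from <allowed> to any port $tcp_services
pass in quick on $ext_wired proto udp from <allowed> to any port $udp_services
"""

RULE_RE = re.compile(r"^(pass|block) in( quick)? on (\S+)(?: proto (tcp|udp))?"
                     r"(?: from <(\w+)> to any)?(?: port \{([^}]*)\})?$")

def parse(conf):
    """Expand macros, load tables, and turn each filter rule into a tuple."""
    macros, tables, rules = {}, {}, []
    for line in conf.strip().splitlines():
        if m := re.match(r'^(\w+)="(.*)"$', line):
            macros[m[1]] = m[2]
        elif m := re.match(r"^table <(\w+)> \{([^}]*)\}$", line):
            tables[m[1]] = [ipaddress.ip_network(n.strip()) for n in m[2].split(",")]
        else:
            m = RULE_RE.match(re.sub(r"\$(\w+)", lambda x: macros[x[1]], line))
            assert m, "unparsed rule: " + line
            ports = {int(p) for p in m[6].split(",")} if m[6] else None
            # (action, quick, interface, proto, source table, destination ports)
            rules.append((m[1], bool(m[2]), m[3], m[4], m[5], ports))
    return tables, rules

def verdict(tables, rules, iface, proto, src, dport):
    """pf semantics: the last matching rule wins unless a match is 'quick'.
    A packet matching no rule is passed; this ruleset has no 'block in all'."""
    src, result = ipaddress.ip_address(src), "pass"
    for action, quick, on, rproto, table, ports in rules:
        if (on != iface or (rproto and rproto != proto)
                or (table and not any(src in net for net in tables[table]))
                or (ports and dport not in ports)):
            continue
        result = action
        if quick:
            break
    return result
```

Running `verdict` for TCP 22 from an address outside both tables on xl0 returns "pass", which shows the fall-through to pf's default.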