problems connecting samba shares

Andrei Kolu antik at bsd.ee
Thu Nov 16 18:11:27 UTC 2006


On Thursday 16 November 2006 12:03, you wrote:
> On Wed, Nov 15, 2006 at 07:10:51PM +0200, Andrei Kolu wrote:
> > I am struggling here with PF firewall and just can't connect to any samba
> > share if PF is enabled:
>
> That's because the SMB protocol was designed in total ignorance of
> firewalls (and, to be fair, is much older than the first book on
> firewalls).  Like "talk" and other such protocols, which are virtually
> impossible to do safely across a firewall, it has a mishmash of
> connections in and out and back in again.
>
> You may find this page of mine useful; using the information here
> might get you up and running, but you'll be poking some serious
> holes in the firewall to do this.
>
> http://www.subspacefield.org/~travis/firewalls_and_protocols.html
>
> You may find this old paper interesting though:
> http://web.textfiles.com/hacking/cifs.txt
>
> Ack, I gave in to curiosity, read a bit, and now I need a shower.
> I couldn't get past the "Phase 0".  Perhaps Bill Gates is a genius,
> not because CIFS/SMB is great, but because it is so horrible;
> yet he actually got people to pay for it.  That counts for something.
>
> But given that MS Services for Unix is free, wouldn't you be
> happier using NFS than some dodgy proprietary anachronism that
> is so chock full of arbitrariness that it boggles and stupefies
> the mind?  Let's just pretend IPX and SMB never existed.  In a
> decade nobody will even remember it.  Here's to hoping.

Yes, I understand that SMB is bad, but why does PF block a port that is opened
with rules?

/etc/pf.conf:
pass in on rl0 proto udp from any to (rl0) port 137 keep state

# tcpdump -n -e -ttt -i pflog0:
rule 0/0(match): block in on rl0: 192.168.2.100.137 > 192.168.2.101.53259: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
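An added example (not from the thread) showing why the logged packet misses the posted rule and what a stateful rule set that admits the reply looks like; the interface rl0 and the 192.168.2.0/24 LAN come from the post, the broadcast-query case is an assumption.

```pf
# Added example, not part of the original post.  Interface and subnet are
# taken from the thread; the broadcast-query case below is an assumption.
lan = "192.168.2.0/24"

# Original rule: it matches packets whose DESTINATION port is 137, i.e.
# name queries arriving at this host.  The blocked packet was
#   192.168.2.100.137 > 192.168.2.101.53259
# with destination port 53259, so this rule never sees it and the
# default "block in" rule (rule 0 in the pflog line) fires instead.
pass in on rl0 proto udp from any to (rl0) port 137 keep state

# Fix 1: create state for the OUTGOING query.  A unicast query from
# (rl0):53259 to 192.168.2.100:137 installs a state entry, and the
# reply 192.168.2.100:137 -> (rl0):53259 matches it on the way back in.
# Limiting the destination to the LAN keeps name queries from leaving it.
pass out on rl0 proto udp from (rl0) to $lan port 137 keep state

# Fix 2 (assumption): NetBIOS name queries are often sent to the subnet
# broadcast address; the unicast reply then comes from a different
# address than the one the state was created for and does not match.
# Admit replies whose SOURCE port is 137, but only from the LAN and only
# to this host, rather than opening port 137 from "any".
pass in on rl0 proto udp from $lan port 137 to (rl0) keep state
```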

