samba and pf (full access rule)

Vasadi I. Claudiu Florin claudiu.vasadi at gmail.com
Sun Apr 5 08:25:20 PDT 2009


omg, and I thought I was the only one writing novels here .. haha



> Don't worry about syntax errors per se, pfctl won't load a new ruleset
> if its syntax isn't good.

I know.

> You've already said it works without pf loaded, so I'll avoid my usual
> "have you checked your interface IPs and routing table" blurb ;-)

You forgot to ask me if my network rj45 cable is connected lol.

> Your rule set is small, and it's obviously not a production box so you
> can afford to set every rule to log just now.  Do that, then run
> tcpdump on the pflog interface [....]

Already done that.  Just that, I've done so much it's hard on a one-try
basis to remember everything. Now that you mention it, I recall doing
tcpdump and nothing out of the ordinary was logged.

>  you don't need to open all ports
> for samba.

I know, but first we test, then we narrow down the ports ... etc.
I previously opened each port individually and had no success with samba.

> The last thing I'd say is you may be using macros a tad too much.

Will work on the syntax later.

> The documentation at http://www.openbsd.org/faq/pf/ has good
> explanations on most of pretty much everything pf, and you could do
> worse than copy the style from the sample file, at least to start
> with.

Yup, I know, I have a tab with it opened. I'm reading it (again).


ok, some info:
I'm working on an xp64 box with no firewall (deactivated), no anti-spy, no
anti-nothing....
When (in My Computer) I write \\<samba-ip> I'm able to log into the shares
BUT
when I try to access the samba share through My Network Places -> M$ Win
Net. -> "domain" -> "samba server"
I get "permission denied" and/or "cannot find hostname"

*BUT - 2*

If prior to that I deactivate pf (if pf is down I'm able to browse
through My Network Places) and establish a connection (click on "samba
server" in my "domain") and afterwards re-activate pf, I am able to browse
the network (through my net. places).

hmm.... keep in mind that the Windows firewall is down and has no
restrictions what-so-ever.


//-->> I replaced ports 0:65535 with {135, 137:139, 445}
and reloaded the rules
//

Knowing that IF a prior connection is established with samba (even with pf
up), I first rebooted my xp64 box.

So: pf is up, samba is up, xp64 is rebooted and here we go.

try 1:
My Computer -> My Network Places -> Entire Network -> Microsoft Windows
Network -> "workgroup name" -> *and no samba server in sight*


try 2:
My Computer -> *write* \\<samba-comp-name>  : Windows cannot find hostname


try 3:
My Computer -> *write* \\<samba-ip>    : works (as always)



I again do "try 1":
My Computer -> My Net. Places -> Entire Network -> M$ Win. Network (*stalls
for ~10-15 sec*) -> "my workgroup" (stalls again: same time period) ->
*and I can see my samba box but cannot access it*



Proof of concept:

I deactivate pf, go -> My Net. Places ..... -> am able to see/browse the
samba box ( !!! NO STALLS !!! )
I re-activate pf.
Again My Computer -> My Network Places (no stalls up until I want to
access the samba box itself, *stall ~10 sec*) -> works


It's not that I'm an idiot and really really want to access samba through
My Network Places (I'm perfectly capable of mapping drives or adding
network shares to XP (which are already done btw)), but I'm really curious
why this behaviour. I know samba was written prior to the first firewall book
but ...... c'mon, something's wrong and it's slipping by me, and I'm furious.




Ideas?

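Added example, not part of this thread or of anyone's posted ruleset: a pf.conf fragment that opens the Samba ports the message lists ({135, 137:139, 445}), but splits them by transport and logs every rule so tcpdump on pflog0 shows what matches, as suggested in the quoted reply. The interface name em0 and the network 192.168.1.0/24 are assumptions. NetBIOS name service (137) and datagram/browse-list service (138) are UDP and are commonly sent as broadcasts, while NetBIOS session (139), SMB over TCP (445) and MS RPC (135) are TCP, so a rule that lists those ports only for proto tcp leaves name lookup and workgroup browsing blocked even though \\<ip> still works.

```pf
# Added example, not from the thread. Assumed values: em0 and 192.168.1.0/24.
ext_if  = "em0"              # assumption: interface facing the XP64 client
lan_net = "192.168.1.0/24"   # assumption: the LAN the client sits on

# Samba services by transport:
#   137/udp NetBIOS name service, 138/udp NetBIOS datagram (browse lists)
#   135/tcp MS RPC, 139/tcp NetBIOS session, 445/tcp SMB over TCP
smb_udp = "{ 137, 138 }"
smb_tcp = "{ 135, 139, 445 }"

# Log everything while testing; inspect with: tcpdump -n -e -ttt -i pflog0
block log all

# Name/browse traffic is UDP and often broadcast, so allow it both to the
# broadcast address and to the server's own address.
pass in log quick on $ext_if inet proto udp from $lan_net \
    to $ext_if:broadcast port $smb_udp
pass in log quick on $ext_if inet proto udp from $lan_net \
    to ($ext_if) port $smb_udp keep state

# Session and SMB-over-TCP traffic.
pass in log quick on $ext_if inet proto tcp from $lan_net \
    to ($ext_if) port $smb_tcp flags S/SA keep state

# Let the Samba host answer and send its own name queries/announcements.
pass out log quick on $ext_if keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`; a pass rule that logs will then show each matched packet with its rule number in the pflog0 capture, so a blocked UDP 137/138 packet is visible immediately.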
