samba and pf (full access rule)

Vasadi I. Claudiu Florin claudiu.vasadi at gmail.com
Sun Apr 5 06:38:02 PDT 2009


Hello guys,

I have a strange situation here. I'm aware of the issues samba has with  
firewalling and decided to grant full access to the samba server from 1  
IP. Added a line like:

pass in on $ext_if from <my_ip> to <samba_ip> port {0:65535}

and it worked. Yesterday I decided to play around with NAT, so I added an  
extra network card (rl1) and started reading. Managed to get NAT up and  
running but when returning to my box (the <my_ip> box) I've noticed that I  
could not access the samba server any more. So I backtraced my steps and  
commented out just about everything that could interfere with samba.  
Nothing worked. Maybe I have some syntax error (none pointed out by pfctl  
-(n)f <file>) that I didn't figure out yet.

Ow, and one more thing. I changed the rule to macros. Read the pf.conf  
file and you will understand


#####################
##   Macros I  ######
###   Global      ###
#####################

me = "192.168.0.2"
ext_if = "rl0"
int_if = "rl1"
lo_if = "lo0"
int_net = "192.168.1.0/24"
router = "192.168.0.1"
allowed_ports = "{ ftp, ssh, smtp, 80, 443, pop3, 65530:65535 }"
allowed_protocols = "{ tcp, udp }"
ks = "keep state"
ss = "synproxy state"
ms = "modulate state"



####################
###  Macros II #####
# !! Exceptions !! #
####################


# Allow all ports from 192.168.0.6 to 192.168.0.2 (for SAMBA)

exception_if_1_src = "rl0"              # Interface
exception_ip_1_src = "192.168.0.6"      # !!! ATTENTION !!! These IP's get access to ALL ports
exception_ip_1_dst = "192.168.0.2"      #
exception_proto_1 = "{ tcp, udp }"      # Protocols
exception_port_1 = "{ 0:65535 }"        # Ports


# Edit use      # Remember to uncomment @ Automated rules

#exception_if_2_src = ""        # Interface
#exception_ip_2_src = ""        # !!! ATTENTION !!! These IP's get access to ALL ports
#exception_ip_2_dst = ""        #
#exception_proto_2 = ""         # Protocols
#exception_port_2 = ""          # Ports


# Edit use      # Remember to uncomment @ Automated rules

#exception_if_3_src = ""        # Interface
#exception_ip_3_src = ""        # !!! ATTENTION !!! These IP's get access to ALL ports
#exception_ip_3_dst = ""        #
#exception_proto_3 = ""         # Protocols
#exception_port_3 = ""          # Ports




## Tables




## Options
set skip on $lo_if
set debug urgent
set loginterface $ext_if
set ruleset-optimization basic
set state-policy if-bound


## Scrub
#scrub in on $ext_if all no-df random-id max-mss 1500 fragment reassemble
#scrub on $ext_if reassemble tcp

## Queueing



## Translation (NAT/RDR)

#nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)


#############################
#####   Filter Rules   ######
#############################

block in log all
pass out all


# Samba from/to 192.168.1.30

#pass in on $int_if proto udp from 192.168.1.30/32 to $int_if port {137, 138}
#pass out on $int_if proto udp from 192.168.1.30/32 to $int_if port {137, 138}
#pass in on $int_if proto tcp from 192.168.1.30/32 to $int_if port {139, 445}
#pass out on $int_if proto tcp from 192.168.1.30/32 to $int_if port {139, 445}






###############################
#####   Automated Rules   #####
# No editing past this point  #
###############################

# Globals

pass in on $ext_if proto $allowed_protocols from any to $ext_if port $allowed_ports


# Exceptions (1,2,3 ... )

pass in on $exception_if_1_src proto $exception_proto_1 from $exception_ip_1_src \
to $exception_ip_1_dst port $exception_port_1

#pass in on $exception_if_2_src proto $exception_proto_2 from $exception_ip_2_src \
to $exception_ip_2_dst port $exception_port_2

#pass in on $exception_if_3_src proto $exception_proto_3 from $exception_ip_3_src \
to $exception_ip_3_dst port $exception_port_3





Also tried with scrub on/off. Didn't work. The <my_ip> box is 192.168.0.6  
and the samba server is 192.168.0.2


pfctl -sr shows the rules being loaded:

pass in on rl0 inet proto tcp from 192.168.0.6 to 192.168.0.2 port 0:65535 flags S/SA keep state (if-bound)
pass in on rl0 inet proto udp from 192.168.0.6 to 192.168.0.2 port 0:65535 keep state (if-bound)

Also I have block in all and pass out all:
block drop in log all
pass out all flags S/SA keep state (if-bound)

Thought that maybe I've misspelled something so I commented out  
"exception1" and added:
pass in on rl0 from <my_ip> to <samba_svr> port {0:65535}

it was the same....


So I thought that maybe it's samba's fault... well, it's not. Not with pf  
disabled it's not.....

so.... ideas ?
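To make it easier to reason about which rule in a ruleset like the one above actually decides a packet's fate, here is an added example (not the poster's tooling and not pf itself): a small Python evaluator that expands pf-style macros and applies pf's "last matching rule wins" semantics to constructed sample packets. It assumes a condensed copy of the posted ruleset, that `rl0` carries the address 192.168.0.2 (so `to $ext_if` resolves to that host), and the usual /etc/services numbers for the named ports; `set state-policy`, `keep state`, `flags` and NAT are deliberately outside its scope.

```python
"""Toy 'last matching rule wins' evaluator for a pf-style ruleset.

Constructed example, not pf and not the poster's tooling: macro expansion
and matching cover only the keywords used in the posted pf.conf.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

SERVICES = {"ftp": 21, "ssh": 22, "smtp": 25, "pop3": 110}  # /etc/services values
IFACE_ADDRS = {"rl0": "192.168.0.2"}  # assumed: 'to $ext_if' means the interface's own IP


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    text: str
    action: str                  # "pass" or "block"
    direction: str = "any"
    iface: Optional[str] = None
    protos: Optional[set] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    ports: Optional[list] = None  # inclusive (lo, hi) ranges
    quick: bool = False


def _port_range(item: str) -> tuple:
    lo, _, hi = item.partition(":")
    lo = SERVICES.get(lo, lo)
    hi = SERVICES.get(hi, hi) if hi else lo
    return int(lo), int(hi)


def _net(tok: str) -> Optional[ipaddress.IPv4Network]:
    return None if tok == "any" else ipaddress.ip_network(IFACE_ADDRS.get(tok, tok), strict=False)


def parse_conf(conf: str) -> list:
    """Return the filter rules of a pf.conf-like text with macros expanded."""
    conf = re.sub(r"\\\n\s*", " ", conf)          # join backslash continuations
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r'(\w+)\s*=\s*"([^"]*)"', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        if not line.startswith(("pass", "block")):
            continue                                # set/scrub/nat are not filter rules
        line = re.sub(r"\$(\w+)", lambda x: macros[x.group(1)], line)
        line = re.sub(r"\{[^}]*\}", lambda x: re.sub(r"\s+", "", x.group(0)), line)
        toks, rule, i = line.split(), None, 1
        rule = Rule(text=line, action=toks[0])
        while i < len(toks):
            t = toks[i]
            if t in ("in", "out"):
                rule.direction = t
            elif t == "quick":
                rule.quick = True
            elif t in ("on", "proto", "from", "to", "port"):
                i += 1
                val = toks[i]
                items = [v for v in val.strip("{}").split(",") if v]
                if t == "on":
                    rule.iface = val
                elif t == "proto":
                    rule.protos = set(items)
                elif t == "from":
                    rule.src = _net(val)
                elif t == "to":
                    rule.dst = _net(val)
                else:
                    rule.ports = [_port_range(p) for p in items]
            i += 1   # log, all, drop, keep state, flags ... do not affect matching here
        rules.append(rule)
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    return all((
        rule.direction in ("any", pkt.direction),
        rule.iface in (None, pkt.iface),
        rule.protos is None or pkt.proto in rule.protos,
        rule.src is None or ipaddress.ip_address(pkt.src) in rule.src,
        rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst,
        rule.ports is None or any(lo <= pkt.dport <= hi for lo, hi in rule.ports),
    ))


def evaluate(rules: list, pkt: Packet) -> tuple:
    """pf semantics: the last matching rule decides, unless a 'quick' rule matched first."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return ("pass", "(no rule matched: pf's implicit default is pass)") if winner is None \
        else (winner.action, winner.text)


# Constructed ruleset, condensed from the one posted above.
SAMPLE_CONF = """
ext_if = "rl0"
allowed_ports = "{ ftp, ssh, smtp, 80, 443, pop3, 65530:65535 }"
allowed_protocols = "{ tcp, udp }"
exception_if_1_src = "rl0"
exception_ip_1_src = "192.168.0.6"
exception_ip_1_dst = "192.168.0.2"
exception_proto_1 = "{ tcp, udp }"
exception_port_1 = "{ 0:65535 }"
block in log all
pass out all
pass in on $ext_if proto $allowed_protocols from any to $ext_if port $allowed_ports
pass in on $exception_if_1_src proto $exception_proto_1 from $exception_ip_1_src \\
    to $exception_ip_1_dst port $exception_port_1
"""
RULES = parse_conf(SAMPLE_CONF)

# Constructed test traffic, all arriving on rl0.
SMB_FROM_ALLOWED = Packet("rl0", "in", "tcp", "192.168.0.6", "192.168.0.2", 445)
SMB_FROM_OTHER = Packet("rl0", "in", "tcp", "192.168.0.7", "192.168.0.2", 445)
NETBIOS_BROADCAST = Packet("rl0", "in", "udp", "192.168.0.6", "192.168.0.255", 137)
SSH_FROM_OTHER = Packet("rl0", "in", "tcp", "192.168.0.7", "192.168.0.2", 22)

if __name__ == "__main__":
    for pkt in (SMB_FROM_ALLOWED, SMB_FROM_OTHER, NETBIOS_BROADCAST, SSH_FROM_OTHER):
        action, why = evaluate(RULES, pkt)
        print(f"{pkt.proto}/{pkt.dport} {pkt.src} -> {pkt.dst}: {action:5}  <- {why}")
```

Running it shows the exception rule winning for TCP/445 from 192.168.0.6, `block in log all` winning for the same port from any other host, and, more usefully for this kind of troubleshooting, `block in log all` also winning for a NetBIOS name query sent to the subnet broadcast 192.168.0.255: a host-to-host `pass` rule never matches broadcast traffic, whatever port range it carries. Since the block rule carries `log`, that is exactly the traffic `tcpdump -n -e -ttt -i pflog0` would show while a connection attempt is made, which is the first check to run before suspecting the rule syntax.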

