pf.conf with samba

pf.conf with samba

Post by Sam Wu » Wed, 19 Dec 2001 11:46:18



Hi,

I have a problem letting Samba go through the pf firewall. As soon as
I enable pf, Samba from the Windows client machines doesn't work
any more. I have the following rules defined in /etc/pf.conf:

# normalize all incoming traffic
scrub in on fxp0 all
scrub in on fxp1 all

block                   out log on fxp0                 all
block                   in  log on fxp0                 all
block return-rst        in  log on fxp0 proto tcp       all
block return-icmp       in  log on fxp0 proto udp       all
block                   out log on fxp1                 all
block                   in  log on fxp1                 all
block return-rst        in  log on fxp1 proto tcp       all
block return-icmp       in  log on fxp1 proto udp       all

pass out quick on lo0 all
pass in  quick on lo0 all

## These are packets that have probably been spoofed.
block in log quick on fxp0 from { \
                        0.0.0.0/32, 255.255.255.255/32, \
                        192.168.0.0/16, 172.16.0.0/12, \
                        10.0.0.0/8, 127.0.0.0/8 } to any

block in log quick on fxp0 from any to { \
                        0.0.0.0/32, 255.255.255.255/32, 127.0.0.0/8 }

pass in quick on fxp0 inet proto icmp all icmp-type 0 keep state
pass in quick on fxp0 inet proto icmp all icmp-type 3 keep state
pass in quick on fxp0 inet proto icmp all icmp-type 8 keep state
pass in quick on fxp0 inet proto icmp all icmp-type 11 keep state

pass in quick on fxp0 proto tcp  from any to any port = 7 flags S keep state
pass in quick on fxp0 proto udp  from any to any port = 7 flags S keep state
pass in quick on fxp0 proto tcp  from any to any port = 22 flags S keep state
pass in quick on fxp0 proto tcp  from any to any port = 53 flags S keep state
pass in quick on fxp0 proto tcp  from any to any port = 443 flags S keep state
pass in quick on fxp0 proto tcp  from any to any port = 80 flags S keep state
pass in quick on fxp0 proto tcp  from any to any port = 6000 flags S keep state

# Samba ports
pass in quick on fxp0 proto tcp  from any to any port = 137 flags S keep state
pass in quick on fxp0 proto tcp  from any to any port = 138 flags S keep state
pass in quick on fxp0 proto tcp  from any to any port = 139 flags S keep state
pass in quick on fxp0 proto udp  from any to any port = 137 flags S keep state
pass in quick on fxp0 proto udp  from any to any port = 138 flags S keep state
pass in quick on fxp0 proto udp  from any to any port = 139 flags S keep state

block return-icmp(port-unr) in log quick on fxp0 proto tcp from any to any port = 23

block in log quick on fxp0 proto udp from any to any port 33434 >< 33465

# Allow Stateful connection to outside
pass out quick on fxp0 proto tcp        from any to any keep state
pass out quick on fxp0 proto udp        from any to any keep state
pass out quick on fxp0 proto icmp       from any to any keep state

# for internal LAN
pass in quick on fxp1 inet proto icmp all icmp-type 0 keep state
pass in quick on fxp1 inet proto icmp all icmp-type 3 keep state
pass in quick on fxp1 inet proto icmp all icmp-type 8 keep state
pass in quick on fxp1 inet proto icmp all icmp-type 11 keep state

pass in quick on fxp1 proto tcp  from any to any port = 7 flags S keep state
pass in quick on fxp1 proto udp  from any to any port = 7 flags S keep state
pass in quick on fxp1 proto tcp  from any to any port = 22 flags S keep state
pass in quick on fxp1 proto tcp  from any to any port = 53 flags S keep state
pass in quick on fxp1 proto tcp  from any to any port = 443 flags S keep state
pass in quick on fxp1 proto tcp  from any to any port = 80 flags S keep state
pass in quick on fxp1 proto tcp  from any to any port = 6000 flags S keep state

block return-icmp(port-unr) in log quick on fxp1 proto tcp from any to any port = 23

block in log quick on fxp1 proto udp from any to any port 33434 >< 33465

# Allow Stateful connection to outside
pass out quick on fxp1 proto tcp        from any to any keep state
pass out quick on fxp1 proto udp        from any to any keep state
pass out quick on fxp1 proto icmp       from any to any keep state

Thanks
Sam

pf.conf with samba

Post by Sam Wu » Wed, 19 Dec 2001 12:27:05


Here are more messages from the log file:

[2001/12/18 10:11:40, 0] nmbd/nmbd_responserecordsdb.c:find_response_record(239)
  find_response_record: response packet id 32893 received with no matching record.
[2001/12/18 10:12:01, 0] nmbd/nmbd_responserecordsdb.c:find_response_record(239)
  find_response_record: response packet id 32895 received with no matching record.

[2001/12/18 10:38:36, 0] lib/util_sock.c:set_socket_options(165)
  Failed to set socket option TCP_NODELAY (Error Connection reset by peer)
[2001/12/18 10:38:36, 0] lib/util_sock.c:read_socket_data(478)
  read_socket_data: recv failure for 4. Error = Connection reset by peer
[2001/12/18 10:38:36, 0] smbd/connection.c:yield_connection(63)
  yield_connection: tdb_delete for name  failed with error Record does not exist.

Thanks
Sam



pf.conf with samba

Post by Daniel Hartmeier » Thu, 20 Dec 2001 18:34:21



> I have a problem letting Samba go through the pf firewall. As soon as
> I enable pf, Samba from the Windows client machines doesn't work
> any more. I have the following rules defined in /etc/pf.conf:

Make sure all your blocking rules have option 'log' set. Then load the rule
set and enable the filter and reproduce the behavior. Then check /var/log/pflog
(as described in pflogd(8)) for the log messages. They will tell you which
rule blocked which packets. The rule numbers in the log entries refer to
the output of pfctl -sr.

Daniel
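
The debugging loop Daniel describes, as an added example that is not code from the thread or from pf itself: a small POSIX shell script that (1) lints a rule listing for `flags` on rules that are not `proto tcp`, which pf refuses to load ("flags only apply to tcp"), and (2) tallies decoded pflog block entries by rule number, direction, interface, protocol and destination port, then prints the text of the rule that did the blocking. The rule listing and the log lines below are constructed sample data: the interfaces, addresses and rule positions are invented, and the log layout follows what tcpdump printed for pflog on OpenBSD 3.x (newer tcpdump adds a `[uid 0, pid 0]` field, which the parser tolerates).

```shell
#!/bin/sh
# Added example, not from the original thread. Two checks for the workflow
# Daniel suggests: lint a rule listing, then map pflog block entries back to
# rule numbers. All input is constructed so the script runs offline.
# On a real box the inputs would come from:
#   pfctl -sr                              # loaded rules, one per line
#   tcpdump -n -e -ttt -r /var/log/pflog   # decoded log (see pflogd(8))

# Constructed rule listing in the style of "pfctl -sr". The log refers to a
# rule by its position in this listing, counted from zero.
RULES_SAMPLE='block in log on fxp0 all
block return-rst in log on fxp0 proto tcp all
block in log on fxp1 all
block return-rst in log on fxp1 proto tcp all
block return-icmp in log on fxp1 proto udp all
pass in quick on fxp1 proto tcp from any to any port = 22 flags S keep state
pass in quick on fxp0 proto udp from any to any port = 137 flags S keep state'

# Constructed decoded pflog lines in the OpenBSD 3.x tcpdump layout:
# "rule N/0(match): block in on IF: src.port > dst.port: ...".
PFLOG_SAMPLE='rule 3/0(match): block in on fxp1: 192.168.1.20.1025 > 192.168.1.1.139: S 1000:1000(0) win 8192
rule 3/0(match): block in on fxp1: 192.168.1.20.1026 > 192.168.1.1.139: S 2000:2000(0) win 8192
rule 4/0(match): block in on fxp1: 192.168.1.20.137 > 192.168.1.255.137: udp 50
rule 4/0(match): block in on fxp1: 192.168.1.20.138 > 192.168.1.255.138: udp 201
rule 1/0(match): block in on fxp0: 203.0.113.9.4321 > 198.51.100.2.23: S 1:1(0) win 512'

# Report rules that carry "flags" but are not "proto tcp": pf accepts flags
# only on TCP rules, so pfctl rejects such a file outright.
lint_flags() {   # $1 = rule listing or pf.conf text
    printf '%s\n' "$1" | awk '
        NF { n++ }
        NF && / flags / && !/ proto tcp / {
            print "rule " (n - 1) ": flags on non-tcp rule: " $0
        }'
}

# Print rule number $1 (counted from zero) of listing $2.
rule_by_number() {
    printf '%s\n' "$2" | awk -v n="$1" 'NF { if (i++ == n) { print; exit } }'
}

# Count blocked packets per rule, direction, interface, protocol and
# destination port; most frequent first. Output: "<hits> <rule> <dir> <if> <proto> <port>".
blocked_summary() {   # $1 = decoded pflog text
    printf '%s\n' "$1" | awk '
        /^rule [0-9]+\// && / block (in|out) on / {
            split($2, r, "/"); rule = r[1]
            for (i = 2; i <= NF; i++) if ($i == "on") { dir = $(i-1); ifc = $(i+1); break }
            sub(/:$/, "", ifc)
            for (j = 1; j < NF; j++) if ($j == ">") { dst = $(j+1); nxt = $(j+2); break }
            sub(/:$/, "", dst)
            if (nxt == "udp") proto = "udp"
            else if (nxt ~ /^icmp/) proto = "icmp"
            else proto = "tcp"
            if (proto == "icmp") port = "-"
            else { n = split(dst, a, "."); port = a[n] }
            hits[rule " " dir " " ifc " " proto " " port]++
        }
        END { for (k in hits) print hits[k], k }' | sort -rn
}

# Join the two: for each blocked flow, the hit count and the rule text.
explain_blocks() {   # $1 = decoded pflog text, $2 = rule listing
    blocked_summary "$1" | while read -r hits rule dir ifc proto port; do
        printf '%s hits: rule %s, %s on %s, %s to port %s\n    %s\n' \
            "$hits" "$rule" "$dir" "$ifc" "$proto" "$port" \
            "$(rule_by_number "$rule" "$2")"
    done
}

lint_flags "$RULES_SAMPLE"
explain_blocks "$PFLOG_SAMPLE" "$RULES_SAMPLE"
```

Run against the rule set posted above, the lint would flag every `proto udp ... flags S` rule (the port 7 rules and the three UDP Samba rules), since pfctl rejects `flags` on anything but TCP. In the constructed log, the two SYNs to port 139 on fxp1 land on the `block return-rst ... proto tcp` rule, which is how a firewall-side reset shows up before smbd logs "Connection reset by peer".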
pf.conf

Hi

I've set up OpenBSD 3.0 with pf.  I am trying to get my internal
network to have access to the web...  Below are my rules; they are
simple.  Block all inbound and allow only www & https out.

# Rules for fxp0
#----------------
block in log on fxp0 all
block out log on fxp0 all

pass out quick on fxp0 inet proto tcp from 10.0.1.1/32 to any port 80 keep state

If I use the following rule:

pass out quick on fxp0 inet proto tcp from any to any port 80 keep state

it works, but I want it narrowed down to a machine or subnet.

Any idea?

roq
