Thread: problems connecting samba shares

2006-11-16 10:03:07
On Wed, Nov 15, 2006 at 07:10:51PM +0200, Andrei Kolu wrote:
> I am struggling here with PF firewall and just can't connect to any samba
> share if PF is enabled:

That's because the SMB protocol was designed in total ignorance of
firewalls (and, to be fair, is much older than the first book on
firewalls). Like "talk" and other such protocols, which are virtually
impossible to do safely across a firewall, it has a mishmash of
connections in and out and back in again.

You may find this page of mine useful; using the information here
might get you up and running, but you'll be poking some serious
holes in the firewall to do this.

http://www.subspacefield.org/~travis/firewalls_and_protocols.html

You may find this old paper interesting though:
http://web.textfiles.com/hacking/cifs.txt

Ack, I gave in to curiosity, read a bit, and now I need a shower.
I couldn't get past the "Phase 0". Perhaps Bill Gates is a genius,
not because CIFS/SMB is great, but because it is so horrible;
yet he actually got people to pay for it. That counts for something.

But given that MS Services for Unix is free, wouldn't you be
happier using NFS than some dodgy proprietary anachronism that
is so chock full of arbitrariness that it boggles and stupefies
the mind? Let's just pretend IPX and SMB never existed. In a
decade nobody will even remember it. Here's to hoping.
--
"Cryptography is nothing more than a mathematical framework for
discussing various paranoid delusions." -- Don Alvarez
<URL:http://www.subspacefield.org/~travis/> -><-
_______________________________________________
freebsd-pf freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to
"freebsd-pf-unsubscribe freebsd.org"

2006-11-16 18:11:21
On Thursday 16 November 2006 12:03, you wrote:
> On Wed, Nov 15, 2006 at 07:10:51PM +0200, Andrei Kolu wrote:
> > I am struggling here with PF firewall and just can't connect to any samba
> > share if PF is enabled:
>
> That's because the SMB protocol was designed in total ignorance of
> firewalls (and, to be fair, is much older than the first book on
> firewalls). Like "talk" and other such protocols, which are virtually
> impossible to do safely across a firewall, it has a mishmash of
> connections in and out and back in again.
>
> You may find this page of mine useful; using the information here
> might get you up and running, but you'll be poking some serious
> holes in the firewall to do this.
>
> http://www.subspacefield.org/~travis/firewalls_and_protocols.html
>
> You may find this old paper interesting though:
> http://web.textfiles.com/hacking/cifs.txt
>
> Ack, I gave in to curiosity, read a bit, and now I need a shower.
> I couldn't get past the "Phase 0". Perhaps Bill Gates is a genius,
> not because CIFS/SMB is great, but because it is so horrible;
> yet he actually got people to pay for it. That counts for something.
>
> But given that MS Services for Unix is free, wouldn't you be
> happier using NFS than some dodgy proprietary anachronism that
> is so chock full of arbitrariness that it boggles and stupefies
> the mind? Let's just pretend IPX and SMB never existed. In a
> decade nobody will even remember it. Here's to hoping.

Yes, I understand that SMB is bad, but why does PF block a port that is opened with
rules?

/etc/pf.conf:
pass in on rl0 proto udp from any to (rl0) port 137 keep state

# tcpdump -n -e -ttt -i pflog0:
rule 0/0(match): block in on rl0: 192.168.2.100.137 > 192.168.2.101.53259: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST

2006-11-16 18:28:32
On Thu, Nov 16, 2006 at 08:11:21PM +0200, Andrei Kolu wrote:
> Yes, I understand that SMB is bad, but why does PF block a port that is opened with
> rules?
>
> /etc/pf.conf:
> pass in on rl0 proto udp from any to (rl0) port 137 keep state
>
> # tcpdump -n -e -ttt -i pflog0:
> rule 0/0(match): block in on rl0: 192.168.2.100.137 > 192.168.2.101.53259: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST

Your rule passes IN packets TO *DESTINATION* port 137.
The packet you are blocking is coming IN, FROM *SOURCE* port 137.

If that isn't clear enough, I can't help you; you need to read a
book on firewalls or TCP/IP.
--
"Cryptography is nothing more than a mathematical framework for
discussing various paranoid delusions." -- Don Alvarez
<URL:http://www.subspacefield.org/~travis/> -><-

2006-11-16 18:33:21
> /etc/pf.conf:
> pass in on rl0 proto udp from any to (rl0) port 137 keep state
>
> # tcpdump -n -e -ttt -i pflog0:
> rule 0/0(match): block in on rl0: 192.168.2.100.137 > 192.168.2.101.53259: NBT UDP PACKET(137): QUERY; POSITIVE;
> RESPONSE; UNICAST

Because that came FROM port 137, not TO port 137.

2006-11-16 19:04:22
On Thursday 16 November 2006 13:11, Andrei Kolu wrote:
> pass in on rl0 proto udp from any to (rl0) port 137 keep state

Maybe you're blocking some necessary broadcast packets. Try changing your
rules to something more like:

pass in on rl0 proto udp from any to any port 137 keep state

or possibly:

pass in on rl0 proto udp from any to (rl0:network) port 137 keep state

Even better, use a macro to define the ports:

samba_ports = "{ 137:139, 445 }"
pass in on rl0 proto { tcp, udp } from any to any port $samba_ports keep state

You may want to use this in your smb.conf:

smb ports = 139

and then change the above pf macro to:

samba_ports = "{ 137:139 }"

As a note, it appears that your previous log is not showing a block from "any
to rl0 port 137" but from "any port 137 to rl0", assuming the rl0 address is
192.168.2.101. So unless there is some state matching, the block seems valid.

Chris
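The point the last three replies make (the rule keys on the destination port, the logged packet carries 137 as its source port, and only an existing state entry from an outbound query would let that reply in) can be checked mechanically. The Python below is an added example, not code from the thread or from pf itself: it parses the quoted pflog line and applies a toy version of the two rule shapes, assuming, as Chris did, that rl0 is 192.168.2.101.

```python
import re

# Constructed sample: the pflog0 line quoted in the thread, as tcpdump prints it.
PFLOG_LINE = ("rule 0/0(match): block in on rl0: 192.168.2.100.137 > "
              "192.168.2.101.53259: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST")

_LINE_RE = re.compile(
    r"rule \S+: (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):")

def parse_pflog(line):
    """Pull action, direction, interface and the UDP 4-tuple out of one pflog line."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("not a pflog address line: %r" % line)
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt

def rule_matches(rule, pkt):
    """Toy pf matcher: every field the rule names must equal the packet's ('any' is a wildcard)."""
    return all(pkt[k] == v for k, v in rule.items() if v != "any")

# The thread's rule, with (rl0) expanded to the assumed address 192.168.2.101:
#   pass in on rl0 proto udp from any to (rl0) port 137 keep state
RULE_TO_137 = {"dir": "in", "iface": "rl0", "src": "any", "dst": "192.168.2.101", "dport": 137}
# The shape that would match the logged packet: a reply coming FROM port 137.
RULE_FROM_137 = {"dir": "in", "iface": "rl0", "src": "any", "sport": 137, "dst": "192.168.2.101"}

def reply_allowed_by_state(state_table, pkt):
    """'keep state' on an outbound query admits its reply: look for the reversed 4-tuple."""
    return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in state_table

def explain(line, state_table=frozenset()):
    """Report which rule shape matches the logged packet and whether state would pass it."""
    pkt = parse_pflog(line)
    return {
        "matches_to_137": rule_matches(RULE_TO_137, pkt),
        "matches_from_137": rule_matches(RULE_FROM_137, pkt),
        "allowed_by_state": reply_allowed_by_state(state_table, pkt),
    }

if __name__ == "__main__":
    print(explain(PFLOG_LINE))
    # A query 192.168.2.101:53259 -> 192.168.2.100:137 passed out with keep state
    # would have created this entry, and the logged reply would then be passed.
    print(explain(PFLOG_LINE, {("192.168.2.101", 53259, "192.168.2.100", 137)}))
```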