Sorry... Just couldn't resist this one...

you've won so many huge battles, yet need help with pf/ NAT?

  Original Message  
From: William Wallace
Sent: Wednesday 10 August 2016 19:34
To: misc@openbsd.org
Subject: pf filter problem: cannot connect to external SMB share from LAN

I am trying to connect to an SMB share outside of the office. I have
confirmed that the share works and others on the Internet can connect
to it fine, but connections from within my office do not go through.

I am guessing I have something wrong with the office's pf filters or
NATing but I cannot identify the problem -- my pf.conf is fairly
simple. All machines on the network can get to other services (http,
https, rdp, ssh, ... anything, really) but cannot establish an SMB
connection. Nothing of interest shows up in the pf log.

pf.conf pasted below. Thank you for your time.

Sincerely,
william

## macros
# interfaces
intIf = "fxp0"
extIf = "fxp1"
# inside machines
dvrIp = "192.168.10.7"
scannerIp = "192.168.10.20"
pc2Ip = "192.168.10.21"
pc3Ip = "192.168.10.32"
# public IPs
natOutIp = "single.public.ip.address"
serviceInIp = "d.i.tt.o"
# internal services
rdpPort = "3389"
rdpPort2 = "3390"
rdpPort3 = "3391"
dvrWebPubPort = 82
dvrServicePort = 6036

## block list
APNIC = '"1.0.0.0/8" "43.0.0.0/8"'
RIPE = '"31.0.0.0/8" "109.230.240.0/20"'
CHINA = '"121.8.0.0/13"'
blockList = "{ " $APNIC $RIPE $CHINA " }"

## options
set block-policy return
set skip on lo

## filter rules
block in log quick on $extIf from $blockList
block in log on $extIf
pass in quick on $intIf
pass out
# NATing
pass out on $extIf from 192.168.10.0/24 to any nat-to $natOutIp
# internal services
pass in on $extIf inet proto tcp to $serviceInIp port $dvrWebPubPort rdr-to $dvrIp port 80
pass in on $extIf inet proto tcp to $serviceInIp port $dvrServicePort rdr-to $dvrIp
pass in on $extIf inet proto tcp to $serviceInIp port $rdpPort rdr-to $scannerIp port $rdpPort keep state
pass in on $extIf inet proto tcp to $serviceInIp port $rdpPort2 rdr-to $pc2Ip port $rdpPort keep state
pass in on $extIf inet proto tcp to $serviceInIp port $rdpPort3 rdr-to $pc3Ip port $rdpPort keep state
# ssh
pass in on $extIf inet proto tcp to $serviceInIp port ssh
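Added illustration, not from the thread: the script below does offline what `pfctl -nvf pf.conf` does on the firewall, expanding the macros (including the concatenated blockList) into the effective rules, after first re-joining any rule that a mail client wrapped onto two lines. The pf.conf excerpt embedded in it is constructed from the one posted above; "rdr-to" on its own line is the wrapped form, not pf syntax.

```python
import re
# Constructed excerpt of the pf.conf posted above (macros, block list, three rules);
# the last rule is wrapped across two lines as the mail client delivered it.
PF_CONF = """\
extIf = "fxp1"
dvrIp = "192.168.10.7"
natOutIp = "single.public.ip.address"
serviceInIp = "d.i.tt.o"
dvrWebPubPort = 82
APNIC = '"1.0.0.0/8" "43.0.0.0/8"'
RIPE = '"31.0.0.0/8" "109.230.240.0/20"'
CHINA = '"121.8.0.0/13"'
blockList = "{ " $APNIC $RIPE $CHINA " }"
block in log quick on $extIf from $blockList
pass out on $extIf from 192.168.10.0/24 to any nat-to $natOutIp
pass in on $extIf inet proto tcp to $serviceInIp port $dvrWebPubPort
rdr-to $dvrIp port 80
"""
RULE_START = re.compile(r"^(pass|block|match|set|table|anchor|antispoof)\b")
MACRO_DEF = re.compile(r"^(\w+)\s*=\s*(.+)$")
TOKEN = re.compile(r'"([^"]*)"|\'([^\']*)\'|\$(\w+)|(\S+)')

def join_wrapped(text):
    """Drop blanks and comments; glue a line that opens with neither a rule
    keyword nor a macro definition onto the previous line (mail-client wrap)."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if out and not (RULE_START.match(line) or MACRO_DEF.match(line)):
            out[-1] += " " + line
        else:
            out.append(line)
    return out

def resolve(name, macros):  # pfctl likewise rejects a macro used before it is defined
    if name not in macros: raise ValueError(f"macro ${name} is not defined")
    return macros[name]

def expand_macros(lines):
    """Return (macros, rules) with every $name substituted, i.e. the rule set
    pfctl -nvf prints. A macro value concatenates quoted strings, bare tokens
    and other macros with single spaces, as pfctl's parser does."""
    macros, rules = {}, []
    for line in lines:
        m = MACRO_DEF.match(line)
        if m:
            name, value = m.groups()
            macros[name] = " ".join(resolve(ref, macros) if ref else (dq or sq or bare)
                                    for dq, sq, ref, bare in TOKEN.findall(value))
        else:
            rules.append(re.sub(r"\$(\w+)", lambda r: resolve(r.group(1), macros), line))
    return macros, rules
```

Run `expand_macros(join_wrapped(PF_CONF))` and print the second element to see the three rules as pf would load them.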
