Re: pf filter problem: cannot connect to external SMB share from LAN

2016-08-10 Thread Marko Cupać
On Wed, 10 Aug 2016 09:50:38 -0400
William Wallace  wrote:

> I am trying to connect to an SMB share outside of the office.  I have
> confirmed that the share works and others on the Internet can connect
> to it fine, but connections from within my office do not go through.
>
> I am guessing I have something wrong with the office's pf filters or
> NATing but I cannot identify the problem -- my pf.conf is fairly
> simple.  All machines on the network can get to other services (http,
> https, rdp, ssh, ... anything, really) but cannot establish an SMB
> connection.  Nothing of interest shows up in the pf log.

Can you connect to the same share from the same client but from a
different (unrestricted) network?

Does the IP address belong to restricted IP pools?

I see you aren't scrubbing, clearing no-df bits and adjusting max-mss -
this is definitely a must on some ADSL links, including mine.

Perhaps you could reorganize rules and turn on logging for all blocked
packets; this could help you troubleshoot with tcpdump.

Here's an example of my rules, maybe they'll help:

---snip---
# QUICK BLOCKS
antispoof for $if_int
antispoof for $if_ext
block log quick inet6
block log quick from 

# SCRUB & NAT & FTP
match in all scrub ( no-df random-id max-mss 1440 )
match out on egress inet from !(egress:network) to any nat-to (egress:0)
pass quick on lo0

# RULES
block log all

pass in  on $if_ext inet proto tcp  from any \
 to ($if_ext:0) port ssh
pass in  on $if_ext inet proto tcp  from any \
 to ($if_ext:0) port $fw_svc1 rdr-to $svc1
pass in  on $if_ext inet proto tcp  from any \
 to ($if_ext:0) port $fw_svc2 rdr-to $svc2
pass in  on $if_ext inet proto icmp from \
 any to ($if_ext:0) icmp-type 8

pass in quick on $if_int inet proto tcp from $if_int:network to any \
 port ftp divert-to 127.0.0.1 port 8021
pass in on $if_int inet proto tcp
pass in on $if_int inet proto udp
pass in on $if_int inet proto icmp

pass out on $if_ext
pass out on $if_int
---snip---

The above ruleset is easy to troubleshoot, as all the blocked packets
can be seen in real time with:

tcpdump -n -e -q -ttt -i pflog0

...and history of blocked packets can be seen with:

tcpdump -n -e -q -ttt -r /var/log/pflog

Regards,
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
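The troubleshooting step above (reading blocked packets from pflog) as an added example that is not from the thread: a POSIX sh script that summarises the text output of `tcpdump -n -e -q -ttt -r /var/log/pflog` by direction, interface, destination port and protocol, so that a protocol being silently dropped (here SMB on tcp/445 or tcp/139) shows up as a count instead of having to be spotted line by line. The sample log lines are constructed, the interface name fxp1 and the rule number are assumed, and the line shape assumed is "rule N/(match) block DIR on IFACE: SRC.SPORT > DST.DPORT: PROTO ...".

```shell
#!/bin/sh
# Added example, not code from the thread: summarise blocked connections from
# pflog text so that a protocol that never makes it through (SMB in the OP's
# case) stands out. Assumed line shape (OpenBSD tcpdump on pflog):
#   ... rule N/(match) block DIR on IFACE: SRC.SPORT > DST.DPORT: PROTO ...

# Constructed sample output (not a real capture), the kind of lines a
# "block log all" ruleset would produce. Interface and rule number assumed.
sample_pflog() {
    cat <<'EOF'
000000 rule 3/(match) block in on fxp1: 203.0.113.9.40001 > 198.51.100.7.23: tcp 60
000412 rule 3/(match) block out on fxp1: 192.168.10.21.51000 > 198.51.100.200.445: tcp 64
000220 rule 3/(match) block out on fxp1: 192.168.10.21.51001 > 198.51.100.200.445: tcp 64
000037 rule 3/(match) block out on fxp1: 192.168.10.32.49152 > 198.51.100.200.139: tcp 64
001002 rule 3/(match) block in on fxp1: 203.0.113.9.40002 > 198.51.100.7.3389: tcp 60
000005 rule 3/(match) block in on fxp1: 203.0.113.9 > 198.51.100.7: icmp: echo request
EOF
}

# summarize_pflog: reads pflog text on stdin and prints one line per
# "direction interface dport proto" combination, prefixed by its count,
# most frequent first. Packets without a port (e.g. icmp) get dport "-".
summarize_pflog() {
    awk '
    /\/\(match\) block/ {
        dir = ""; iface = ""; dport = "-"; proto = ""
        for (i = 1; i <= NF; i++) {
            # "block in on fxp1:" -> direction and interface
            if ($i == "block") { dir = $(i+1); iface = $(i+3); sub(/:$/, "", iface) }
            # "> 198.51.100.7.445: tcp" -> destination port and protocol
            if ($i == ">") {
                dst = $(i+1); sub(/:$/, "", dst)
                n = split(dst, p, ".")
                dport = (n == 5) ? p[5] : "-"
                proto = $(i+2); sub(/:$/, "", proto)
            }
        }
        count[dir " " iface " " dport " " proto]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# blocked_smb_count: total number of blocked packets whose destination port
# is an SMB port (445 or 139), read from pflog text on stdin.
blocked_smb_count() {
    summarize_pflog | awk '$4 == 445 || $4 == 139 { s += $1 } END { print s + 0 }'
}

# Usage on the sample data; on the firewall replace sample_pflog with
#   tcpdump -n -e -q -ttt -r /var/log/pflog
sample_pflog | summarize_pflog
```

If the SMB count stays at zero while the client still cannot connect, the packets are not being blocked by pf at all, which is exactly the situation the reply above points at (MSS/fragmentation on the link rather than a filter rule), so the next check is the scrub/max-mss suggestion rather than the ruleset.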



Re: pf filter problem: cannot connect to external SMB share from LAN

2016-08-10 Thread Vivek Vinod
Sorry... Just couldn't resist this one...

you've won so many huge battles, yet need help with pf/ NAT?

Sent from my BlackBerry 10 smartphone.
  Original Message  
From: William Wallace
Sent: Wednesday 10 August 2016 19:34
To: misc@openbsd.org
Subject: pf filter problem: cannot connect to external SMB share from LAN

I am trying to connect to an SMB share outside of the office. I have
confirmed that the share works and others on the Internet can connect
to it fine, but connections from within my office do not go through.

I am guessing I have something wrong with the office's pf filters or
NATing but I cannot identify the problem -- my pf.conf is fairly
simple. All machines on the network can get to other services (http,
https, rdp, ssh, ... anything, really) but cannot establish an SMB
connection. Nothing of interest shows up in the pf log.

pf.conf pasted below. Thank you for your time.

Sincerely,
william

## macros
# interfaces
intIf = "fxp0"
extIf = "fxp1"
# inside machines
dvrIp = "192.168.10.7"
scannerIp = "192.168.10.20"
pc2Ip = "192.168.10.21"
pc3Ip = "192.168.10.32"
# public IPs
natOutIp = "single.public.ip.address"
serviceInIp = "d.i.tt.o"
# internal services
rdpPort = "3389"
rdpPort2 = "3390"
rdpPort3 = "3391"
dvrWebPubPort = 82
dvrServicePort = 6036

## block list
APNIC = '"1.0.0.0/8" "43.0.0.0/8"'
RIPE = '"31.0.0.0/8" "109.230.240.0/20"'
CHINA = '"121.8.0.0/13"'
blockList = "{ " $APNIC $RIPE $CHINA " }"

## options
set block-policy return
set skip on lo

## filter rules
block in log quick on $extIf from $blockList
block in log on $extIf
pass in quick on $intIf
pass out
# NATing
pass out on $extIf from 192.168.10.0/24 to any nat-to $natOutIp
# internal services
pass in on $extIf inet proto tcp to $serviceInIp port $dvrWebPubPort \
 rdr-to $dvrIp port 80
pass in on $extIf inet proto tcp to $serviceInIp port $dvrServicePort \
 rdr-to $dvrIp
pass in on $extIf inet proto tcp to $serviceInIp port $rdpPort rdr-to \
 $scannerIp port $rdpPort keep state
pass in on $extIf inet proto tcp to $serviceInIp port $rdpPort2 rdr-to \
 $pc2Ip port $rdpPort keep state
pass in on $extIf inet proto tcp to $serviceInIp port $rdpPort3 rdr-to \
 $pc3Ip port $rdpPort keep state
# ssh
pass in on $extIf inet proto tcp to $serviceInIp port ssh



pf filter problem: cannot connect to external SMB share from LAN

2016-08-10 Thread William Wallace
I am trying to connect to an SMB share outside of the office.  I have
confirmed that the share works and others on the Internet can connect
to it fine, but connections from within my office do not go through.

I am guessing I have something wrong with the office's pf filters or
NATing but I cannot identify the problem -- my pf.conf is fairly
simple.  All machines on the network can get to other services (http,
https, rdp, ssh, ... anything, really) but cannot establish an SMB
connection.  Nothing of interest shows up in the pf log.

pf.conf pasted below.  Thank you for your time.

Sincerely,
william

## macros
# interfaces
intIf = "fxp0"
extIf = "fxp1"
# inside machines
dvrIp = "192.168.10.7"
scannerIp = "192.168.10.20"
pc2Ip = "192.168.10.21"
pc3Ip = "192.168.10.32"
# public IPs
natOutIp = "single.public.ip.address"
serviceInIp = "d.i.tt.o"
# internal services
rdpPort = "3389"
rdpPort2 = "3390"
rdpPort3 = "3391"
dvrWebPubPort = 82
dvrServicePort = 6036

## block list
APNIC = '"1.0.0.0/8" "43.0.0.0/8"'
RIPE = '"31.0.0.0/8" "109.230.240.0/20"'
CHINA = '"121.8.0.0/13"'
blockList = "{ " $APNIC $RIPE $CHINA " }"

## options
set block-policy return
set skip on lo

## filter rules
block in log quick on $extIf from $blockList
block in log on $extIf
pass  in quick on $intIf
pass  out
# NATing
pass out on $extIf from 192.168.10.0/24 to any nat-to $natOutIp
# internal services
pass in on $extIf inet proto tcp to $serviceInIp port $dvrWebPubPort \
 rdr-to $dvrIp port 80
pass in on $extIf inet proto tcp to $serviceInIp port $dvrServicePort \
 rdr-to $dvrIp
pass in on $extIf inet proto tcp to $serviceInIp port $rdpPort  rdr-to \
 $scannerIp port $rdpPort keep state
pass in on $extIf inet proto tcp to $serviceInIp port $rdpPort2 rdr-to \
 $pc2Ip port $rdpPort keep state
pass in on $extIf inet proto tcp to $serviceInIp port $rdpPort3 rdr-to \
 $pc3Ip port $rdpPort keep state
# ssh
pass in on $extIf inet proto tcp to $serviceInIp port ssh