Solved, was an IF misconfiguration only. Sorry
On Thursday, 09 September 2010 03:48:59, Jean-François SIMON wrote:
> Hello,
>
> I have a small problem tonight, if you could please check and see if
> something is wrong here.
> The samba share seems blocked, the packets are not broadcast.
>
> Thanks.
>
> # tcpdump -eni pflog0
> 03:41:26.500159 rule 30/(match) block in on re1: 192.168.0.195.138 > 192.168.0.255.138: udp 207
> 03:41:49.296060 rule 30/(match) block in on re1: 192.168.1.186.137 > 192.168.1.255.137: udp 50
>
> re1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:08:64:a9:51:81
>         priority: 0
>         media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
>         status: active
>         inet6 fe80::208:54ff:fea8:5181%re1 prefixlen 64 scopeid 0x2
>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>
> ext_if="re0"
> int_if="re1"
>
> set skip on lo
> match in all scrub (no-df max-mss 1440)
>
> match out on $ext_if from 192.168.1.0/24 to any nat-to ($ext_if)
>
> match in on $ext_if proto tcp from any to any port 4466 rdr-to 192.168.100.196
> match in on $ext_if proto tcp from any to any port 3729 rdr-to 192.168.100.195
> match in on $ext_if proto tcp from any to any port 3730 rdr-to 192.168.100.192
> match in on $ext_if proto tcp from any to any port 3731 rdr-to 192.168.100.193
> match in on $ext_if proto tcp from any to any port 3733 rdr-to 192.168.100.190
> match in on $ext_if proto tcp from any to any port 3728 rdr-to 192.168.100.4
> match in on $ext_if proto udp from any to any port 3740 rdr-to 192.168.100.187
> match in on $ext_if proto udp from any to any port 46655 rdr-to 192.168.100.4
> match in on $ext_if proto tcp from any to any port 3734 rdr-to 192.168.100.186
> match in on $ext_if proto tcp from any to any port 3727 rdr-to 192.168.100.183
> match in on $ext_if proto tcp from any to any port 3735 rdr-to 192.168.100.181
> match in on $ext_if proto {tcp,udp} from any to any port 3389 rdr-to 192.168.100.186
> match in on $ext_if proto tcp from any to any port 5800 rdr-to 192.168.100.186
> match in on $ext_if proto tcp from any to any port 5900 rdr-to 192.168.100.186
> match in on $ext_if proto tcp from any to any port 5801 rdr-to 192.168.100.181
> match in on $ext_if proto tcp from any to any port 5901 rdr-to 192.168.100.181
> match in on $ext_if proto tcp from any to any port 5902 rdr-to 192.168.100.193
> match in on $ext_if proto tcp from any to any port 5903 rdr-to 192.168.100.183
> match in on $ext_if proto {tcp,udp} from any to any port 80 rdr-to 192.168.100.184
> match in on $ext_if proto {tcp,udp} from any to any port 20 rdr-to 192.168.100.184
> match in on $ext_if proto tcp from any to any port 16022 rdr-to 192.168.100.186
> match in on $ext_if proto udp from any to any port 63112 rdr-to 192.168.100.186
> match in on $ext_if proto udp from any to any port 3726 rdr-to 192.168.100.3
> match in on $ext_if proto udp from any to any port 31336:31341 rdr-to 192.168.100.186
>
> pass out # outbound connections are allowed
> block in log all # inbound connections are blocked by default
>
> antispoof for $ext_if
> pass in on $int_if proto icmp to any tagged macok
> pass in on $int_if proto tcp to any tagged macok
> pass in on $int_if proto udp to any tagged macok
> pass in on $ext_if proto icmp to any
> pass in on $ext_if proto {tcp,udp} to any port 3389
> pass in on $ext_if proto udp to any port 3726
> pass in on $ext_if proto tcp to any port 3727:3731
> pass in on $ext_if proto tcp to any port 3733:3735
> pass in on $ext_if proto udp to any port 3740
> pass in on $ext_if proto tcp to any port 4466
> pass in on $ext_if proto tcp to any port 5800:5801
> pass in on $ext_if proto tcp to any port 5900:5903
> pass in on $ext_if proto tcp to any port 16022
> pass in on $ext_if proto udp to any port 63112
> pass in on $ext_if proto udp to any port 46655
> pass in on $ext_if proto {tcp,udp} to any port 20
> pass in on $ext_if proto {tcp,udp} to any port 80
>
> pass in on bridge1
>
> # cat > /etc/hostname.bridge0
>
> # ******************************************************************
> # * To change the MAC addresses, edit Section I                    *
> # ******************************************************************
>
> # Create a filtering bridge
> add re1 -learn re1
>
> # *********************
> # * Section I (start) *
> # *********************
>
> # START OF MAC FILTERING RULES
> # MAC addresses of known client machines
>
> rule pass in on re1 src c8:0a:a9:20:02:44 tag macok # JB's laptop
> rule pass in on re1 src F0:DE:F1:07:56:77 tag macok # J-F's laptop
>
> # END OF MAC FILTERING RULES
>
> # *******************
> # * Section I (end) *
> # *******************
>
> # bring the filtering bridge up
> up
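Added example, not part of the thread and not the original poster's code: a small Python triage script for `tcpdump -eni pflog0` output in the format quoted above. It parses each line into rule number, action, direction, interface, addresses, ports and protocol, counts what the default `block in log all` rule is catching per port, and checks every blocked packet against the ingress interface's configured subnet (assumed here to be re1 = 192.168.1.0/24, read off the quoted ifconfig output) so that a source outside that subnet, or a NetBIOS broadcast for the subnet being dropped, stands out. The sample input embeds the two quoted pflog lines plus two constructed lines (a pass on re0 and an ICMP line without ports) to exercise the other parser paths; the function and constant names are my own.

```python
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the first two lines are the ones quoted in the thread,
# the last two are made up here to exercise a pass rule and a port-less ICMP line.
SAMPLE_PFLOG = """\
03:41:26.500159 rule 30/(match) block in on re1: 192.168.0.195.138 > 192.168.0.255.138: udp 207
03:41:49.296060 rule 30/(match) block in on re1: 192.168.1.186.137 > 192.168.1.255.137: udp 50
03:42:01.000001 rule 40/(match) pass in on re0: 203.0.113.7.51234 > 192.168.100.186.3389: tcp 60
03:42:05.000002 rule 30/(match) block in on re1: 192.168.1.50 > 192.168.1.1: icmp: echo request
"""

# Assumed interface addressing, taken from the quoted ifconfig output (re1 = 192.168.1.1/24).
IFACE_NETS = {"re1": ipaddress.ip_network("192.168.1.0/24")}

# One `tcpdump -eni pflog0` line: time, "rule N/(reason)", action, direction,
# interface, "src[.sport] > dst[.dport]: proto ...". Ports are optional (ICMP has none).
PFLOG_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>[^:]+): "
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: "
    r"(?P<proto>[a-z]+)"
)


@dataclass(frozen=True)
class PflogEntry:
    time: str
    rule: int
    action: str
    direction: str
    iface: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_line(line: str) -> Optional[PflogEntry]:
    """Parse one pflog line; lines that do not match the expected shape yield None."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    return PflogEntry(
        time=m["time"], rule=int(m["rule"]), action=m["action"], direction=m["dir"],
        iface=m["iface"], proto=m["proto"],
        src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
    )


def parse_pflog(text: str) -> list:
    """Parse a whole capture, silently skipping unparseable lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def blocks_by_rule_and_port(entries) -> Counter:
    """Count blocked packets per (rule, iface, proto, dport): shows what rule 30 is eating."""
    return Counter((e.rule, e.iface, e.proto, e.dport) for e in entries if e.action == "block")


def is_broadcast(entry: PflogEntry, nets=IFACE_NETS) -> bool:
    """True when dst is the limited broadcast or the directed broadcast of the ingress subnet."""
    dst = ipaddress.ip_address(entry.dst)
    if dst == ipaddress.ip_address("255.255.255.255"):
        return True
    net = nets.get(entry.iface)
    return net is not None and dst == net.broadcast_address


def source_off_subnet(entry: PflogEntry, nets=IFACE_NETS) -> bool:
    """True when the packet arrived on an interface whose configured subnet does not contain src."""
    net = nets.get(entry.iface)
    return net is not None and ipaddress.ip_address(entry.src) not in net


def triage(text: str, nets=IFACE_NETS) -> dict:
    """Pick out the two things worth a second look in this thread's capture."""
    entries = parse_pflog(text)
    return {
        # NetBIOS name/datagram broadcasts (137/138) for the interface's subnet hitting a block rule
        "blocked_netbios_broadcasts": [
            e for e in entries
            if e.action == "block" and e.dport in (137, 138) and is_broadcast(e, nets)
        ],
        # packets whose source does not belong to the subnet configured on the ingress interface
        "off_subnet_sources": [e for e in entries if source_off_subnet(e, nets)],
    }


if __name__ == "__main__":
    for key, count in sorted(blocks_by_rule_and_port(parse_pflog(SAMPLE_PFLOG)).items(), key=str):
        print(f"rule {key[0]} on {key[1]} {key[2]} dport={key[3]}: {count}")
    for name, hits in triage(SAMPLE_PFLOG).items():
        print(name, [f"{e.src} -> {e.dst}" for e in hits])
```

On the two quoted lines this reports the 192.168.1.186 packet as a NetBIOS broadcast for re1's subnet dropped by rule 30, and the 192.168.0.195 packet as arriving on re1 from outside the 192.168.1.0/24 configured there; which of those reflects the "IF misconfiguration" the poster found is not stated in the thread, so the script only surfaces both.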