On Wed, 10 Aug 2016 09:50:38 -0400
William Wallace <b...@moonlighttechhelp.com> wrote:

> I am trying to connect to an SMB share outside of the office.  I have
> confirmed that the share works and others on the Internet can connect
> to it fine, but connections from within my office do not go through.
>
> I am guessing I have something wrong with the office's pf filters or
> NATing but I cannot identify the problem -- my pf.conf is fairly
> simple.  All machines on the network can get to other services (http,
> https, rdp, ssh, ... anything, really) but cannot establish an SMB
> connection.  Nothing of interest shows up in the pf log.

Can you connect to the same share from the same client but from the
different (unrestricted) network?

Does the IP address belong to restricted IP pools?

I see you aren't scrubbing, clearing no-df bits and adjusting max-mss -
this is definitely a must on some ADSL links, including mine.

Perhaps you could reorganize rules and turn on logging for all blocked
packets, this could help you troubleshoot with tcpdump.

Here's an example of my rules, maybe they'll help:

---snip---
# QUICK BLOCKS
antispoof for $if_int
antispoof for $if_ext
block log quick inet6
block log quick from <zlice>

# SCRUB & NAT & FTP
match in all scrub ( no-df random-id max-mss 1440 )
match out on egress inet from !(egress:network) to any nat-to (egress:0)
pass quick on lo0

# RULES
block log all

pass in  on $if_ext inet proto tcp  from any \
     to ($if_ext:0) port ssh
pass in  on $if_ext inet proto tcp  from any \
     to ($if_ext:0) port $fw_svc1 rdr-to $svc1
pass in  on $if_ext inet proto tcp  from any \
     to ($if_ext:0) port $fw_svc2 rdr-to $svc2
pass in  on $if_ext inet proto icmp from \
     any to ($if_ext:0) icmp-type 8

pass in quick on $if_int inet proto tcp from $if_int:network to any \
     port ftp divert-to 127.0.0.1 port 8021
pass in on $if_int inet proto tcp
pass in on $if_int inet proto udp
pass in on $if_int inet proto icmp

pass out on $if_ext
pass out on $if_int
---snip---

The above ruleset is easy to troubleshoot, as all the blocked packets
can be seen in real time with:

tcpdump -n -e -q -ttt -i pflog0

...and the history of blocked packets can be seen with:

tcpdump -n -e -q -ttt -r /var/log/pflog

Regards,
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/

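An added example (not from the mail above) of summarising the pflog output that the reply recommends: the rule number that tcpdump prints for each blocked packet is the one `pfctl -vvsr` shows, so counting blocks per rule, direction and destination port (445 and 139 for SMB) points straight at the rule that is dropping the traffic. The log lines below are constructed, not captured from the thread.

```shell
# Constructed sample of `tcpdump -n -e -q -ttt -r /var/log/pflog` output
# (fictitious hosts and rule numbers, not traffic from the thread).
PFLOG_SAMPLE='00:00:00.000000 rule 3/(match) block out on em0: 192.168.1.5.51234 > 203.0.113.10.445: tcp 52
00:00:00.010000 rule 3/(match) block out on em0: 192.168.1.5.51235 > 203.0.113.10.445: tcp 52
00:00:00.020000 rule 3/(match) block out on em0: 192.168.1.5.51236 > 203.0.113.10.139: tcp 52
00:00:00.030000 rule 0/(match) block in on em0: 198.51.100.7.40000 > 203.0.113.9.22: tcp 60
00:00:00.040000 rule 3/(match) block out on em0: 192.168.1.6.51300 > 203.0.113.10.445: tcp 52'

# Read tcpdump pflog text on stdin and print "count rule direction dport",
# most frequent first. Fields: $1 timestamp, $3 "N/(match)", $4 "block",
# $5 in|out, then "src.port > dst.port:". IPv4 only (the ruleset blocks inet6).
summarize_blocks() {
    awk '
    /block (in|out)/ {
        rule = $3; sub(/\/.*/, "", rule)      # "3/(match)" -> "3"
        dir  = $5
        for (i = 1; i <= NF; i++) if ($i == ">") { dst = $(i + 1); break }
        sub(/:$/, "", dst)                    # strip trailing colon
        n = split(dst, parts, ".")
        dport = parts[n]                      # last dotted component is the port
        count[rule " " dir " " dport]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2,2n
}

# Total blocked packets to one destination port, e.g. 445 for SMB.
blocked_to_port() {
    printf '%s\n' "$PFLOG_SAMPLE" | summarize_blocks |
        awk -v p="$1" '$4 == p { s += $1 } END { print s + 0 }'
}

# Stand-alone run: show the summary, then the SMB-specific counts.
printf '%s\n' "$PFLOG_SAMPLE" | summarize_blocks
echo "blocked to 445: $(blocked_to_port 445)"
echo "blocked to 139: $(blocked_to_port 139)"
```

Replace `PFLOG_SAMPLE` with `tcpdump -n -e -q -ttt -r /var/log/pflog` on the firewall to run it against the real log.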