windows shares through pf
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: windows shares through pf
- From: David Norman <norny_(_at_)_yahoo_(_dot_)_com>
- Date: Mon, 11 Nov 2002 18:39:06 -0800 (PST)
I put an OpenBSD 3.2 machine up to do NAT in a computer lab. The
machines behind the NAT use a Win2k mapped drive on the other side of
the firewall as an openly shared drive. Occasionally, when people save
a Word doc to the mapped drive, it gets trashed. Half their document is
overwritten by blank pages, and section and page breaks.
I also use a Win2k share for storing Win2k service packs and Office
updates. When I try to open an update from the share, it starts
downloading and then my download gets dropped.
Then we have some network printers outside the NAT for the lab and
offices to print to. On some machines, when printing, the printout
prints to nowhere. It never comes out at the printer.
I wouldn't think that PF would mess up Win2k network processes like
that unless perhaps my rules were too strict somehow. I've included the
whole ruleset at the end of the email, but in particular, is it
possible that the following three lines would cause my trouble, or is
it something else?
block in quick on $ExtIF proto tcp all flags FPU/FPU
block in quick on $ExtIF proto tcp all flags FS/FSRA
block in quick on $ExtIF proto tcp all flags /FSRA
I can't stand telling another student they'll have to re-type their big
end of semester papers. Is there some traffic I should specifically
allow within pf outside the scope of tcp, udp, and icmp? Anyone have
advice?
David Norman
ExtIF="xl0"
IntIF="xl1"
DMZ="xl2"
spoofed="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
224.0.0.0/4, 240.0.0.0/5, 127.0.0.1/8 }"
reserved="{ 0.0.0.0/8, 1.0.0.0/8, 2.0.0.0/8, 5.0.0.0/8, \
7.0.0.0/8, 23.0.0.0/8, 27.0.0.0/8, 31.0.0.0/8, \
36.0.0.0/8, 37.0.0.0/8, 39.0.0.0/8, 41.0.0.0/8, \
42.0.0.0/8, 58.0.0.0/8, 59.0.0.0/8, 60.0.0.0/8, \
67.0.0.0/8, 68.0.0.0/8, 69.0.0.0/8, 70.0.0.0/8, \
71.0.0.0/8, 72.0.0.0/8, 73.0.0.0/8, 74.0.0.0/8, \
75.0.0.0/8, 76.0.0.0/8, 77.0.0.0/8, 78.0.0.0/8, \
79.0.0.0/8, 80.0.0.0/8, 81.0.0.0/8, 82.0.0.0/8, \
83.0.0.0/8, 84.0.0.0/8, 85.0.0.0/8, 86.0.0.0/8, \
87.0.0.0/8, 88.0.0.0/8, 89.0.0.0/8, 90.0.0.0/8, \
91.0.0.0/8, 92.0.0.0/8, 93.0.0.0/8, 94.0.0.0/8, \
95.0.0.0/8, 96.0.0.0/8, 97.0.0.0/8, 98.0.0.0/8, \
99.0.0.0/8, 100.0.0.0/8, 101.0.0.0/8, 102.0.0.0/8, \
103.0.0.0/8, 104.0.0.0/8, 105.0.0.0/8, 106.0.0.0/8, \
107.0.0.0/8, 108.0.0.0/8, 109.0.0.0/8, 110.0.0.0/8, \
111.0.0.0/8, 112.0.0.0/8, 113.0.0.0/8, 114.0.0.0/8, \
115.0.0.0/8, 116.0.0.0/8, 117.0.0.0/8, 118.0.0.0/8, \
119.0.0.0/8, 120.0.0.0/8, 121.0.0.0/8, 122.0.0.0/8, \
123.0.0.0/8, 124.0.0.0/8, 125.0.0.0/8, 126.0.0.0/8, \
127.0.0.0/8, 197.0.0.0/8, 201.0.0.0/8, 219.0.0.0/8, \
220.0.0.0/8, 221.0.0.0/8, 222.0.0.0/8, 223.0.0.0/8, \
240.0.0.0/8, 241.0.0.0/8, 242.0.0.0/8, 243.0.0.0/8, \
244.0.0.0/8, 245.0.0.0/8, 246.0.0.0/8, 247.0.0.0/8, \
248.0.0.0/8, 249.0.0.0/8, 250.0.0.0/8, 251.0.0.0/8, \
252.0.0.0/8, 253.0.0.0/8, 254.0.0.0/8, 255.0.0.0/8 }"
scrub in on $ExtIF all
scrub in on $DMZ all
nat on $ExtIF from 10.0.0.0/8 to any -> $ExtIF
pass out quick on lo0 all
pass in quick on lo0 all
block in on $ExtIF all
block in on $IntIF from any to $IntIF
block in on $DMZ all
antispoof for lo0
antispoof for { $ExtIF, $IntIF, $DMZ } inet
block in quick on $ExtIF proto tcp all flags FPU/FPU
block in quick on $ExtIF proto tcp all flags FS/FSRA
block in quick on $ExtIF proto tcp all flags /FSRA
block in quick on $ExtIF proto udp from any to 255.255.255.255/32
block in quick on $ExtIF from $spoofed to any
block in quick on $ExtIF from $reserved to any
pass in quick on $DMZ proto tcp from any to any port { ssh, http, https } flags S/SA modulate state
pass in quick on { $ExtIF, $IntIF, $DMZ } inet proto icmp all icmp-type 8 code 0 keep state
pass in quick on $IntIF proto udp from 10.0.0.0/24 to any port { 68, 123 } keep state
pass out quick on $ExtIF proto tcp all flags S/SA keep state
pass out quick on $ExtIF proto udp all keep state
pass out quick on $ExtIF inet proto icmp all icmp-type 8 code 0 keep state
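The poster asks whether the three `flags` rules could be dropping legitimate traffic. The script below is an added example, not part of the original post or of pf itself: it re-implements the `flags a/b` matching semantics documented in pf.conf(5) (only the flags in b are examined; those in a must be set and the remaining ones in b must be clear) and runs the three quoted rules against a constructed set of TCP flag combinations covering a normal handshake, data transfer and teardown, plus the malformed probes the rules were written for. The packet names and the `POST_RULES` list are the example's own; the rules themselves are copied from the post.

```python
"""Added example (not from the original post): evaluate pf 'flags a/b'
rules against TCP flag combinations to see which packets the three
quoted rules would actually match."""

# TCP flag bits in header order, keyed by the single letters pf uses.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

# The three rules quoted in the post, reduced to their 'flags' argument.
POST_RULES = ["FPU/FPU", "FS/FSRA", "/FSRA"]

# Constructed sample packets: normal TCP traffic plus malformed combinations.
SAMPLE_PACKETS = {
    "SYN": "S",
    "SYN-ACK": "SA",
    "ACK": "A",
    "PSH-ACK": "PA",
    "FIN-ACK": "FA",
    "RST": "R",
    "xmas (FIN/PSH/URG)": "FPU",
    "SYN+FIN": "FS",
    "null (no flags)": "",
}


def flags_to_bits(letters: str) -> int:
    """Turn a string of pf flag letters such as 'FSRA' into a bit mask."""
    bits = 0
    for ch in letters:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= FLAG_BITS[ch]
    return bits


def pf_flags_match(rule: str, packet_flags: str) -> bool:
    """Apply pf's 'flags a/b' semantics.

    Only the flags listed in b are examined: those in a must be set, the
    rest of b must be clear.  Flags outside b are ignored, which is why
    'FPU/FPU' also matches an FPU probe that additionally carries ACK.
    """
    if "/" not in rule:
        raise ValueError("only the 'a/b' and '/b' forms are handled here")
    want_set, examined = rule.split("/", 1)
    want_bits = flags_to_bits(want_set)
    mask_bits = flags_to_bits(examined)
    if want_bits & ~mask_bits:
        raise ValueError("every flag in 'a' must also be listed in 'b'")
    return (flags_to_bits(packet_flags) & mask_bits) == want_bits


def matching_rules(packet_flags: str, rules=POST_RULES) -> list:
    """Return the rules (in order) whose flag test matches this packet."""
    return [r for r in rules if pf_flags_match(r, packet_flags)]


def classify(packets=SAMPLE_PACKETS, rules=POST_RULES) -> dict:
    """Map each sample packet name to the list of rules that match it."""
    return {name: matching_rules(flags, rules) for name, flags in packets.items()}


if __name__ == "__main__":
    for name, hits in classify().items():
        verdict = "blocked by " + ", ".join(hits) if hits else "not matched"
        print(f"{name:22s} -> {verdict}")
```

Running it shows that none of the legitimate combinations (SYN, SYN-ACK, ACK, PSH-ACK, FIN-ACK, RST) match any of the three rules; only the FIN/PSH/URG, SYN+FIN and no-flags probes do. The three rules are therefore not a plausible cause of a Word document being truncated mid-write. Note also that `flags /FSRA` matches any segment with none of F, S, R or A set, so a segment carrying only PSH or URG is caught too, which is still bogus traffic.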