pf + cups/samba


foo_daemon
May 10th, 2009, 08:23
Hi all,

I'm having some trouble accomplishing port forwarding with pf for a samba print share.

Basically:
I have the apache/cups/samba services running in a jail. When the user accesses the primary IP (192.168.0.101), I want it to forward requests on those ports to the jail's IP (192.168.0.101), and similarly have the primary IP appear in all replies, so that it is completely unknown to the users that a jail is in use.

Here is my pf.conf file (I am new to pf: this server is already behind a NAT'ed router, hence the very permissive ruleset)
/etc/pf.conf

# Loopback macros (defined, but not used by the rules below)
lo_if="lo0"
lo_addr="127.0.0.1"

ext_if="rl0"
# Primary address users connect to. Note the /32: 192.168.0.101/24 would
# match the whole 192.168.0.0/24 LAN, not just this host.
base_addr="{ 192.168.0.101/32, 127.0.0.1 }"

# The jail's address, an alias on $ext_if
jail_addr="192.168.0.103/32"

# Service names are resolved from /etc/services
tcp_forwards = "{ www, netbios-ns, netbios-dgm, netbios-ssn, https, microsoft-ds, swat }"
udp_forwards = "{ www, netbios-ns, netbios-dgm, netbios-ssn, https, microsoft-ds }"

# Connections the jail opens itself leave with the primary address as source
nat on $ext_if from $jail_addr to any -> $ext_if

# Redirect the listed ports on the primary address to the jail. Replies to a
# redirected connection are translated back by its state entry, so the client
# only ever sees $base_addr. Both rules now match on $base_addr, not "any".
rdr pass on $ext_if proto tcp from any to $base_addr port $tcp_forwards -> $jail_addr
rdr pass on $ext_if proto udp from any to $base_addr port $udp_forwards -> $jail_addr

# Filter rules see the packet after rdr, so they must match the translated
# destination (the jail) and the destination port. The original lines matched
# on the *source* port ("from port $tcp_forwards to $ext_if"), which no client
# connection satisfies; "rdr pass" already passes the traffic, so these are
# belt and braces.
pass in on $ext_if proto tcp from any to $jail_addr port $tcp_forwards flags S/SA keep state
pass in on $ext_if proto udp from any to $jail_addr port $udp_forwards keep state

# Everything else is allowed (the host sits behind a NAT router)
pass in all
pass out all


The above works great for samba file shares, http/https and swat requests, but when I try to access the printer share, the XP machine whines "This operation could not be completed. Either the printer name was typed incorrectly, or the specified printer has lost its connection with the server."

If I use the jail's IP directly, though, I can access the print share (and all other services) and use it without problems.

Here is the pertinent Samba log with log level 5:
http://pastebin.com/m50604197

[2009/05/09 23:16:30, 5] rpc_parse/parse_prs.c:prs_werror(830)
0014 status code: WERR_INVALID_PRINTER_NAME


I appreciate any and all advice...

foo_daemon
May 10th, 2009, 08:25
Jail's IP is 192.168.0.103; I made an early typo. Don't have edit privileges yet, sorry...
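
A small model of what the ruleset above does to a redirected connection, as an added example that is not part of the thread and not pf code. It models pf's rdr matching and state tracking only as far as needed to see the three things that matter here: the client talks to the primary address, the jail sees the jail address as destination, and the reply reaches the client with the primary address as source. It also shows what rdr does not touch: the payload. Any server name a client writes into an SMB/RPC request (such as a \\server\printer UNC path) reaches the jail exactly as typed, because translation stops at the IP and TCP/UDP headers. Whether that is what spoolss objects to in this case is not settled by the thread. The client address, client port and sample payload are constructed for the example; the port numbers are the /etc/services values for the service names used in the ruleset.

```python
"""Toy model of pf's rdr + state tracking for the ruleset in the thread.

Added illustration, not pf code and not from the original post. It models:
  * rdr matching on (proto, destination address, destination port) and
    rewriting of the destination address;
  * creation of a state entry for the translated flow;
  * reverse translation of a reply from the jail that matches that state,
    so the client sees the primary address as the source.
Only the L3/L4 header fields are rewritten; the payload is passed through.
"""
from dataclasses import dataclass, replace
import ipaddress

PRIMARY = "192.168.0.101"   # address users connect to (from the post)
JAIL = "192.168.0.103"      # jail address (corrected in the follow-up post)
# /etc/services values for the names in $tcp_forwards / $udp_forwards
TCP_FORWARDS = {80, 137, 138, 139, 443, 445, 901}
UDP_FORWARDS = {80, 137, 138, 139, 443, 445}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


@dataclass
class RdrRule:
    """One 'rdr ... from any to <dst_net> port <ports> -> <target>' rule."""
    proto: str
    dst_net: ipaddress.IPv4Network
    ports: set
    target: str

    def matches(self, pkt):
        return (pkt.proto == self.proto
                and ipaddress.ip_address(pkt.dst) in self.dst_net
                and pkt.dport in self.ports)


class Pf:
    """Holds the rdr rules and the state table for translated flows."""

    def __init__(self, rules):
        self.rules = rules
        # (proto, client, client port, translated dst, dport) -> original dst
        self.states = {}

    def inbound(self, pkt):
        """Packet arriving on the external interface: apply the first matching rdr."""
        for rule in self.rules:
            if rule.matches(pkt):
                key = (pkt.proto, pkt.src, pkt.sport, rule.target, pkt.dport)
                self.states[key] = pkt.dst
                return replace(pkt, dst=rule.target)   # payload untouched
        return pkt

    def outbound(self, pkt):
        """Reply heading back to the client: reverse-translate if a state exists."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.states:
            return replace(pkt, src=self.states[key])
        return pkt


def build_pf():
    """The two rdr rules from the ruleset, with base_addr as a /32."""
    return Pf([
        RdrRule("tcp", ipaddress.ip_network(f"{PRIMARY}/32"), TCP_FORWARDS, JAIL),
        RdrRule("udp", ipaddress.ip_network(f"{PRIMARY}/32"), UDP_FORWARDS, JAIL),
    ])


def smb_exchange(client="192.168.0.50", sport=1025, dport=445):
    """One request/reply pair through the model; returns (at_jail, at_client)."""
    pf = build_pf()
    # Constructed sample: the client names the server by the primary address.
    request = Packet("tcp", client, sport, PRIMARY, dport,
                     payload=rf"\\{PRIMARY}\printer")
    at_jail = pf.inbound(request)
    reply = Packet("tcp", at_jail.dst, at_jail.dport, at_jail.src, at_jail.sport,
                   payload="reply")
    at_client = pf.outbound(reply)
    return at_jail, at_client


if __name__ == "__main__":
    at_jail, at_client = smb_exchange()
    print("jail sees     :", at_jail)
    print("client sees   :", at_client)
```

Running it shows the request reaching the jail with dst 192.168.0.103 but with the UNC path still naming 192.168.0.101, and the reply reaching the client with src 192.168.0.101. A port that is not in the forward list (631, for example) is delivered to the primary address unchanged.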

SirDice
May 11th, 2009, 10:41
"so that it is completely unknown to the users that a jail is in use."
The users won't be aware it's a jail anyway. For them it's just another machine.