Allowing home LAN through pf.

[tedbell]

Just a quick question.
How do I allow just computers on my home LAN to access my samba shares. I can access my freeBSD machine from other computers by disabling pf and I would rather not do that.
Here is my pf.conf

###macro name for external interface
ext_if = "wlan0"

# Macros to define the set of TCP and UDP ports to open.
# Add additional ports or ranges separated by commas.
# UDP 60000-60010 is mosh control http://mosh.mit.edu/
tcp_services = "{56303, 56307}"
udp_services = "{56303, 56307}"

# Modulate the initial sequence number of TCP packets.
# Broken operating systems sometimes don't randomize this number,
# making it guessable.
tcp_state="flags S/SA keep state"
udp_state="keep state"

# Don't send rejections. Just drop.
set block-policy drop

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

nat on $ext_if from any to any -> ($ext_if)

### Default deny everything
block log all

### Pass loopback
set skip on lo0


### Block spoof
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Keep and modulate state of outbound traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

# drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255

# Allow the services defined in the macros at the top of the file
pass in on $ext_if inet proto tcp from any to any port $tcp_services $tcp_state

pass in on $ext_if inet proto udp from any to any port $udp_services $udp_state

Thanks for any help.

 

[sidetone]

I checked in a reference book, that Samba largely uses Netbios. grep -i netbios /etc/services. swat showed up for samba, and nothing showed for smb. It says swat has to be secured if it's used, to firewall it, further secure its permissions and only use it from localhost.

As with some protocols, I noticed that pf has to allow packets to come in without a state for a given port, or many will get dropped if they send a connection first, or if the connection responds too much. Perhaps not for swat itself, which should be more restricted, to prevent passwords from showing on the network.

netbios-ns    137/tcp       #NETBIOS Name Service
netbios-ns    137/udp       #NETBIOS Name Service
netbios-dgm    138/tcp       #NETBIOS Datagram Service
netbios-dgm    138/udp       #NETBIOS Datagram Service
netbios-ssn    139/tcp       #NETBIOS Session Service
netbios-ssn    139/udp       #NETBIOS Session Service
----
swat        901/tcp       # samba web configuration tool

By doing a web search, maybe port 445,

microsoft-ds    445/tcp
microsoft-ds    445/udp

 

[mickey]

Just a quick question.
How do I allow just computers on my home LAN to access my samba shares. I can access my freeBSD machine from other computers by disabling pf and I would rather not do that.

SMB uses TCP on port 445 (microsoft-ds). Unless you need NetBios for anything that should be all you need to allow inbound. You could define a macro for your home network at the top of your config file and then use that macro in a filter rule to allow inbound TCP connections to port 445, like so:

home_lan="192.168.1.0/24"
(...)
pass in quick on $ext_if inet proto tcp from $home_lan to port 445 $tcp_state

Beware though that this will allow connections based on their source IP address. So if you connect to another network that happens to use the same IP range it will also allow connecting from that network. Restricting connections to your LAN and your LAN only would require a more sophisticated approach.

 

[tedbell]

Thanks a lot guys I'll give that a try!
This is my first time configuring Samba in over a decade and even then I never got it fully working.

 

[Datapanic]

You could also control access to samba shares in your smb4.conf file with the hosts allow:

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
;   hosts allow = 192.168.1. 192.168.2. 127.
hosts allow = 10.0.1. 127.

 

[tedbell]

You could also control access to samba shares in your smb4.conf file with the hosts allow:

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
;   hosts allow = 192.168.1. 192.168.2. 127.
hosts allow = 10.0.1. 127.

I'll give it a shot as well.
The above method doesn't appear to be working for me atm.
I'll try again tomorrow.

 

[sidetone]

You could define a macro for your home network

A macro can also be for Samba, and service ports that need the same rule. Swat may need a different, so more restrictive rule.

 

[gigagoochelaar]

A more general solution to your type of problem is to check your log. You already have log in your default block rule, if you also have pflog_enable="YES" in your /etc/rc.conf you can check what actually gets blocked.
# tcpdump -enr /var/log/pflog shows you what got logged/blocked, # tcpdump -eni pflog0 shows logging in real time. The -e and -n are optional in both cases.

 

[tedbell]

A more general solution to your type of problem is to check your log. You already have log in your default block rule, if you also have pflog_enable="YES" in your /etc/rc.conf you can check what actually gets blocked.
# tcpdump -enr /var/log/pflog shows you what got logged/blocked, # tcpdump -eni pflog0 shows logging in real time. The -e and -n are optional in both cases.

OK thanks
BTW the more and more I learn about this packet filter the more I love FreeBSD and its security!