PF: pf is preventing connection to a Samba jail, but nothing appears to be logged

I have a pf firewall script that I've been putting together (partly converting from my old ipfw script and partly improving for current needs), and I cannot figure out what is going on here with my samba jail.

I use Samba as a Time Machine backup target for a Mac, and with pf disabled it works just fine. But the moment I turn it on, all attempts fail. I must be missing something obvious here, but I don't see what it is.

I made a trimmed-down copy of my script that removes everything except the rules affecting the Samba jail and the host, in an attempt to figure out why the connection is failing. I added every Samba-related port and every incoming and outgoing rule I could think of, and there was no change. I also tried a version of the trimmed-down script that passed ICMP to the jail and the host, and removed the `quick` from every rule in case either of those mattered, but there was no change, so I switched them back so I could run the ping test below.

The test ruleset has only two block actions and both are logged, and neither appears to be catching anything when I attempt to run a Time Machine backup. In this example I ran a couple of pings from the client to the host and to the jail to see that blocks were actually captured. The 172.18.100.214 I pinged from here is also the MacBook I'm trying to connect to Samba with. This output was captured while the rules were set to block incoming ICMP.

Code:
root@host:~ # tcpdump -n -e -ttt -i pflog0 host 172.18.100.123 or 172.18.100.127
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), snapshot length 262144 bytes
 00:00:00.000000 rule 6/0(match): block in on bge0: 172.18.100.214 > 172.18.100.127: ICMP echo request, id 53582, seq 0, length 64
 00:00:01.002666 rule 6/0(match): block in on bge0: 172.18.100.214 > 172.18.100.127: ICMP echo request, id 53582, seq 1, length 64
 00:02:54.469190 rule 0/0(match): block in on bge0: 172.18.100.214 > 172.18.100.123: ICMP echo request, id 5711, seq 0, length 64
 00:00:01.001180 rule 0/0(match): block in on bge0: 172.18.100.214 > 172.18.100.123: ICMP echo request, id 5711, seq 1, length 64
 00:00:01.003659 rule 0/0(match): block in on bge0: 172.18.100.214 > 172.18.100.123: ICMP echo request, id 5711, seq 2, length 64

Here is the script, with rules added to allow ICMP
Code:
root@host:~ # cat /usr/local/etc/smbtest.pf
#!/bin/sh
samba_tcp = "{ 137 138 139 445 5353 5354 }"
samba_udp = "{ 137 138 139 445 5353 5354 }"

samba_jail="172.18.100.127"
host_ip="172.18.100.123"
home_subnet="172.18.100.0/24"

# Default block
block log all

# Allow ICMP
pass out proto icmp

# DNS
pass out proto udp to port domain

# NTP
pass out proto udp to port ntp
pass out proto tcp to port ntp

# Host
pass in proto tcp to $host_ip port ssh
pass in proto icmp to $host_ip

# Samba
block in log to $samba_jail
pass in proto icmp to $samba_jail
pass in proto tcp to $samba_jail port $samba_tcp
pass in proto udp to $samba_jail port $samba_udp
pass in proto tcp to $host_ip port $samba_tcp
pass in proto udp to $host_ip port $samba_udp
pass out proto tcp from $host_ip port $samba_tcp
pass out proto udp from $host_ip port $samba_udp
pass out proto tcp from $samba_jail port $samba_tcp
pass out proto udp from $samba_jail port $samba_udp


And here is the actual ruleset it shows when it's loaded (with the above changes allowing ICMP)
Code:
root@host:~ # pfctl -s rules
block drop log all
pass out proto udp from any to any port = domain keep state
pass out proto udp from any to any port = ntp keep state
pass out proto icmp all keep state
pass out proto tcp from any to any port = ntp flags S/SA keep state
pass in inet proto tcp from any to 172.18.100.123 port = ssh flags S/SA keep state
pass in inet proto icmp from any to 172.18.100.123 keep state
block drop in log inet from any to 172.18.100.127
pass in inet proto tcp from any to 172.18.100.127 port = netbios-ns flags S/SA keep state
pass in inet proto tcp from any to 172.18.100.127 port = netbios-dgm flags S/SA keep state
pass in inet proto tcp from any to 172.18.100.127 port = netbios-ssn flags S/SA keep state
pass in inet proto tcp from any to 172.18.100.127 port = microsoft-ds flags S/SA keep state
pass in inet proto tcp from any to 172.18.100.127 port = mdns flags S/SA keep state
pass in inet proto tcp from any to 172.18.100.127 port = mdnsresponder flags S/SA keep state
pass in inet proto udp from any to 172.18.100.127 port = netbios-ns keep state
pass in inet proto udp from any to 172.18.100.127 port = netbios-dgm keep state
pass in inet proto udp from any to 172.18.100.127 port = netbios-ssn keep state
pass in inet proto udp from any to 172.18.100.127 port = microsoft-ds keep state
pass in inet proto udp from any to 172.18.100.127 port = mdns keep state
pass in inet proto udp from any to 172.18.100.127 port = mdnsresponder keep state
pass in inet proto icmp from any to 172.18.100.127 keep state
pass in inet proto tcp from any to 172.18.100.123 port = netbios-ns flags S/SA keep state
pass in inet proto tcp from any to 172.18.100.123 port = netbios-dgm flags S/SA keep state
pass in inet proto tcp from any to 172.18.100.123 port = netbios-ssn flags S/SA keep state
pass in inet proto tcp from any to 172.18.100.123 port = microsoft-ds flags S/SA keep state
pass in inet proto tcp from any to 172.18.100.123 port = mdns flags S/SA keep state
pass in inet proto tcp from any to 172.18.100.123 port = mdnsresponder flags S/SA keep state
pass in inet proto udp from any to 172.18.100.123 port = netbios-ns keep state
pass in inet proto udp from any to 172.18.100.123 port = netbios-dgm keep state
pass in inet proto udp from any to 172.18.100.123 port = netbios-ssn keep state
pass in inet proto udp from any to 172.18.100.123 port = microsoft-ds keep state
pass in inet proto udp from any to 172.18.100.123 port = mdns keep state
pass in inet proto udp from any to 172.18.100.123 port = mdnsresponder keep state
pass out inet proto tcp from 172.18.100.123 port = netbios-ns to any flags S/SA keep state
pass out inet proto tcp from 172.18.100.123 port = netbios-dgm to any flags S/SA keep state
pass out inet proto tcp from 172.18.100.123 port = netbios-ssn to any flags S/SA keep state
pass out inet proto tcp from 172.18.100.123 port = microsoft-ds to any flags S/SA keep state
pass out inet proto tcp from 172.18.100.123 port = mdns to any flags S/SA keep state
pass out inet proto tcp from 172.18.100.123 port = mdnsresponder to any flags S/SA keep state
pass out inet proto tcp from 172.18.100.127 port = netbios-ns to any flags S/SA keep state
pass out inet proto tcp from 172.18.100.127 port = netbios-dgm to any flags S/SA keep state
pass out inet proto tcp from 172.18.100.127 port = netbios-ssn to any flags S/SA keep state
pass out inet proto tcp from 172.18.100.127 port = microsoft-ds to any flags S/SA keep state
pass out inet proto tcp from 172.18.100.127 port = mdns to any flags S/SA keep state
pass out inet proto tcp from 172.18.100.127 port = mdnsresponder to any flags S/SA keep state
pass out inet proto udp from 172.18.100.123 port = netbios-ns to any keep state
pass out inet proto udp from 172.18.100.123 port = netbios-dgm to any keep state
pass out inet proto udp from 172.18.100.123 port = netbios-ssn to any keep state
pass out inet proto udp from 172.18.100.123 port = microsoft-ds to any keep state
pass out inet proto udp from 172.18.100.123 port = mdns to any keep state
pass out inet proto udp from 172.18.100.123 port = mdnsresponder to any keep state
pass out inet proto udp from 172.18.100.127 port = netbios-ns to any keep state
pass out inet proto udp from 172.18.100.127 port = netbios-dgm to any keep state
pass out inet proto udp from 172.18.100.127 port = netbios-ssn to any keep state
pass out inet proto udp from 172.18.100.127 port = microsoft-ds to any keep state
pass out inet proto udp from 172.18.100.127 port = mdns to any keep state
pass out inet proto udp from 172.18.100.127 port = mdnsresponder to any keep state

So yeah, I'm at a loss as to what is going on here.
 
Forget about ports 137, 138 and 139. SMB/CIFS only needs TCP/445. Ports 137, 138 and 139 were used by Windows 9x, from Windows 2000 onward it only used TCP/445.

Code:
# Allow ICMP 
pass out quick proto icmp
There's no rule allowing incoming ICMP. You have a default block all, so nothing is going to respond to an incoming ICMP echo request.
 
Forget about ports 137, 138 and 139. SMB/CIFS only needs TCP/445. Ports 137, 138 and 139 were used by Windows 9x, from Windows 2000 onward it only used TCP/445.

Thanks, I'll remove the 137/138/139 ports once I've got the script to a point that everything is actually working.

There's no rule allowing incoming ICMP. You have a default block all, so nothing is going to respond to an incoming ICMP echo request.

There was originally but it wasn't making a difference in behavior so I removed it. Though I will go ahead and add them to the script and reload the rules, and update the above post with those added.
 
Playing with it some more, I removed the default block option and noticed that the `block in log to $samba_jail` rule isn't actually blocking anything. I verified the IP on the jail and the actual rule using `pfctl -s rules` several times to make sure there was no fat-fingering, but it all looks correct.

The only explanation I can think of is that this might be due to the fact that I set all my jail IPs by just assigning an IP in /etc/jail.conf and there are no vnets or anything, and maybe that's confusing pf somehow. Is that possible?
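Added example (not from this thread, and not pf's own code): a small Python model of pf's matching order, rebuilt from the ruleset exactly as `pfctl -s rules` printed it in the first post. Two facts drive the behaviour seen in the pflog capture and in the last post. First, pf walks the whole ruleset and the last matching rule decides, unless a matching rule carries `quick`, which ends evaluation there; so `block in log to $samba_jail` followed by `pass in ... to $samba_jail` rules loses to those pass rules for every protocol and port they name. Second, the number in a pflog line (`rule 6/0`) is the index of the deciding rule in the loaded ruleset, which `pfctl -vvsr` prints as `@N`; the loaded order is not the file order (the pass rules above were reordered on load), so count against the loaded ruleset, not the script. The model ignores state tracking, anchors, address families and TCP flags; the packets it evaluates are constructed, and the `build_ruleset()` and `verdict()` helpers are the example's own, not pf functions.

```python
"""Toy model of pf rule ordering for the ruleset in this thread.

Not pf: it ignores states, anchors, address families and TCP flags and
only reproduces "last matching rule wins, unless a match is quick".
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

HOST = "172.18.100.123"          # host IP from the thread
JAIL = "172.18.100.127"          # Samba jail IP from the thread
MAC = "172.18.100.214"           # the MacBook running Time Machine
SAMBA_PORTS = (137, 138, 139, 445, 5353, 5354)


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: str                    # "in", "out" or "any"
    proto: Optional[str] = None       # None matches any protocol
    src: Optional[str] = None         # host or CIDR; None matches any
    dst: Optional[str] = None
    sport: frozenset = frozenset()    # empty set matches any port
    dport: frozenset = frozenset()
    quick: bool = False
    log: bool = False


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _in_net(addr: str, net: Optional[str]) -> bool:
    return net is None or ip_address(addr) in ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.direction in ("any", pkt.direction))
            and (rule.proto is None or rule.proto == pkt.proto)
            and _in_net(pkt.src, rule.src) and _in_net(pkt.dst, rule.dst)
            and (not rule.sport or pkt.sport in rule.sport)
            and (not rule.dport or pkt.dport in rule.dport))


def verdict(rules: list[Rule], pkt: Packet) -> tuple[str, Optional[int], bool]:
    """(action, deciding rule number as pflog reports it, logged?).

    pf keeps walking after a match; the last match decides unless the
    matching rule is quick.  A packet matching no rule passes, unlogged.
    """
    hit = None
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            hit = (idx, rule)
            if rule.quick:
                break
    if hit is None:
        return ("pass", None, False)
    idx, rule = hit
    return (rule.action, idx, rule.log)


def build_ruleset(icmp_in: bool = True, jail_block_quick: bool = False) -> list[Rule]:
    """Rebuild the thread's loaded ruleset in the order pfctl -s rules showed.

    icmp_in=False drops the two 'pass in proto icmp' rules, i.e. the ruleset
    in force when the pflog capture was taken.  jail_block_quick=True shows
    what adding 'quick' to 'block in log to $samba_jail' would change.
    """
    p = frozenset
    rules = [
        Rule("block", "any", log=True),                  # block drop log all
        Rule("pass", "out", "udp", dport=p({53})),       # domain
        Rule("pass", "out", "udp", dport=p({123})),      # ntp
        Rule("pass", "out", "icmp"),
        Rule("pass", "out", "tcp", dport=p({123})),
        Rule("pass", "in", "tcp", dst=HOST, dport=p({22})),
    ]
    if icmp_in:
        rules.append(Rule("pass", "in", "icmp", dst=HOST))
    rules.append(Rule("block", "in", dst=JAIL, log=True, quick=jail_block_quick))
    for proto in ("tcp", "udp"):
        rules += [Rule("pass", "in", proto, dst=JAIL, dport=p({x})) for x in SAMBA_PORTS]
    if icmp_in:
        rules.append(Rule("pass", "in", "icmp", dst=JAIL))
    for proto in ("tcp", "udp"):
        rules += [Rule("pass", "in", proto, dst=HOST, dport=p({x})) for x in SAMBA_PORTS]
    for proto in ("tcp", "udp"):          # the pass out rules match on source port
        for ip in (HOST, JAIL):
            rules += [Rule("pass", "out", proto, src=ip, sport=p({x})) for x in SAMBA_PORTS]
    return rules


if __name__ == "__main__":
    cases = [
        ("capture: ping jail", build_ruleset(icmp_in=False), Packet("in", "icmp", MAC, JAIL)),
        ("capture: ping host", build_ruleset(icmp_in=False), Packet("in", "icmp", MAC, HOST)),
        ("now: ping jail", build_ruleset(), Packet("in", "icmp", MAC, JAIL)),
        ("now: SMB SYN to jail", build_ruleset(), Packet("in", "tcp", MAC, JAIL, 51234, 445)),
        ("now: mDNS to multicast", build_ruleset(), Packet("in", "udp", MAC, "224.0.0.251", 5353, 5353)),
        ("quick jail block: SMB SYN", build_ruleset(jail_block_quick=True),
         Packet("in", "tcp", MAC, JAIL, 51234, 445)),
    ]
    for name, rules, pkt in cases:
        print(f"{name:28} -> {verdict(rules, pkt)}")
```

Run as is, the two "capture" cases reproduce the pflog lines in the first post: the ping to the jail is decided by rule 6 (`block in log to $samba_jail`, which sat at index 6 before the two `pass in proto icmp` rules were added) and the ping to the host by rule 0 (`block log all`). With the current ruleset, a SYN to TCP/445 on the jail is decided by rule 11, the `pass in proto tcp ... port = microsoft-ds` rule, which is why the jail block rule appears to block nothing; marking it `quick` makes it decide instead. The last case is the caveat for the tcpdump command shown earlier: a Bonjour/mDNS query goes to 224.0.0.251, is dropped and logged by rule 0, but never matches the `host 172.18.100.123 or 172.18.100.127` filter, so it would not show up on pflog0 with that filter even though it is being blocked. Note also that real pf checks the state table before the ruleset, so only the first packet of a connection walks these rules.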
 