[PC-BSD Testing] Trac Ticket # 6

Ian Robinson fitchkendall at gmail.com
Fri Feb 27 13:10:02 PST 2009 

Hey Kris --

http://trac.pcbsd.org/ticket/6 still lingers.

If you are having trouble getting Ticket #6 fixed, I think the problem boils
down to penetrating the excellent pf firewall.  pf excludes outside access
via NFS, Samba, and even Network Folder Wizard (KNetAttach/Fish) unless the
firewall is opened.  Try it.  You'll see.  The changes are simple.

These are the instructions and the three lines of code:

==================== Modify /etc/pf.conf ===========================
At the top of the default pf.conf file, define a macro variable to identify
the local network. Here, my router is 192.168.1.1, so my network is
192.168.1.0. Replace the string with your network:

At the end of the default /etc/pf.conf, you must add two lines to pass all
traffic to/from local network. (Notice the local network you identified
above is now identified in the following lines as the macro variable
"$lan".) But, bear in mind the pf rule that the "last entry controls", you
might add them sooner in the file if you have previously customized
/etc/pf.conf.

*Code:*
#
lan = "192.168.1.0/24"
#
*
Code:*
#
pass in on xl0 from $lan to any keep state
pass out on xl0 from any to $lan keep state
#
================ End Modifications to /etc/pf.conf ========================

Comments:

 -- the first line (lan = ) is not necessary since you can replace the $lan
in lines 2 and 3 with the actual tcp/ip address/net mask.

-- xl0 is a network interface card (NIC), so substitute your NIC's name.

Also the last two lines are not identical. They are reciprocal.  The first
says "pass in"; the second says "pass out". The first is from "$lan to any";
the second is the opposite from "any to $lan".



Conclusion:

This could be an easy fix.  Your installation and startup scripts have
already probed the network settings to identify the NIC drivers, tcp/ip
addresses, netmask, etc.   So, you already have the critical information to
put into pf.conf.  You could either (1) construct the necessary lines in
/etc/pf.conf as the system default (causing outrage that it is a default
setting), (2) construct the necessary lines "commented out" for the user to
activate, (3) set up a script to activate/deactivate the changes, or (4) put
the necessary information into the Quick Guide.

Reference:  http://forums.pcbsd.org/viewtopic.php?f=24&t=10362  (especially
near the end)

Ian Robinson
Salem, Ohio
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.pcbsd.org/pipermail/testing/attachments/20090227/66520d5c/attachment.html

More information about the Testing mailing list