[PC-BSD Testing] Testing Digest, Vol 33, Issue 20
kris at pcbsd.org
Tue Oct 20 08:28:56 PDT 2009
On Mon, 19 Oct 2009, Ian Robinson wrote:
> Dru Lavigne said:
> >When sharing with Samba, the current firewall rules are blocking smb as I had to disable the firewall in order to use smb:/
> >However, I still could not see the shares, so there are additional Samba settings required.
> I had the same problems with NFS & Samba several versions ago and reported this on Ticket #6 ( http://trac.pcbsd.org/ticket/6 ). I
> determined that pf was creating a blocking problem and that the default Samba configuration file needed some adjustments.
> 1. PF Solution:
> I posted the pf solution at http://forums.pcbsd.org/viewtopic.php?f=1&t=12998&hilit=+NFS , where I said:
> "I had wrestled for a long time trying to connect client computers to my pcbsd server using NFS and Samba. The problem was that the
> client computers could not penetrate the server's pf firewall. I had to disable the firewall until I figured it out.
> Finally, I learned to preserve the protection of a firewall while letting network traffic pass in and out. I discussed this near the end of
> the topic labeled "Quick and not so dirty way to use NFS and Samba", to which I referred you at viewtopic.php?f=24&t=10362
> pf.conf needed only two critical lines identifying the name of the network interface card, the tcp/ip address and netmask of the network.
> One line lets information "pass in" through the firewall. The other line lets information "pass out".
> Here is the relevant excerpt about modifications to pf.conf on the server side:
> Part 2. ========= Modify /etc/pf.conf (SERVER) ===========
> # at the top of the file, define a macro variable to identify the local network
> lan = "192.168.1.0/24"
> At the end of the file, add lines to pass all traffic to/from local network.
> Notice the local network is identified here as the macro variable $lan.
> Here, xl0 is the network interface card (NIC)
> pass in on xl0 from $lan to any keep state
> pass out on xl0 from any to $lan keep state
> I'm guessing that you are having the same problem. So, edit the original pf.conf to put in those three lines of code."
> 2. Samba Solution:
> I published the Samba adjustments at http://forums.pcbsd.org/viewtopic.php?f=24&t=10362&hilit=+NFS where I said:
> "Part 5. =================== Modify /usr/local/etc/smb.conf (Server) ======================
> # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
> workgroup = MYGROUP <------------------------------------ (change to your Windows workgroup)
> # server string is the equivalent of the NT Description field
> server string = Samba Server <---------------------------(change to meet your naming needs)
> # Security mode. Defines in which mode Samba will operate. Possible
> # values are share, user, server, domain and ads. Most people will want
> # user level security. See the Samba-HOWTO-Collection for details.
> security = user <------------------------------------ (change to security = share )
> # This option is important for security.. It allows you to restrict
> # connections to machines which are on your local network. The
> # following example restricts access to two C class networks and
> # the "loopback" interface. For more examples of the syntax see
> # the smb.conf man page
> ; hosts allow = 192.168.1. 127. <-----------(change to match the 1st three parts of your network tcp address, keep 127. )
> * * *
> comment = Home Directories
> browseable = no
> writable = yes
> * * *
> comment = All Printers
> path = /usr/spool/samba
> browseable = no
> # Set public = yes to allow user 'guest account' to print
> guest ok = no
> printable = yes
> # >>> Custom Additions to Locate Files and Permit Access <<<==============================
> [FK_SERVER] <------------------- Section Label, here w/ my server's name
> comment = general user documents and files
> path = /server_files <------------------ Path to location of the files you want to share
> public = yes
> read only = no
> writeable = yes
> browseable = yes
> guest ok = yes
> available = yes
> guest account = nobody
> force group = nogroup
> force user = nobody
> create mask = 0777
> directory mask = 0777
> nt acl support = No
> # End Samba Changes"
> Dru probably nailed down all these things a few moments after her post since it was years ago she helped me focus in on some nuances of
> NFS and the need to pass through the firewall while keeping state, but I thought I'd try to pinpoint the problem and the inelegant but
> effective work-around that I concocted.
> Ian Robinson
> Salem, OH
I've committed some additional open-ports to the default firewall, and also added a new "NFS" module to the services tab
for the next alpha, will you be willing to re-test these in the next ISO? I'm not a big NFS fan/user here, so I'd welcome
some folks to give these things a try and let me know of any issues :)
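
An added example, not part of the original thread or of PC-BSD's code: a small Python check that reads an smb.conf and reports the access settings the share quoted above combines (share-level security, no active "hosts allow", a guest-writable share, 0777 masks). The sample config is constructed from the quoted lines; the function name and finding strings are hypothetical.

```python
import configparser

# Constructed sample: the relevant lines of the smb.conf quoted in the thread.
SAMPLE = """
[global]
workgroup = MYGROUP
security = share
; hosts allow = 192.168.1. 127.

[FK_SERVER]
path = /server_files
public = yes
read only = no
guest ok = yes
create mask = 0777
directory mask = 0777
"""

TRUE = {"yes", "true", "1"}

def audit_smb_conf(text):
    """Return (section, finding) pairs describing guest-access exposure."""
    # smb.conf uses both '#' and ';' for comments, so a commented-out
    # "hosts allow" line is correctly treated as not set.
    cp = configparser.RawConfigParser(comment_prefixes=("#", ";"), strict=False)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        s = {k.lower(): v.strip().lower() for k, v in cp.items(name)}
        if name.lower() == "global":
            if s.get("security") == "share":
                findings.append((name, "security = share: share-level, not per-user, authentication"))
            if "hosts allow" not in s:
                findings.append((name, "hosts allow not set: Samba accepts any source address"))
            continue
        # "public" is a synonym of "guest ok"; "writable"/"writeable"
        # are inverted synonyms of "read only".
        guest = s.get("guest ok", s.get("public", "no")) in TRUE
        writable = (s.get("read only") == "no"
                    or s.get("writable", s.get("writeable", "no")) in TRUE)
        if guest and writable:
            findings.append((name, "guest-writable share"))
        for key in ("create mask", "directory mask"):
            mask = s.get(key)
            if mask and int(mask, 8) & 0o002:
                findings.append((name, f"{key} = {mask}: world-write bit not masked off"))
    return findings
```
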