[PC-BSD Testing] Testing Digest, Vol 33, Issue 20

Kris Moore kris at pcbsd.org
Tue Oct 20 08:28:56 PDT 2009



On Mon, 19 Oct 2009, Ian Robinson wrote:

> 
> Dru Lavigne said:
> 
> >When sharing with Samba, the current firewall rules are blocking smb as I had to disable the firewall in order to use smb:/ 
> >However, I still could not see the shares, so there are additional Samba settings required.
> 
> ==================================================
> 
> I had the same problems with NFS & Samba several versions ago and reported this on Ticket #6 ( http://trac.pcbsd.org/ticket/6 ).  I
> determined that pf was creating a blocking problem and that the default Samba configuration file needed some adjustments. 
> 
> 1.  PF Solution: 
> 
> I posted the pf solution at http://forums.pcbsd.org/viewtopic.php?f=1&t=12998&hilit=+NFS , where I said:
> 
> "I had wrestled for a long time trying to connect client computers to my pcbsd server using NFS and Samba. The problem was that the
> client computers could not penetrate the server's pf firewall. I had to disable the firewall until I figured it out.
> 
> Finally, I learned to preserve the protection of a firewall while letting network traffic pass in and out. I discussed this near the end of
> the topic labeled "Quick and not so dirty way to use NFS and Samba" to which I referred you at viewtopic.php?f=24&t=10362
> 
> pf.conf needed only two critical lines identifying the name of the network interface card, the tcp/ip address and netmask of the network.
> One line lets information "pass in" through the firewall. The other line lets information "pass out".
> 
> Here is the relevant excerpt about modifications to pf.conf on the server side:
> Quote:
> Part 2. ========= Modify /etc/pf.conf (SERVER) ===========
> # at the top of the file, define a macro variable to identify the local network
> Code:
> #
> lan = "192.168.1.0/24"
> #
> 
> At the end of the file, add lines to pass all traffic to/from local network.
> Notice the local network is identified here as the macro variable $lan.
> Here, xl0 is the network interface card (NIC)
> 
> Code:
> #
> pass in on xl0 from $lan to any keep state
> pass out on xl0 from any to $lan keep state
> #
> I'm guessing that you are having the same problem. So, edit the original pf.conf to put in those three lines of code"
> 
> 2.  Samba Solution:
> 
> I published the Samba adjustments at http://forums.pcbsd.org/viewtopic.php?f=24&t=10362&hilit=+NFS where I said:
> 
> "Part 5. =================== Modify /usr/local/etc/smb.conf (Server) ======================
> 
> Code:
> [global]
> 
> # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
>    workgroup = MYGROUP  <------------------------------------ (change to your Windows workgroup)
> 
> # server string is the equivalent of the NT Description field
>    server string = Samba Server   <---------------------------(change to meet your naming needs)
> 
> # Security mode. Defines in which mode Samba will operate. Possible
> # values are share, user, server, domain and ads. Most people will want
> # user level security. See the Samba-HOWTO-Collection for details.
>    security = user   <------------------------------------ (change to security = share )
> 
> # This option is important for security.. It allows you to restrict
> # connections to machines which are on your local network. The
> # following example restricts access to two C class networks and
> # the "loopback" interface. For more examples of the syntax see
> # the smb.conf man page
> ;   hosts allow = 192.168.1.  127.    <-----------(change to match the 1st three parts of your network tcp address, keep 127. )
> 
>                  * * *
> 
> [homes]
> 
>    comment = Home Directories
>    browseable = no
>    writable = yes
> 
>               * * *
> 
> [printers]
> comment = All Printers
> path = /usr/spool/samba
> browseable = no
> # Set public = yes to allow user 'guest account' to print
> guest ok = no
> printable = yes
> #
> # >>> Custom Additions to Locate Files and Permit Access <<<==============================
> #
> [FK_SERVER]                   <------------------- Section Label, here w/ my server's name
>     comment = general user documents and files
>     path = /server_files         <------------------ Path to location of the files you want to share
>     public = yes
>     read only = no
>     writeable = yes
>     browseable = yes
>     guest ok = yes
>     available = yes
>     guest account = nobody
>     force group = nogroup
>     force user = nobody
>     create mask = 0777
>     directory mask = 0777
>     nt acl support = No
> #
> #  End Samba Changes"
> 
> 
> Dru probably nailed down all these things a few moments after her post since it was years ago she helped me focus in on some nuances of
> NFS and the need to pass through the firewall while keeping state, but I thought I'd try to pinpoint the problem and the inelegant but
> effective work-around that I concocted.
> 
> Ian Robinson
> Salem, OH
>

I've committed some additional open-ports to the default firewall, and also added a new "NFS" module to the services tab
for the next alpha, will you be willing to re-test these in the next ISO? I'm not a big NFS fan/user here, so I'd welcome
some folks to give these things a try and let me know of any issues :)


--
Kris Moore
PC-BSD Software
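
Added example (not part of the original messages or of PC-BSD): a small audit that reports the smb.conf settings in the quoted configuration that widen access, which is useful when re-testing shares once the firewall ports are open. The sample text is constructed from the values recommended above, and the function names are hypothetical.

```python
import re

# Constructed sample: the settings recommended in the quoted smb.conf,
# with the "<----" annotations removed.
SAMPLE = """\
[global]
   security = share
;   hosts allow = 192.168.1.  127.
[homes]
   writable = yes
[FK_SERVER]
    guest ok = yes
    read only = no
    create mask = 0777
    directory mask = 0777
"""

def parse(text):
    # Returns {section: {parameter: value}}; '#' and ';' start comment lines.
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = conf.setdefault(m.group(1).strip(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; normalise whitespace too.
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def is_yes(opts, key, default="no"):
    return opts.get(key, default).lower() in ("yes", "true", "1")

def audit(text):
    # Returns (section, finding) pairs for settings that widen access.
    conf, findings = parse(text), []
    glob = conf.get("global", {})
    if glob.get("security", "").lower() == "share":
        findings.append(("global", "share-level security"))
    if "hosts allow" not in glob:
        findings.append(("global", "no hosts allow restriction"))
    for name, opts in conf.items():
        writable = (is_yes(opts, "writable") or is_yes(opts, "writeable")
                    or not is_yes(opts, "read only", "yes"))
        if (is_yes(opts, "guest ok") or is_yes(opts, "public")) and writable:
            findings.append((name, "guest-writable share"))
        for key in ("create mask", "directory mask"):
            if int(opts.get(key, "0"), 8) & 0o002:
                findings.append((name, f"{key} {opts[key]} is world-writable"))
    return findings
```

Calling `audit(SAMPLE)` returns five findings; a configuration with `security = user`, an active `hosts allow` line and masks such as 0660 returns none.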

