# pf + cups/samba



## foo_daemon (May 10, 2009)

Hi all,

I'm having some trouble accomplishing port forwarding with pf for a samba print share.

Basically:
I have the apache/cups/samba services running in a jail.  When the user accesses the primary IP (192.168.0.101), I want it to forward requests on those ports to the jail's IP (192.168.0.101), and similarly have the primary IP appear in all replies, so that is completely unknown to the users that a jail is in use. 

Here is my pf.conf file (I am new to pf: this server is already behind a NAT'ed router, hence the very permissive ruleset)
/etc/pf.conf

```
lo_if="lo0"
lo_addr="127.0.0.1"

ext_if="rl0"
base_addr="{192.168.0.101/24, 127.0.0.1}"

jail_addr="192.168.0.103/32"

tcp_forwards = "{ www, netbios-ns, netbios-dgm, netbios-ssn, https, microsoft-ds, swat }"
udp_forwards = "{ www, netbios-ns, netbios-dgm, netbios-ssn, https, microsoft-ds }"

nat on $ext_if from $jail_addr to any -> $ext_if

rdr pass on $ext_if proto tcp from any to $base_addr port $tcp_forwards -> $jail_addr
rdr pass on $ext_if proto udp from any to any port $udp_forwards -> $jail_addr

pass in on $ext_if proto tcp from port $tcp_forwards to $ext_if flags S/SA keep state
pass in on $ext_if proto udp from port $udp_forwards to $ext_if keep state

pass in all
pass out all
```

The above works great for samba file shares, http/https and swat requests, but when I try to access the printer share, XP machine whines "This operation could not be completed.  Either the printer name was typed incorrectly, or the specified printer has lost its connection with the server."

If I use the jail's IP directly, though, I can access the print share (and all other services) and use it without problems.

Here is the pertinent samba log with log level 5:
http://pastebin.com/m50604197


```
[2009/05/09 23:16:30, 5] rpc_parse/parse_prs.c:prs_werror(830)
      0014 status code: WERR_INVALID_PRINTER_NAME
```

I appreciate any and all advice...


----------



## foo_daemon (May 10, 2009)

Jail's IP is 192.168.0.103; I made an early typo.  Don't have edit privileges yet, sry...


----------



## SirDice (May 11, 2009)

> so that is completely unknown to the users that a jail is in use.


The users won't be aware it's a jail anyway. For them it's just another machine.


----------

