ipfw breaking smtp conversations

Alex Teslik whereisalext at gmail.com
Wed Nov 4 16:54:49 UTC 2009


Hi List,

   I'm having trouble with mail deliveries. I'm getting lots of error
messages like:

timeout writing message to mx3.comcast.net.: Broken pipe
timeout writing message to mailserver2.telmex.net.co.: Resource temporarily unavailable

After looking elsewhere I decided to try changing my ipfw.rules - the
problems went away immediately. Unfortunately, the change caused http
connections from outside to stall mid-conversation. So I changed it back.
But I'm clearly doing something wrong.

Here is what my network looks like (fairly basic):

Direct to Internet
   ^
   |
Dual-Homed Host (em0 external interface)
NAT,DHCP (sk0 internal interface)
 |
 v
Internal LAN

Here are my current rules:

#!/bin/sh
IPFW="ipfw -q add"
ipfw -q -f flush

$IPFW 10 allow all from any to any via sk0
$IPFW 20 allow all from any to any via lo0
$IPFW 30 divert natd ip from any to any in via em0
$IPFW 50 check-state
$IPFW 60 skipto 500 all from any to any out via em0 setup keep-state
$IPFW 70 allow all from any to me in via em0 setup limit src-addr 50
$IPFW 500 divert natd ip from any to any out via em0
$IPFW 600 allow ip from any to any
$IPFW 800 deny all from any to any


Here are the rules that fixed smtp, but broke http:

#!/bin/sh
IPFW="/sbin/ipfw -q add"
ipfw -q -f flush

$IPFW 990 divert natd ip from any to any in via em0
$IPFW 995 divert natd ip from any to any out via em0
$IPFW 1000 allow tcp from any to any established
$IPFW 1010 allow all from any to any via em0
$IPFW 1020 allow all from any to any via sk0
$IPFW 1030 allow all from any to any via lo0
$IPFW 1050 allow tcp from any to any out
$IPFW 1060 allow udp from any to any out
$IPFW 1070 allow udp from any to any frag
$IPFW 1090 allow ip from any to any
$IPFW 9999 deny all from any to any


Somewhere between these two sets is the right thing, but I'm not certain
where to look. In English, here is what (I think) I'm trying to do:

Allow all incoming traffic on all ports on em0
Allow all outbound traffic on all ports on em0
Divert incoming NAT'd packets on em0 to sk0
Divert outbound NAT'd packets on sk0 to em0

Thanks,
Alex
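As an added example (not from the original post or from FreeBSD), here is a small Python lint over the two rulesets quoted above, copied in as constructed input. It only checks rule structure: which rules leave the external interface (assumed to be em0, as the post says) open in both directions, which rely on the stateless `established` match, and which rules can never be reached because an earlier rule already allows every packet.

```python
"""Structural lint for the two ipfw rulesets posted above (constructed input).
It does not model NAT or dynamic state; it only reports rules that make the
external side wide open or that are dead because of an earlier catch-all."""
EXT_IF = "em0"  # external interface named in the post (assumption)

CURRENT_RULES = """\
10 allow all from any to any via sk0
20 allow all from any to any via lo0
30 divert natd ip from any to any in via em0
50 check-state
60 skipto 500 all from any to any out via em0 setup keep-state
70 allow all from any to me in via em0 setup limit src-addr 50
500 divert natd ip from any to any out via em0
600 allow ip from any to any
800 deny all from any to any"""

SMTP_FIX_RULES = """\
990 divert natd ip from any to any in via em0
995 divert natd ip from any to any out via em0
1000 allow tcp from any to any established
1010 allow all from any to any via em0
1020 allow all from any to any via sk0
1030 allow all from any to any via lo0
1050 allow tcp from any to any out
1060 allow udp from any to any out
1070 allow udp from any to any frag
1090 allow ip from any to any
9999 deny all from any to any"""

def parse_rule(line):
    """Split 'num action [arg] proto from src to dst [opts...]' into a dict."""
    tok = line.split()
    num, action = int(tok[0]), tok[1]
    if action == "check-state":
        return {"num": num, "action": action, "proto": None, "src": None, "dst": None, "opts": []}
    # skipto/divert carry one argument (target rule / divert port) before the protocol
    body = tok[3:] if action in ("skipto", "divert", "tee", "pipe", "queue") else tok[2:]
    assert body[1] == "from" and body[3] == "to", line
    return {"num": num, "action": action, "proto": body[0], "src": body[2], "dst": body[4], "opts": body[5:]}

def lint(ruleset):
    """Return [(rule number, finding)] in rule order."""
    findings, catch_all = [], None
    for r in map(parse_rule, ruleset.splitlines()):
        any_any = r["proto"] in ("ip", "all") and r["src"] == "any" and r["dst"] == "any"
        if catch_all is not None:  # an earlier unconditional allow already took every packet
            findings.append((r["num"], f"unreachable: rule {catch_all} already matches every packet"))
            continue
        if r["action"] == "allow" and "established" in r["opts"]:
            findings.append((r["num"], "stateless 'established' passes any TCP segment with ACK/RST set"))
        if r["action"] == "allow" and any_any and r["opts"] == ["via", EXT_IF]:
            findings.append((r["num"], f"allows all traffic in both directions on {EXT_IF}"))
        if r["action"] == "allow" and any_any and not r["opts"]:
            catch_all = r["num"]
    return findings
```

Both rulesets end with a deny rule that is never reached, so neither actually denies anything; the second set additionally opens em0 completely at rule 1010.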


More information about the freebsd-questions mailing list