Email issues, relay failure
Bender, Chris
chris_bender at cellularatsea.com
Mon Feb 27 19:52:47 UTC 2012
Hi Joe
So from the rules below, I can see my network to and from in tables
<tbl.r38.s> to <tbl.r37.s>.
However when pfctl is enabled that traffic fails with ....
# tcpdump -ni bge0 host 10.156.81.10 and port 25
tcpdump: listening on bge0, link-type EN10MB
14:26:50.220591 10.156.81.10.60809 > 172.19.4.41.25: S
3154136673:3154136673(0) win 64240 <mss
1260,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop>
(DF) [tos 0xb8]
14:26:50.244314 10.156.81.10.60809 > 172.19.4.41.25: R
3154136674:3154136735(61) ack 1245040067 win 0 (DF) [tos 0xb8]
14:27:11.233494 10.156.81.10.60809 > 172.19.4.41.25: S
3154136673:3154136673(0) win 64240 <mss
1260,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop>
(DF) [tos 0xb8]
14:27:11.245057 10.156.81.10.60809 > 172.19.4.41.25: R 0:61(61) ack 1
win 0 (DF) [tos 0xb8]
So from the traffic above on the inbound interface I can see this failed.
OUCH. But I don't know what rule is killing it.
Here is the table:
table <tbl.r37.s> { 10.200.82.16 , 10.200.104.15 , 172.19.4.41 ,
198.211.94.23 }
table <tbl.r38.s> { 10.13.0.0/21 , 10.13.224.0/21 , 10.13.226.0/23 ,
10.150.0.0/16 , 10.156.0.0/16 , 10.158.0.0/16 , 10.166.0.0/16 ,
10.196.0.0/16 , 10.198.0.0/16 , 10.200.104.0/24 , 172.16.0.0/16 ,
172.19.4.0/24 , 172.19.11.0/24 , 172.19.20.0/24 , 172.19.50.0/24 ,
172.19.51.0/24 , 172.19.52.0/24 , 172.19.53.0/24 , 172.19.100.0/29 ,
172.19.231.0/24 , 172.19.232.0/24 , 172.31.0.0/16 }
Rest of pf.conf since you asked, from which I have removed confidential info.
The key is what is blocking SMTP. I am not sure yet.
Thanks
#
# Prolog script
#
set loginterface bge0
set state-defaults pflow
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat-anchor "relayd/*"
rdr-anchor "relayd/*"
anchor "relayd/*"
anchor "ftp-proxy/*"
#
# End of prolog script
#
set skip on bridge10
set skip on tun579
set skip on tun138
set skip on tun148
set skip on tun10
set skip on bridge138
set skip on bridge148
#
# Scrub rules
#
match in all scrub (no-df )
match out all scrub (random-id max-mss 1460)
# Tables: (26)
table <BlackList> persist file "/home/admin/BlackList.txt"
table <BlackList-Internet> persist file
"/home/admin/BlackList-internet.txt"
# Rule 0 (global)
# BlackList Rule
block in log quick inet from <BlackList> to any no state label
"RULE 0 -- DROP "
block out log quick inet from <BlackList> to any no state label
"RULE 0 -- DROP "
#
# Rule 1 (global)
# BlackList Rule
block in log quick inet from any to <BlackList> no state label
"RULE 1 -- DROP "
block out log quick inet from any to <BlackList> no state label
"RULE 1 -- DROP "
#
# Rule 2 (global)
# BlackList Servers going to Internet
block in log quick inet from <BlackList-Internet> to 127.0.0.1 no
state label "RULE 2 -- DROP "
block out log quick inet from <BlackList-Internet> to 127.0.0.1 no
state label "RULE 2 -- DROP "
#
# Rule 3 (bge1)
# BlackList Servers going to Internet
block out log quick on bge1 inet from <BlackList-Internet> to any no
state label "RULE 3 -- DROP "
#
# Rule 4 (bge1)
# BlackList Internet Ports
block out log quick on bge1 inet proto tcp from any to any port {
25, 465 } no state label "RULE 4 -- DROP "
#
# Rule 5 (global)
BLOCKED FOR CONFIDENTIALITY
# Rule 6 (bge1,bge0)
# FTP Proxy Loopback Rule
pass in log quick on { bge0 bge1 } inet proto tcp from any to
127.0.0.1 port 8021 flags any modulate state ( pflow ) label "RULE 6 --
ACCEPT "
#
# Rule 7 (bge0,vlan579)
pass in log quick on { bge0 vlan579 } inet proto tcp from <tbl.r2>
to 127.0.0.1 port 2021 flags any modulate state ( pflow ) label "RULE 7
-- ACCEPT "
#
# Rule 8 (bge0,vlan579)
pass in log quick on { bge0 vlan579 } inet proto tcp from <tbl.r2>
to 127.0.0.1 port 3128 flags any modulate state ( pflow ) label "RULE 8
-- ACCEPT "
#
# Rule 9 (global)
pass in log quick inet from any to any tagged FTPPROXY keep state
( pflow ) label "RULE 9 -- ACCEPT "
pass out log quick inet from any to any tagged FTPPROXY keep state
( pflow ) label "RULE 9 -- ACCEPT "
#
# Rule 10 (bge1)
# Allow ESP, AH, IKE and NAT-T for IPSEC
#
# Rule 11 (bge1)
# BLOCKED FOR CONFIDENTIALITY
#
# Rule 12 (bge1)
# PPTP Traffic
BLOCKED FOR CONFIDENTIALITY
#
# Rule 13 (bge1)
# PPTP Traffic
# BLOCKED FOR CONFIDENTIALITY
#
# Rule 14 (bge1)
# PPTP Traffic
pass out log quick on bge1 inet proto 47 from 172.19.231.128/27 to
any label "RULE 14 -- ACCEPT "
#
# Rule 15 (global)
Blocked for confidentiality
#
# Rule 16 (bge0)
pass in log quick on bge0 inet proto tcp from <tbl.r16.s> to
172.19.231.149 port 1723 flags any modulate state label "RULE 16 --
ACCEPT "
pass in log quick on bge0 inet proto 47 from <tbl.r16.s> to
172.19.231.149 label "RULE 16 -- ACCEPT "
#
# Rule 17 (global)
pass in log quick inet from <tbl.r17.s> to 10.10.11.0/24 label
"RULE 17 -- ACCEPT "
pass out log quick inet from <tbl.r17.s> to 10.10.11.0/24 label
"RULE 17 -- ACCEPT "
#
# Rule 18 (global)
pass in log quick inet proto udp from 172.19.231.128/27 to
212.9.21.214 port { 500, 4500 } label "RULE 18 -- ACCEPT "
pass in log quick inet proto 50 from 172.19.231.128/27 to
212.9.21.214 label "RULE 18 -- ACCEPT "
pass in log quick inet proto 51 from 172.19.231.128/27 to
212.9.21.214 label "RULE 18 -- ACCEPT "
pass out log quick inet proto udp from 172.19.231.128/27 to
212.9.21.214 port { 500, 4500 } label "RULE 18 -- ACCEPT "
pass out log quick inet proto 50 from 172.19.231.128/27 to
212.9.21.214 label "RULE 18 -- ACCEPT "
pass out log quick inet proto 51 from 172.19.231.128/27 to
212.9.21.214 label "RULE 18 -- ACCEPT "
#
# Rule 19 (global)
#
pass in log quick inet proto udp from 172.19.64.0/24 to 10.13.6.125
port 123 keep state ( pflow ) label "RULE 19 -- ACCEPT "
pass out log quick inet proto udp from 172.19.64.0/24 to 10.13.6.125
port 123 keep state ( pflow ) label "RULE 19 -- ACCEPT "
#
# Rule 20 (global)
pass in log quick inet proto udp from 172.19.64.0/24 to 172.31.1.6
port 162 keep state ( pflow ) label "RULE 20 -- ACCEPT "
pass in log quick inet proto 115 from 172.19.64.0/24 to 172.31.1.6
keep state ( pflow ) label "RULE 20 -- ACCEPT "
pass out log quick inet proto udp from 172.19.64.0/24 to 172.31.1.6
port 162 keep state ( pflow ) label "RULE 20 -- ACCEPT "
pass out log quick inet proto 115 from 172.19.64.0/24 to 172.31.1.6
keep state ( pflow ) label "RULE 20 -- ACCEPT "
#
#
# state ( pflow ) label "RULE 35 -- ACCEPT "
#
# Rule 36 (global)
# Allow ME to Any
pass out log quick inet from <tbl.r0.d> to any keep state ( pflow )
label "RULE 36 -- ACCEPT "
#
# Rule 37 (global)
# SMTP Servers Access to SMTP
pass in log quick inet proto tcp from <tbl.r37.s> to any port 25
flags any modulate state ( pflow ) label "RULE 37 -- ACCEPT "
pass out log quick inet proto tcp from <tbl.r37.s> to any port 25
flags any modulate state ( pflow ) label "RULE 37 -- ACCEPT "
#
# Rule 38 (global)
# Access to SMTP Servers
pass in log quick inet proto tcp from <tbl.r38.s> to <tbl.r37.s>
port 25 flags any modulate state ( pflow ) label "RULE 38 -- ACCEPT "
pass out log quick inet proto tcp from <tbl.r38.s> to <tbl.r37.s>
port 25 flags any modulate state ( pflow ) label "RULE 38 -- ACCEPT "
#
# Rule 39 (global)
# Restrict SMTP To Internal Networks
block in log quick inet proto tcp from any to <tbl.r25.s> port 25
no state label "RULE 39 -- DROP "
block out log quick inet proto tcp from any to <tbl.r25.s> port 25
no state label "RULE 39 -- DROP "
#
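The question in the message is which rule decides the fate of a given packet in a ruleset where every rule is `quick`. One way to answer that offline is to trace the packet through the rules in order, stopping at the first matching `quick` rule, exactly as pf does. The script below is an added example, not code from the message or from pf; it parses only the subset of pf.conf syntax the message uses (`table` definitions, `pass`/`block`, `in`/`out`, `quick`, `on <iface>` or `on { a b }`, `inet`, `proto`, `from`/`to` with `any`, CIDRs or `<table>` references, and `port N` or `port { a, b }`). The embedded config is constructed from the two tables and rules 4, 37 and 38 quoted in the message (written one rule per line, with a shortened `<tbl.r38.s>`); the packet traced is the one from the tcpdump output, 10.156.81.10 to 172.19.4.41 port 25 arriving on bge0. Directives the tracer does not model (`set`, `match`, anchors, `no state`, `flags`, NAT) are skipped, so it shows what the filter rules alone would do, not what a full pf stack would do.

```python
"""Added example: first-quick-match tracer for a pf.conf subset (not pf itself)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    quick: bool            # True when the rule carries "quick"
    ifaces: set            # empty set means "any interface"
    proto: Optional[str]   # "tcp", "udp", ... or None for any protocol
    src: list              # list of ipaddress networks for "from"
    dst: list              # list of ipaddress networks for "to"
    ports: set             # destination ports; empty set means any port
    label: str             # the rule's label string


# One rule per line; "log", "inet", state/flags options are tolerated and ignored.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+log)?(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?:\{\s*(?P<ifset>[^}]*)\}|(?P<if>\S+)))?(?:\s+inet)?"
    r"(?:\s+proto\s+(?P<proto>\S+))?\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s+(?:\{\s*(?P<portset>[^}]*)\}|(?P<port>\d+)))?"
    r".*?label\s+\"(?P<label>[^\"]*)\""
)
TABLE_RE = re.compile(r"^table\s+<(?P<name>[^>]+)>\s*\{(?P<body>[^}]*)\}")


def parse_addr(spec, tables):
    """'any', '<table>', a CIDR or a single host -> list of ip networks."""
    spec = spec.strip()
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if spec.startswith("<"):
        return tables[spec.strip("<>")]
    return [ipaddress.ip_network(spec, strict=False)]


def load_pf(text):
    """Parse table definitions and filter rules, in file order."""
    tables, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = TABLE_RE.match(line)
        if m:
            tables[m["name"]] = [ipaddress.ip_network(a.strip(), strict=False)
                                 for a in m["body"].split(",") if a.strip()]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # set/match/anchor and other directives are not modelled
        ifaces = set(m["ifset"].split()) if m["ifset"] else ({m["if"]} if m["if"] else set())
        ports = ({int(p) for p in m["portset"].split(",")} if m["portset"]
                 else ({int(m["port"])} if m["port"] else set()))
        rules.append(Rule(m["action"], m["dir"], bool(m["quick"]), ifaces, m["proto"],
                          parse_addr(m["src"], tables), parse_addr(m["dst"], tables),
                          ports, m["label"]))
    return rules


def lookup(rules, direction, iface, proto, src, dst, dport):
    """Return (action, label) of the rule that decides this packet.

    pf semantics: the last matching rule wins, unless a matching rule is
    "quick", in which case evaluation stops there. With no match at all pf's
    default is to pass, reported here as ("pass", None).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    decision = None
    for r in rules:
        if r.direction != direction or (r.ifaces and iface not in r.ifaces):
            continue
        if r.proto and r.proto != proto:
            continue
        if not any(src in n for n in r.src) or not any(dst in n for n in r.dst):
            continue
        if r.ports and dport not in r.ports:
            continue
        decision = r
        if r.quick:
            break  # quick: first match is final
    return (decision.action, decision.label) if decision else ("pass", None)


# Constructed excerpt of the ruleset quoted in the message (one rule per line).
SAMPLE_PF = """
table <tbl.r37.s> { 10.200.82.16 , 10.200.104.15 , 172.19.4.41 , 198.211.94.23 }
table <tbl.r38.s> { 10.13.0.0/21 , 10.150.0.0/16 , 10.156.0.0/16 , 172.19.4.0/24 }
block out log quick on bge1 inet proto tcp from any to any port { 25, 465 } no state label "RULE 4 -- DROP "
pass in log quick inet proto tcp from <tbl.r37.s> to any port 25 flags any modulate state ( pflow ) label "RULE 37 -- ACCEPT "
pass out log quick inet proto tcp from <tbl.r37.s> to any port 25 flags any modulate state ( pflow ) label "RULE 37 -- ACCEPT "
pass in log quick inet proto tcp from <tbl.r38.s> to <tbl.r37.s> port 25 flags any modulate state ( pflow ) label "RULE 38 -- ACCEPT "
pass out log quick inet proto tcp from <tbl.r38.s> to <tbl.r37.s> port 25 flags any modulate state ( pflow ) label "RULE 38 -- ACCEPT "
"""

if __name__ == "__main__":
    rs = load_pf(SAMPLE_PF)
    # The SYN seen in the tcpdump output: in on bge0, 10.156.81.10 -> 172.19.4.41:25
    print(lookup(rs, "in", "bge0", "tcp", "10.156.81.10", "172.19.4.41", 25))
    # The same relay sending outbound on bge1 would hit the port 25/465 block.
    print(lookup(rs, "out", "bge1", "tcp", "172.19.4.41", "198.51.100.7", 25))
```

Tracing the tcpdump packet through the quoted rules reports RULE 38 as the first quick match on the inbound side, so with the rules shown the SYN itself is accepted; the tool is most useful for then trying the reply and outbound directions on each interface, and for checking the rules elided from the message, which is where a drop would have to come from.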