cannot connect to SMTP from clients inside network except my own

Eric eric at mikestammer.com
Tue Sep 25 05:22:49 PDT 2007 

I sent this to the pf list and didnt get any replies. Hoping someone 
here sees something amiss!


my rules are at the bottom, but here is what i am seeing and I cannot
figure it out.

i have pf doing nat and redirecting several services to a server
(gondolin). My domain is mikestammer.com. If i am on a client machine 
inside my network, I
can telnet mikestammer.com 25 and i get the SMTP server prompt, but if I
try to telnet to any other mail server it always times out.  Mail to and
from my domain using mikestammer.com works for sending and receiving 
email from inside my network using mikestammer.com for hostname

Can anyone see a reason for this in my rules? I did some captures from
the client machine when trying to reach another mail server and was 
seeing things like this:

229	26.404238	192.168.0.152	68.73.91.210	TCP	[TCP Previous segment lost]
3244 > smtp [SYN] Seq=5538293 Len=0 MSS=1460

230	26.406292	192.168.0.51	192.168.0.152	ICMP	Destination unreachable
(Host unreachable)

68.73.91.210 is the mail server I want to connect to

i am not having any problem connecting to IMAP servers to get email, but
trying to send via those servers has never worked properly from inside 
my LAN.


any other comments on my ruleset are appreciated as well

Thanks

Eric

#
# $FreeBSD$
# PF rule set for mpd under FreeBSD
#
# Network Configuration
#
#      Kernel mode PPPoE with mpd
# -----------[FreeBSD PF]---------------[Switch]------[192.168.0.0/24]
#  ADSL    xl0      sk0(192.168.0.51)
#

# Macros
ext_if="ng0"    # replace with actual ext_ifernal int_iferface name
i.e., dc0
int_if="sk0"    # replace with actual int_ifernal int_iferface name
i.e., dc1


intnet = "192.168.0.0/24" # Adressspace of LAN
gondolin = "192.168.0.51" # This machine
isengard = "192.168.0.101"
baraddur = "192.168.0.150"

table <badhost> const {0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
                         224.0.0.0/4, 240.0.0.0/4, 10.0.0.0/8, \
                         172.16.0.0/12, 192.168.0.0/16, 255.255.255.255, \
                         127.0.0.1/8}

#
# hosts that can use this system as a gateway
#
table <allowhost> const {192.168.0.0/24}

set loginterface ng0
set skip on lo0

################################
# step 1: normalise packets #
################################
# Clean up fragmented and abnormal packets, defeat NAT detection too
# max-mss is needed due to mpd's poor MSS handling
scrub in all
scrub out all random-id max-mss 1440

################################
# step 2: NAT rules #
################################

# services provided to the outside world:
rdr on $ext_if proto tcp from any to $ext_if port 22 -> $gondolin port 22
rdr on $ext_if proto tcp from any to $ext_if port 25 -> $gondolin port 25
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $gondolin port 80
rdr on $ext_if proto tcp from any to $ext_if port 113 -> $gondolin port 113
rdr on $ext_if proto tcp from any to $ext_if port 143 -> $gondolin port 143
rdr on $ext_if proto tcp from any to $ext_if port 443 -> $gondolin port 443
rdr on $ext_if proto tcp from any to $ext_if port 993 -> $gondolin port 993

rdr on $ext_if proto tcp from any to $ext_if port 3389 -> $isengard port
3389
rdr on $ext_if proto udp from any to $ext_if port 30275 -> $baraddur
port 30275


# all ordinary traffic:
nat on $ext_if from $intnet to any -> $ext_if


################################
# step 3: Filtering #
################################

# Remember default rule for non-matching packets are passed!!!
block             out log on $ext_if           all
block             in  log on $ext_if           all
block return-rst  out log on $ext_if proto tcp all
block return-rst  in  log on $ext_if proto tcp all
block return-icmp out log on $ext_if proto udp all
block return-icmp in  log on $ext_if proto udp all

# allow lo0 interface packet
pass in quick on lo0 all
pass out quick on lo0 all

# allow internal network traffic
pass in on $int_if from any to <allowhost>
pass out on $int_if from <allowhost> to any


#
# block spoofing attack
#
block in quick log on $ext_if from <badhost> to any

# Allow ICMP (ping) IN
# pass out/in certain ICMP queries and keep state (ping)
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

#HTTP server
pass in on $ext_if proto tcp from any to $gondolin port 80 label "HTTP"
flags S/SA
pass in on $ext_if proto tcp from any to $gondolin port 443 label
"HTTPS" flags S/SA

#ident service
pass in on $ext_if proto tcp from any to $gondolin port 113 label
"ident" flags S/SA

#RDP to Isengard
pass in on $ext_if proto tcp from any to $isengard port 3389 label "RDP"
flags S/SA

#Mail server (SMTP and IMAP)
pass in on $ext_if proto tcp from any to $gondolin port 25 label "SMTP"
flags S/SA
pass in on $ext_if proto tcp from any to $gondolin port 143 label "IMAP"
flags S/SA
pass in on $ext_if proto tcp from any to $gondolin port 993 label
"IMAPS" flags S/SA

#Hamachi
pass in on $ext_if proto udp from any to $baraddur port 30275 label
"Hamachi"

#SSH server
pass  in  on $ext_if proto tcp from any to $gondolin port 22 label "SSH"
keep state

#allow outbound
#anything really
pass out on $ext_if proto { tcp, udp, icmp } all keep state


#open everything on internal ... if you don't trust that side of the
network, you've got big probs
pass in on $int_if all

_______________________________________________
freebsd-pf at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"

More information about the freebsd-questions mailing list