sending mail with attachments always fail (FreeBSD/pf)

Victor Lyapunov fullblaststorm at gmail.com
Sat Nov 21 14:59:14 UTC 2009 

Hi all,

I have production network with FreeBSD box acting as firewall. The
problem emerge as soon as users send mail with attachments. (Sending
mail without attachments always succeeds). Basically, when a user
tries to send a message, only part of it transmitted before connection
is interrupted and sending fails. The problem persists only when pf is
enabled.

My ruleset:
scrub in all fragment reassemble
block drop on em0 all
pass inet proto tcp from 192.168.0.0/24 to any port = smtp flags S/SA keep state
pass inet proto tcp from 192.168.0.0/24 to any port = pop3 flags S/SA keep state
pass inet proto tcp from 192.168.0.0/24 to any port = imap flags S/SA keep state
pass inet proto tcp from 192.168.0.0/24 to any port = smtps flags S/SA
keep state
pass inet proto tcp from 192.168.0.0/24 to any port = pop3s flags S/SA
keep state
pass proto udp from any to any port = domain keep state


This is what i get from pfctl -si just after  #/etc/rc.d/pf start
# pfctl -si
Status: Enabled for 0 days 00:00:09           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                  0            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s



After I try to send some mail with attachments a couple of times(which
always fail), i get this from pfctl -si:
Status: Enabled for 0 days 00:02:58           Debug: Urgent

State Table                          Total             Rate
  current entries                       48
  searches                            1313            7.4/s
  inserts                              131            0.7/s
  removals                              83            0.5/s
Counters
  match                                152            0.9/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                        22            0.1/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

Any suggestions/ideas would be appreciated,
Best regards,
Victor

FreeBSD router 7.2-RELEASE FreeBSD 7.2-RELEASE #4: Sun May  3 23:29:04
2009     root at router:/usr/obj/usr/src/sys/GENERIC  i386

More information about the freebsd-questions mailing list