Date: Tue, 25 Sep 2007 07:22:43 -0500
From: Eric <eric@mikestammer.com>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: cannot connect to SMTP from clients inside network except my own
Message-ID: <46F8FD93.4060504@mikestammer.com>
I sent this to the pf list and didn't get any replies. Hoping someone here sees something amiss! My rules are at the bottom, but here is what I am seeing, and I cannot figure it out.

I have pf doing NAT and redirecting several services to a server (gondolin). My domain is mikestammer.com. If I am on a client machine inside my network, I can telnet mikestammer.com 25 and I get the SMTP server prompt, but if I try to telnet to any other mail server it always times out. Mail to and from my domain using mikestammer.com works for sending and receiving email from inside my network, using mikestammer.com for the hostname.

Can anyone see a reason for this in my rules? I did some captures from the client machine when trying to reach another mail server and was seeing things like this:

229 26.404238 192.168.0.152 68.73.91.210 TCP [TCP Previous segment lost] 3244 > smtp [SYN] Seq=5538293 Len=0 MSS=1460
230 26.406292 192.168.0.51 192.168.0.152 ICMP Destination unreachable (Host unreachable)

68.73.91.210 is the mail server I want to connect to. I am not having any problem connecting to IMAP servers to get email, but trying to send via those servers has never worked properly from inside my LAN.
Any other comments on my ruleset are appreciated as well.

Thanks,
Eric

#
# $FreeBSD$
# PF rule set for mpd under FreeBSD
#
# Network Configuration
#
# Kernel mode PPPoE with mpd
# -----------[FreeBSD PF]---------------[Switch]------[192.168.0.0/24]
# ADSL         xl0                  sk0(192.168.0.51)
#
# Macros
ext_if="ng0"      # replace with actual external interface name i.e., dc0
int_if="sk0"      # replace with actual internal interface name i.e., dc1
intnet = "192.168.0.0/24"   # Address space of LAN
gondolin = "192.168.0.51"   # This machine
isengard = "192.168.0.101"
baraddur = "192.168.0.150"

table <badhost> const {0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
                       224.0.0.0/4, 240.0.0.0/4, 10.0.0.0/8, \
                       172.16.0.0/12, 192.168.0.0/16, 255.255.255.255, \
                       127.0.0.1/8}
#
# hosts that can use this system as a gateway
#
table <allowhost> const {192.168.0.0/24}

set loginterface ng0
set skip on lo0

################################
# step 1: normalise packets    #
################################
# Clean up fragmented and abnormal packets, defeat NAT detection too
# max-mss is needed due to mpd's poor MSS handling
scrub in all
scrub out all random-id max-mss 1440

################################
# step 2: NAT rules            #
################################
# services provided to the outside world:
rdr on $ext_if proto tcp from any to $ext_if port 22 -> $gondolin port 22
rdr on $ext_if proto tcp from any to $ext_if port 25 -> $gondolin port 25
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $gondolin port 80
rdr on $ext_if proto tcp from any to $ext_if port 113 -> $gondolin port 113
rdr on $ext_if proto tcp from any to $ext_if port 143 -> $gondolin port 143
rdr on $ext_if proto tcp from any to $ext_if port 443 -> $gondolin port 443
rdr on $ext_if proto tcp from any to $ext_if port 993 -> $gondolin port 993
rdr on $ext_if proto tcp from any to $ext_if port 3389 -> $isengard port 3389
rdr on $ext_if proto udp from any to $ext_if port 30275 -> $baraddur port 30275

# all ordinary traffic:
nat on $ext_if from $intnet to any -> $ext_if

################################
# step 3: Filtering            #
################################
# Remember default rule for non-matching packets are passed!!!
block out log on $ext_if all
block in log on $ext_if all
block return-rst out log on $ext_if proto tcp all
block return-rst in log on $ext_if proto tcp all
block return-icmp out log on $ext_if proto udp all
block return-icmp in log on $ext_if proto udp all

# allow lo0 interface packet
pass in quick on lo0 all
pass out quick on lo0 all

# allow internal network traffic
pass in on $int_if from any to <allowhost>
pass out on $int_if from <allowhost> to any

#
# block spoofing attack
#
block in quick log on $ext_if from <badhost> to any

# Allow ICMP (ping) IN
# pass out/in certain ICMP queries and keep state (ping)
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

#HTTP server
pass in on $ext_if proto tcp from any to $gondolin port 80 label "HTTP" flags S/SA
pass in on $ext_if proto tcp from any to $gondolin port 443 label "HTTPS" flags S/SA

#ident service
pass in on $ext_if proto tcp from any to $gondolin port 113 label "ident" flags S/SA

#RDP to Isengard
pass in on $ext_if proto tcp from any to $isengard port 3389 label "RDP" flags S/SA

#Mail server (SMTP and IMAP)
pass in on $ext_if proto tcp from any to $gondolin port 25 label "SMTP" flags S/SA
pass in on $ext_if proto tcp from any to $gondolin port 143 label "IMAP" flags S/SA
pass in on $ext_if proto tcp from any to $gondolin port 993 label "IMAPS" flags S/SA

#Hamachi
pass in on $ext_if proto udp from any to $baraddur port 30275 label "Hamachi"

#SSH server
pass in on $ext_if proto tcp from any to $gondolin port 22 label "SSH" keep state

#allow outbound
#anything really
pass out on $ext_if proto { tcp, udp, icmp } all keep state

#open everything on internal ... if you don't trust that side of the
#network, you've got big probs
pass in on $int_if all
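As an added illustration (not code from the post or from pf itself), this Python model applies pf's last-match-wins and quick semantics to a hand-transcription of the ng0 rules above, with flags, keep state and icmp-type left out; the source address 203.0.113.10 is a placeholder for the ng0 address the post does not give. Run against the SYN from Eric's capture, the model lands on the final pass out rule, and the other sample packets show how quick and rule order interact.

```python
# Added example, not from the original post: a small model of pf's filter
# semantics. Rules are tried top to bottom and the LAST matching rule wins,
# unless a matching rule is "quick", which ends evaluation at once. EXT_RULES
# hand-transcribes the ng0 rules above, simplified (flags, keep state, icmp-type
# ignored); filtering runs after rdr/nat, so inbound port 25 has dst 192.168.0.51.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass
class Rule:
    action: str                 # "pass" or "block"
    direction: str              # "in" or "out"
    iface: str
    protos: tuple = ("any",)    # e.g. ("tcp",) or ("tcp", "udp", "icmp")
    src: str = "any"            # CIDR or "any"
    dst: str = "any"
    dport: int = 0              # 0 matches any port
    quick: bool = False
    label: str = ""

def _addr_in(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def matches(rule, pkt):
    return (rule.direction == pkt["dir"] and rule.iface == pkt["iface"]
            and ("any" in rule.protos or pkt["proto"] in rule.protos)
            and _addr_in(rule.src, pkt["src"]) and _addr_in(rule.dst, pkt["dst"])
            and rule.dport in (0, pkt["dport"]))

def evaluate(rules, pkt):  # -> (action, winning rule); pf passes unmatched packets
    winner = None
    for r in rules:
        if matches(r, pkt):
            winner = r
            if r.quick: break   # quick: stop at the first such match
    return (winner.action if winner else "pass", winner)
BADHOST = ["0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "224.0.0.0/4",
           "240.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
           "255.255.255.255", "127.0.0.1/8"]        # the post's <badhost> table
EXT_RULES = [
    Rule("block", "out", "ng0"), Rule("block", "in", "ng0"),
    Rule("block", "out", "ng0", ("tcp",), label="return-rst out"),
    Rule("block", "in", "ng0", ("tcp",), label="return-rst in"),
    *[Rule("block", "in", "ng0", src=n, quick=True, label="spoof") for n in BADHOST],
    Rule("pass", "in", "ng0", ("tcp",), dst="192.168.0.51", dport=25, label="SMTP"),
    Rule("pass", "out", "ng0", ("tcp", "udp", "icmp"), label="outbound"),
]
# The SYN from the capture as seen on ng0 after nat; 203.0.113.10 stands in for
# the ng0 address the post does not give (no "out" rule above tests the source).
SMTP_OUT = {"dir": "out", "iface": "ng0", "proto": "tcp",
            "src": "203.0.113.10", "dst": "68.73.91.210", "dport": 25}
```

This is only a model for reasoning about rule order; on the gateway itself the block rules carry log, so pf's real verdict and the number of the rule that matched a dropped packet are visible on pflog0 (for example with tcpdump -n -e -i pflog0).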