From: Jon Radel <jon@radel.com>
To: freebsd-questions@freebsd.org
Date: Fri, 02 Jul 2010 19:35:49 -0400
Subject: Re: Subject: pf: pass in quick to port 25 still getting some blocks
In-Reply-To: <201007022325.AA132710676@mail.Go2France.com>
Message-ID: <4C2E77D5.5030402@radel.com>
On 7/2/10 5:25 PM, Len Conrad wrote:
> setting up pf on fbsd 7.2 for host security on a mail gateway.
>
> the only rule for port 25 is:
>
> pass in quick on em0 inet proto tcp from any to $ext_if port = smtp flags S/SA keep state
>
> and then last rule:
>
> block drop in log on em0 inet from any to $ext_if
>
> while 1000s of connections to port 25 are getting through with the pass rule, several 100 connections are getting blocked with the default block rule, bypassing the pass rule.
>
> I can't see how pf is selecting these connections to be blocked.
>

In what sense are the packets that are getting blocked part of a connection? Are you sure the blocked packets are actually a legitimate first packet, with the appropriate flags set, or is the "flags S/SA" portion of your rule not matching?

--
--Jon Radel
jon@radel.com
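Jon's question about the "flags S/SA" part of the rule, worked through as an added toy model (not from the thread and not pf's own code): it simulates the quoted pass/block pair over constructed packets to show which TCP segments never match "flags S/SA" and so fall through to the final block rule. Assumptions: every packet is inbound on em0 to port 25, state is keyed on (src, sport, dport) only, and state expiry is modelled by removing a key.

```python
# Added example, not part of the thread: a toy model of how pf evaluates the two
# rules Len quoted, to show which TCP packets reach the final "block drop" rule.
# Assumptions: every packet is inbound on em0 to the gateway's port 25; state is
# keyed on (src, sport, dport) only; state expiry is modelled by dropping a key.

def flags_match(pkt_flags, spec):
    """pf 'flags a/b': of the flags named in b, exactly those in a must be set.
    Flags outside the mask b (e.g. ECE/CWR on an ECN SYN) are ignored."""
    want, mask = (set(part) for part in spec.split("/"))
    return (set(pkt_flags) & mask) == want

def classify_packets(packets):
    """Simulate 'pass in quick ... port 25 flags S/SA keep state' followed by
    'block drop in log'. Each packet is (src, sport, dport, flags) with flags a
    string such as "S", "SA" or "A"; ("expire", key) removes that key from the
    state table, standing in for a state that aged out or a pf restart."""
    states = set()
    verdicts = []
    for pkt in packets:
        if pkt[0] == "expire":
            states.discard(pkt[1])
            continue
        src, sport, dport, flags = pkt
        key = (src, sport, dport)
        if key in states:
            verdicts.append("pass (existing state)")  # state lookup precedes the ruleset
        elif dport == 25 and flags_match(flags, "S/SA"):
            states.add(key)                            # 'keep state' on the SYN
            verdicts.append("pass (rule, state created)")
        else:
            verdicts.append("block (fell through to last rule)")
    return verdicts

# Constructed sample traffic (documentation-range addresses, not real hosts).
SAMPLE_PACKETS = [
    ("203.0.113.5", 40000, 25, "S"),        # ordinary SYN: matches S/SA
    ("203.0.113.5", 40000, 25, "A"),        # handshake ACK: matched by state
    ("203.0.113.5", 40001, 25, "SEC"),      # ECN SYN: E/C outside the mask, still passes
    ("198.51.100.7", 51000, 25, "SA"),      # SYN+ACK to port 25: A is set, no match
    ("192.0.2.9", 3333, 25, "A"),           # mid-stream ACK with no state: blocked
    ("expire", ("203.0.113.5", 40000, 25)), # state for the first client ages out
    ("203.0.113.5", 40000, 25, "FA"),       # late FIN/ACK after expiry: blocked
]

if __name__ == "__main__":
    shown = [p for p in SAMPLE_PACKETS if p[0] != "expire"]
    for pkt, verdict in zip(shown, classify_packets(SAMPLE_PACKETS)):
        print(pkt, "->", verdict)
```

The blocked entries in the sample are exactly the kind of non-SYN segments (SYN+ACK, stray ACKs, FIN/ACKs after a state expired) that pf logs against the last rule even though a "connection" to port 25 appears to be involved; comparing the logged packets' flags against these cases is the check Jon is suggesting.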