From: Eric <eric@mikestammer.com>
To: freebsd-pf@freebsd.org
Date: Fri, 21 Sep 2007 21:42:14 -0500
Message-ID: <46F48106.4030605@mikestammer.com>
Subject: cannot connect to SMTP from clients inside network except my own

My rules are at the bottom, but here is what I am seeing and I cannot figure it out.

I have pf doing NAT and redirecting several services to a server (gondolin). My domain is mikestammer.com. If I am on a client machine, I can telnet mikestammer.com 25 and I get the SMTP server prompt, but if I try to telnet to any other mail server it always times out. Mail to and from my domain using mikestammer.com works for sending and receiving email.

Can anyone see a reason for this in my rules? I did some captures from the client machine and was seeing things like this:

229 26.404238 192.168.0.152 68.73.91.210 TCP [TCP Previous segment lost] 3244 > smtp [SYN] Seq=5538293 Len=0 MSS=1460
230 26.406292 192.168.0.51 192.168.0.152 ICMP Destination unreachable (Host unreachable)

68.73.91.210 is the mail server I want to connect to.

I am not having any problem connecting to IMAP servers to get email, but trying to send via those servers has never worked properly.
Any other comments on my ruleset are appreciated as well.

Thanks
Eric

#
# $FreeBSD$
# PF rule set for mpd under FreeBSD
#
# Network Configuration
#
# Kernel mode PPPoE with mpd
# -----------[FreeBSD PF]---------------[Switch]------[192.168.0.0/24]
#     ADSL    xl0          sk0(192.168.0.51)
#
# Macros
ext_if="ng0"    # replace with actual external interface name i.e., dc0
int_if="sk0"    # replace with actual internal interface name i.e., dc1
wir_if="ath0"
intnet = "192.168.0.0/24"     # Address space of LAN
gondolin = "192.168.0.51"     # This machine
isengard = "192.168.0.101"
baraddur = "192.168.0.150"

# NOTE: the two table names were lost when the list archive stripped the
# angle brackets from the original message; <rfc1918> and <lan> below are
# placeholders standing in for whatever names the original ruleset used.
table <rfc1918> const {0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
    224.0.0.0/4, 240.0.0.0/4, 10.0.0.0/8, \
    172.16.0.0/12, 192.168.0.0/16, 255.255.255.255, \
    127.0.0.1/8}
#
# hosts that can use this system as a gateway
#
table <lan> const {192.168.0.0/24}

set loginterface ng0
set skip on lo0

################################
# step 1: normalise packets    #
################################
# Clean up fragmented and abnormal packets, defeat NAT detection too
# max-mss is needed due to mpd's poor MSS handling
scrub in all
scrub out all random-id max-mss 1440

################################
# step 2: NAT rules            #
################################
# services provided to the outside world:
rdr on $ext_if proto tcp from any to $ext_if port 22 -> $gondolin port 22
rdr on $ext_if proto tcp from any to $ext_if port 25 -> $gondolin port 25
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $gondolin port 80
rdr on $ext_if proto tcp from any to $ext_if port 113 -> $gondolin port 113
rdr on $ext_if proto tcp from any to $ext_if port 143 -> $gondolin port 143
rdr on $ext_if proto tcp from any to $ext_if port 443 -> $gondolin port 443
rdr on $ext_if proto tcp from any to $ext_if port 993 -> $gondolin port 993
rdr on $ext_if proto tcp from any to $ext_if port 3389 -> $isengard port 3389
rdr on $ext_if proto udp from any to $ext_if port 30275 -> $baraddur port 30275

# all ordinary traffic:
nat on $ext_if from $intnet to any -> $ext_if

################################
# step 3: Filtering            #
################################
# Remember default rule for non-matching packets are passed!!!
block out log on $ext_if all
block in log on $ext_if all
block return-rst out log on $ext_if proto tcp all
block return-rst in log on $ext_if proto tcp all
block return-icmp out log on $ext_if proto udp all
block return-icmp in log on $ext_if proto udp all

# allow lo0 interface packet
pass in quick on lo0 all
pass out quick on lo0 all

# allow internal network traffic
pass in on $int_if from any to <lan>
pass out on $int_if from <lan> to any
#
# block spoofing attack
#
block in quick log on $ext_if from <rfc1918> to any

# Allow ICMP (ping) IN
# pass out/in certain ICMP queries and keep state (ping)
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

#HTTP server
pass in on $ext_if proto tcp from any to $gondolin port 80 label "HTTP" flags S/SA
pass in on $ext_if proto tcp from any to $gondolin port 443 label "HTTPS" flags S/SA

#ident service
pass in on $ext_if proto tcp from any to $gondolin port 113 label "ident" flags S/SA

#RDP to Isengard
pass in on $ext_if proto tcp from any to $isengard port 3389 label "RDP" flags S/SA

#Mail server (SMTP and IMAP)
pass in on $ext_if proto tcp from any to $gondolin port 25 label "SMTP" flags S/SA
pass in on $ext_if proto tcp from any to $gondolin port 143 label "IMAP" flags S/SA
#pass in on $ext_if proto tcp from any to $gondolin port 993 label "IMAPS" flags S/SA

#Hamachi
pass in on $ext_if proto udp from any to $baraddur port 30275 label "Hamachi"

#SSH server
pass in on $ext_if proto tcp from any to $gondolin port 22 label "SSH" keep state

#allow outbound
#anything really
pass out on $ext_if proto { tcp, udp, icmp } all keep state

#open everything on internal ... if you don't trust that side of the network, you've got big probs
pass in on $int_if all