Date: Mon, 27 Feb 2012 14:52:35 -0500
From: "Bender, Chris" <chris_bender@cellularatsea.com>
To: "Jon Radel" <jon@radel.com>
Cc: freebsd-questions@freebsd.org
Subject: RE: Email issues, relay failure
Message-ID: <assp.040451e526.863259E16B6C464DAD1E9DD10BB31154059CFE33@wmsexg01.corp.cellularatsea.com>
In-Reply-To: <4F4BB8B8.509@radel.com>
References: <863259E16B6C464DAD1E9DD10BB31154059CFBAE@wmsexg01.corp.cellularatsea.com> <4F48BAF6.9070204@ifdnrg.com> <863259E16B6C464DAD1E9DD10BB31154059CFBE7@wmsexg01.corp.cellularatsea.com> <4F48EC21.7040805@ifdnrg.com> <863259E16B6C464DAD1E9DD10BB31154059CFBEE@wmsexg01.corp.cellularatsea.com> <4F48F45F.4080304@ifdnrg.com> <863259E16B6C464DAD1E9DD10BB31154059CFBF4@wmsexg01.corp.cellularatsea.com> <4F492262.5090505@radel.com> <7409DAB4-F76A-493B-9A50-A663E6F6802E@cellularatsea.com> <4F4BB19A.8040005@radel.com> <863259E16B6C464DAD1E9DD10BB31154059CFDA4@wmsexg01.corp.cellularatsea.com> <4F4BB61A.1060600@radel.com> <863259E16B6C464DAD1E9DD10BB31154059CFDB1@wmsexg01.corp.cellularatsea.com> <4F4BB8B8.509@radel.com>
Hi Joe
So from the rules below, I can see my network to and from in tables
<tbl.r38.s> to <tbl.r37.s>.
However, when pfctl is enabled, that traffic fails with ....
# tcpdump -ni bge0 host 10.156.81.10 and port 25
tcpdump: listening on bge0, link-type EN10MB
14:26:50.220591 10.156.81.10.60809 > 172.19.4.41.25: S 3154136673:3154136673(0) win 64240 <mss 1260,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop> (DF) [tos 0xb8]
14:26:50.244314 10.156.81.10.60809 > 172.19.4.41.25: R 3154136674:3154136735(61) ack 1245040067 win 0 (DF) [tos 0xb8]
14:27:11.233494 10.156.81.10.60809 > 172.19.4.41.25: S 3154136673:3154136673(0) win 64240 <mss 1260,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop> (DF) [tos 0xb8]
14:27:11.245057 10.156.81.10.60809 > 172.19.4.41.25: R 0:61(61) ack 1 win 0 (DF) [tos 0xb8]
So from the traffic above, on the inbound interface I can see this failed.
OUCH. But I don't know what rule is killing it.
Here are the tables:
table <tbl.r37.s> { 10.200.82.16 , 10.200.104.15 , 172.19.4.41 , 198.211.94.23 }
table <tbl.r38.s> { 10.13.0.0/21 , 10.13.224.0/21 , 10.13.226.0/23 , 10.150.0.0/16 , 10.156.0.0/16 , 10.158.0.0/16 , 10.166.0.0/16 , 10.196.0.0/16 , 10.198.0.0/16 , 10.200.104.0/24 , 172.16.0.0/16 , 172.19.4.0/24 , 172.19.11.0/24 , 172.19.20.0/24 , 172.19.50.0/24 , 172.19.51.0/24 , 172.19.52.0/24 , 172.19.53.0/24 , 172.19.100.0/29 , 172.19.231.0/24 , 172.19.232.0/24 , 172.31.0.0/16 }
Here is the rest of pf.conf, since you asked, with the confidential info removed.
The key question is what is blocking SMTP. I am not sure yet.
Thanks
#
# Prolog script
#
set loginterface bge0
set state-defaults pflow
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat-anchor "relayd/*"
rdr-anchor "relayd/*"
anchor "relayd/*"
anchor "ftp-proxy/*"
#
# End of prolog script
#
set skip on bridge10
set skip on tun579
set skip on tun138
set skip on tun148
set skip on tun10
set skip on bridge138
set skip on bridge148
#
# Scrub rules
#
match in all scrub (no-df )
match out all scrub (random-id max-mss 1460)
# Tables: (26)
table <BlackList> persist file "/home/admin/BlackList.txt"
table <BlackList-Internet> persist file
"/home/admin/BlackList-internet.txt"
# Rule 0 (global)
# BlackList Rule
block in log quick inet from <BlackList> to any no state label
"RULE 0 -- DROP "
block out log quick inet from <BlackList> to any no state label
"RULE 0 -- DROP "
#
# Rule 1 (global)
# BlackList Rule
block in log quick inet from any to <BlackList> no state label
"RULE 1 -- DROP "
block out log quick inet from any to <BlackList> no state label
"RULE 1 -- DROP "
#
# Rule 2 (global)
# BlackList Servers going to Internet
block in log quick inet from <BlackList-Internet> to 127.0.0.1 no
state label "RULE 2 -- DROP "
block out log quick inet from <BlackList-Internet> to 127.0.0.1 no
state label "RULE 2 -- DROP "
#
# Rule 3 (bge1)
# BlackList Servers going to Internet
block out log quick on bge1 inet from <BlackList-Internet> to any no
state label "RULE 3 -- DROP "
#
# Rule 4 (bge1)
# BlackList Internet Ports
block out log quick on bge1 inet proto tcp from any to any port {
25, 465 } no state label "RULE 4 -- DROP "
#
# Rule 5 (global)
BLOCKED FOR CONFIIDENTIALITY
# Rule 6 (bge1,bge0)
# FTP Proxy Loopback Rule
pass in log quick on { bge0 bge1 } inet proto tcp from any to
127.0.0.1 port 8021 flags any modulate state ( pflow ) label "RULE 6 --
ACCEPT "
#
# Rule 7 (bge0,vlan579)
pass in log quick on { bge0 vlan579 } inet proto tcp from <tbl.r2>
to 127.0.0.1 port 2021 flags any modulate state ( pflow ) label "RULE 7
-- ACCEPT "
#
# Rule 8 (bge0,vlan579)
pass in log quick on { bge0 vlan579 } inet proto tcp from <tbl.r2>
to 127.0.0.1 port 3128 flags any modulate state ( pflow ) label "RULE 8
-- ACCEPT "
#
# Rule 9 (global)
pass in log quick inet from any to any tagged FTPPROXY keep state
( pflow ) label "RULE 9 -- ACCEPT "
pass out log quick inet from any to any tagged FTPPROXY keep state
( pflow ) label "RULE 9 -- ACCEPT "
#
# Rule 10 (bge1)
# Allow ESP, AH, IKE and NAT-T for IPSEC
#
# Rule 11 (bge1)
# BLOCKED FOR CONFIDENTIALITY
#
# Rule 12 (bge1)
# PPTP Traffic
BLOCKED FOR CONFIDENTIALITY
#
# Rule 13 (bge1)
# PPTP Traffic
BLOCKED FOR CONFIDENTIALITY
#
# Rule 14 (bge1)
# PPTP Traffic
pass out log quick on bge1 inet proto 47 from 172.19.231.128/27 to
any label "RULE 14 -- ACCEPT "
#
# Rule 15 (global)
Blocked for confidentiality
#
# Rule 16 (bge0)
pass in log quick on bge0 inet proto tcp from <tbl.r16.s> to
172.19.231.149 port 1723 flags any modulate state label "RULE 16 --
ACCEPT "
pass in log quick on bge0 inet proto 47 from <tbl.r16.s> to
172.19.231.149 label "RULE 16 -- ACCEPT "
#
# Rule 17 (global)
pass in log quick inet from <tbl.r17.s> to 10.10.11.0/24 label
"RULE 17 -- ACCEPT "
pass out log quick inet from <tbl.r17.s> to 10.10.11.0/24 label
"RULE 17 -- ACCEPT "
#
# Rule 18 (global)
pass in log quick inet proto udp from 172.19.231.128/27 to
212.9.21.214 port { 500, 4500 } label "RULE 18 -- ACCEPT "
pass in log quick inet proto 50 from 172.19.231.128/27 to
212.9.21.214 label "RULE 18 -- ACCEPT "
pass in log quick inet proto 51 from 172.19.231.128/27 to
212.9.21.214 label "RULE 18 -- ACCEPT "
pass out log quick inet proto udp from 172.19.231.128/27 to
212.9.21.214 port { 500, 4500 } label "RULE 18 -- ACCEPT "
pass out log quick inet proto 50 from 172.19.231.128/27 to
212.9.21.214 label "RULE 18 -- ACCEPT "
pass out log quick inet proto 51 from 172.19.231.128/27 to
212.9.21.214 label "RULE 18 -- ACCEPT "
#
# Rule 19 (global)
#
pass in log quick inet proto udp from 172.19.64.0/24 to 10.13.6.125
port 123 keep state ( pflow ) label "RULE 19 -- ACCEPT "
pass out log quick inet proto udp from 172.19.64.0/24 to 10.13.6.125
port 123 keep state ( pflow ) label "RULE 19 -- ACCEPT "
#
# Rule 20 (global)
pass in log quick inet proto udp from 172.19.64.0/24 to 172.31.1.6
port 162 keep state ( pflow ) label "RULE 20 -- ACCEPT "
pass in log quick inet proto 115 from 172.19.64.0/24 to 172.31.1.6
keep state ( pflow ) label "RULE 20 -- ACCEPT "
pass out log quick inet proto udp from 172.19.64.0/24 to 172.31.1.6
port 162 keep state ( pflow ) label "RULE 20 -- ACCEPT "
pass out log quick inet proto 115 from 172.19.64.0/24 to 172.31.1.6
keep state ( pflow ) label "RULE 20 -- ACCEPT "
#
#
# state ( pflow ) label "RULE 35 -- ACCEPT "
#
# Rule 36 (global)
# Allow ME to Any
pass out log quick inet from <tbl.r0.d> to any keep state ( pflow )
label "RULE 36 -- ACCEPT "
#
# Rule 37 (global)
# SMTP Servers Access to SMTP
pass in log quick inet proto tcp from <tbl.r37.s> to any port 25
flags any modulate state ( pflow ) label "RULE 37 -- ACCEPT "
pass out log quick inet proto tcp from <tbl.r37.s> to any port 25
flags any modulate state ( pflow ) label "RULE 37 -- ACCEPT "
#
# Rule 38 (global)
# Access to SMTP Servers
pass in log quick inet proto tcp from <tbl.r38.s> to <tbl.r37.s>
port 25 flags any modulate state ( pflow ) label "RULE 38 -- ACCEPT "
pass out log quick inet proto tcp from <tbl.r38.s> to <tbl.r37.s>
port 25 flags any modulate state ( pflow ) label "RULE 38 -- ACCEPT "
#
# Rule 39 (global)
# Restrict SMTP To Internal Networks
block in log quick inet proto tcp from any to <tbl.r25.s> port 25
no state label "RULE 39 -- DROP "
block out log quick inet proto tcp from any to <tbl.r25.s> port 25
no state label "RULE 39 -- DROP "
#
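Added example (editor's, not Chris's mail nor FreeBSD's or pf's own code): the question in the thread is which rule is dropping the SMTP connection. Every rule in the posted pf.conf carries `log`, so, provided pflog0 is up, pf writes each match to pflog0 together with the number of the loaded rule; that number is the `@N` shown by `pfctl -vvsr`, not the `# Rule N` comment in pf.conf, so it has to be mapped back through the loaded ruleset. The per-label counters from `pfctl -sl` give a second, independent view of which DROP labels are actually hitting. The script below runs that workflow over constructed sample output; the rule number `@17`, the label `"RULE 99 -- DROP "` and the counter values are placeholders, not values from the thread, and the `pfctl -sl` layout is assumed to be the label followed by a run of numeric counters (the exact column set varies by pf version).

```shell
#!/bin/sh
# Added example, not from the original mail: locate the pf rule that dropped a flow.
# Assumes the rules carry "log" (as in the posted pf.conf) and pflog0 is up.
# Live commands this is built around (run on the firewall as root):
#   tcpdump -n -e -ttt -i pflog0 tcp port 25   # logged packets, with loaded rule number
#   pfctl -vvsr                                 # loaded ruleset, one "@N" per rule
#   pfctl -sl                                   # per-label counters
#   pfctl -t tbl.r38.s -T test 10.156.81.10     # confirm table membership of a host
# The rule number in pflog is the loaded ruleset's @N, which is not the
# "# Rule N" comment number in pf.conf, so always map it through pfctl -vvsr.

# Constructed sample of one pflog line; rule number 17 is a placeholder.
SAMPLE_PFLOG='00:00:00.000000 rule 17/0(match): block in on bge0: 10.156.81.10.60809 > 172.19.4.41.25: S 3154136673:3154136673(0) win 64240'

# Constructed sample of `pfctl -vvsr` output (placeholder numbers and a placeholder label).
SAMPLE_RULESET='@16 pass in log quick inet proto tcp from <tbl.r38.s> to <tbl.r37.s> port = smtp flags any modulate state label "RULE 38 -- ACCEPT "
  [ Evaluations: 40        Packets: 0         Bytes: 0           States: 0     ]
@17 block drop in log quick inet proto tcp from any to <tbl.r25.s> port = smtp no state label "RULE 99 -- DROP "
  [ Evaluations: 40        Packets: 3         Bytes: 180         States: 0     ]'

# Constructed sample of `pfctl -sl` output: label, then numeric counters
# (evaluations packets bytes ...). Labels contain spaces, so parse from the right.
SAMPLE_LABELS='RULE 0 -- DROP  12 0 0 0 0 0 0
RULE 38 -- ACCEPT  40 0 0 0 0 0 0
RULE 99 -- DROP  40 3 180 0 0 3 180'

# pflog_rule: print "<rulenr> <action> <dir> <iface>" for one pflog tcpdump line.
pflog_rule() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) if ($i == "rule") {
              split($(i+1), r, "/")          # "17/0(match):" -> 17
              ifc = $(i+5); sub(/:$/, "", ifc) # "bge0:" -> bge0
              print r[1], $(i+2), $(i+3), ifc; exit } }'
}

# ruleset_lookup: print the loaded rule text for ruleset number N from `pfctl -vvsr` output.
ruleset_lookup() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == ("@" n) { sub(/^@[0-9]+ /, ""); print; exit }'
}

# drop_labels_with_hits: from `pfctl -sl` output, print "label:packets" for every
# DROP label whose packet counter is non-zero. The label is everything before the
# trailing run of numeric fields; the first numeric field is evaluations, the second packets.
drop_labels_with_hits() {
    printf '%s\n' "$1" | awk '
        {
            i = NF
            while (i > 1 && $i ~ /^[0-9]+$/) i--
            label = $1; for (j = 2; j <= i; j++) label = label " " $j
            if (label ~ /DROP/ && $(i+2) + 0 > 0) print label ":" $(i+2)
        }'
}

# Walk the three steps on the constructed samples.
set -- $(pflog_rule "$SAMPLE_PFLOG")   # rulenr action dir iface
echo "pflog: rule $1 ($2 $3 on $4)"
echo "loaded rule @$1: $(ruleset_lookup "$1" "$SAMPLE_RULESET")"
echo "drop labels with hits: $(drop_labels_with_hits "$SAMPLE_LABELS")"
```

On a live box the three sample variables would be replaced by the output of the commands in the header comment; the parsing stays the same. If the pflog line names a `pass` rule rather than a `block`, the packet was accepted by pf and the failure lies past the firewall, which is a useful thing to know before reading the ruleset further.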
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?assp.040451e526.863259E16B6C464DAD1E9DD10BB31154059CFE33>
