Date: Mon, 27 Feb 2012 14:52:35 -0500
From: "Bender, Chris" <chris_bender@cellularatsea.com>
To: "Jon Radel" <jon@radel.com>
Cc: freebsd-questions@freebsd.org
Subject: RE: Email issues, relay failure
Message-ID: <assp.040451e526.863259E16B6C464DAD1E9DD10BB31154059CFE33@wmsexg01.corp.cellularatsea.com>
In-Reply-To: <4F4BB8B8.509@radel.com>
References: <863259E16B6C464DAD1E9DD10BB31154059CFBAE@wmsexg01.corp.cellularatsea.com> <4F48BAF6.9070204@ifdnrg.com> <863259E16B6C464DAD1E9DD10BB31154059CFBE7@wmsexg01.corp.cellularatsea.com> <4F48EC21.7040805@ifdnrg.com> <863259E16B6C464DAD1E9DD10BB31154059CFBEE@wmsexg01.corp.cellularatsea.com> <4F48F45F.4080304@ifdnrg.com> <863259E16B6C464DAD1E9DD10BB31154059CFBF4@wmsexg01.corp.cellularatsea.com> <4F492262.5090505@radel.com> <7409DAB4-F76A-493B-9A50-A663E6F6802E@cellularatsea.com> <4F4BB19A.8040005@radel.com> <863259E16B6C464DAD1E9DD10BB31154059CFDA4@wmsexg01.corp.cellularatsea.com> <4F4BB61A.1060600@radel.com> <863259E16B6C464DAD1E9DD10BB31154059CFDB1@wmsexg01.corp.cellularatsea.com> <4F4BB8B8.509@radel.com>
Hi Joe

So from the rules below, I can see my network to and from in tables <tbl.r38.s> to <tbl.r37.s>. However when pfctl is enabled that traffic fails with ....

    # tcpdump -ni bge0 host 10.156.81.10 and port 25
    tcpdump: listening on bge0, link-type EN10MB
    14:26:50.220591 10.156.81.10.60809 > 172.19.4.41.25: S 3154136673:3154136673(0) win 64240 <mss 1260,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop> (DF) [tos 0xb8]
    14:26:50.244314 10.156.81.10.60809 > 172.19.4.41.25: R 3154136674:3154136735(61) ack 1245040067 win 0 (DF) [tos 0xb8]
    14:27:11.233494 10.156.81.10.60809 > 172.19.4.41.25: S 3154136673:3154136673(0) win 64240 <mss 1260,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop> (DF) [tos 0xb8]
    14:27:11.245057 10.156.81.10.60809 > 172.19.4.41.25: R 0:61(61) ack 1 win 0 (DF) [tos 0xb8]

So from the traffic above on the inbound interface I can see this failed. OUCH. But I don't know what rule is killing it.

Here is the table:

    table <tbl.r37.s> { 10.200.82.16 , 10.200.104.15 , 172.19.4.41 , 198.211.94.23 }
    table <tbl.r38.s> { 10.13.0.0/21 , 10.13.224.0/21 , 10.13.226.0/23 , 10.150.0.0/16 , 10.156.0.0/16 , 10.158.0.0/16 ,
                        10.166.0.0/16 , 10.196.0.0/16 , 10.198.0.0/16 , 10.200.104.0/24 , 172.16.0.0/16 , 172.19.4.0/24 ,
                        172.19.11.0/24 , 172.19.20.0/24 , 172.19.50.0/24 , 172.19.51.0/24 , 172.19.52.0/24 , 172.19.53.0/24 ,
                        172.19.100.0/29 , 172.19.231.0/24 , 172.19.232.0/24 , 172.31.0.0/16 }

Rest of pf.conf, since you asked, from which I have removed confidential info. The key is what is blocking SMTP. I am not sure yet?
Thanks

    #
    # Prolog script
    #
    set loginterface bge0
    set state-defaults pflow
    nat-anchor "ftp-proxy/*"
    rdr-anchor "ftp-proxy/*"
    nat-anchor "relayd/*"
    rdr-anchor "relayd/*"
    anchor "relayd/*"
    anchor "ftp-proxy/*"
    #
    # End of prolog script
    #
    set skip on bridge10
    set skip on tun579
    set skip on tun138
    set skip on tun148
    set skip on tun10
    set skip on bridge138
    set skip on bridge148
    #
    # Scrub rules
    #
    match in all scrub (no-df )
    match out all scrub (random-id max-mss 1460)
    # Tables: (26)
    table <BlackList> persist file "/home/admin/BlackList.txt"
    table <BlackList-Internet> persist file "/home/admin/BlackList-internet.txt"
    # Rule 0 (global)
    # BlackList Rule
    block in log quick inet from <BlackList> to any no state label "RULE 0 -- DROP "
    block out log quick inet from <BlackList> to any no state label "RULE 0 -- DROP "
    #
    # Rule 1 (global)
    # BlackList Rule
    block in log quick inet from any to <BlackList> no state label "RULE 1 -- DROP "
    block out log quick inet from any to <BlackList> no state label "RULE 1 -- DROP "
    #
    # Rule 2 (global)
    # BlackList Servers going to Internet
    block in log quick inet from <BlackList-Internet> to 127.0.0.1 no state label "RULE 2 -- DROP "
    block out log quick inet from <BlackList-Internet> to 127.0.0.1 no state label "RULE 2 -- DROP "
    #
    # Rule 3 (bge1)
    # BlackList Servers going to Internet
    block out log quick on bge1 inet from <BlackList-Internet> to any no state label "RULE 3 -- DROP "
    #
    # Rule 4 (bge1)
    # BlackList Internet Ports
    block out log quick on bge1 inet proto tcp from any to any port { 25, 465 } no state label "RULE 4 -- DROP "
    #
    # Rule 5 (global) BLOCKED FOR CONFIDENTIALITY
    # Rule 6 (bge1,bge0)
    # FTP Proxy Loopback Rule
    pass in log quick on { bge0 bge1 } inet proto tcp from any to 127.0.0.1 port 8021 flags any modulate state ( pflow ) label "RULE 6 -- ACCEPT "
    #
    # Rule 7 (bge0,vlan579)
    pass in log quick on { bge0 vlan579 } inet proto tcp from <tbl.r2> to 127.0.0.1 port 2021 flags any modulate state ( pflow ) label "RULE 7 -- ACCEPT "
    #
    # Rule 8 (bge0,vlan579)
    pass in log quick on { bge0 vlan579 } inet proto tcp from <tbl.r2> to 127.0.0.1 port 3128 flags any modulate state ( pflow ) label "RULE 8 -- ACCEPT "
    #
    # Rule 9 (global)
    pass in log quick inet from any to any tagged FTPPROXY keep state ( pflow ) label "RULE 9 -- ACCEPT "
    pass out log quick inet from any to any tagged FTPPROXY keep state ( pflow ) label "RULE 9 -- ACCEPT "
    #
    # Rule 10 (bge1)
    # Allow ESP, AH, IKE and NAT-T for IPSEC
    #
    # Rule 11 (bge1)
    # BLOCKED FOR CONFIDENTIALITY
    #
    # Rule 12 (bge1)
    # PPTP Traffic BLOCKED FOR CONFIDENTIALITY
    #
    # Rule 13 (bge1)
    # PPTP Traffic BLOCKED FOR CONFIDENTIALITY
    #
    # Rule 14 (bge1)
    # PPTP Traffic
    pass out log quick on bge1 inet proto 47 from 172.19.231.128/27 to any label "RULE 14 -- ACCEPT "
    #
    # Rule 15 (global) Blocked for confidentiality
    #
    # Rule 16 (bge0)
    pass in log quick on bge0 inet proto tcp from <tbl.r16.s> to 172.19.231.149 port 1723 flags any modulate state label "RULE 16 -- ACCEPT "
    pass in log quick on bge0 inet proto 47 from <tbl.r16.s> to 172.19.231.149 label "RULE 16 -- ACCEPT "
    #
    # Rule 17 (global)
    pass in log quick inet from <tbl.r17.s> to 10.10.11.0/24 label "RULE 17 -- ACCEPT "
    pass out log quick inet from <tbl.r17.s> to 10.10.11.0/24 label "RULE 17 -- ACCEPT "
    #
    # Rule 18 (global)
    pass in log quick inet proto udp from 172.19.231.128/27 to 212.9.21.214 port { 500, 4500 } label "RULE 18 -- ACCEPT "
    pass in log quick inet proto 50 from 172.19.231.128/27 to 212.9.21.214 label "RULE 18 -- ACCEPT "
    pass in log quick inet proto 51 from 172.19.231.128/27 to 212.9.21.214 label "RULE 18 -- ACCEPT "
    pass out log quick inet proto udp from 172.19.231.128/27 to 212.9.21.214 port { 500, 4500 } label "RULE 18 -- ACCEPT "
    pass out log quick inet proto 50 from 172.19.231.128/27 to 212.9.21.214 label "RULE 18 -- ACCEPT "
    pass out log quick inet proto 51 from 172.19.231.128/27 to 212.9.21.214 label "RULE 18 -- ACCEPT "
    #
    # Rule 19 (global)
    #
    pass in log quick inet proto udp from 172.19.64.0/24 to 10.13.6.125 port 123 keep state ( pflow ) label "RULE 19 -- ACCEPT "
    pass out log quick inet proto udp from 172.19.64.0/24 to 10.13.6.125 port 123 keep state ( pflow ) label "RULE 19 -- ACCEPT "
    #
    # Rule 20 (global)
    pass in log quick inet proto udp from 172.19.64.0/24 to 172.31.1.6 port 162 keep state ( pflow ) label "RULE 20 -- ACCEPT "
    pass in log quick inet proto 115 from 172.19.64.0/24 to 172.31.1.6 keep state ( pflow ) label "RULE 20 -- ACCEPT "
    pass out log quick inet proto udp from 172.19.64.0/24 to 172.31.1.6 port 162 keep state ( pflow ) label "RULE 20 -- ACCEPT "
    pass out log quick inet proto 115 from 172.19.64.0/24 to 172.31.1.6 keep state ( pflow ) label "RULE 20 -- ACCEPT "
    #
    #
    #
    state ( pflow ) label "RULE 35 -- ACCEPT "
    #
    # Rule 36 (global)
    # Allow ME to Any
    pass out log quick inet from <tbl.r0.d> to any keep state ( pflow ) label "RULE 36 -- ACCEPT "
    #
    # Rule 37 (global)
    # SMTP Servers Access to SMTP
    pass in log quick inet proto tcp from <tbl.r37.s> to any port 25 flags any modulate state ( pflow ) label "RULE 37 -- ACCEPT "
    pass out log quick inet proto tcp from <tbl.r37.s> to any port 25 flags any modulate state ( pflow ) label "RULE 37 -- ACCEPT "
    #
    # Rule 38 (global)
    # Access to SMTP Servers
    pass in log quick inet proto tcp from <tbl.r38.s> to <tbl.r37.s> port 25 flags any modulate state ( pflow ) label "RULE 38 -- ACCEPT "
    pass out log quick inet proto tcp from <tbl.r38.s> to <tbl.r37.s> port 25 flags any modulate state ( pflow ) label "RULE 38 -- ACCEPT "
    #
    # Rule 39 (global)
    # Restrict SMTP To Internal Networks
    block in log quick inet proto tcp from any to <tbl.r25.s> port 25 no state label "RULE 39 -- DROP "
    block out log quick inet proto tcp from any to <tbl.r25.s> port 25 no state label "RULE 39 -- DROP "
    #