From owner-freebsd-questions@FreeBSD.ORG  Mon Feb 27 19:52:47 2012
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B7D20106566B
	for <freebsd-questions@freebsd.org>;
	Mon, 27 Feb 2012 19:52:47 +0000 (UTC)
	(envelope-from chris_bender@cellularatsea.com)
Received: from wireless.icgws.com (wireless.icgws.com [198.211.94.23])
	by mx1.freebsd.org (Postfix) with ESMTP id 7720A8FC0A
	for <freebsd-questions@freebsd.org>;
	Mon, 27 Feb 2012 19:52:47 +0000 (UTC)
Received: by wireless.icgws.com (Postfix, from userid 1003)
	id 1D012180DDE; Mon, 27 Feb 2012 14:51:42 -0500 (EST)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on wireless.icgws.com
X-Spam-Level: 
X-Spam-Status: No, score=-2.9 required=3.5 tests=ALL_TRUSTED,BAYES_00
	autolearn=unavailable version=3.3.1
Received: from wmstp.corp.cellularatsea.com (unknown [10.200.250.42])
	by wireless.icgws.com (Postfix) with SMTP id EBCD6180DD5;
	Mon, 27 Feb 2012 14:51:38 -0500 (EST)
Received: from wmstp.corp.wms.cellularatsea.com (localhost [127.0.0.1])
	by wmstp.corp.cellularatsea.com (Postfix) with SMTP id 21328B188FF;
	Mon, 27 Feb 2012 14:52:36 -0500 (EST)
Received: from wmsexg01.corp.cellularatsea.com ([10.200.104.15]
	helo=wmsexg01.corp.cellularatsea.com) by
	wmstp.corp.wms.cellularatsea.com
	with SMTP (ASSP 1.9.1.1); 27 Feb 2012 14:52:36 -0500
X-Ninja-PIM: Scanned by Ninja
X-MimeOLE: Produced By Microsoft Exchange V6.5
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Content-class: urn:content-classes:message
x-vipre-scanned: 10BF5651002D4D10BF579E
Date: Mon, 27 Feb 2012 14:52:35 -0500
Message-ID: <assp.040451e526.863259E16B6C464DAD1E9DD10BB31154059CFE33@wmsexg01.corp.cellularatsea.com>
In-Reply-To: <4F4BB8B8.509@radel.com>
Thread-Topic: Email issues, relay failure
Thread-Index: Acz1co+dmWcZVccXRjSUitNuLyJvWwAEulWw
References: <863259E16B6C464DAD1E9DD10BB31154059CFBAE@wmsexg01.corp.cellularatsea.com>
	<4F48BAF6.9070204@ifdnrg.com>    
	<863259E16B6C464DAD1E9DD10BB31154059CFBE7@wmsexg01.corp.cellularatsea.com>
	<4F48EC21.7040805@ifdnrg.com>    
	<863259E16B6C464DAD1E9DD10BB31154059CFBEE@wmsexg01.corp.cellularatsea.com>
	<4F48F45F.4080304@ifdnrg.com>    
	<863259E16B6C464DAD1E9DD10BB31154059CFBF4@wmsexg01.corp.cellularatsea.com>
	<4F492262.5090505@radel.com>   
	<7409DAB4-F76A-493B-9A50-A663E6F6802E@cellularatsea.com>   
	<4F4BB19A.8040005@radel.com>  
	<863259E16B6C464DAD1E9DD10BB31154059CFDA4@wmsexg01.corp.cellularatsea.com>
	<4F4BB61A.1060600@radel.com> 
	<863259E16B6C464DAD1E9DD10BB31154059CFDB1@wmsexg01.corp.cellularatsea.com>
	<4F4BB8B8.509@radel.com>
From: "Bender, Chris" <chris_bender@cellularatsea.com>
To: "Jon Radel" <jon@radel.com>
X-Assp-Whitelisted: Yes ()
X-Assp-Envelope-From: chris_bender@cellularatsea.com
X-Assp-Intended-For: jon@radel.com
X-Assp-Passing: 10.200.104.15 in acceptAllMail
X-Assp-ID: wmstp.corp.wms.cellularatsea.com (33037-52381)
X-Assp-Version: 1.9.1.1(1.0.00)
Cc: freebsd-questions@freebsd.org
Subject: RE: Email issues, relay failure
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Feb 2012 19:52:47 -0000

Hi Joe

So from the rules below, I can see my network to and from in tables
<tbl.r38.s>  to <tbl.r37.s>.
However when pfctl is enabled that traffic fails with ....

# tcpdump -ni bge0 host 10.156.81.10 and port 25    =20
tcpdump: listening on bge0, link-type EN10MB
14:26:50.220591 10.156.81.10.60809 > 172.19.4.41.25: S
3154136673:3154136673(0) win 64240 <mss
1260,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop>
(DF) [tos 0xb8]
14:26:50.244314 10.156.81.10.60809 > 172.19.4.41.25: R
3154136674:3154136735(61) ack 1245040067 win 0 (DF) [tos 0xb8]
14:27:11.233494 10.156.81.10.60809 > 172.19.4.41.25: S
3154136673:3154136673(0) win 64240 <mss
1260,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop>
(DF) [tos 0xb8]
14:27:11.245057 10.156.81.10.60809 > 172.19.4.41.25: R 0:61(61) ack 1
win 0 (DF) [tos 0xb8]

SO from traffic aboveon the inbound interface I can see this failed.
OUCH. But I don't know what rule is killing it.=20

Here is table
table <tbl.r37.s> { 10.200.82.16 , 10.200.104.15 , 172.19.4.41 ,
198.211.94.23 }
table <tbl.r38.s> { 10.13.0.0/21 , 10.13.224.0/21 , 10.13.226.0/23 ,
10.150.0.0/16 , 10.156.0.0/16 , 10.158.0.0/16 , 10.166.0.0/16 ,
10.196.0.0/16 , 10.198.0
.0/16 , 10.200.104.0/24 , 172.16.0.0/16 , 172.19.4.0/24 , 172.19.11.0/24
, 172.19.20.0/24 , 172.19.50.0/24 , 172.19.51.0/24 , 172.19.52.0/24 ,
172.19.53.0/24
 , 172.19.100.0/29 , 172.19.231.0/24 , 172.19.232.0/24 , 172.31.0.0/16=
 }

Rest of pf.conf since you asked which I have removed confidential info

The key is what is blocking SMTP. I am not sure yet?

Thanks




#
# Prolog script
#
set loginterface bge0
set state-defaults pflow

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat-anchor "relayd/*"
rdr-anchor "relayd/*"

anchor "relayd/*"
anchor "ftp-proxy/*"

#
# End of prolog script
#

set skip on bridge10
set skip on tun579
set skip on tun138
set skip on tun148
set skip on tun10
set skip on bridge138
set skip on bridge148

#
# Scrub rules
#
match in all scrub (no-df )
match out all scrub (random-id max-mss  1460)


# Tables: (26)
table <BlackList> persist file "/home/admin/BlackList.txt"
table <BlackList-Internet> persist file
"/home/admin/BlackList-internet.txt"


# Rule  0 (global)
# BlackList Rule
block in   log  quick inet  from <BlackList>  to any no state  label
"RULE 0 -- DROP "
block out  log  quick inet  from <BlackList>  to any no state  label
"RULE 0 -- DROP "
#
# Rule  1 (global)
# BlackList Rule
block in   log  quick inet  from any  to <BlackList> no state  label
"RULE 1 -- DROP "
block out  log  quick inet  from any  to <BlackList> no state  label
"RULE 1 -- DROP "
#
# Rule  2 (global)
# BlackList Servers going to Internet
block in   log  quick inet  from <BlackList-Internet>  to 127.0.0.1 no
state  label "RULE 2 -- DROP "
block out  log  quick inet  from <BlackList-Internet>  to 127.0.0.1 no
state  label "RULE 2 -- DROP "
#
# Rule  3 (bge1)
# BlackList Servers going to Internet
block out  log  quick on bge1 inet  from <BlackList-Internet>  to any=
 no
state  label "RULE 3 -- DROP "
#
# Rule  4 (bge1)
# BlackList Internet Ports
block out  log  quick on bge1 inet proto tcp  from any  to any port {
25, 465 } no state  label "RULE 4 -- DROP "
#
# Rule  5 (global)
BLOCKED FOR CONFIIDENTIALITY
# Rule  6 (bge1,bge0)
# FTP Proxy Loopback Pule
pass in   log  quick on { bge0 bge1 } inet proto tcp  from any  to
127.0.0.1 port 8021 flags any modulate state ( pflow ) label "RULE 6 --
ACCEPT "
#
# Rule  7 (bge0,vlan579)
 pass in   log  quick on { bge0 vlan579 } inet proto tcp  from <tbl.r2>
to 127.0.0.1 port 2021 flags any modulate state ( pflow ) label "RULE=
 7
-- ACCEPT "
#
# Rule  8 (bge0,vlan579)
pass in   log  quick on { bge0 vlan579 } inet proto tcp  from <tbl.r2>
to 127.0.0.1 port 3128 flags any modulate state ( pflow ) label "RULE=
 8
-- ACCEPT "
#
# Rule  9 (global)
pass in   log  quick inet  from any  to any tagged FTPPROXY  keep state
( pflow ) label "RULE 9 -- ACCEPT "
pass out  log  quick inet  from any  to any tagged FTPPROXY  keep state
( pflow ) label "RULE 9 -- ACCEPT "
#
# Rule  10 (bge1)
# Allow ESP, AH, IKE and NAT-T for IPSEC
#
# Rule  11 (bge1)
# BLOCKED FOR CONFIDENTIALITY
#
# Rule  12 (bge1)
# PPTP Traffic
BLOCKED FOR CONFIDENTIALITY
#
# Rule  13 (bge1)
# PPTP Traffic BLOCKED FOR CONFIDENTIALITY#
# Rule  14 (bge1)
# PPTP Traffic
pass out  log  quick on bge1 inet proto 47  from 172.19.231.128/27  to
any  label "RULE 14 -- ACCEPT "
#
# Rule  15 (global)
Blocked for confidentiality
#
# Rule  16 (bge0)
=20
pass in   log  quick on bge0 inet proto tcp  from <tbl.r16.s>  to
172.19.231.149 port 1723 flags any modulate state  label "RULE 16 --
ACCEPT "
pass in   log  quick on bge0 inet proto 47  from <tbl.r16.s>  to
172.19.231.149  label "RULE 16 -- ACCEPT "
#
# Rule  17 (global)
=20
pass in   log  quick inet  from <tbl.r17.s>  to 10.10.11.0/24  label
"RULE 17 -- ACCEPT "
pass out  log  quick inet  from <tbl.r17.s>  to 10.10.11.0/24  label
"RULE 17 -- ACCEPT "
#
# Rule  18 (global)
=20
pass in   log  quick inet proto udp  from 172.19.231.128/27  to
212.9.21.214 port { 500, 4500 }  label "RULE 18 -- ACCEPT "
pass in   log  quick inet proto 50  from 172.19.231.128/27  to
212.9.21.214  label "RULE 18 -- ACCEPT "
pass in   log  quick inet proto 51  from 172.19.231.128/27  to
212.9.21.214  label "RULE 18 -- ACCEPT "
pass out  log  quick inet proto udp  from 172.19.231.128/27  to
212.9.21.214 port { 500, 4500 }  label "RULE 18 -- ACCEPT "
pass out  log  quick inet proto 50  from 172.19.231.128/27  to
212.9.21.214  label "RULE 18 -- ACCEPT "
pass out  log  quick inet proto 51  from 172.19.231.128/27  to
212.9.21.214  label "RULE 18 -- ACCEPT "
#
# Rule  19 (global)
# =20
pass in   log  quick inet proto udp  from 172.19.64.0/24  to 10.13.6.125
port 123 keep state ( pflow ) label "RULE 19 -- ACCEPT "
pass out  log  quick inet proto udp  from 172.19.64.0/24  to 10.13.6.125
port 123 keep state ( pflow ) label "RULE 19 -- ACCEPT "
#
# Rule  20 (global)
=20
pass in   log  quick inet proto udp  from 172.19.64.0/24  to 172.31.1.6
port 162 keep state ( pflow ) label "RULE 20 -- ACCEPT "
pass in   log  quick inet proto 115  from 172.19.64.0/24  to 172.31.1.6
keep state ( pflow ) label "RULE 20 -- ACCEPT "
pass out  log  quick inet proto udp  from 172.19.64.0/24  to 172.31.1.6
port 162 keep state ( pflow ) label "RULE 20 -- ACCEPT "
pass out  log  quick inet proto 115  from 172.19.64.0/24  to 172.31.1.6
keep state ( pflow ) label "RULE 20 -- ACCEPT "
#
=20
#
#   state ( pflow ) label "RULE 35 -- ACCEPT "
#
# Rule  36 (global)
# Allow ME to Any
pass out  log  quick inet  from <tbl.r0.d>  to any keep state ( pflow=
 )
label "RULE 36 -- ACCEPT "
#
# Rule  37 (global)
# SMTP Servers Access to SMTP
pass in   log  quick inet proto tcp  from <tbl.r37.s>  to any port 25
flags any modulate state ( pflow ) label "RULE 37 -- ACCEPT "
pass out  log  quick inet proto tcp  from <tbl.r37.s>  to any port 25
flags any modulate state ( pflow ) label "RULE 37 -- ACCEPT "
#
# Rule  38 (global)
# Access to SMTP Servers
pass in   log  quick inet proto tcp  from <tbl.r38.s>  to <tbl.r37.s>
port 25 flags any modulate state ( pflow ) label "RULE 38 -- ACCEPT "
pass out  log  quick inet proto tcp  from <tbl.r38.s>  to <tbl.r37.s>
port 25 flags any modulate state ( pflow ) label "RULE 38 -- ACCEPT "
#
# Rule  39 (global)
# Restrict SMTP To Internal Networks
block in   log  quick inet proto tcp  from any  to <tbl.r25.s> port 25
no state  label "RULE 39 -- DROP "
block out  log  quick inet proto tcp  from any  to <tbl.r25.s> port 25
no state  label "RULE 39 -- DROP "
#
=20
=20