From: "Bender, Chris" <chris_bender@cellularatsea.com>
To: "Jon Radel" <jon@radel.com>
Cc: freebsd-questions@freebsd.org
Date: Mon, 27 Feb 2012 14:52:35 -0500
Subject: RE: Email issues, relay failure
In-Reply-To: <4F4BB8B8.509@radel.com>

Hi Joe

So from the rules below, I can see my network to and from in tables to . However when pfctl is enabled that traffic fails with ....

# tcpdump -ni bge0 host 10.156.81.10 and port 25
tcpdump: listening on bge0, link-type EN10MB
14:26:50.220591 10.156.81.10.60809 > 172.19.4.41.25: S 3154136673:3154136673(0) win 64240 (DF) [tos 0xb8]
14:26:50.244314 10.156.81.10.60809 > 172.19.4.41.25: R 3154136674:3154136735(61) ack 1245040067 win 0 (DF) [tos 0xb8]
14:27:11.233494 10.156.81.10.60809 > 172.19.4.41.25: S 3154136673:3154136673(0) win 64240 (DF) [tos 0xb8]
14:27:11.245057 10.156.81.10.60809 > 172.19.4.41.25: R 0:61(61) ack 1 win 0 (DF) [tos 0xb8]

So from the traffic above on the inbound interface I can see this failed. OUCH.
But I don't know what rule is killing it.

Here is table

table { 10.200.82.16 , 10.200.104.15 , 172.19.4.41 , 198.211.94.23 }
table { 10.13.0.0/21 , 10.13.224.0/21 , 10.13.226.0/23 , 10.150.0.0/16 , 10.156.0.0/16 , 10.158.0.0/16 , 10.166.0.0/16 , 10.196.0.0/16 , 10.198.0.0/16 , 10.200.104.0/24 , 172.16.0.0/16 , 172.19.4.0/24 , 172.19.11.0/24 , 172.19.20.0/24 , 172.19.50.0/24 , 172.19.51.0/24 , 172.19.52.0/24 , 172.19.53.0/24 , 172.19.100.0/29 , 172.19.231.0/24 , 172.19.232.0/24 , 172.31.0.0/16 }

Rest of pf.conf since you asked, from which I have removed confidential info. The key is what is blocking SMTP. I am not sure yet?

Thanks

#
# Prolog script
#
set loginterface bge0
set state-defaults pflow
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat-anchor "relayd/*"
rdr-anchor "relayd/*"
anchor "relayd/*"
anchor "ftp-proxy/*"
#
# End of prolog script
#
set skip on bridge10
set skip on tun579
set skip on tun138
set skip on tun148
set skip on tun10
set skip on bridge138
set skip on bridge148
#
# Scrub rules
#
match in all scrub (no-df )
match out all scrub (random-id max-mss 1460)

# Tables: (26)
table persist file "/home/admin/BlackList.txt"
table persist file "/home/admin/BlackList-internet.txt"

# Rule 0 (global)
# BlackList Rule
block in log quick inet from to any no state label "RULE 0 -- DROP "
block out log quick inet from to any no state label "RULE 0 -- DROP "
#
# Rule 1 (global)
# BlackList Rule
block in log quick inet from any to no state label "RULE 1 -- DROP "
block out log quick inet from any to no state label "RULE 1 -- DROP "
#
# Rule 2 (global)
# BlackList Servers going to Internet
block in log quick inet from to 127.0.0.1 no state label "RULE 2 -- DROP "
block out log quick inet from to 127.0.0.1 no state label "RULE 2 -- DROP "
#
# Rule 3 (bge1)
# BlackList Servers going to Internet
block out log quick on bge1 inet from to any no state label "RULE 3 -- DROP "
#
# Rule 4 (bge1)
# BlackList Internet Ports
block out log quick on bge1 inet proto tcp from any to any port { 25, 465 } no state label "RULE 4 -- DROP "
#
# Rule 5 (global)
# BLOCKED FOR CONFIDENTIALITY
#
# Rule 6 (bge1,bge0)
# FTP Proxy Loopback Rule
pass in log quick on { bge0 bge1 } inet proto tcp from any to 127.0.0.1 port 8021 flags any modulate state ( pflow ) label "RULE 6 -- ACCEPT "
#
# Rule 7 (bge0,vlan579)
pass in log quick on { bge0 vlan579 } inet proto tcp from to 127.0.0.1 port 2021 flags any modulate state ( pflow ) label "RULE 7 -- ACCEPT "
#
# Rule 8 (bge0,vlan579)
pass in log quick on { bge0 vlan579 } inet proto tcp from to 127.0.0.1 port 3128 flags any modulate state ( pflow ) label "RULE 8 -- ACCEPT "
#
# Rule 9 (global)
pass in log quick inet from any to any tagged FTPPROXY keep state ( pflow ) label "RULE 9 -- ACCEPT "
pass out log quick inet from any to any tagged FTPPROXY keep state ( pflow ) label "RULE 9 -- ACCEPT "
#
# Rule 10 (bge1)
# Allow ESP, AH, IKE and NAT-T for IPSEC
#
# Rule 11 (bge1)
# BLOCKED FOR CONFIDENTIALITY
#
# Rule 12 (bge1)
# PPTP Traffic BLOCKED FOR CONFIDENTIALITY
#
# Rule 13 (bge1)
# PPTP Traffic BLOCKED FOR CONFIDENTIALITY
#
# Rule 14 (bge1)
# PPTP Traffic
pass out log quick on bge1 inet proto 47 from 172.19.231.128/27 to any label "RULE 14 -- ACCEPT "
#
# Rule 15 (global)
# Blocked for confidentiality
#
# Rule 16 (bge0)
pass in log quick on bge0 inet proto tcp from to 172.19.231.149 port 1723 flags any modulate state label "RULE 16 -- ACCEPT "
pass in log quick on bge0 inet proto 47 from to 172.19.231.149 label "RULE 16 -- ACCEPT "
#
# Rule 17 (global)
pass in log quick inet from to 10.10.11.0/24 label "RULE 17 -- ACCEPT "
pass out log quick inet from to 10.10.11.0/24 label "RULE 17 -- ACCEPT "
#
# Rule 18 (global)
pass in log quick inet proto udp from 172.19.231.128/27 to 212.9.21.214 port { 500, 4500 } label "RULE 18 -- ACCEPT "
pass in log quick inet proto 50 from 172.19.231.128/27 to 212.9.21.214 label "RULE 18 -- ACCEPT "
pass in log quick inet proto 51 from 172.19.231.128/27 to 212.9.21.214 label "RULE 18 -- ACCEPT "
pass out log quick inet proto udp from 172.19.231.128/27 to 212.9.21.214 port { 500, 4500 } label "RULE 18 -- ACCEPT "
pass out log quick inet proto 50 from 172.19.231.128/27 to 212.9.21.214 label "RULE 18 -- ACCEPT "
pass out log quick inet proto 51 from 172.19.231.128/27 to 212.9.21.214 label "RULE 18 -- ACCEPT "
#
# Rule 19 (global)
#
pass in log quick inet proto udp from 172.19.64.0/24 to 10.13.6.125 port 123 keep state ( pflow ) label "RULE 19 -- ACCEPT "
pass out log quick inet proto udp from 172.19.64.0/24 to 10.13.6.125 port 123 keep state ( pflow ) label "RULE 19 -- ACCEPT "
#
# Rule 20 (global)
pass in log quick inet proto udp from 172.19.64.0/24 to 172.31.1.6 port 162 keep state ( pflow ) label "RULE 20 -- ACCEPT "
pass in log quick inet proto 115 from 172.19.64.0/24 to 172.31.1.6 keep state ( pflow ) label "RULE 20 -- ACCEPT "
pass out log quick inet proto udp from 172.19.64.0/24 to 172.31.1.6 port 162 keep state ( pflow ) label "RULE 20 -- ACCEPT "
pass out log quick inet proto 115 from 172.19.64.0/24 to 172.31.1.6 keep state ( pflow ) label "RULE 20 -- ACCEPT "
#
#
#
state ( pflow ) label "RULE 35 -- ACCEPT "
#
# Rule 36 (global)
# Allow ME to Any
pass out log quick inet from to any keep state ( pflow ) label "RULE 36 -- ACCEPT "
#
# Rule 37 (global)
# SMTP Servers Access to SMTP
pass in log quick inet proto tcp from to any port 25 flags any modulate state ( pflow ) label "RULE 37 -- ACCEPT "
pass out log quick inet proto tcp from to any port 25 flags any modulate state ( pflow ) label "RULE 37 -- ACCEPT "
#
# Rule 38 (global)
# Access to SMTP Servers
pass in log quick inet proto tcp from to port 25 flags any modulate state ( pflow ) label "RULE 38 -- ACCEPT "
pass out log quick inet proto tcp from to port 25 flags any modulate state ( pflow ) label "RULE 38 -- ACCEPT "
#
# Rule 39 (global)
# Restrict SMTP To Internal Networks
block in log quick inet proto tcp from any to port 25 no state label "RULE 39 -- DROP "
block out log quick inet proto tcp from any to port 25 no state label "RULE 39 -- DROP "
#