From: Ping Mai
To: "freebsd-pf@freebsd.org"
Date: Sun, 11 Sep 2011 19:35:23 -0700 (PDT)
Subject: pf slow connect on smtp
List-Id: "Technical discussion and general questions about packet filter (pf)"

added this line at the end and incoming smtp is working on both external interfaces:

pass in quick on $dsl_if reply-to ($dsl_if $dsl_gw) flags S/SA keep state


________________________________
From: Ping Mai
To: "freebsd-pf@freebsd.org"
Sent: Sunday, September 11, 2011 3:27 PM
Subject: slow


Hi,

I'm new to pf.  hoping for some help with pf.conf.

FreeBSD 5.5 router.  2 external interfaces, $com_if and $dsl_if.  The default route is set to $com_if.

incoming smtp to $com_if seems to work fine.

incoming smtp to $dsl_if is the problem.  connect to tcp/25 is fast.  but after I issue a 'ehlo ...' there's a delay of ~1 minute before the reply comes back.  from that point on the exchange works just fine.
The problem is most MTAs don't wait that long.  they simply drop the connection.

tcpdump of pflog0 sees the incoming tcp/25, outgoing from tcp/25 gets routed to $dsl_if (dc3).  after that, looks like it does an 'ident' and a DNS lookup. then it just sits there for minutes.

what's wrong with my pf.conf?

#----------------- tcpdump ------------------

000000 rule 16/0(match): pass in on dc3: IP 100.100.100.153.63225 > 12.34.56.40.25: S 743439640:743439640(0) win 65535
000083 rule 28/0(match): pass out on dc0: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535
000023 rule 12/0(match): pass out on dc3: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535
080881 rule 28/0(match): pass out on dc0: IP 12.34.56.40.64647 > 100.100.100.153.113: S 1468481550:1468481550(0) win 65535
000027 rule 12/0(match): pass out on dc3: IP 12.34.56.40.64647 > 100.100.100.153.113: S 1468481550:1468481550(0) win 65535
082959 rule 13/0(match): pass out on dc0: IP 23.45.67.51.62568 > 23.45.57.182.53:  50336+ [1au][|domain]

#------------------ pf.conf ------------------------------------------------------
int_if = "dc1"

dsl_if = "dc3"
com_if = "dc0"
dmz_if = "dc2"
int_net = "10.1.100.0/24"
dmz_net = "10.1.101.0/24"
dsl_gw="12.34.56.1"

com_gw="23.45.67.1"          # default route

iserver="10.1.100.99"

tcp_services="{ http https }"

icmp_types="echoreq"

table { $int_net, $dmz_net }

set loginterface $dsl_if
set loginterface $com_if
set optimization normal
set block-policy return
set require-order yes


scrub in all
nat on $dsl_if from -> $dsl_if
nat on $com_if from -> $com_if

rdr pass on $dsl_if proto tcp from any to $dsl_if port $tcp_services -> $iserver
rdr pass on $com_if proto tcp from any to $com_if port $tcp_services -> $iserver

block out log all
block in log all
pass quick on lo0

antispoof quick for { lo0 $dsl_if $com_if $dmz_if $int_if }

pass out log on $dsl_if
pass out log on $com_if

pass log on $int_if keep state
pass log on $dmz_if from any to ! $int_if:network keep state

pass in log on $dsl_if proto tcp to $dsl_if port { smtp, smtps }
pass in log on $com_if proto tcp to $com_if port { smtp, smtps }
pass in on $dsl_if proto { tcp, udp } to $dsl_if port { domain }
pass in on $com_if proto { tcp, udp } to $com_if port { domain }
pass in on $com_if proto { tcp, udp } to port { bootpc }

pass in inet proto icmp all icmp-type $icmp_types

pass out log on $dsl_if route-to ($com_if $com_gw) from $com_if
pass out log on $com_if route-to ($dsl_if $dsl_gw) from $dsl_if
#------------------------------------------------------------------------
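The pflog capture above shows the symptom that reply-to fixes: the SYN arrives on dc3, but the SYN/ACK is first passed out on dc0 (the default route) before route-to sends it back out dc3. The script below is an added example, not part of the thread; it parses tcpdump-style pflog lines (constructed here, modelled on the ones in the post) and flags inbound connections whose replies left on a different interface than the one they arrived on.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the pflog0 capture in the post:
# SYN arrives on dc3 (the DSL link) but the SYN/ACK first leaves via dc0.
SAMPLE_PFLOG = """\
000000 rule 16/0(match): pass in on dc3: IP 100.100.100.153.63225 > 12.34.56.40.25: S 743439640:743439640(0) win 65535
000083 rule 28/0(match): pass out on dc0: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535
000023 rule 12/0(match): pass out on dc3: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535
080881 rule 28/0(match): pass out on dc0: IP 12.34.56.40.64647 > 100.100.100.153.113: S 1468481550:1468481550(0) win 65535
"""

# Matches the "tcpdump -n -e -ttt -i pflog0" style line prefix used in the post.
LINE_RE = re.compile(
    r"^\d+ rule \d+/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) on (?P<ifc>\w+): "
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")

def parse_pflog(text):
    """Yield one dict per recognised pflog line; unrecognised lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            yield d

def find_asymmetric_flows(text):
    """Return {(client, cport, server, sport): (in_ifc, [reply_ifcs])} for every
    inbound connection that had at least one reply leave on an interface
    other than the one the connection arrived on."""
    inbound = {}                  # flow key -> interface the first inbound packet hit
    replies = defaultdict(list)   # flow key -> interfaces replies were passed out on
    for p in parse_pflog(text):
        if p["dir"] == "in":
            inbound.setdefault((p["src"], p["sport"], p["dst"], p["dport"]), p["ifc"])
        else:
            key = (p["dst"], p["dport"], p["src"], p["sport"])  # reverse direction
            if key in inbound:
                replies[key].append(p["ifc"])
    return {k: (inbound[k], replies[k]) for k in inbound
            if any(ifc != inbound[k] for ifc in replies[k])}

if __name__ == "__main__":
    for flow, (in_ifc, out_ifcs) in find_asymmetric_flows(SAMPLE_PFLOG).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} "
              f"arrived on {in_ifc}, replies left on {out_ifcs}")
```

On the constructed capture it reports the single tcp/25 connection as arriving on dc3 with replies on dc0 and dc3; the router's own outbound ident lookup has no matching inbound flow and is ignored.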