Date:      Thu, 16 Aug 2007 22:45:37 +0200
From:      Reinhold <freebsd@violetlan.net>
To:        freebsd-stable@freebsd.org
Subject:   mail problems was Re: apache problems
Message-ID:  <20070816224537.45e193d8@khumuleka.berlin-computer-solutions.com>
In-Reply-To: <20070816191835.GB23955@eos.sc1.parodius.com>
References:  <55620.212.99.207.3.1187285304.squirrel@www.violetlan.net> <20070816180710.GA22257@eos.sc1.parodius.com> <46C4A270.2090704@quip.cz> <20070816191835.GB23955@eos.sc1.parodius.com>


[-- Attachment #1 --]
Thanks for the tips on postfix, but they don't work for me. I have my
mail server behind a pf firewall box on a local IP.

I have attached my pf.conf file so that you can see what it looks like.
I also have to tell spamd to use the hostname of the mail server, but
when I use the -h flag it stops working.

thanks for all the help

On Thu, 16 Aug 2007 12:18:35 -0700
Jeremy Chadwick <koitsu@FreeBSD.org> wrote:

> On Thu, Aug 16, 2007 at 09:16:00PM +0200, Miroslav Lachman wrote:
> > Jeremy Chadwick wrote:
> > [...]
> >>> I'm also getting this error when I do a graceful restart of apache
> >>> [Thu Aug 16 05:12:16 2007] [warn] (22)Invalid argument: Failed to
> >>> enable the 'httpready' Accept Filter
> >>> [Thu Aug 16 05:12:16 2007] [warn] (22)Invalid argument: Failed to
> >>> enable the 'httpready' Accept Filter
> >>>
> >>> and in my /boot/loader.conf I have added
> >>> accf_data_load="YES"
> >>> accf_http_load="YES"
> >> Remove those.  Here's why:
> >> The apache rc.d startup script automatically will load
> >> accf_http.ko. I also believe if that fails, Apache will try to
> >> load it.  From my experiences kldload/kldunload with accf_* is not
> >> very friendly; I've seen where you can double-load the modules,
> >> and where you can't unload the modules despite nothing using
> >> them.  If you have them built-in to your kernel, it gets even
> >> worse.
> >
> > It is not always possible to load modules after OS startup is done
> > - when securelevel is 1 or above, you can not load kernel modules.
> 
> Okay, then the apache rc.d script needs to take this into account,
> regardless of what rc.conf apache22_http_accept_enable is set to.
> 
> That shouldn't be too hard to fix.
> 

[-- Attachment #2 --]
#	$OpenBSD: pf.conf,v 1.31 2006/01/30 12:20:31 camield Exp $
#
#   pf.conf for my firewall
#   
#   The default gateway doing NAT for my home network, using queues for extended ackpri.
#
#   Mostly configured from http://www.benzedrine.cx/pf.conf
#
#   The external interface is rl0, with the routable addresses 80.81.242.5 - 80.81.242.14.
#   The internal interface is rl1, address 10.0.100.1 in network 10.0.0.0/8.

# =========================================================================== #
# Macros, Lists, Options and Tables                                           #
# =========================================================================== #

# macros
#
ext_if          = "rl0"
int_if          = "rl1" 
unfiltered      = "{ lo0, enc0 }"
unroutable      = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }"
#unroutable      = "{ 127.0.0.0/8, 172.16.0.0/12, 255.255.255.255/32 }"

# All my IPs are from 80.81.242.5 to 80.81.242.14

# host amanzi
# used for ns1.violetlan.net and firewall
# The external IP = 80.81.242.5
# The internal IP = 10.0.100.1
#
amanzi_int          = "10.0.100.1"
amanzi_ext          = "80.81.242.5"

# host scurvy
# used for DNS2 and email
#
# IPs for ns2.violetlan.net
scurvy_int          = "10.0.100.110"
scurvy_ext          = "80.81.242.6"

# IPs address for mail.violetlan.net
scurvy_int1         = "10.0.100.111"
scurvy_ext1         = "80.81.242.7"

# host mbali
#
# IP address for www.violetlan.net
mbali_int           = "10.0.100.150"
mbali_ext           = "80.81.242.8"

# IPs address for gallery.violetlan.net
mbali_int1          = "10.0.100.151"
mbali_ext1          = "80.81.242.9"

proxy               = "80.81.242.5"

# ports
#
all_services    = "{ ssh, smtp, smtps, domain, auth, http, https, imap, imaps, pop3, pop3s }"
local_ports     = "{ ssh, domain, auth }"
http_ports      = "{ http, https }"
mail_ports      = "{ smtp, smtps, imap, imaps, pop3, pop3s }"
domain_ports    = "{ domain }"

# allowed incoming ICMP types
#
icmp_types      = "{ echoreq, timex, paramprob, unreach code needfrag }"

# options
#
set block-policy drop
set optimization aggressive
set loginterface $ext_if
set limit { states 100000, src-nodes 100000, frags 60000 }
set fingerprints "/etc/pf.os"

# tables
#
table <bruteforce>      persist
table <spamd-white>     persist
table <my_spamd_white>  persist file "/usr/local/etc/spamd/my_spamd_white"

# normalization
#
scrub in  on $ext_if all           fragment reassemble
scrub out on $ext_if all random-id fragment reassemble

# =========================================================================== #
# Queues, NAT and ftp-proxy                                                   #
# =========================================================================== #

# queues
#
# - ssh has maximum priority, so the host is always managable.
# - dns has high priority.
# - outgoing tcp connections have priority over incoming ones.
# - outgoing http has priority over other outgoing tcp
#   (the mailing list generates bursts of outgoing smtp)
#
# effect: even while the web server is under heavy load and the
# mailing list is delivering mails, I can still use www/icb/irc.
#
altq on rl0 priq bandwidth 100Mb queue { q_max, q_hig, q_def, q_low }
queue q_max priority 7
queue q_hig priority 5
queue q_def priority 3
queue q_low priority 1 priq(default)

# translations
#
no nat on $unfiltered from any to any
no rdr on $unfiltered from any to any

# nat private network to single routable address
#
nat on $ext_if inet from 10.0.0.0/8 to any -> ($ext_if)

# ftp proxy
nat-anchor "pftpx/*"
# =========================================================================== #
# Redirect Rules                                                              #
# =========================================================================== #

#############
#  amanzi   #
#############

# ftp proxy
rdr-anchor "pftpx/*"
rdr pass on $int_if proto tcp from 10.0.0.0/8 to $proxy port 21 -> 127.0.0.1 port 8021
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

#############
#  scurvy   #
#############

# DNS2
#
rdr on $ext_if inet proto { tcp, udp } from any to $scurvy_ext port $domain_ports -> $scurvy_int

# obspamd
#
rdr pass inet proto tcp from <my_spamd_white> to $scurvy_ext1 port $mail_ports -> $scurvy_int1
rdr pass inet proto tcp from <spamd-white> to $scurvy_ext1 port $mail_ports -> $scurvy_int1
#rdr on $ext_if inet proto tcp from <my_spamd_white> to $scurvy_ext1 port $mail_ports -> $scurvy_int1
#rdr on $ext_if inet proto tcp from <spamd-white> to $scurvy_ext1 port $mail_ports -> $scurvy_int1
rdr pass inet proto tcp from any to $scurvy_ext1 port { smtp, smtps } -> 127.0.0.1 port spamd

# ssh
#
rdr on $ext_if inet proto tcp from any to $scurvy_ext port ssh -> $scurvy_int

#############
#   mbali   #
#############

# http redirection
#
rdr on $ext_if inet proto tcp from any to $mbali_ext port $http_ports -> $mbali_int
rdr on $ext_if inet proto tcp from any to $mbali_ext1 port $http_ports -> $mbali_int1

# mail
#
#rdr on $ext_if inet proto tcp from any to $mbali_ext port $mail_ports -> $mbali_int

# ssh
#
rdr on $ext_if inet proto tcp from any to $mbali_ext port ssh -> $mbali_int

# =========================================================================== #
# filter rules (default block/pass)                                           #
# =========================================================================== #

# pass on unfiltered interfaces
#
pass quick on $unfiltered
pass quick on $int_if

# silently drop TCP non-SYN packets, the remaining ruleset only deals with
# TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point.
#
block return-rst quick proto tcp all flags /S
block return-rst quick proto tcp all flags A/A

# block and log everything by default
#
block             log
block return-rst  log inet proto tcp
block return-icmp log inet proto udp

# =========================================================================== #
# external interface (all external IPv4 traffic)                              #
# =========================================================================== #

# silently drop broadcasts (ADSL noise)
#
block in quick on $ext_if inet from any to 255.255.255.255

# bruteforce
#
block quick from <bruteforce> to any

# block some known-bad ports without logging
#
block return-rst  in quick on $ext_if proto tcp from any to any port { 111, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if proto udp from any to any port { 137, 138, 139, 1434 }

# block and log incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
#
block in log quick on $ext_if inet from $unroutable to any

# block and log outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
#
block out log quick on $ext_if inet from !($ext_if) to any

# =========================================================================== #
# TCP UDP in/out                                                              #
# =========================================================================== #

#############
#   amanzi  #
#############

pass out on $ext_if inet proto udp from any to any keep state queue (q_def)
pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state queue (q_def, q_max)
pass out on $ext_if inet proto tcp from ($ext_if) to any port $http_ports flags S/SA keep state queue (q_hig, q_max)

############# 
#  scurvy   #
#############

# mail server
#
pass in log on $ext_if proto tcp from any to any port $mail_ports flags S/SA synproxy state queue (q_def, q_max)
pass out quick log on $ext_if proto tcp from $scurvy_ext1 to any port { smtp, smtps } flags S/SA synproxy state queue (q_def, q_max)

############# 
#   mbali   #
#############

# webserver
#
pass in on $ext_if inet proto tcp from any to any port $http_ports flags S/SA keep state queue (q_low, q_max)
#pass in log on $ext_if inet proto tcp from any to any port $http_ports flags S/SA keep state (max 1024, max-src-conn 100, max-src-conn-rate 15/5, tcp.first 10, tcp.opening 10, overload <bruteforce> flush global) queue (q_low, q_max)

#############
# all hosts #
#############

# ftp proxy
anchor "pftpx/*"
pass out log proto tcp from $proxy to any port 21 flags S/SA keep state

# ICMP
#
pass out inet proto icmp all keep state queue (q_low)
pass in  inet proto icmp all icmp-type $icmp_types keep state queue (q_max)

# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state queue (q_low)

# DNS
#
pass out log on $ext_if inet proto { tcp, udp } from any to any port domain keep state queue (q_hig)
#pass in log on $ext_if inet proto {tcp, udp } from any to ($ext_if) port domain keep state (max 512) queue (q_hig)
pass in log on $ext_if inet proto { tcp, udp } from any to any port domain keep state (max 512) queue (q_hig)

# ssh
pass log inet proto tcp from any to any port ssh flags S/SA keep state (max 1024, max-src-conn 15, max-src-conn-rate 5/3, tcp.first 10, tcp.opening 10, overload <bruteforce> flush global) queue (q_hig, q_max)

# =========================================================================== #
# antispoof                                                                   #
# =========================================================================== #

antispoof for $ext_if
antispoof for $int_if
antispoof for $unfiltered
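
Added example (not part of Reinhold's post or of the ruleset above): a small Python resolver that applies pf's first-match semantics to the scurvy rdr rules, so you can check offline where an inbound connection to a given external address and port is actually redirected. It embeds a constructed excerpt of the posted macros, tables and rdr rules; the service-name table is a constructed subset of /etc/services and maps "spamd" to 8025 as on OpenBSD (an assumption for this FreeBSD box); the whitelist entry 203.0.113.0/24 is constructed. Tables start empty because spamd fills them at runtime.

```python
"""Apply pf's first-match rdr semantics to the scurvy redirect rules.

Added example, not code from the post.  It expands macros, tokenises the
rdr rules and answers "where does a connection to <ext ip>:<port> end up?"
so the spamd/whitelist redirect ordering can be checked offline.
"""
import ipaddress
import re

# Constructed excerpt of the posted pf.conf: the macros, tables and rdr
# rules that matter for the mail server (scurvy).
PF_CONF = """
ext_if          = "rl0"
scurvy_int      = "10.0.100.110"
scurvy_ext      = "80.81.242.6"
scurvy_int1     = "10.0.100.111"
scurvy_ext1     = "80.81.242.7"
mail_ports      = "{ smtp, smtps, imap, imaps, pop3, pop3s }"
domain_ports    = "{ domain }"
table <spamd-white>     persist
table <my_spamd_white>  persist file "/usr/local/etc/spamd/my_spamd_white"
rdr on $ext_if inet proto { tcp, udp } from any to $scurvy_ext port $domain_ports -> $scurvy_int
rdr pass inet proto tcp from <my_spamd_white> to $scurvy_ext1 port $mail_ports -> $scurvy_int1
rdr pass inet proto tcp from <spamd-white> to $scurvy_ext1 port $mail_ports -> $scurvy_int1
rdr pass inet proto tcp from any to $scurvy_ext1 port { smtp, smtps } -> 127.0.0.1 port spamd
rdr on $ext_if inet proto tcp from any to $scurvy_ext port ssh -> $scurvy_int
"""

# Constructed subset of /etc/services; "spamd" = 8025 is the OpenBSD value
# and is assumed here for this box.
SERVICES = {"ssh": 22, "smtp": 25, "domain": 53, "pop3": 110, "imap": 143,
            "smtps": 465, "imaps": 993, "pop3s": 995, "spamd": 8025}

# A token is a "{ ... }" list, a "<table>" reference, the "->" arrow or a word.
TOKEN = re.compile(r"\{[^}]*\}|<[^>]+>|->|\S+")


def port_number(name):
    return int(name) if name.isdigit() else SERVICES[name]


def as_list(tok):
    """'{ a, b }' -> ['a', 'b'];  'a' -> ['a']."""
    if tok.startswith("{"):
        return [t.strip() for t in tok[1:-1].split(",") if t.strip()]
    return [tok]


def parse_ruleset(text):
    """Return (tables, rules).  Tables start empty: spamd fills them at runtime."""
    macros, tables, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^(\w+)\s*=\s*"(.*)"$', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^table\s+<([^>]+)>", line)
        if m:
            tables.setdefault(m.group(1), set())
            continue
        if not line.startswith("rdr"):
            continue                      # nat/filter rules are not modelled
        toks = TOKEN.findall(re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line))
        rule = {"pass": toks[1] == "pass", "proto": ["tcp"], "ports": None, "tport": None}
        i = 0
        while i < len(toks):
            t = toks[i]
            if t == "proto":
                rule["proto"] = as_list(toks[i + 1])
                i += 2
            elif t == "from":
                rule["src"] = toks[i + 1]
                i += 2
            elif t == "to":
                rule["dst"] = as_list(toks[i + 1])
                i += 2
            elif t == "port":
                rule["ports"] = [port_number(p) for p in as_list(toks[i + 1])]
                i += 2
            elif t == "->":
                rule["target"] = toks[i + 1]
                i += 2
                if i < len(toks) and toks[i] == "port":   # translated port
                    rule["tport"] = port_number(toks[i + 1])
                    i += 2
            else:
                i += 1                    # "on <if>", "inet", "rdr", "pass"
        rules.append(rule)
    return tables, rules


def src_matches(rule, tables, src_ip):
    """'any', a '<table>' of networks, or a literal address/network."""
    src = rule["src"]
    if src == "any":
        return True
    nets = tables.get(src[1:-1], set()) if src.startswith("<") else {src}
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def resolve(tables, rules, proto, src_ip, dst_ip, dst_port):
    """First matching rdr rule wins, as pf evaluates rdr rules.  Returns
    (target_ip, target_port, passed_by_rdr_pass), or None when no rule
    redirects the connection (it then terminates on the firewall itself)."""
    for r in rules:
        if proto not in r["proto"] or dst_ip not in r["dst"]:
            continue
        if r["ports"] is not None and dst_port not in r["ports"]:
            continue
        if not src_matches(r, tables, src_ip):
            continue
        tport = r["tport"] if r["tport"] is not None else dst_port
        return r["target"], tport, r["pass"]
    return None


def exposed(rules):
    """Every (external ip, port, proto, internal target) the rdr rules open."""
    out = set()
    for r in rules:
        for dst in r["dst"]:
            for proto in r["proto"]:
                for p in r["ports"] or [None]:
                    out.add((dst, p, proto, r["target"]))
    return out


TABLES, RULES = parse_ruleset(PF_CONF)
TABLES["spamd-white"].add("203.0.113.0/24")     # constructed whitelist entry

if __name__ == "__main__":
    for args in (("tcp", "203.0.113.5", "80.81.242.7", 25),
                 ("tcp", "198.51.100.9", "80.81.242.7", 25),
                 ("tcp", "198.51.100.9", "80.81.242.7", 143)):
        print(args, "->", resolve(TABLES, RULES, *args))
```

Two things the resolver makes visible: a whitelisted source on port 25 goes straight to 10.0.100.111 while any other source is handed to spamd on 127.0.0.1:8025, and a non-whitelisted connection to imap/imaps/pop3/pop3s matches no rdr rule at all, so it terminates on the firewall's 80.81.242.7 alias instead of the mail server. On the real box, `pfctl -nf /etc/pf.conf` is the authoritative syntax check, `pfctl -sn` shows the translation rules as loaded, and `pfctl -t spamd-white -T show` lists the addresses spamd has whitelisted.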

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070816224537.45e193d8>