From: Victor Lyapunov
To: freebsd-pf@freebsd.org
Date: Sat, 21 Nov 2009 21:06:50 +0600
Message-ID: <6c51dbb10911210706g3490e463x7fdf3809243e30d2@mail.gmail.com>
Subject: sending mail with attachments always fails (FreeBSD/pf)
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi all,

I have a production network with a FreeBSD box acting as firewall. The problem emerges as soon as users send mail with attachments. (Sending mail without attachments always succeeds.) Basically, when a user tries to send a message, only part of it is transmitted before the connection is interrupted and sending fails. The problem persists only when pf is enabled.

My ruleset:

scrub in all fragment reassemble
block drop on em0 all
pass inet proto tcp from 192.168.0.0/24 to any port = smtp flags S/SA keep state
pass inet proto tcp from 192.168.0.0/24 to any port = pop3 flags S/SA keep state
pass inet proto tcp from 192.168.0.0/24 to any port = imap flags S/SA keep state
pass inet proto tcp from 192.168.0.0/24 to any port = smtps flags S/SA keep state
pass inet proto tcp from 192.168.0.0/24 to any port = pop3s flags S/SA keep state
pass proto udp from any to any port = domain keep state

This is what I get from pfctl -si just after #/etc/rc.d/pf start

# pfctl -si
Status: Enabled for 0 days 00:00:09           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                  0            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

After I try to send some mail with attachments a couple of times (which always fail), I get this from pfctl -si:

Status: Enabled for 0 days 00:02:58           Debug: Urgent

State Table                          Total             Rate
  current entries                       48
  searches                            1313            7.4/s
  inserts                              131            0.7/s
  removals                              83            0.5/s
Counters
  match                                152            0.9/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                        22            0.1/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

Any suggestions/ideas would be appreciated,

Best regards,
Victor

FreeBSD router 7.2-RELEASE FreeBSD 7.2-RELEASE #4: Sun May 3 23:29:04 2009     root@router:/usr/obj/usr/src/sys/GENERIC  i386
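The post compares two pfctl -si snapshots by eye; the counter that actually moved (state-mismatch, 0 to 22) is easy to miss among the zero rows. The following is an added example, not code from the post or from pf, that parses pfctl -si output and reports which drop/error counters grew between two snapshots. The two snapshots are the post's own output trimmed to a few rows; the row regex assumes the column layout shown in the post.

```python
import re

# Both snapshots are the post's own `pfctl -si` output, trimmed to a few rows.
BEFORE = """\
Status: Enabled for 0 days 00:00:09           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                               0            0.0/s
Counters
  match                                  0            0.0/s
  state-mismatch                         0            0.0/s
"""
AFTER = """\
Status: Enabled for 0 days 00:02:58           Debug: Urgent

State Table                          Total             Rate
  current entries                       48
  searches                            1313            7.4/s
Counters
  match                                152            0.9/s
  state-mismatch                        22            0.1/s
"""

# One counter row: indent, name (may contain spaces/hyphens), Total, optional Rate.
ROW = re.compile(r"^\s+([a-z][a-z -]*?)\s{2,}(\d+)(?:\s+[\d.]+/s)?\s*$")

def parse_pfctl_si(text):
    """Map each counter name to (section, total) from `pfctl -si` output."""
    section, counters = None, {}
    for line in text.splitlines():
        if line.startswith("State Table"):
            section = "state"
        elif line.startswith("Counters"):
            section = "counters"
        elif section and (m := ROW.match(line)):
            counters[m.group(1)] = (section, int(m.group(2)))
    return counters

def counter_deltas(before, after):
    """Counters that grew between two snapshots, as {name: increase}."""
    old = parse_pfctl_si(before)
    return {n: v - old.get(n, (s, 0))[1]
            for n, (s, v) in parse_pfctl_si(after).items()
            if v - old.get(n, (s, 0))[1] > 0}

def error_counters(before, after):
    """Drop/error counters (the Counters block minus 'match') that increased:
    the first thing to check when a flow dies mid-transfer, as in the post."""
    sections = parse_pfctl_si(after)
    return sorted(n for n in counter_deltas(before, after)
                  if sections[n][0] == "counters" and n != "match")
```

Run it against two full `pfctl -si` captures taken before and after reproducing the failure; a growing state-mismatch count means pf saw packets that did not fit an existing state entry, while bad-offset, fragment or short point at normalization drops instead.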