From owner-freebsd-pf@FreeBSD.ORG Wed Oct 24 21:01:35 2007
From: dssampson@yahoo.com
To: Olli Hauer
Cc: freebsd-pf@freebsd.org
Date: Wed, 24 Oct 2007 14:01:25 -0700 (PDT)
Subject: Re: spamd nonfunctioning due to power outage in SD
Message-ID: <101025.43337.qm@web35812.mail.mud.yahoo.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

> dssampson@yahoo.com wrote:
> > I had a power outage to our building due to the fires in San Diego and
> > it crashed those without UPSes. One of them is the spamd machine. I've
> > brought it back up and ran fsck on all volumes. However, mail will not
> > come into our mailboxes from outside but mail can be delivered to
> > outside recipients. I can telnet into the spamd machine and send mail
> > externally and internally. Postfix seems to be ok. When I stop pf, mail
> > from the outside of our LAN comes pouring in. When I start up pf,
> > inbound mail comes to a stop. In the spamd log, I see all kinds of
> > connections being blacklisted and greylisted but still not one mail is
> > being delivered. I am using spamd-mywhite as my whitelist and put all
> > known GMail IP addresses on it. I then send an email from my GMail
> > account to this machine. It gets greylisted and eventually sits in the
> > greylist for quite a while. I also see port 25 open on both external
> > and internal NICs and port 8025 open on the localhost interface.
> >
> > I need assistance in troubleshooting this. Running spamd 4.1.2 on
> > FreeBSD 6.2. We average 800 valid mails per day and so far in the last
> > 24 hours, not one mail has come through using the existing spamd
> > configuration.
> >
> > mailfilter-root@/usr/ports# pfctl -vvnf /etc/pf.conf
> > ext_if = "rl0"
> > int_if = "xl0"
> > internal_net = "192.168.1.1/24"
> > external_addr = "216.70.250.4"
> > vpn_net = "10.8.0.0/24"
> > icmp_types = "echoreq"
> > NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
> > webserver1 = "192.168.1.4"
> > set skip on { lo0 }
> > set skip on { gif0 }
> > @0 scrub in all fragment reassemble
> > @1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
> > @2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
> > @3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http -> 192.168.1.4 port 80
> > table persist
> > table persist
> > table persist file "/usr/local/etc/spamd/spamd-mywhite"
> > @4 rdr inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
> > @5 rdr inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
> > @6 rdr pass inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
> > @7 rdr pass inet proto tcp from ! to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
> > @8 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
> > @9 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
> > @10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
> > @11 block drop in log all
> > @12 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
> > @13 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
> > @14 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
> > @15 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
> > @16 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
> > @17 block drop out log quick on rl0 inet from any to 127.0.0.0/8
> > @18 block drop out log quick on rl0 inet from any to 192.168.0.0/16
> > @19 block drop out log quick on rl0 inet from any to 172.16.0.0/12
> > @20 block drop out log quick on rl0 inet from any to 10.0.0.0/8
> > @21 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
> > @22 block drop in log quick inet from 192.168.1.25 to any
> > @23 pass in on xl0 inet from 192.168.1.0/24 to any
> > @24 pass out log on xl0 inet from any to 192.168.1.0/24
> > @25 pass out log quick on xl0 inet from any to 10.8.0.0/24
> > @26 pass out on rl0 proto tcp all flags S/SA modulate state
> > @27 pass out on rl0 proto udp all keep state
> > @28 pass out on rl0 proto icmp all keep state
> > @29 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
> > @30 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
> > warning: macro 'icmp_types' not used
> > mailfilter-root@/usr/ports#
> >
> > What's the quickest way to recover from this? Any other
> > troubleshooting techniques?
> >
> > ~Doug
> >
>
> with rule @11 (log) you can do a
> tcpdump -net -i pflog0 and look at the block rule number.

This is what I am seeing:
303784 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535
1. 266221 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: S 3256136674:3256136674(0) win 57344
157399 rule 3/0(match): block in on rl0: 207.158.59.100.38643 > 127.0.0.1.25: S 4015967731:4015967731(0) win 5840
1. 139142 rule 3/0(match): block in on rl0: 200.46.204.71.49347 > 127.0.0.1.25: S 4237450357:4237450357(0) win 65535
199803 rule 3/0(match): block in on rl0: 200.46.204.71.53512 > 127.0.0.1.25: S 2390205679:2390205679(0) win 65535
039859 rule 3/0(match): block in on rl0: 200.46.204.71.65136 > 127.0.0.1.25: S 1802046267:1802046267(0) win 65535
101924 rule 3/0(match): block in on rl0: 200.46.204.71.61323 > 127.0.0.1.25: S 1996496288:1996496288(0) win 65535
295669 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535
192006 rule 3/0(match): block in on rl0: 38.100.230.154.1856 > 127.0.0.1.25: S 1648209710:1648209710(0) win 5840
639961 rule 3/0(match): block in on rl0: 207.158.59.100.60302 > 127.0.0.1.25: S 490829265:490829265(0) win 5840
391948 rule 3/0(match): block in on rl0: 207.158.59.100.38643 > 127.0.0.1.25: S 4015967731:4015967731(0) win 5840
042299 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: S 3256136674:3256136674(0) win 57344
025190 rule 3/0(match): block in on rl0: 209.11.60.21.14104 > 127.0.0.1.25: S 598584256:598584256(0) win 16384
1. 310404 rule 3/0(match): block in on rl0: 200.46.204.71.49347 > 127.0.0.1.25: S 4237450357:4237450357(0) win 65535
214949 rule 3/0(match): block in on rl0: 200.46.204.71.53512 > 127.0.0.1.25: S 2390205679:2390205679(0) win 65535
038980 rule 3/0(match): block in on rl0: 200.46.204.71.65136 > 127.0.0.1.25: S 1802046267:1802046267(0) w

Which of the rules above does rule 3/0(match) refer to?

Also,
mailfilter-root@/usr/ports# tcpdump -n -e -ttt -r /var/log/pflog port 8025
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
mailfilter-root@/usr/ports#

No forwarding to port 8025 is occurring at this point, or so it seems.

>
> also do a sockstat -4 -p 25 and look if your mailserver listens
> at 127.0.0.1:25, otherwise rules @4 and @5 have no effect

mailfilter-root@/usr/ports# sockstat -4 -p 25
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     master     841   11 tcp4   *:25                  *:*

I should mention that this is a relay for our internal Exchange server. I'm going to test if Postfix is relaying correctly. From all indications it does seem to relay correctly but I need to make sure it does!

~Doug
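An added example, not part of Doug's or Olli's messages, for the question of which rule "rule 3/0(match)" refers to: the number pflog records indexes the loaded filter ruleset (the numbering "pfctl -vvsr" shows), not the running @N count that "pfctl -vvnf" prints across scrub, nat and rdr rules, so this script renumbers only the pass/block lines of a constructed excerpt of the quoted ruleset and resolves the number taken from a pflog line in the shape quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): map a pflog "rule N/0" number back to
# the rule text. pflog numbers index the loaded *filter* ruleset (what
# "pfctl -vvsr" prints), so scrub/nat/rdr lines in "pfctl -vvnf" output do
# not count. Assumption: the ruleset is a constructed excerpt of the one
# quoted in the thread.
PFCTL_NF='@0 scrub in all fragment reassemble
@1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
@2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
@3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http -> 192.168.1.4 port 80
@8 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
@9 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
@10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
@11 block drop in log all
@12 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state'

# filter_rule N: print the filter rule that pflog rule number N refers to
# (empty output if no such rule exists).
filter_rule() {
    printf '%s\n' "$PFCTL_NF" | awk -v want="$1" '
        BEGIN { n = 0 }
        # Only pass/block lines live in the filter ruleset; renumber them
        # from 0 the way the kernel (and pfctl -vvsr) does.
        $2 == "pass" || $2 == "block" {
            if (n == want + 0) { sub(/^@[0-9]+ /, ""); print; exit }
            n++
        }'
}

# pflog_rule LINE: extract N from "rule N/0(match)" in a tcpdump pflog line.
pflog_rule() {
    printf '%s\n' "$1" | sed -n 's/.*rule \([0-9]*\)\/[0-9]*(match).*/\1/p'
}

# Constructed line in the shape of the tcpdump output quoted above.
LOG='303784 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535'

explain() {
    n=$(pflog_rule "$1")
    printf 'pflog rule %s -> %s\n' "$n" "$(filter_rule "$n")"
}
explain "$LOG"
```

With the rules quoted above this resolves to "block drop in log all" (@11 in the -vvnf listing), which fits the logged packets: after rdr they carry the rewritten destination 127.0.0.1:25, which the only inbound SMTP pass rule (@8, "to 216.70.250.4 port = smtp") no longer matches.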