Date:      Thu, 25 Oct 2007 07:44:07 +0200
From:      Olli Hauer <ohauer@gmx.de>
To:        dssampson@yahoo.com
Cc:        freebsd-pf@freebsd.org
Subject:   Re: spamd nonfunctioning due to power outage in SD
Message-ID:  <47202D27.1050001@gmx.de>
In-Reply-To: <101025.43337.qm@web35812.mail.mud.yahoo.com>
References:  <101025.43337.qm@web35812.mail.mud.yahoo.com>

dssampson@yahoo.com wrote:
>> dssampson@yahoo.com wrote:
>>> I had a power outage to our building due to the fires in San Diego
>>> and it crashed those without UPSes. One of them is the spamd machine.
>>> I've brought it back up and ran fsck on all volumes. However, mail
>>> will not come into our mailboxes from outside but mail can be
>>> delivered to outside recipients. I can telnet into the spamd machine
>>> and send mail externally and internally. Postfix seems to be ok. When
>>> I stop pf, mail from the outside of our LAN comes pouring in. When I
>>> start up pf, inbound mail comes to a stop. In the spamd log, I see all
>>> kinds of connections being blacklisted and greylisted but still not
>>> one mail is being delivered. I am using spamd-mywhite as my whitelist
>>> and put all known GMail IP addresses on it. I then send an email from
>>> my GMail account to this machine. It gets greylisted and eventually
>>> sits in the greylist for quite a while. I also see port 25 open on
>>> both external and internal NICs and port 8025 open on the localhost
>>> interface.
>>> I need assistance in troubleshooting this. Running spamd 4.1.2 on
>>> FreeBSD 6.2. We average 800 valid mails per day and so far in the last
>>> 24 hours, not one mail has come through using the existing spamd
>>> configuration.
>>> mailfilter-root@/usr/ports# pfctl -vvnf /etc/pf.conf
>>> ext_if = "rl0"
>>> int_if = "xl0"
>>> internal_net = "192.168.1.1/24"
>>> external_addr = "216.70.250.4"
>>> vpn_net = "10.8.0.0/24"
>>> icmp_types = "echoreq"
>>> NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
>>> webserver1 = "192.168.1.4"
>>> set skip on { lo0 }
>>> set skip on { gif0 }
>>> @0 scrub in all fragment reassemble
>>> @1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
>>> @2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
>>> @3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http -> 192.168.1.4 port 80
>>> table  persist
>>> table  persist
>>> table  persist file "/usr/local/etc/spamd/spamd-mywhite"
>>> @4 rdr inet proto tcp from  to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
>>> @5 rdr inet proto tcp from  to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
>>> @6 rdr pass inet proto tcp from  to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
>>> @7 rdr pass inet proto tcp from !  to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
>>> @8 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
>>> @9 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
>>> @10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
>>> @11 block drop in log all
>>> @12 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
>>> @13 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
>>> @14 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
>>> @15 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
>>> @16 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
>>> @17 block drop out log quick on rl0 inet from any to 127.0.0.0/8
>>> @18 block drop out log quick on rl0 inet from any to 192.168.0.0/16
>>> @19 block drop out log quick on rl0 inet from any to 172.16.0.0/12
>>> @20 block drop out log quick on rl0 inet from any to 10.0.0.0/8
>>> @21 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
>>> @22 block drop in log quick inet from 192.168.1.25 to any
>>> @23 pass in on xl0 inet from 192.168.1.0/24 to any
>>> @24 pass out log on xl0 inet from any to 192.168.1.0/24
>>> @25 pass out log quick on xl0 inet from any to 10.8.0.0/24
>>> @26 pass out on rl0 proto tcp all flags S/SA modulate state
>>> @27 pass out on rl0 proto udp all keep state
>>> @28 pass out on rl0 proto icmp all keep state
>>> @29 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
>>> @30 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
>>> warning: macro 'icmp_types' not used
>>> mailfilter-root@/usr/ports#
>>>
>>> What's the quickest way to recover from this? Any other troubleshooting techniques?
>>> ~Doug
>>>
>> with rule @11 (log) you can do a
>> tcpdump -net -i pflog0 and look at the block rule number.
> 
> This is what I am seeing:
> 303784 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
> 1. 266221 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: S 3256136674:3256136674(0) win 57344 <mss 1460>
> 157399 rule 3/0(match): block in on rl0: 207.158.59.100.38643 > 127.0.0.1.25: S 4015967731:4015967731(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
> 1. 139142 rule 3/0(match): block in on rl0: 200.46.204.71.49347 > 127.0.0.1.25: S 4237450357:4237450357(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
> 199803 rule 3/0(match): block in on rl0: 200.46.204.71.53512 > 127.0.0.1.25: S 2390205679:2390205679(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
> 039859 rule 3/0(match): block in on rl0: 200.46.204.71.65136 > 127.0.0.1.25: S 1802046267:1802046267(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
> 101924 rule 3/0(match): block in on rl0: 200.46.204.71.61323 > 127.0.0.1.25: S 1996496288:1996496288(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
> 295669 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
> 192006 rule 3/0(match): block in on rl0: 38.100.230.154.1856 > 127.0.0.1.25: S 1648209710:1648209710(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
> 639961 rule 3/0(match): block in on rl0: 207.158.59.100.60302 > 127.0.0.1.25: S 490829265:490829265(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
> 391948 rule 3/0(match): block in on rl0: 207.158.59.100.38643 > 127.0.0.1.25: S 4015967731:4015967731(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
> 042299 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: S 3256136674:3256136674(0) win 57344 <mss 1460>
> 025190 rule 3/0(match): block in on rl0: 209.11.60.21.14104 > 127.0.0.1.25: S 598584256:598584256(0) win 16384 <mss 1380>
> 1. 310404 rule 3/0(match): block in on rl0: 200.46.204.71.49347 > 127.0.0.1.25: S 4237450357:4237450357(0) win 65535 <mss 1460,sackOK,eol>
> 214949 rule 3/0(match): block in on rl0: 200.46.204.71.53512 > 127.0.0.1.25: S 2390205679:2390205679(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
> 038980 rule 3/0(match): block in on rl0: 200.46.204.71.65136 > 127.0.0.1.25: S 1802046267:1802046267(0) w
> 
> Which of the rules above does rule 3/0(match) refer to?

It's easier to count the rules this way.
Nat/rdr rules:
  # pfctl -sn
filter rules:
  # pfctl -sr  => now look at the 3rd line

> @8 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
> @9 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
> @10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
> @11 block drop in log all

There is no quick keyword, so please place @11 before @8, reload the pf rules and post the output of
1) pfctl -sn
2) pfctl -sr
3) now take another look with tcpdump -i pflog0
This makes things easier to count and refer to.



> Also,
> mailfilter-root@/usr/ports# tcpdump -n -e -ttt -r /var/log/pflog port 8025
> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> mailfilter-root@/usr/ports# 
> 
> No forwarding to port 8025 is occurring at this point, or so it seems.
> 
>> also do a sockstat -4 -p 25 and look if your mailserver listen
>> at 127.0.0.1:25 otherwise rule @4 and @5 have no effect
>  
> 
> mailfilter-root@/usr/ports# sockstat -4 -p 25
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
> root     master     841   11 tcp4   *:25                  *:*
> 

OK, so we are sure postfix is listening.
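To make the rule-number lookup Olli describes concrete, here is an added Python helper (not part of the thread) that parses tcpdump lines from pflog0 like the ones Doug posted and tallies them against the loaded filter ruleset. It assumes, following Olli's advice to count rules from `pfctl -sr`, that the N in `rule N/0` indexes the filter rules as pf numbers them after loading, starting at 0 and not counting the scrub/nat/rdr entries; the listing in the block is constructed from the @8..@11 rules above under that assumption, and the third sample line is constructed to show a pass rule. The tally also keeps the destination each packet had when it reached the filter, which in Doug's log is already the rdr-rewritten 127.0.0.1:25.

```python
import re
from collections import Counter

# Filter rules as pf numbers them once loaded, built from pf.conf's @8..@11.
# Assumption (see lead-in): numbering restarts at 0 and skips scrub/nat/rdr,
# so pf.conf's "@11 block drop in log all" is filter rule 3.
FILTER_RULES = [
    "pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state",
    "pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state",
    "pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state",
    "block drop in log all",
]

# Sample input: the first two lines are copied from Doug's tcpdump output, the
# third is constructed (192.0.2.10 is a documentation address) to show a pass.
PFLOG_SAMPLE = """\
303784 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
1. 266221 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: S 3256136674:3256136674(0) win 57344 <mss 1460>
452100 rule 0/0(match): pass in on rl0: 192.0.2.10.40001 > 216.70.250.4.25: S 1:1(0) win 65535 <mss 1460>
"""

# Matches "rule N/M(reason): action dir on if: src.sport > dst.dport:"; the
# timestamp in front of it is skipped because re.search is used.
PFLOG_RE = re.compile(
    r"rule (?P<nr>\d+)/\d+\((?P<reason>\w+)\): (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Return one dict per tcpdump/pflog line that matches PFLOG_RE."""
    events = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["nr"] = int(ev["nr"])
            events.append(ev)
    return events


def summarize(events, rules):
    """Tally (rule number, action, rule text, destination) so each logged
    decision is read against the loaded ruleset, not pf.conf line numbers."""
    tally = Counter()
    for ev in events:
        text = rules[ev["nr"]] if ev["nr"] < len(rules) else "<rule not in listing>"
        tally[(ev["nr"], ev["action"], text, ev["dst"] + ":" + ev["dport"])] += 1
    return tally
```

Feed it `tcpdump -net -i pflog0` output together with the rules from `pfctl -vvsr` on the box itself, since the numbering above is only a reconstruction from the posted pf.conf.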