From owner-freebsd-pf@FreeBSD.ORG Thu Oct 25 05:44:23 2007
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CF09F16A418; Thu, 25 Oct 2007 05:44:23 +0000 (UTC) (envelope-from ohauer@gmx.de)
Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by mx1.freebsd.org (Postfix) with SMTP id 200B713C49D; Thu, 25 Oct 2007 05:44:22 +0000 (UTC) (envelope-from ohauer@gmx.de)
Received: from u18-124.dsl.vianetworks.de (EHLO [172.20.1.30]) [194.231.39.124] by mail.gmx.net (mp052) with SMTP; 25 Oct 2007 07:44:20 +0200
Message-ID: <47202D27.1050001@gmx.de>
Date: Thu, 25 Oct 2007 07:44:07 +0200
From: Olli Hauer
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
To: dssampson@yahoo.com
Cc: freebsd-pf@freebsd.org
References: <101025.43337.qm@web35812.mail.mud.yahoo.com>
In-Reply-To: <101025.43337.qm@web35812.mail.mud.yahoo.com>
Subject: Re: spamd nonfunctioning due to power outage in SD
List-Id: "Technical discussion and general questions about packet filter (pf)"

dssampson@yahoo.com wrote:
>> dssampson@yahoo.com wrote:
>>> I had a power outage to our building due to the fires in San Diego
>>> and it crashed those without UPSes. One of them is the spamd machine.
>>> I've brought it back up and ran fsck on all volumes. However, mail
>>> will not come into our mailboxes from outside, but mail can be
>>> delivered to outside recipients. I can telnet into the spamd machine
>>> and send mail externally and internally. Postfix seems to be ok. When
>>> I stop pf, mail from outside our LAN comes pouring in. When I start
>>> up pf, inbound mail comes to a stop. In the spamd log, I see all
>>> kinds of connections being blacklisted and greylisted, but still not
>>> one mail is being delivered. I am using spamd-mywhite as my whitelist
>>> and put all known GMail IP addresses on it. I then send an email from
>>> my GMail account to this machine. It gets greylisted and eventually
>>> sits in the greylist for quite a while. I also see port 25 open on
>>> both external and internal NICs and port 8025 open on the localhost
>>> interface.
>>>
>>> I need assistance in troubleshooting this. Running spamd 4.1.2 on
>>> FreeBSD 6.2. We average 800 valid mails per day, and so far in the
>>> last 24 hours not one mail has come through using the existing spamd
>>> configuration.
>>>
>>> mailfilter-root@/usr/ports# pfctl -vvnf /etc/pf.conf
>>> ext_if = "rl0"
>>> int_if = "xl0"
>>> internal_net = "192.168.1.1/24"
>>> external_addr = "216.70.250.4"
>>> vpn_net = "10.8.0.0/24"
>>> icmp_types = "echoreq"
>>> NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
>>> webserver1 = "192.168.1.4"
>>> set skip on { lo0 }
>>> set skip on { gif0 }
>>> @0 scrub in all fragment reassemble
>>> @1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
>>> @2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
>>> @3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http -> 192.168.1.4 port 80
>>> table persist
>>> table persist
>>> table persist file "/usr/local/etc/spamd/spamd-mywhite"
>>> @4 rdr inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
>>> @5 rdr inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
>>> @6 rdr pass inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
>>> @7 rdr pass inet proto tcp from ! to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
>>> @8 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
>>> @9 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
>>> @10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
>>> @11 block drop in log all
>>> @12 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
>>> @13 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
>>> @14 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
>>> @15 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
>>> @16 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
>>> @17 block drop out log quick on rl0 inet from any to 127.0.0.0/8
>>> @18 block drop out log quick on rl0 inet from any to 192.168.0.0/16
>>> @19 block drop out log quick on rl0 inet from any to 172.16.0.0/12
>>> @20 block drop out log quick on rl0 inet from any to 10.0.0.0/8
>>> @21 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
>>> @22 block drop in log quick inet from 192.168.1.25 to any
>>> @23 pass in on xl0 inet from 192.168.1.0/24 to any
>>> @24 pass out log on xl0 inet from any to 192.168.1.0/24
>>> @25 pass out log quick on xl0 inet from any to 10.8.0.0/24
>>> @26 pass out on rl0 proto tcp all flags S/SA modulate state
>>> @27 pass out on rl0 proto udp all keep state
>>> @28 pass out on rl0 proto icmp all keep state
>>> @29 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
>>> @30 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
>>> warning: macro 'icmp_types' not used
>>> mailfilter-root@/usr/ports#
>>>
>>> What's the quickest way to recover from this? Any other
>>> troubleshooting techniques?
>>> ~Doug
>>>
>> with rule @11 (log) you can do a
>> tcpdump -net -i pflog0 and look at the block rule number.
>
> This is what I am seeing:
> 303784 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535
> 1. 266221 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: S 3256136674:3256136674(0) win 57344
> 157399 rule 3/0(match): block in on rl0: 207.158.59.100.38643 > 127.0.0.1.25: S 4015967731:4015967731(0) win 5840
> 1. 139142 rule 3/0(match): block in on rl0: 200.46.204.71.49347 > 127.0.0.1.25: S 4237450357:4237450357(0) win 65535
> 199803 rule 3/0(match): block in on rl0: 200.46.204.71.53512 > 127.0.0.1.25: S 2390205679:2390205679(0) win 65535
> 039859 rule 3/0(match): block in on rl0: 200.46.204.71.65136 > 127.0.0.1.25: S 1802046267:1802046267(0) win 65535
> 101924 rule 3/0(match): block in on rl0: 200.46.204.71.61323 > 127.0.0.1.25: S 1996496288:1996496288(0) win 65535
> 295669 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535
> 192006 rule 3/0(match): block in on rl0: 38.100.230.154.1856 > 127.0.0.1.25: S 1648209710:1648209710(0) win 5840
> 639961 rule 3/0(match): block in on rl0: 207.158.59.100.60302 > 127.0.0.1.25: S 490829265:490829265(0) win 5840
> 391948 rule 3/0(match): block in on rl0: 207.158.59.100.38643 > 127.0.0.1.25: S 4015967731:4015967731(0) win 5840
> 042299 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: S 3256136674:3256136674(0) win 57344
> 025190 rule 3/0(match): block in on rl0: 209.11.60.21.14104 > 127.0.0.1.25: S 598584256:598584256(0) win 16384
> 1. 310404 rule 3/0(match): block in on rl0: 200.46.204.71.49347 > 127.0.0.1.25: S 4237450357:4237450357(0) win 65535
> 214949 rule 3/0(match): block in on rl0: 200.46.204.71.53512 > 127.0.0.1.25: S 2390205679:2390205679(0) win 65535
> 038980 rule 3/0(match): block in on rl0: 200.46.204.71.65136 > 127.0.0.1.25: S 1802046267:1802046267(0) w
>
> Which of the rules above does rule 3/0(match) refer to?

It's easier to count the rules this way:

Nat/rdr rules:
# pfctl -sn

filter rules:
# pfctl -sr

=> now look at the 3rd line

> @8 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
> @9 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
> @10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
> @11 block drop in log all

There is no quick keyword, so please place @11 before @8,
reload the pf rules and post the output of
1) pfctl -sn
2) pfctl -sr
3) now take again a look with tcpdump -i pflog0

This makes things easier to count and refer to.

> Also,
> mailfilter-root@/usr/ports# tcpdump -n -e -ttt -r /var/log/pflog port 8025
> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> mailfilter-root@/usr/ports#
>
> No forwarding to port 8025 is occurring at this point, or so it seems.
>
>> also do a sockstat -4 -p 25 and look if your mailserver listens
>> at 127.0.0.1:25, otherwise rules @4 and @5 have no effect
>
> mailfilter-root@/usr/ports# sockstat -4 -p 25
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
> root     master     841   11 tcp4   *:25                  *:*

OK, so we are sure postfix is listening
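As an added illustration (not part of the thread, and not pf's own code), the small Python model below reproduces the rule-selection logic the reply relies on: pf walks the filter rules in order, the last matching rule wins, and a rule marked `quick` ends evaluation at once. It loads the filter rules quoted above in `pfctl -sr` order, so indexes 0..3 line up with the `rule N/0` numbers pflog prints (pf numbers rules from 0, as the `@0` in the -vvnf listing shows; `rule 3/0` is therefore the fourth filter rule, `@11 block drop in log all`). The test packet is constructed from the first pflog line in the thread; its destination is already 127.0.0.1 port 25 because rdr runs before the filter, which is also why @29 is written for the translated web-server address 192.168.1.4 while @8 still names the external address 216.70.250.4. The model ignores state, TCP flags, synproxy and tables; the pass rule for 127.0.0.1 port 25 in the third scenario, and the two extra source addresses, are my assumptions rather than anything from the thread.

```python
"""Toy model of how pf picks the winning filter rule (added example for this
thread, not code from the original post or from pf). Modelled: direction,
interface, protocol, addresses, dst port and 'quick'. Not modelled: state,
flags, synproxy, tables. rdr is taken as already applied, so the filter sees
dst 127.0.0.1 as the thread's pflog lines show. Indexes are 0-based like pflog."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str        # "in" or "out"
    iface: str
    proto: str
    src: str
    dst: str              # destination as the filter sees it (after rdr)
    dport: Optional[int]

@dataclass(frozen=True)
class Rule:
    text: str             # the pf.conf line this models
    action: str           # "pass" or "block"
    direction: str = ""   # "in", "out" or "" for both
    iface: str = ""       # "" matches any interface
    proto: str = ""       # "" matches any protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        def addr_ok(pattern: str, addr: str) -> bool:
            return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)
        return ((not self.direction or self.direction == p.direction)
                and (not self.iface or self.iface == p.iface)
                and (not self.proto or self.proto == p.proto)
                and addr_ok(self.src, p.src) and addr_ok(self.dst, p.dst)
                and (self.dport is None or self.dport == p.dport))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """pf semantics: the LAST matching rule wins, except that a matching rule
    marked 'quick' ends evaluation on the spot. No match at all means pass."""
    winner: Tuple[str, Optional[int]] = ("pass", None)
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            winner = (rule.action, idx)
            if rule.quick:
                break
    return winner

# Filter rules quoted in the thread, in `pfctl -sr` order: the first four are
# @8..@11, so indexes 0..3 line up with pflog's "rule N/0"; @16 and @29 are
# appended (their real indexes are higher) to show what 'quick' does.
RULES = [
    Rule("@8 pass in log proto tcp from any to 216.70.250.4 port smtp",
         "pass", "in", proto="tcp", dst="216.70.250.4", dport=25),
    Rule("@9 pass out log proto tcp from 216.70.250.4 to any port smtp",
         "pass", "out", proto="tcp", src="216.70.250.4", dport=25),
    Rule("@10 pass in log proto tcp from 192.168.1.0/24 to 192.168.1.25 port smtp",
         "pass", "in", proto="tcp", src="192.168.1.0/24", dst="192.168.1.25", dport=25),
    Rule("@11 block drop in log all", "block", "in"),
    Rule("@16 block drop in log quick on rl0 from 10.0.0.0/8 to any",
         "block", "in", iface="rl0", src="10.0.0.0/8", quick=True),
    Rule("@29 pass in on rl0 proto tcp from any to 192.168.1.4 port http",
         "pass", "in", iface="rl0", proto="tcp", dst="192.168.1.4", dport=80),
]

# Constructed from the first pflog line in the thread:
# "rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25"
INBOUND_SMTP = Packet("in", "rl0", "tcp", "66.218.67.246", "127.0.0.1", 25)

def original_order() -> Tuple[str, Optional[int]]:
    """As posted: @8 matches nothing (dst is 127.0.0.1 now), @11 wins."""
    return evaluate(RULES, INBOUND_SMTP)          # ("block", 3)

def block_moved_first() -> Tuple[str, Optional[int]]:
    """The reply's suggestion: catch-all block ahead of the pass rules."""
    return evaluate([RULES[3]] + RULES[:3] + RULES[4:], INBOUND_SMTP)  # ("block", 0)

def block_first_with_translated_dst() -> Tuple[str, Optional[int]]:
    """Assumption, not from the thread: a pass rule written for the address
    the filter actually sees after rdr, i.e. 127.0.0.1 port 25."""
    post_rdr_pass = Rule("pass in on rl0 proto tcp from any to 127.0.0.1 port smtp",
                         "pass", "in", iface="rl0", proto="tcp", dst="127.0.0.1", dport=25)
    return evaluate([RULES[3], post_rdr_pass] + RULES[:3] + RULES[4:], INBOUND_SMTP)  # ("pass", 1)

def spoofed_lan_source() -> Tuple[str, Optional[int]]:
    """'quick' in action: the @16 spoof block stops evaluation, so the later
    @29 web pass never gets a chance (it would win without quick)."""
    return evaluate(RULES, Packet("in", "rl0", "tcp", "10.9.8.7", "192.168.1.4", 80))

def web_from_internet() -> Tuple[str, Optional[int]]:
    """@29 is written for the post-rdr destination, so it does win."""
    return evaluate(RULES, Packet("in", "rl0", "tcp", "198.51.100.7", "192.168.1.4", 80))

if __name__ == "__main__":
    for fn in (original_order, block_moved_first, block_first_with_translated_dst,
               spoofed_lan_source, web_from_internet):
        print(f"{fn.__name__:32s} -> {fn()}")
```

Running it prints the winning action and 0-based rule index for each scenario. The first scenario reproduces the `rule 3/0` block from the pflog. The second shows that moving @11 ahead of @8 fixes the ordering but changes nothing for this packet, because @8 is written for 216.70.250.4 and the filter only ever sees 127.0.0.1 after the rdr; the third is the same ordering with a pass rule that matches the translated destination. The last two contrast a `quick` block, which ends evaluation before @29 is reached, with the normal case where the later pass rule wins.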