From owner-freebsd-questions@FreeBSD.ORG Wed Nov 4 16:54:49 2009
From: Alex Teslik
To: freebsd-questions@freebsd.org
Date: Wed, 4 Nov 2009 08:32:43 -0800
Subject: ipfw breaking smtp conversations
List-Id: User questions (freebsd-questions@freebsd.org)

Hi List,

I'm having trouble with mail deliveries.
I'm getting lots of error messages like:

  timeout writing message to mx3.comcast.net.: Broken pipe
  timeout writing message to mailserver2.telmex.net.co.: Resource temporarily unavailable

After looking elsewhere I decided to try changing my ipfw.rules - the problems went away immediately. Unfortunately, the change caused http connections from outside to stall mid-conversation. So I changed it back. But I'm clearly doing something wrong.

Here is what my network looks like (fairly basic):

     Direct to Internet
             ^
             |
     Dual-Homed Host
     (em0 external interface)
     NAT, DHCP
     (sk0 internal interface)
             |
             v
       Internal LAN

Here are my current rules:

  #!/bin/sh
  IPFW="ipfw -q add"
  ipfw -q -f flush
  $IPFW 10 allow all from any to any via sk0
  $IPFW 20 allow all from any to any via lo0
  $IPFW 30 divert natd ip from any to any in via em0
  $IPFW 50 check-state
  $IPFW 60 skipto 500 all from any to any out via em0 setup keep-state
  $IPFW 70 allow all from any to me in via em0 setup limit src-addr 50
  $IPFW 500 divert natd ip from any to any out via em0
  $IPFW 600 allow ip from any to any
  $IPFW 800 deny all from any to any

Here are the rules that fixed smtp, but broke http:

  #!/bin/sh
  IPFW="/sbin/ipfw -q add"
  ipfw -q -f flush
  $IPFW 990 divert natd ip from any to any in via em0
  $IPFW 995 divert natd ip from any to any out via em0
  $IPFW 1000 allow tcp from any to any established
  $IPFW 1010 allow all from any to any via em0
  $IPFW 1020 allow all from any to any via sk0
  $IPFW 1030 allow all from any to any via lo0
  $IPFW 1050 allow tcp from any to any out
  $IPFW 1060 allow udp from any to any out
  $IPFW 1070 allow udp from any to any frag
  $IPFW 1090 allow ip from any to any
  $IPFW 9999 deny all from any to any

Somewhere between these two sets is the right thing, but I'm not certain where to look.
In English, here is what (I think) I'm trying to do:

  - Allow all incoming traffic on all ports on em0
  - Allow all outbound traffic on all ports on em0
  - Divert incoming NAT'd packets on em0 to sk0
  - Divert outbound NAT'd packets on sk0 to em0

Thanks,
Alex
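A small static check over the two rule sets in the post, added here as an example and not part of the original message: it parses the numbered `ipfw add` lines (copied from the post with the `$IPFW` shell prefix dropped) and reports rules that can never be reached because an earlier unqualified `allow ip from any to any` already decides every packet, plus any `allow ... established` rule, which in ipfw matches on the TCP ACK/RST bits rather than on connection state. The skipto handling and the finding texts are this example's own conventions.

```python
# Rule text constructed from the two scripts in the post ("$IPFW" prefix removed).
CURRENT_RULES = """
10 allow all from any to any via sk0
20 allow all from any to any via lo0
30 divert natd ip from any to any in via em0
50 check-state
60 skipto 500 all from any to any out via em0 setup keep-state
70 allow all from any to me in via em0 setup limit src-addr 50
500 divert natd ip from any to any out via em0
600 allow ip from any to any
800 deny all from any to any
"""
ALT_RULES = """
990 divert natd ip from any to any in via em0
995 divert natd ip from any to any out via em0
1000 allow tcp from any to any established
1010 allow all from any to any via em0
1020 allow all from any to any via sk0
1030 allow all from any to any via lo0
1050 allow tcp from any to any out
1060 allow udp from any to any out
1070 allow udp from any to any frag
1090 allow ip from any to any
9999 deny all from any to any
"""
TERMINAL = {"allow", "accept", "pass", "permit", "deny", "drop", "reject"}  # end rule search
WITH_ARG = {"divert", "tee", "skipto", "unreach", "pipe", "queue", "fwd"}   # take one argument

def parse(text):
    rules = []  # (number, action, action argument or None, remaining tokens)
    for line in text.strip().splitlines():
        num, action, *body = line.split()
        arg = body.pop(0) if action in WITH_ARG else None
        rules.append((int(num), action, arg, body))
    return rules

def is_catch_all(action, body):  # e.g. "allow ip from any to any" with no qualifiers
    return action in TERMINAL and body[:1] in (["ip"], ["all"]) and body[1:] == ["from", "any", "to", "any"]

def lint(text):
    rules, findings = parse(text), []
    skips = [(n, int(a)) for n, act, a, _ in rules if act == "skipto"]
    catch = [n for n, act, _, b in rules if is_catch_all(act, b)]
    for num, action, _, body in rules:
        # a rule after a catch-all is dead unless a skipto from before it jumps past it
        dead = [c for c in catch if c < num and not any(s < c < t for s, t in skips)]
        if dead:
            findings.append(f"{num}: unreachable, rule {dead[0]} already decides every packet")
        if action in TERMINAL and "established" in body:
            findings.append(f"{num}: 'established' only matches ACK/RST bits, it is not a state lookup")
    return findings
```

Running `lint(CURRENT_RULES)` flags rule 800 as dead behind rule 600; `lint(ALT_RULES)` flags rule 1000's stateless `established` match and rule 9999 as dead behind rule 1090.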