From owner-freebsd-questions@FreeBSD.ORG Mon May 30 20:53:14 2005
From: Karol Kwiatkowski <freebsd@orchid.homeunix.org>
To: freebsd-questions@freebsd.org
Date: Mon, 30 May 2005 22:53:14 +0200
Subject: issue with pf.conf (was: Re: Clients receive only first 4k (issue with pf.conf) -- ignore others)
Message-ID: <429B7D3A.7080205@orchid.homeunix.org>
In-Reply-To: <5843C5B4-AAA9-4A64-BEE2-9CB5E7476966@maxify.com>
References: <199B60BD-1D20-492E-A278-21BD0CCF3475@maxify.com> <5843C5B4-AAA9-4A64-BEE2-9CB5E7476966@maxify.com>

Scott Stevenson wrote:
>
> On May 30, 2005, at 9:23 AM,
> Scott Stevenson wrote:
>
>> The problem is that if I use the version without "keep state," the
>> machine can't send outbound mail, and I see messages like this in
>> maillog:
>>
>> May 30 09:14:33 vertigo qmail: 1117469673.126013 delivery 639634:
>> deferral
>> Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
>>
>> In fact, I tried to send this message to the list twice yesterday,
>> but realized that mail packets were being filtered out. I looked at
>> pflog0 while mail was being sent, but I wasn't able to find the
>> bounced packets. Here's the relevant smtp line:
>>
>> pass in quick on $ext_if proto { tcp, udp } from any to any port 25
>>
>> I'm much more familiar with the firewalls bundled with various Linux
>> distributions, so I'm really stumped. I've read through various
>> sections of the PF FAQ, but I haven't found an answer to this.
>
> Sorry to post *yet again* on this, but I think I finally figured out
> what was wrong. I want to post a follow-up for the archives. The
> solution to the "partial page" Apache problem was to balance the "keep
> state" directives.
>
> Originally, the httpd line looked like this:
>
> pass in quick on $ext_if proto { tcp, udp } from any to any port 80
>
> And the "out" line looked like this:
>
> pass out on $ext_if proto { tcp, udp } all keep state
>
> The solution was to change the httpd line to this:
>
> pass in quick on $ext_if proto { tcp, udp } from any to any port 80 keep state

That 'keep state' turns on stateful inspection. Here's quick info from the PF FAQ: <>[1] (emphasis mine)

That means you'll need to set up rules for originating packets only (the rest is handled automagically).

> Does it make sense that I'd need "keep state" for both in and out, or
> is this a PF bug?

It depends on what you need. Does this machine run Apache only? Do you want your Apache to make _outgoing_ connections?
If not, you'll most probably want to open incoming traffic only (keeping state):

pass in quick on $ext_if proto { tcp, udp } from any to any port 80 keep state

and do _not_ allow outgoing connections with "pass out ...". But if you want to browse websites from that machine, you'll need the "pass out ... port 80 keep state", too.

While we're here, do you really need UDP traffic to the Apache server? You may also want to look at TCP Flags in the FAQ[2].

Here's a simple config I use for serving http:

======
set block-policy return
scrub in all

block in log all
block out log all

pass in quick on lo0
pass out quick on lo0

pass in log quick on $ext_if inet proto tcp from any to $ext_if port 80 flags S/SA keep state
======

> Should I add it to these as well?
>
> pass in quick on $ext_if proto { tcp, udp } from any to any port 25
> pass in quick on $ext_if proto { tcp, udp } from any to any port 53

Yes, if you want them visible from the Internet.

Looking at the "pass out" rule it's not clear to me what the purpose of this machine is. To receive more help please specify the setup (is this machine directly connected to the Internet? what services are running? what do you want to pass inside/outside? pf.conf, etc.). And, of course, looking at PF's FAQ (http://www.openbsd.org/faq/pf/) might be a good idea.

Hope that helps.

Regards,

Karol

[1] http://www.openbsd.org/faq/pf/filter.html#state
[2] http://www.openbsd.org/faq/pf/filter.html#tcpflags

-- 
Karol Kwiatkowski
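As an added example, not from the thread and not part of PF, here is a small Python checker over a constructed pf.conf fragment that flags the three points Karol raises: pass in rules without keep state, stateful TCP rules without flags S/SA (so state can only be created on the initial SYN), and UDP opened to a TCP-only service such as port 80. The rule grammar it understands is a narrow subset of pf.conf, and the set of TCP-only ports is an assumption.

```python
import re

# Constructed pf.conf fragment (not the thread's file): the original stateless
# rules for 80/25/53 and "pass out ... all keep state", then Karol's stateful rule.
PF_CONF = """\
pass in quick on $ext_if proto { tcp, udp } from any to any port 80
pass in quick on $ext_if proto { tcp, udp } from any to any port 25
pass in quick on $ext_if proto { tcp, udp } from any to any port 53
pass out on $ext_if proto { tcp, udp } all keep state
pass in log quick on $ext_if inet proto tcp from any to $ext_if port 80 flags S/SA keep state
"""

TCP_ONLY_PORTS = {25, 80}  # assumption: tcp-only services; 53 needs udp too
RULE_RE = re.compile(r"^pass\s+(?P<dir>in|out)\b(?P<body>.*)$")
PROTO_RE = re.compile(r"\bproto\s+(\{[^}]*\}|\S+)")
PORT_RE = re.compile(r"\bport\s+(\d+)")
STATE_WORDS = ("keep state", "modulate state", "synproxy state")

def parse_rule(line):
    """Parse a 'pass in|out ...' rule into its parts; return None for other lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    pm, portm = PROTO_RE.search(body), PORT_RE.search(body)
    return {
        "dir": m.group("dir"),
        "protos": set(re.findall(r"[a-z]+", pm.group(1))) if pm else set(),
        "port": int(portm.group(1)) if portm else None,
        "stateful": any(w in body for w in STATE_WORDS),
        "syn_only": "flags S/SA" in body,
    }

def check_pf_conf(text):
    """Return (line_no, message) findings for the three points raised in the thread."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        r = parse_rule(raw)
        if r is None:
            continue
        if r["dir"] == "in" and not r["stateful"]:
            findings.append((no, "pass in without keep state: replies rely on a separate pass out rule"))
        elif r["dir"] == "in" and "tcp" in r["protos"] and not r["syn_only"]:
            findings.append((no, "stateful tcp rule without flags S/SA: state may start on a non-SYN packet"))
        if "udp" in r["protos"] and r["port"] in TCP_ONLY_PORTS:
            findings.append((no, f"udp opened to port {r['port']}, a tcp-only service"))
    return findings
```

Running check_pf_conf(PF_CONF) reports the three stateless pass in rules and the UDP openings on 80 and 25, and accepts the final flags S/SA keep state rule unchanged.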