Date:      Wed, 31 Jul 2002 17:59:55 -0400
From:      "Ilya" <mail@krel.org>
To:        <freebsd-ipfw@freebsd.org>
Subject:   ruleset q-n
Message-ID:  <015c01c238dd$a8bc8450$0100a8c0@ilya>


I have a problem with SMTP traffic: in my ipfw.log I see a lot of packets denied by rule 65534, either from foreign_ip port 25 or to my internet_ip port 25, even though all e-mails seem to go through.
Here is my ruleset:

00100     0 0 divert 8668 ip from any to any via $internet_if setup
00200     0 0 check-state
00300     0 0 allow ip from $LAN to any keep-state via $lan_if
00400     0 0 allow ip from $internet_ip to any keep-state via $internet_if
00500     0 0 allow tcp from any to $internet_ip 25 keep-state via $internet_if setup
00600     0 0 check-state
00700     0 0 allow udp from any 53 to $internet_ip 53 via $internet_if setup
00800     0 0 allow udp from any 1024-65535 to $internet_ip 53 via $internet_if setup
00900     0 0 allow udp from any 53 to $internet_ip 53 via $internet_if setup
01000     0 0 allow udp from any 1024-65535 to $internet_ip 53 via $internet_if setup
01100     0 0 allow udp from any 53 to $internet_ip 1024-65535 via $internet_if setup
01200     0 0 allow udp from any 53 to $internet_ip 1024-65535 via $internet_if setup
01300     0 0 allow icmp from any to any icmptype 3,4,11,12
01400     0 0 allow tcp from any to $internet_ip 443 via $internet_if setup
01500     0 0 allow ip from any to any via lo0
65534     0 0 deny log logamount 200 ip from any to any in recv $internet_if setup
65535     0 0 allow ip from any to any

I had the same problem with DNS and solved it by specifically allowing DNS traffic in all directions, but I don't think that's the right way.
Why would SMTP traffic hit the last deny rule at all?
For example, this is an entry from the log:
Jul 31 17:52:57 mybox ipfw: 65534 Deny TCP 216.136.204.119:20028 $internet_ip:25 in via ed0
But the e-mail did come through. It almost looks like the connection is closed, and then mx2.FreeBSD.org tries to connect to port 25 again.
Why wouldn't it be able to do so? Why didn't this packet hit rule 500, and instead hit 65534?

I even added check-state in two places, but that didn't help.

Thanks a lot in advance.
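As an added example (not part of the original post and not code from the ipfw project), here is a small POSIX shell/awk summarizer for ipfw "Deny" log lines in the format shown in the message above. It groups the denies by rule number, protocol, destination port, direction and interface, which is the quickest way to see whether the logged packets are really inbound connection attempts to port 25 (the only thing a rule with "in recv ... setup" can match) or something else. The sample log lines, the host name and the addresses (192.0.2.1 and 203.0.113.x) are constructed for the example.

```shell
#!/bin/sh
# Summarize ipfw "Deny" syslog lines by rule, protocol, destination port,
# direction and interface.  Works on any syslog prefix because it locates the
# "ipfw:" token instead of relying on fixed field positions.

summarize_ipfw_denies() {
    # Reads log lines on stdin; prints "count rule proto dstport dir iface",
    # most frequent first.
    awk '
    /ipfw: [0-9]+ Deny/ {
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        rule  = $(i+1)          # rule number that fired
        proto = $(i+3)          # TCP / UDP / ICMP:type.code
        dst   = $(i+5)          # dst address, "a.b.c.d:port" for TCP/UDP
        dir   = $(i+6)          # "in" or "out"
        iface = $(i+8)          # interface after "via"
        n = split(dst, parts, ":")
        port = (n > 1) ? parts[n] : "-"   # ICMP lines carry no port
        key = rule " " proto " " port " " dir " " iface
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample lines in the same layout as the one quoted in the post
# (hypothetical host "mybox", firewall address 192.0.2.1, peers 203.0.113.0/24).
SAMPLE_LOG='Jul 31 17:52:57 mybox ipfw: 65534 Deny TCP 203.0.113.10:20028 192.0.2.1:25 in via ed0
Jul 31 17:53:01 mybox ipfw: 65534 Deny TCP 203.0.113.10:20029 192.0.2.1:25 in via ed0
Jul 31 17:53:05 mybox ipfw: 65534 Deny UDP 203.0.113.53:53 192.0.2.1:1027 in via ed0
Jul 31 17:53:09 mybox ipfw: 65534 Deny TCP 192.0.2.1:1234 203.0.113.25:25 out via ed0
Jul 31 17:53:10 mybox ipfw: 500 Accept TCP 203.0.113.10:20030 192.0.2.1:25 in via ed0'

# Usage on a live system would be:  summarize_ipfw_denies < /var/log/security
printf '%s\n' "$SAMPLE_LOG" | summarize_ipfw_denies
```

The "Accept" line is ignored on purpose; only denies are counted. On the constructed input the first output line is "2 65534 TCP 25 in ed0", i.e. two inbound SYNs to port 25 caught by the catch-all, which is the pattern the poster describes.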

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?015c01c238dd$a8bc8450$0100a8c0>