Date: Wed, 4 Nov 2009 20:45:04 +0000
From: krad <kraduk@googlemail.com>
To: Alex Teslik <whereisalext@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw breaking smtp conversations
Message-ID: <d36406630911041245t72d06ab2j53b1289984a3516e@mail.gmail.com>
In-Reply-To: <d24a9c160911040832kced14bmd77b36c0b8988b4@mail.gmail.com>
References: <d24a9c160911040832kced14bmd77b36c0b8988b4@mail.gmail.com>
2009/11/4 Alex Teslik <whereisalext@gmail.com>
> Hi List,
>
> I'm having trouble with mail deliveries. I'm getting lots of error
> messages like:
>
> timeout writing message to mx3.comcast.net.: Broken pipe
> timeout writing message to mailserver2.telmex.net.co.: Resource temporarily unavailable
>
> After looking elsewhere I decided to try changing my ipfw.rules - the
> problems went away immediately. Unfortunately, the change caused http
> connections from outside to stall mid-conversation. So I changed it back.
> But I'm clearly doing something wrong.
>
> Here is what my network looks like (fairly basic):
>
>     Direct to Internet
>             ^
>             |
>     Dual-Homed Host (em0 external interface)
>     NAT, DHCP       (sk0 internal interface)
>             |
>             v
>     Internal LAN
>
> Here are my current rules:
>
> #!/bin/sh
> IPFW="ipfw -q add"
> ipfw -q -f flush
>
> # trust the internal interface and loopback completely
> $IPFW 10 allow all from any to any via sk0
> $IPFW 20 allow all from any to any via lo0
> # un-NAT inbound packets before they are matched against dynamic rules
> $IPFW 30 divert natd ip from any to any in via em0
> $IPFW 50 check-state
> # new outbound connections create a dynamic rule, then jump to the NAT divert
> $IPFW 60 skipto 500 all from any to any out via em0 setup keep-state
> # new inbound connections to this host, at most 50 per source address
> $IPFW 70 allow all from any to me in via em0 setup limit src-addr 50
> $IPFW 500 divert natd ip from any to any out via em0
> $IPFW 600 allow ip from any to any
> $IPFW 800 deny all from any to any
>
> Here are the rules that fixed smtp, but broke http:
>
> #!/bin/sh
> IPFW="/sbin/ipfw -q add"
> ipfw -q -f flush
>
> $IPFW 990 divert natd ip from any to any in via em0
> $IPFW 995 divert natd ip from any to any out via em0
> # stateless: any packet with ACK set is let through
> $IPFW 1000 allow tcp from any to any established
> $IPFW 1010 allow all from any to any via em0
> $IPFW 1020 allow all from any to any via sk0
> $IPFW 1030 allow all from any to any via lo0
> $IPFW 1050 allow tcp from any to any out
> $IPFW 1060 allow udp from any to any out
> $IPFW 1070 allow udp from any to any frag
> $IPFW 1090 allow ip from any to any
> $IPFW 9999 deny all from any to any
>
> Somewhere between these two sets is the right thing, but I'm not certain
> where to look.
>
> In English, here is what (I think) I'm trying to do:
>
> Allow all incoming traffic on all ports on em0
> Allow all outbound traffic on all ports on em0
> Divert incoming NAT'd packets on em0 to sk0
> Divert outbound NAT'd packets on sk0 to em0
>
> Thanks,
> Alex

I'm not sure what the problem is, but if you are on FreeBSD 5+, which I assume you will be as it's been out for years, I would highly recommend switching to pf. The rule sets are really easy and you can do a lot more, far more easily, than with ipfw. I always found getting the rule order a bit fidgety in ipfw; not the case with pf.
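A pf.conf for the dual-homed NAT host in Alex's diagram, added here as an example of the kind of pf rule set krad recommends; it is not from the original thread. It assumes em0 and sk0 as in the diagram, a constructed LAN range of 192.168.1.0/24, and narrows inbound on em0 to the two services the thread discusses (SMTP and HTTP) instead of "all ports".

```pf
# Added example, not from the thread. Interface names follow Alex's diagram;
# the LAN range is a constructed placeholder.
ext_if  = "em0"
int_if  = "sk0"
lan_net = "192.168.1.0/24"

# Treat loopback and the internal interface as fully trusted, which is what
# ipfw rules 10 and 20 ("allow all ... via sk0 / lo0") did.
set skip on { lo0 $int_if }

# Normalise fragments and odd TCP options before rules see them.
scrub in all

# Translate LAN traffic leaving em0 to em0's current address; this replaces
# both "divert natd" rules, and pf handles the in/out ordering itself.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny on the external interface; last matching rule wins in pf.
block in log on $ext_if all

# Anything leaving em0 (host-originated or NAT'd from the LAN) creates state,
# so replies are matched by the state table rather than by a rule order.
pass out on $ext_if keep state

# Inbound services on em0: SMTP and HTTP, the two the thread talks about.
# flags S/SA means state is only created from a proper SYN.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port { 25 80 } flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; a mid-conversation stall like the one described for http shows up in `pfctl -ss` as a missing or expired state entry rather than as a rule-order problem.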