From: krad
To: Alex Teslik
Cc: freebsd-questions@freebsd.org
Date: Wed, 4 Nov 2009 20:45:04 +0000
Subject: Re: ipfw breaking smtp conversations

2009/11/4 Alex Teslik:

> Hi List,
>
> I'm having trouble with mail deliveries. I'm getting lots of error
> messages like:
>
> timeout writing message to mx3.comcast.net.: Broken pipe
> timeout writing message to mailserver2.telmex.net.co.: Resource temporarily unavailable
>
> After looking elsewhere I decided to try changing my ipfw.rules - the
> problems went away immediately. Unfortunately, the change caused http
> connections from outside to stall mid-conversation. So I changed it back.
> But I'm clearly doing something wrong.
>
> Here is what my network looks like (fairly basic):
>
> Direct to Internet
>         ^
>         |
> Dual-Homed Host (em0 external interface)
> NAT,DHCP (sk0 internal interface)
>         |
>         v
> Internal LAN
>
> Here are my current rules:
>
> #!/bin/sh
> IPFW="ipfw -q add"
> ipfw -q -f flush
>
> $IPFW 10 allow all from any to any via sk0
> $IPFW 20 allow all from any to any via lo0
> $IPFW 30 divert natd ip from any to any in via em0
> $IPFW 50 check-state
> $IPFW 60 skipto 500 all from any to any out via em0 setup keep-state
> $IPFW 70 allow all from any to me in via em0 setup limit src-addr 50
> $IPFW 500 divert natd ip from any to any out via em0
> $IPFW 600 allow ip from any to any
> $IPFW 800 deny all from any to any
>
> Here are the rules that fixed smtp, but broke http:
>
> #!/bin/sh
> IPFW="/sbin/ipfw -q add"
> ipfw -q -f flush
>
> $IPFW 990 divert natd ip from any to any in via em0
> $IPFW 995 divert natd ip from any to any out via em0
> $IPFW 1000 allow tcp from any to any established
> $IPFW 1010 allow all from any to any via em0
> $IPFW 1020 allow all from any to any via sk0
> $IPFW 1030 allow all from any to any via lo0
> $IPFW 1050 allow tcp from any to any out
> $IPFW 1060 allow udp from any to any out
> $IPFW 1070 allow udp from any to any frag
> $IPFW 1090 allow ip from any to any
> $IPFW 9999 deny all from any to any
>
> Somewhere between these two sets is the right thing, but I'm not certain
> where to look. In English, here is what (I think) I'm trying to do:
>
> Allow all incoming traffic on all ports on em0
> Allow all outbound traffic on all ports on em0
> Divert incoming NAT'd packets on em0 to sk0
> Divert outbound NAT'd packets on sk0 to em0
>
> Thanks,
> Alex

I'm not sure what the problem is, but if you are on FreeBSD 5+, which I assume you will be as it's been out for years, I would highly recommend switching to pf. The rule sets are really easy and you can do a lot more far more easily than with ipfw. I always found getting the rule order a bit fidgety in ipfw; not the case with pf.
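A pf.conf that expresses the four requirements Alex listed, added here as an example and not configuration from either poster. It assumes em0 and sk0 as in the diagram, a placeholder LAN prefix, and narrows the inbound rule from "all ports" to the two services the thread mentions (SMTP and HTTP).

```pf
# Assumed /etc/pf.conf for the dual-homed host described above (added
# example, not the poster's ruleset). em0 = Internet, sk0 = LAN.
ext_if  = "em0"
int_if  = "sk0"
lan_net = "192.168.1.0/24"   # placeholder: the actual internal LAN prefix

set skip on lo0              # loopback is never filtered
scrub in all                 # reassemble fragments before NAT and filtering

# NAT: LAN traffic leaving em0 is rewritten to em0's current address
# (ordering relative to filter rules is handled by pf, not by rule numbers).
nat on $ext_if from $lan_net to any -> ($ext_if)

block in log all             # default deny inbound; rules below are the exceptions

# LAN side: accept what the LAN sends (including DHCP) and track state.
pass in quick on $int_if from $lan_net keep state

# Outbound on em0: the gateway's own mail deliveries and the NATed LAN
# traffic. pf's default tcp.established timeout is 24 hours of inactivity,
# so a long SMTP session is not dropped by state expiry.
pass out quick on $ext_if keep state

# Inbound services on em0, narrowed to the two the thread mentions, with a
# per-source state cap comparable to ipfw's "limit src-addr 50".
pass in on $ext_if proto tcp from any to ($ext_if) port { smtp, http } \
    flags S/SA keep state (max-src-states 50)
```

Check the file parses before enabling it with `pfctl -nf /etc/pf.conf`, and inspect live state with `pfctl -ss` when a connection stalls.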