Date:      Mon, 27 Feb 2012 14:52:35 -0500
From:      "Bender, Chris" <chris_bender@cellularatsea.com>
To:        "Jon Radel" <jon@radel.com>
Cc:        freebsd-questions@freebsd.org
Subject:   RE: Email issues, relay failure
Message-ID:  <assp.040451e526.863259E16B6C464DAD1E9DD10BB31154059CFE33@wmsexg01.corp.cellularatsea.com>
In-Reply-To: <4F4BB8B8.509@radel.com>
References:  <863259E16B6C464DAD1E9DD10BB31154059CFBAE@wmsexg01.corp.cellularatsea.com> <4F48BAF6.9070204@ifdnrg.com>     <863259E16B6C464DAD1E9DD10BB31154059CFBE7@wmsexg01.corp.cellularatsea.com> <4F48EC21.7040805@ifdnrg.com>     <863259E16B6C464DAD1E9DD10BB31154059CFBEE@wmsexg01.corp.cellularatsea.com> <4F48F45F.4080304@ifdnrg.com>     <863259E16B6C464DAD1E9DD10BB31154059CFBF4@wmsexg01.corp.cellularatsea.com> <4F492262.5090505@radel.com>    <7409DAB4-F76A-493B-9A50-A663E6F6802E@cellularatsea.com>    <4F4BB19A.8040005@radel.com>   <863259E16B6C464DAD1E9DD10BB31154059CFDA4@wmsexg01.corp.cellularatsea.com> <4F4BB61A.1060600@radel.com>  <863259E16B6C464DAD1E9DD10BB31154059CFDB1@wmsexg01.corp.cellularatsea.com> <4F4BB8B8.509@radel.com>

Hi Joe

So from the rules below, I can see my network to and from in tables <tbl.r38.s> to <tbl.r37.s>.
However, when pfctl is enabled that traffic fails with:

# tcpdump -ni bge0 host 10.156.81.10 and port 25
tcpdump: listening on bge0, link-type EN10MB
14:26:50.220591 10.156.81.10.60809 > 172.19.4.41.25: S
3154136673:3154136673(0) win 64240 <mss
1260,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop>
(DF) [tos 0xb8]
14:26:50.244314 10.156.81.10.60809 > 172.19.4.41.25: R
3154136674:3154136735(61) ack 1245040067 win 0 (DF) [tos 0xb8]
14:27:11.233494 10.156.81.10.60809 > 172.19.4.41.25: S
3154136673:3154136673(0) win 64240 <mss
1260,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop>
(DF) [tos 0xb8]
14:27:11.245057 10.156.81.10.60809 > 172.19.4.41.25: R 0:61(61) ack 1
win 0 (DF) [tos 0xb8]

So from the traffic above on the inbound interface I can see this failed.
OUCH. But I don't know what rule is killing it.

Here are the tables:
table <tbl.r37.s> { 10.200.82.16, 10.200.104.15, 172.19.4.41, 198.211.94.23 }
table <tbl.r38.s> { 10.13.0.0/21, 10.13.224.0/21, 10.13.226.0/23, 10.150.0.0/16, 10.156.0.0/16, 10.158.0.0/16, 10.166.0.0/16, 10.196.0.0/16, 10.198.0.0/16, 10.200.104.0/24, 172.16.0.0/16, 172.19.4.0/24, 172.19.11.0/24, 172.19.20.0/24, 172.19.50.0/24, 172.19.51.0/24, 172.19.52.0/24, 172.19.53.0/24, 172.19.100.0/29, 172.19.231.0/24, 172.19.232.0/24, 172.31.0.0/16 }

The rest of pf.conf, since you asked, from which I have removed confidential info.

The key is what is blocking SMTP. I am not sure yet.

Thanks

#
# Prolog script
#
set loginterface bge0
set state-defaults pflow

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat-anchor "relayd/*"
rdr-anchor "relayd/*"

anchor "relayd/*"
anchor "ftp-proxy/*"

#
# End of prolog script
#

set skip on bridge10
set skip on tun579
set skip on tun138
set skip on tun148
set skip on tun10
set skip on bridge138
set skip on bridge148

#
# Scrub rules
#
match in all scrub (no-df)
match out all scrub (random-id max-mss 1460)


# Tables: (26)
table <BlackList> persist file "/home/admin/BlackList.txt"
table <BlackList-Internet> persist file "/home/admin/BlackList-internet.txt"


# Rule  0 (global)
# BlackList Rule
block in   log  quick inet  from <BlackList>  to any no state  label "RULE 0 -- DROP "
block out  log  quick inet  from <BlackList>  to any no state  label "RULE 0 -- DROP "
#
# Rule  1 (global)
# BlackList Rule
block in   log  quick inet  from any  to <BlackList> no state  label "RULE 1 -- DROP "
block out  log  quick inet  from any  to <BlackList> no state  label "RULE 1 -- DROP "
#
# Rule  2 (global)
# BlackList Servers going to Internet
block in   log  quick inet  from <BlackList-Internet>  to 127.0.0.1 no state  label "RULE 2 -- DROP "
block out  log  quick inet  from <BlackList-Internet>  to 127.0.0.1 no state  label "RULE 2 -- DROP "
#
# Rule  3 (bge1)
# BlackList Servers going to Internet
block out  log  quick on bge1 inet  from <BlackList-Internet>  to any no state  label "RULE 3 -- DROP "
#
# Rule  4 (bge1)
# BlackList Internet Ports
block out  log  quick on bge1 inet proto tcp  from any  to any port { 25, 465 } no state  label "RULE 4 -- DROP "
#
# Rule  5 (global)
BLOCKED FOR CONFIDENTIALITY
# Rule  6 (bge1,bge0)
# FTP Proxy Loopback Rule
pass in   log  quick on { bge0 bge1 } inet proto tcp  from any  to 127.0.0.1 port 8021 flags any modulate state ( pflow ) label "RULE 6 -- ACCEPT "
#
# Rule  7 (bge0,vlan579)
pass in   log  quick on { bge0 vlan579 } inet proto tcp  from <tbl.r2>  to 127.0.0.1 port 2021 flags any modulate state ( pflow ) label "RULE 7 -- ACCEPT "
#
# Rule  8 (bge0,vlan579)
pass in   log  quick on { bge0 vlan579 } inet proto tcp  from <tbl.r2>  to 127.0.0.1 port 3128 flags any modulate state ( pflow ) label "RULE 8 -- ACCEPT "
#
# Rule  9 (global)
pass in   log  quick inet  from any  to any tagged FTPPROXY  keep state ( pflow ) label "RULE 9 -- ACCEPT "
pass out  log  quick inet  from any  to any tagged FTPPROXY  keep state ( pflow ) label "RULE 9 -- ACCEPT "
#
# Rule  10 (bge1)
# Allow ESP, AH, IKE and NAT-T for IPSEC
#
# Rule  11 (bge1)
# BLOCKED FOR CONFIDENTIALITY
#
# Rule  12 (bge1)
# PPTP Traffic
BLOCKED FOR CONFIDENTIALITY
#
# Rule  13 (bge1)
# PPTP Traffic
# BLOCKED FOR CONFIDENTIALITY
#
# Rule  14 (bge1)
# PPTP Traffic
pass out  log  quick on bge1 inet proto 47  from 172.19.231.128/27  to any  label "RULE 14 -- ACCEPT "
#
# Rule  15 (global)
Blocked for confidentiality
#
# Rule  16 (bge0)
pass in   log  quick on bge0 inet proto tcp  from <tbl.r16.s>  to 172.19.231.149 port 1723 flags any modulate state  label "RULE 16 -- ACCEPT "
pass in   log  quick on bge0 inet proto 47  from <tbl.r16.s>  to 172.19.231.149  label "RULE 16 -- ACCEPT "
#
# Rule  17 (global)
pass in   log  quick inet  from <tbl.r17.s>  to 10.10.11.0/24  label "RULE 17 -- ACCEPT "
pass out  log  quick inet  from <tbl.r17.s>  to 10.10.11.0/24  label "RULE 17 -- ACCEPT "
#
# Rule  18 (global)
pass in   log  quick inet proto udp  from 172.19.231.128/27  to 212.9.21.214 port { 500, 4500 }  label "RULE 18 -- ACCEPT "
pass in   log  quick inet proto 50  from 172.19.231.128/27  to 212.9.21.214  label "RULE 18 -- ACCEPT "
pass in   log  quick inet proto 51  from 172.19.231.128/27  to 212.9.21.214  label "RULE 18 -- ACCEPT "
pass out  log  quick inet proto udp  from 172.19.231.128/27  to 212.9.21.214 port { 500, 4500 }  label "RULE 18 -- ACCEPT "
pass out  log  quick inet proto 50  from 172.19.231.128/27  to 212.9.21.214  label "RULE 18 -- ACCEPT "
pass out  log  quick inet proto 51  from 172.19.231.128/27  to 212.9.21.214  label "RULE 18 -- ACCEPT "
#
# Rule  19 (global)
pass in   log  quick inet proto udp  from 172.19.64.0/24  to 10.13.6.125 port 123 keep state ( pflow ) label "RULE 19 -- ACCEPT "
pass out  log  quick inet proto udp  from 172.19.64.0/24  to 10.13.6.125 port 123 keep state ( pflow ) label "RULE 19 -- ACCEPT "
#
# Rule  20 (global)
pass in   log  quick inet proto udp  from 172.19.64.0/24  to 172.31.1.6 port 162 keep state ( pflow ) label "RULE 20 -- ACCEPT "
pass in   log  quick inet proto 115  from 172.19.64.0/24  to 172.31.1.6 keep state ( pflow ) label "RULE 20 -- ACCEPT "
pass out  log  quick inet proto udp  from 172.19.64.0/24  to 172.31.1.6 port 162 keep state ( pflow ) label "RULE 20 -- ACCEPT "
pass out  log  quick inet proto 115  from 172.19.64.0/24  to 172.31.1.6 keep state ( pflow ) label "RULE 20 -- ACCEPT "
#
#
#   state ( pflow ) label "RULE 35 -- ACCEPT "
#
# Rule  36 (global)
# Allow ME to Any
pass out  log  quick inet  from <tbl.r0.d>  to any keep state ( pflow ) label "RULE 36 -- ACCEPT "
#
# Rule  37 (global)
# SMTP Servers Access to SMTP
pass in   log  quick inet proto tcp  from <tbl.r37.s>  to any port 25 flags any modulate state ( pflow ) label "RULE 37 -- ACCEPT "
pass out  log  quick inet proto tcp  from <tbl.r37.s>  to any port 25 flags any modulate state ( pflow ) label "RULE 37 -- ACCEPT "
#
# Rule  38 (global)
# Access to SMTP Servers
pass in   log  quick inet proto tcp  from <tbl.r38.s>  to <tbl.r37.s> port 25 flags any modulate state ( pflow ) label "RULE 38 -- ACCEPT "
pass out  log  quick inet proto tcp  from <tbl.r38.s>  to <tbl.r37.s> port 25 flags any modulate state ( pflow ) label "RULE 38 -- ACCEPT "
#
# Rule  39 (global)
# Restrict SMTP To Internal Networks
block in   log  quick inet proto tcp  from any  to <tbl.r25.s> port 25 no state  label "RULE 39 -- DROP "
block out  log  quick inet proto tcp  from any  to <tbl.r25.s> port 25 no state  label "RULE 39 -- DROP "
#
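To see which of the posted rules a given packet hits, here is an added walkthrough (my code, not from the thread) that replays pf's evaluation order, last match wins unless a matching rule is `quick`, over the SMTP-related rules and tables quoted above, for the flow shown in the tcpdump. It ignores state, TCP flags, scrub, anchors and the redacted rules; the contents of <tbl.r25.s> are not in the post, so the single entry used for it here is an assumption.

```python
import ipaddress

# Tables transcribed from the post. <tbl.r25.s> is not shown there, so its
# one entry below is an ASSUMPTION, made only so Rule 39 has something to match.
TABLES = {
    "tbl.r37.s": ["10.200.82.16", "10.200.104.15", "172.19.4.41", "198.211.94.23"],
    "tbl.r38.s": ["10.13.0.0/21", "10.13.224.0/21", "10.150.0.0/16", "10.156.0.0/16",
                  "172.19.4.0/24", "172.31.0.0/16"],
    "tbl.r25.s": ["172.19.4.0/24"],  # assumed, not from the post
}

def addr_match(spec, ip):
    """spec is 'any', a '<table>' reference, or a literal address/CIDR."""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    nets = TABLES[spec[1:-1]] if spec.startswith("<") else [spec]
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

# (label, action, direction, interfaces or None when global, proto, src, dst, dports, quick)
# Only the SMTP-relevant rules from the post, in the order they appear there.
RULES = [
    ("RULE 4 -- DROP",    "block", "out", {"bge1"}, "tcp", "any",         "any",         {25, 465}, True),
    ("RULE 37 -- ACCEPT", "pass",  "in",  None,     "tcp", "<tbl.r37.s>", "any",         {25},      True),
    ("RULE 37 -- ACCEPT", "pass",  "out", None,     "tcp", "<tbl.r37.s>", "any",         {25},      True),
    ("RULE 38 -- ACCEPT", "pass",  "in",  None,     "tcp", "<tbl.r38.s>", "<tbl.r37.s>", {25},      True),
    ("RULE 38 -- ACCEPT", "pass",  "out", None,     "tcp", "<tbl.r38.s>", "<tbl.r37.s>", {25},      True),
    ("RULE 39 -- DROP",   "block", "in",  None,     "tcp", "any",         "<tbl.r25.s>", {25},      True),
    ("RULE 39 -- DROP",   "block", "out", None,     "tcp", "any",         "<tbl.r25.s>", {25},      True),
]

def evaluate(direction, iface, proto, src, dst, dport):
    """Walk RULES the way pf does: the last matching rule wins, except that a
    matching 'quick' rule ends evaluation immediately."""
    winner = ("default", "pass")  # pf passes traffic that matches no rule at all
    for label, action, rdir, ifaces, rproto, rsrc, rdst, ports, quick in RULES:
        if (rdir != direction or rproto != proto or dport not in ports
                or (ifaces is not None and iface not in ifaces)):
            continue
        if addr_match(rsrc, src) and addr_match(rdst, dst):
            winner = (label, action)
            if quick:
                break
    return winner

if __name__ == "__main__":
    # Inbound leg of the flow from the tcpdump in the post: in on bge0, to SMTP.
    print(evaluate("in", "bge0", "tcp", "10.156.81.10", "172.19.4.41", 25))
    # Same connection if its outbound leg had to leave through bge1.
    print(evaluate("out", "bge1", "tcp", "10.156.81.10", "172.19.4.41", 25))
```

On the firewall itself, `tcpdump -n -e -ttt -i pflog0` prints the matching rule number for every logged packet, which is the authoritative answer since every rule here carries `log`. Note that in the posted order Rule 4 precedes Rule 38 and blocks outbound SMTP on bge1 to any destination, including the internal servers.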
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?assp.040451e526.863259E16B6C464DAD1E9DD10BB31154059CFE33>