From: Matthias Apitz
To: Victor Lyapunov
Cc: FreeBSD Mailing List
Date: Sat, 21 Nov 2009 16:27:20 +0100
Subject: Re: sending mail with attachments always fail (FreeBSD/pf)
Message-ID: <20091121152720.GA3878@current.Sisis.de>

On Saturday, November 21, 2009 at 08:59:12PM +0600, Victor Lyapunov wrote:

> Hi all,
>
> I have a production network with a FreeBSD box acting as a firewall. The
> problem emerges as soon as users send mail with attachments. (Sending
> mail without attachments always succeeds). Basically, when a user
> tries to send a message, only part of it is transmitted before the connection
> is interrupted and sending fails. The problem persists only when pf is
> enabled.

I think concerning TCP/IP there is no diff between a mail with or w/o
attachment, it is just talking SMTP to a remote server and only the
size, i.e., the number of IP pkgs, differs; the content is anyway;

> My ruleset:
> scrub in all fragment reassemble
> block drop on em0 all
> pass inet proto tcp from 192.168.0.0/24 to any port = smtp flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = pop3 flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = imap flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = smtps flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = pop3s flags S/SA keep state
> pass proto udp from any to any port = domain keep state

I never used S/SA as flags in my rules, only S. More I can't see.

HIH (if not, watch with some tcpdump(1) what's going on between the NIC
and the remote server).

	matthias

-- 
Matthias Apitz
http://www.unixarea.de/