Date:      Sat, 21 Nov 2009 16:27:20 +0100
From:      Matthias Apitz <guru@unixarea.de>
To:        Victor Lyapunov <fullblaststorm@gmail.com>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: sending mail with attachments always fail (FreeBSD/pf)
Message-ID:  <20091121152720.GA3878@current.Sisis.de>
In-Reply-To: <6c51dbb10911210659t2e7b87dcg66d71544312d4172@mail.gmail.com>
References:  <6c51dbb10911210659t2e7b87dcg66d71544312d4172@mail.gmail.com>

On Saturday, November 21, 2009 at 08:59:12PM +0600, Victor Lyapunov wrote:

> Hi all,
> 
> I have production network with FreeBSD box acting as firewall. The
> problem emerge as soon as users send mail with attachments. (Sending
> mail without attachments always succeeds). Basically, when a user
> tries to send a message, only part of it transmitted before connection
> is interrupted and sending fails. The problem persists only when pf is
> enabled.

I think that, as far as TCP/IP is concerned, there is no difference between a
mail with or without an attachment; it is just talking SMTP to a remote server,
and only the size, i.e. the number of IP packets, differs; the content is
irrelevant anyway.

> My ruleset:
> scrub in all fragment reassemble
> block drop on em0 all
> pass inet proto tcp from 192.168.0.0/24 to any port = smtp flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = pop3 flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = imap flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = smtps flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = pop3s flags S/SA keep state
> pass proto udp from any to any port = domain keep state

I have never used S/SA as flags in my rules, only S. More than that I can't see.
HTH (if not, watch with tcpdump(1) what's going on between the NIC and the
remote server).

	matthias

-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e <guru@unixarea.de> - w http://www.unixarea.de/
Vote NO to EU The Lisbon Treaty: http://www.no-means-no.eu
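Matthias suggests watching the session with tcpdump(1). The script below is an added example for this thread, not code from the original post or from FreeBSD: it summarizes a `tcpdump -n` text capture of one SMTP session per direction (how many fresh payload bytes got through, how many segments were retransmitted, and whether the session ended with a FIN, an RST, or not at all). It assumes tcpdump's default TCP line format with numeric hosts and ports. The capture embedded in it is constructed for the example (RFC 5737 address 203.0.113.25 standing in for the remote MTA, client 192.168.0.10, a 1460-byte MSS); a real one would come from something like `tcpdump -ni em0 'tcp port 25 and host 192.168.0.10'` on the firewall.

```python
"""Summarize a tcpdump -n text capture of one TCP session (e.g. an SMTP
submission) to see how far each side got and how the session ended.
Added example for this thread; not code from the original post.
Assumes tcpdump's default TCP line format with -n (numeric hosts/ports)."""
import re
from dataclasses import dataclass

# One tcpdump TCP line, e.g.
# 16:27:20.041000 IP 192.168.0.10.51234 > 203.0.113.25.25: Flags [P.], seq 1:21, ack 61, win 1040, length 20
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq0>\d+)(?::(?P<seq1>\d+))?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r".*?, length (?P<len>\d+)$"
)

# Constructed sample capture (not a real trace): handshake, banner/EHLO exchange,
# then the client's large DATA segments are never acked, get retransmitted twice,
# and the client finally resets the connection.
SAMPLE = """\
16:27:20.000100 IP 192.168.0.10.51234 > 203.0.113.25.25: Flags [S], seq 1000, win 65535, options [mss 1460], length 0
16:27:20.020200 IP 203.0.113.25.25 > 192.168.0.10.51234: Flags [S.], seq 5000, ack 1001, win 65535, options [mss 1460], length 0
16:27:20.020300 IP 192.168.0.10.51234 > 203.0.113.25.25: Flags [.], ack 1, win 1040, length 0
16:27:20.040000 IP 203.0.113.25.25 > 192.168.0.10.51234: Flags [P.], seq 1:61, ack 1, win 1040, length 60
16:27:20.041000 IP 192.168.0.10.51234 > 203.0.113.25.25: Flags [P.], seq 1:21, ack 61, win 1040, length 20
16:27:20.060000 IP 203.0.113.25.25 > 192.168.0.10.51234: Flags [P.], seq 61:141, ack 21, win 1040, length 80
16:27:20.061000 IP 192.168.0.10.51234 > 203.0.113.25.25: Flags [.], seq 21:1481, ack 141, win 1040, length 1460
16:27:20.061100 IP 192.168.0.10.51234 > 203.0.113.25.25: Flags [.], seq 1481:2941, ack 141, win 1040, length 1460
16:27:20.080000 IP 203.0.113.25.25 > 192.168.0.10.51234: Flags [.], ack 21, win 1040, length 0
16:27:20.300000 IP 192.168.0.10.51234 > 203.0.113.25.25: Flags [.], seq 21:1481, ack 141, win 1040, length 1460
16:27:20.900000 IP 192.168.0.10.51234 > 203.0.113.25.25: Flags [.], seq 21:1481, ack 141, win 1040, length 1460
16:27:22.100000 IP 192.168.0.10.51234 > 203.0.113.25.25: Flags [R.], seq 2941, ack 141, win 0, length 0
"""


@dataclass
class Direction:
    """Counters for one half (src -> dst) of a TCP session."""
    bytes_sent: int = 0        # new (non-retransmitted) payload bytes
    segments: int = 0          # all segments seen, including pure ACKs
    retransmits: int = 0       # payload segments starting below data already seen
    highest_end: int = 0       # highest sequence number (exclusive) carried so far
    ended_with: str = "open"   # "open", "FIN" or "RST"
    last_ts: str = ""          # timestamp of the last segment in this direction


def parse_line(line):
    """Parse one tcpdump TCP line into a dict; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "ts": g["ts"],
        "src": g["src"], "sport": int(g["sport"]),
        "dst": g["dst"], "dport": int(g["dport"]),
        "flags": g["flags"],
        "seq0": int(g["seq0"]) if g["seq0"] is not None else None,
        "len": int(g["len"]),
    }


def summarize(lines):
    """Return {"src:sport->dst:dport": Direction} for every direction seen.

    A payload segment whose start lies below the highest end already seen in
    the same direction is counted as a retransmission. The SYN carries the
    absolute ISN but has length 0, so it never enters the sequence bookkeeping.
    """
    dirs = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = f"{rec['src']}:{rec['sport']}->{rec['dst']}:{rec['dport']}"
        d = dirs.setdefault(key, Direction())
        d.segments += 1
        d.last_ts = rec["ts"]
        if rec["len"] > 0 and rec["seq0"] is not None:
            if rec["seq0"] < d.highest_end:
                d.retransmits += 1
            else:
                d.bytes_sent += rec["len"]
            d.highest_end = max(d.highest_end, rec["seq0"] + rec["len"])
        if "R" in rec["flags"]:
            d.ended_with = "RST"
        elif "F" in rec["flags"] and d.ended_with == "open":
            d.ended_with = "FIN"
    return dirs


def report(dirs):
    """Render the summary as one text line per direction."""
    return [
        f"{key}: {d.bytes_sent} new payload bytes in {d.segments} segments, "
        f"{d.retransmits} retransmitted, ended {d.ended_with} at {d.last_ts}"
        for key, d in dirs.items()
    ]


if __name__ == "__main__":
    for line in report(summarize(SAMPLE.splitlines())):
        print(line)
```

Running it on captures taken on the inside and the outside interface of the firewall at the same time lets you compare the two summaries: if the sender's large segments and their retransmissions show up on one side of the box but not the other, the box is where they are being lost, which narrows down what to look at next (the pf rules, pfctl's state table, or the interface itself).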



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20091121152720.GA3878>