Date:      Mon, 23 Nov 2009 16:17:18 -0600
From:      "David DeSimone" <fox@verio.net>
To:        <freebsd-pf@freebsd.org>
Subject:   Re: sending mail with attachments always fails (FreeBSD/pf)
Message-ID:  <20091123221718.GR2392@verio.net>
In-Reply-To: <6c51dbb10911220036x55bc9753m421f4641d5f9e871@mail.gmail.com>
References:  <6c51dbb10911210706g3490e463x7fdf3809243e30d2@mail.gmail.com> <4B082302.3040704@gmx.de> <6c51dbb10911211007x4ea07528y7642460629788903@mail.gmail.com> <1de79840911211023n165ecbd0h1051aaada4acefb@mail.gmail.com> <20091122022346.GK2392@verio.net> <6c51dbb10911220036x55bc9753m421f4641d5f9e871@mail.gmail.com>

Victor Lyapunov <fullblaststorm@gmail.com> wrote:
>
> After that I tried to send mail to a server that does not require SSL
> and I got this:
> 
> rule 1/0(match): pass in on em0: 192.168.0.5.2035 > 94.100.177.1.25: S
> 237079791:237079791(0) win 65535 <mss 1460,nop,nop,sackOK>
> rule 1/0(match): pass out on em0: 192.168.0.5.2035 > 94.100.177.1.25:
> S 237079791:237079791(0) win 65535 <mss 1460,nop,nop,sackOK>
> 2 packets captured
> 2 packets received by filter
> 0 packets dropped by kernel

This doesn't appear to be the same problem you originally submitted,
about SMTP connections with no attachments working fine, but with
attachments they fail.  Seems like you are now describing that SMTP
doesn't work at all.

> 192.168.0.1 -- Router
> 192.168.0.3 -- The FreeBSD box
> 192.168.0.5 -- Windows machine with default gateway set to 192.168.0.3

This is probably the source of your problems.  Your router and your
firewall and your firewalled client are all on the same subnet together. 
There is nothing preventing the router from sending packets directly
back to the Windows box, bypassing your firewall.

As such, the firewall cannot see any of the reply traffic, and so it
cannot follow the TCP state correctly, so eventually it begins to block
the traffic.  If you turn on logging with "pfctl -x loud" you will
probably see a lot of messages about TCP state mismatches.

The proper way to fix this is to rearchitect your network so that your
firewall has two interfaces, one public, one private.  The public
interface connects only to your router, while the private interface
connects to all your firewall clients.  This forces the firewall to be
the only path to and from the network, giving enhanced security.

-- 
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow
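The two-interface layout recommended above, written out as an added example pf.conf that is not part of the original thread. Interface names (em0 toward the router, em1 toward the clients) and the new private subnet 192.168.1.0/24 are assumptions; the original box had only em0 on the shared 192.168.0.0/24 segment.

```pf
# Added example, not from the original message: a minimal two-interface
# pf.conf for the layout David describes. em0 faces the router, em1 faces
# the LAN; both names and the 192.168.1.0/24 subnet are assumed.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

set skip on lo0
scrub in all

# Clients behind $int_if leave through the firewall's own address. Because
# the firewall is now the only path between the LAN and the router, every
# reply must come back in on $ext_if, so pf sees both directions of each
# TCP connection and its state table stays in sync.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny, logged, so anything unexpected shows up in pflog.
block in log all

# LAN clients may open connections outbound; the state entry created here
# is what lets the matching reply packets back through on $ext_if.
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if from ($ext_if) to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and once the rules are active, `pfctl -s state` should show a single consistent entry per SMTP session instead of the one-sided states the shared-subnet setup produced.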





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20091123221718.GR2392>