Date:      Sun, 11 Sep 2011 21:03:04 -0700 (PDT)
From:      Ping Mai <pingmai@yahoo.com>
To:        "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: pf slow connect on smtp
Message-ID:  <1315800184.36016.YahooMailNeo@web121718.mail.ne1.yahoo.com>
In-Reply-To: <1315794923.94330.YahooMailNeo@web121718.mail.ne1.yahoo.com>
References:  <1315780040.76570.YahooMailNeo@web121719.mail.ne1.yahoo.com> <1315794923.94330.YahooMailNeo@web121718.mail.ne1.yahoo.com>

the problem was SYN was coming in at one ext IF and ACK going out another. thanks to my friend tcpdump.

this is not as restrictive as I would like but at least access to internal services is working on both ext IF.

now I want to configure load balancing on outbound traffic. help anyone?


#----------- pf.conf ----------------

set require-order yes
scrub in all
nat on $dsl_if from <internal> -> $dsl_if
nat on $com_if from <internal> -> $com_if
rdr on $dsl_if proto tcp from any to $dsl_if port $tcp_services -> $iserver
rdr pass on $com_if proto tcp from any to $com_if port $tcp_services -> $iserver
block out log all
block in log all
pass quick on lo0
antispoof quick for { lo0 $dsl_if $com_if $dmz_if $int_if}
pass out log on $dsl_if keep state
pass out log on $com_if keep state
pass log on $int_if keep state
pass log on $dmz_if from any to ! $int_if:network keep state
pass in log on $dsl_if proto tcp to $dsl_if port { smtp, smtps }
pass in log on $com_if proto tcp to $com_if port { smtp, smtps }
pass in on $dsl_if proto { tcp, udp } to $dsl_if port {domain}
pass in on $com_if proto { tcp, udp } to $com_if port {domain}
pass in on $com_if proto { tcp, udp } to port {bootpc}
pass in inet proto icmp all icmp-type $icmp_types
pass out log on $dsl_if route-to ($com_if $com_gw) from $com_if
pass out log on $com_if route-to ($dsl_if $dsl_gw) from $dsl_if keep state
pass in quick on $dsl_if reply-to ($dsl_if $dsl_gw ) flags S/SA keep state



________________________________
From: Ping Mai <pingmai@yahoo.com>
To: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Sent: Sunday, September 11, 2011 7:35 PM
Subject: pf slow connect on smtp


added this line at the end and incoming smtp is working on both external interfaces:

pass in quick on $dsl_if reply-to ($dsl_if $dsl_gw ) flags S/SA keep state


________________________________
From: Ping Mai <pingmai@yahoo.com>
To: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Sent: Sunday, September 11, 2011 3:27 PM
Subject: slow


Hi,

I'm new to pf. hoping for some help with pf.conf.

FreeBSD 5.5 router. 2 external interfaces, $com_if and $dsl_if. The default route is set to $com_if.

incoming smtp to $com_if seems to work fine.


incoming smtp to $dsl_if is the problem. connect to tcp/25 is fast. but after I issue an 'ehlo ...' there's a delay of ~1 minute before the reply comes back. from that point on the exchange works just fine.
The problem is most MTAs don't wait that long. they simply drop the connection.

tcpdump of pflog0 sees the incoming tcp/25, outgoing from tcp/25 gets routed to $dsl_if (dc3). after that, looks like it does an 'ident' and a DNS lookup. then it just sits there for minutes.

what's wrong with my pf.conf?

#----------------- tcpdump ------------------

000000 rule 16/0(match): pass in on dc3: IP 100.100.100.153.63225 > 12.34.56.40.25: S 743439640:743439640(0) win 65535 <mss 1460,nop,wscale 3,[|tcp]>
000083 rule 28/0(match): pass out on dc0: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
000023 rule 12/0(match): pass out on dc3: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
080881 rule 28/0(match): pass out on dc0: IP 12.34.56.40.64647 > 100.100.100.153.113: S 1468481550:1468481550(0) win 65535 <mss 1460,nop,nop,sackOK,[|tcp]>
000027 rule 12/0(match): pass out on dc3: IP 12.34.56.40.64647 > 100.100.100.153.113: S 1468481550:1468481550(0) win 65535 <mss 1460,nop,nop,sackOK,[|tcp]>
082959 rule 13/0(match): pass out on dc0: IP 23.45.67.51.62568 > 23.45.57.182.53:  50336+ [1au][|domain]

#------------------ pf.conf ------------------------------------------------------
int_if = "dc1"

dsl_if = "dc3"
com_if = "dc0"
dmz_if = "dc2"
int_net = "10.1.100.0/24"
dmz_net = "10.1.101.0/24"
dsl_gw="12.34.56.1"

com_gw="23.45.67.1"                     # default route

iserver="10.1.100.99"

tcp_services="{ http https }"

icmp_types="echoreq"

table <internal> { $int_net, $dmz_net }

set loginterface $dsl_if
set loginterface $com_if
set optimization normal
set block-policy return
set require-order yes


scrub in all
nat on $dsl_if from <internal> -> $dsl_if
nat on $com_if from <internal> -> $com_if

rdr pass on $dsl_if proto tcp from any to $dsl_if port $tcp_services -> $iserver
rdr pass on $com_if proto tcp from any to $com_if port $tcp_services -> $iserver

block out log all
block in log all
pass quick on lo0

antispoof quick for { lo0 $dsl_if $com_if $dmz_if $int_if}

pass out log on $dsl_if
pass out log on $com_if

pass log on $int_if keep state
pass log on $dmz_if from any to ! $int_if:network keep state

pass in log on $dsl_if proto tcp to $dsl_if port { smtp, smtps }
pass in log on $com_if proto tcp to $com_if port { smtp, smtps }
pass in on $dsl_if proto { tcp, udp } to $dsl_if port {domain}
pass in on $com_if proto { tcp, udp } to $com_if port {domain}
pass in on $com_if proto { tcp, udp } to port {bootpc}

pass in inet proto icmp all icmp-type $icmp_types

pass out log on $dsl_if route-to ($com_if $com_gw) from $com_if
pass out log on $com_if route-to ($dsl_if $dsl_gw) from $dsl_if
#--------------------------------------------------------------------------
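As an added example (not part of the thread and not the author's code), the script below automates what the author did by hand with tcpdump: it parses pflog lines in the format quoted above and flags every TCP handshake whose SYN arrived on one external interface while the SYN-ACK left on another, which is the asymmetric path that made the dsl_if SMTP connections stall until the reply-to rule was added. Interface names dc0/dc3 follow the thread; the sample log lines are constructed, and the regex assumes the older tcpdump pflog line format shown in the quoted output.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of tcpdump output on pflog0, modelled on the lines quoted in the
# thread (interface names dc0/dc3 match the thread; addresses and sequence numbers are
# made up).  The SYN-ACK for the port-25 connection first leaves on dc0, then on dc3.
SAMPLE_PFLOG = """\
000000 rule 16/0(match): pass in on dc3: IP 100.100.100.153.63225 > 12.34.56.40.25: S 743439640:743439640(0) win 65535 <mss 1460,nop,wscale 3,[|tcp]>
000083 rule 28/0(match): pass out on dc0: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
000023 rule 12/0(match): pass out on dc3: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
080881 rule 28/0(match): pass out on dc0: IP 12.34.56.40.64647 > 100.100.100.153.113: S 1468481550:1468481550(0) win 65535 <mss 1460,nop,nop,sackOK,[|tcp]>
082959 rule 13/0(match): pass out on dc0: IP 23.45.67.51.62568 > 23.45.57.182.53:  50336+ [1au][|domain]
000010 rule 17/0(match): pass in on dc0: IP 100.100.100.7.40001 > 23.45.67.51.25: S 11:11(0) win 65535 <mss 1460,[|tcp]>
000020 rule 28/0(match): pass out on dc0: IP 23.45.67.51.25 > 100.100.100.7.40001: S 22:22(0) ack 12 win 65535 <mss 1460,[|tcp]>
"""

# Matches the TCP SYN and SYN-ACK lines of this (older) tcpdump pflog format; the
# optional "ack N" group is what distinguishes a SYN-ACK from a bare SYN.
PFLOG_SYN_RE = re.compile(
    r"^\d+ rule (?P<rule>\d+)/\d+\(\w+\): (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<iface>\w+): IP (?P<src>\S+) > (?P<dst>\S+): S \d+:\d+\(\d+\)(?P<synack> ack \d+)?"
)

Endpoint = Tuple[str, int]
Flow = Tuple[Endpoint, Endpoint]  # (client, server)


def split_endpoint(text: str) -> Endpoint:
    """tcpdump writes 'a.b.c.d.port'; the last dotted field is the port."""
    host, port = text.rsplit(".", 1)
    return host, int(port)


def find_asymmetric_handshakes(log_text: str) -> List[Dict[str, str]]:
    """Report SYN-ACKs that leave on a different interface than their SYN arrived on.

    A hit means the reply is following the default route instead of going back
    out the interface the client reached, which is the multi-WAN symptom the
    thread describes (a reply-to option on the inbound rule pins the return path).
    """
    ingress_if: Dict[Flow, str] = {}
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = PFLOG_SYN_RE.match(line)
        if not m:
            continue  # not a SYN/SYN-ACK line (e.g. the DNS query)
        src, dst = split_endpoint(m["src"]), split_endpoint(m["dst"])
        if m["dir"] == "in" and not m["synack"]:
            ingress_if[(src, dst)] = m["iface"]  # remember where the SYN came in
        elif m["dir"] == "out" and m["synack"]:
            flow = (dst, src)  # reverse the SYN-ACK to recover client -> server
            in_if = ingress_if.get(flow)
            if in_if is not None and in_if != m["iface"]:
                findings.append({
                    "client": f"{flow[0][0]}:{flow[0][1]}",
                    "server": f"{flow[1][0]}:{flow[1][1]}",
                    "in_if": in_if,
                    "out_if": m["iface"],
                    "rule": m["rule"],
                })
    return findings


if __name__ == "__main__":
    for f in find_asymmetric_handshakes(SAMPLE_PFLOG):
        print(f"{f['client']} -> {f['server']}: SYN in on {f['in_if']}, "
              f"SYN-ACK out on {f['out_if']} (rule {f['rule']})")
```

Feed it the output of `tcpdump -n -e -ttt -i pflog0` saved to a file. On the sample it reports the SMTP flow once: the SYN-ACK is logged twice in the quoted capture, first leaving on dc0 and then on dc3, and only the dc0 exit differs from the dc3 ingress; the outbound ident SYN and the DNS query are ignored because they are not SYN-ACKs.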



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1315800184.36016.YahooMailNeo>