From owner-freebsd-pf@FreeBSD.ORG Sat Nov 21 17:54:12 2009
From: olli hauer
To: Victor Lyapunov
Cc: freebsd-pf@freebsd.org
Date: Sat, 21 Nov 2009 18:27:30 +0100
Subject: Re: sending mail with attachments always fails (FreeBSD/pf)
Message-ID: <4B082302.3040704@gmx.de>
In-Reply-To: <6c51dbb10911210706g3490e463x7fdf3809243e30d2@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Victor Lyapunov wrote:
> Hi all,
>
> I have a production network with a FreeBSD box acting as firewall. The
> problem emerges as soon as users send mail with attachments. (Sending
> mail without attachments always succeeds). Basically, when a user
> tries to send a message, only part of it is transmitted before the
> connection is interrupted and sending fails. The problem persists only
> when pf is enabled.
>
> My ruleset:
> scrub in all fragment reassemble
> block drop on em0 all
> pass inet proto tcp from 192.168.0.0/24 to any port = smtp flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = pop3 flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = imap flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = smtps flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = pop3s flags S/SA keep state
> pass proto udp from any to any port = domain keep state
> [...]

Is this only for clients submitting (imap) or even for incoming mail from
outside via smtp? What about outgoing traffic from the machine?

Try the following in pf.conf to see why this happens:

set loginterface pflog0
set block-policy drop
set skip on lo0
block drop in log on em0 all
pass out log on em0 all

Now use tcpdump to see which rule drops the traffic:

#> tcpdump -net -i pflog0

--
olli
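The tcpdump output on pflog0 gets noisy quickly on a production firewall; the following script (an added example, not part of this thread) summarises "block" lines from `tcpdump -net -i pflog0` by rule number, direction, interface and destination port, so the rule dropping the SMTP session stands out. The sample lines below are constructed in the pflog text format and are not real captures.

```shell
#!/bin/sh
# Summarise pflog drops per blocking rule. Feed it the output of
#   tcpdump -net -i pflog0
# Constructed sample lines (not a real capture), in pflog's
# "rule N/M(match): action dir on iface: src > dst: ..." format.
SAMPLE_PFLOG='rule 0/0(match): block in on em0: 192.168.0.10.49210 > 203.0.113.5.25: Flags [S], seq 1, win 65535, length 0
rule 2/0(match): pass in on em0: 192.168.0.10.49211 > 203.0.113.5.25: Flags [S], seq 2, win 65535, length 0
rule 0/0(match): block out on em0: 192.168.0.10.49211 > 203.0.113.5.25: Flags [P.], seq 3:1463, ack 1, win 65535, length 1460
rule 0/0(match): block out on em0: 192.168.0.10.49211 > 203.0.113.5.25: Flags [P.], seq 1463:2923, ack 1, win 65535, length 1460
rule 0/0(match): block in on em0: 203.0.113.5 > 192.168.0.10: ICMP 203.0.113.5 unreachable - need to frag (mtu 1400), length 36'

# summarise_drops: read pflog text on stdin, count blocked packets per
# (rule, direction, interface, destination port); port "-" means the
# destination had no port (e.g. an ICMP message).
summarise_drops() {
    awk '
        /\(match\): block/ {
            rule = $2; sub(/\/.*/, "", rule)          # "0/0(match):" -> "0"
            dir = $4                                   # in / out
            iface = $6; sub(/:$/, "", iface)           # "em0:" -> "em0"
            dst = $9; sub(/:$/, "", dst)               # "a.b.c.d.port:" -> "a.b.c.d.port"
            n = split(dst, p, ".")
            port = (n == 5) ? p[5] : "-"
            key = "rule " rule " block " dir " on " iface " dport " port
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Run against the constructed sample; pipe real tcpdump output in instead.
echo "$SAMPLE_PFLOG" | summarise_drops
```

The top line of the output names the rule and direction to look at first; here the blocked outbound data segments and the dropped ICMP "need to frag" message both point back to rule 0.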