From owner-freebsd-pf@FreeBSD.ORG Sat Nov 21 18:07:16 2009
From: Victor Lyapunov
To: olli hauer, freebsd-pf@freebsd.org
Date: Sun, 22 Nov 2009 00:07:14 +0600
Subject: Re: sending mail with attachments always fails (FreeBSD/pf)
Message-ID: <6c51dbb10911211007x4ea07528y7642460629788903@mail.gmail.com>
In-Reply-To: <4B082302.3040704@gmx.de>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Thanks for your answer, olli. As I send mail not from my FreeBSD server but rather from the clients on the local network, here's what I did.

My pf.conf:

set loginterface pflog0
set block-policy drop
set skip on lo0

block drop log on em0 all
pass log inet proto tcp from 192.168.0.0/24 to any port {smtp, pop3, imap, smtps, pop3s} flags S/SA keep state
pass log proto udp from any to any port = domain keep state

# tcpdump -net -i pflog0

Now I went to a Windows computer and tried to send an email with an attachment to gmail.com (sending failed at 2%). Here's what I got in my pflog:

rule 4/0(match): pass in on em0: (tos 0x0, ttl 128, id 19860, offset 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 > 209.85.129.111.465: [|tcp]
rule 4/0(match): pass out on em0: (tos 0x0, ttl 127, id 19860, offset 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 > 209.85.129.111.465: tcp 28 [bad hdr length 0 - too short, < 20]
2 packets captured
2 packets received by filter
0 packets dropped by kernel

Again, everything works just fine when pf is disabled. And there are no problems for incoming traffic; only outgoing traffic gets corrupted (that is, dropped in the middle of transmitting data).

Any ideas?

2009/11/21 olli hauer:
> Victor Lyapunov wrote:
>>
>> Hi all,
>>
>> I have a production network with a FreeBSD box acting as firewall. The
>> problem emerges as soon as users send mail with attachments. (Sending
>> mail without attachments always succeeds.) Basically, when a user
>> tries to send a message, only part of it is transmitted before the
>> connection is interrupted and sending fails. The problem persists only
>> when pf is enabled.
>>
>> My ruleset:
>> scrub in all fragment reassemble
>> block drop on em0 all
>> pass inet proto tcp from 192.168.0.0/24 to any port = smtp flags S/SA keep state
>> pass inet proto tcp from 192.168.0.0/24 to any port = pop3 flags S/SA keep state
>> pass inet proto tcp from 192.168.0.0/24 to any port = imap flags S/SA keep state
>> pass inet proto tcp from 192.168.0.0/24 to any port = smtps flags S/SA keep state
>> pass inet proto tcp from 192.168.0.0/24 to any port = pop3s flags S/SA keep state
>> pass proto udp from any to any port = domain keep state
>>
>
> [...]
>
> Is this only for client submitting (imap) or even for incoming mails from
> outside via smtp?
>
> What about outgoing traffic from the machine?
>
> Try the following in pf.conf to see why this happens:
>
> set loginterface pflog0
> set block-policy drop
> set skip on lo0
>
> block drop in log on em0 all
> pass out log on em0 all
>
> Now use tcpdump to see which rule drops the traffic:
> #> tcpdump -net -i pflog0
>
> --
> olli
>
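Added example (not from the thread or the FreeBSD project): a small Python parser for the `tcpdump -net -i pflog0` records quoted above. It extracts the matched rule number, action, direction, interface and endpoints, and flags records whose TCP header tcpdump could not decode (the `[|tcp]` and `bad hdr length` markers). Two points a practitioner reading such output wants to keep in mind, and that the parser makes explicit: the rule number in a pflog record refers to the expanded ruleset as shown by `pfctl -vvsr` (the `{smtp, pop3, imap, smtps, pop3s}` list in the pass rule above expands to five rules, which is why the port 465 connection logs as rule 4), and `[|tcp]` means tcpdump ran out of captured bytes before it reached the TCP header, so the capture snaplen (`-s`) should be raised before reading such lines as evidence of on-the-wire corruption. The sample input is constructed: the two records from the mail plus one hypothetical block record using a documentation address.

```python
"""Parse `tcpdump -net -i pflog0` records into structured fields.

Added example for this thread, not code from the FreeBSD project. The
input is constructed: the two records quoted in the mail plus one
hypothetical block record (203.0.113.7 is a documentation address).
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample input (see module docstring).
SAMPLE_PFLOG = """\
rule 4/0(match): pass in on em0: (tos 0x0, ttl 128, id 19860, offset 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 > 209.85.129.111.465: [|tcp]
rule 4/0(match): pass out on em0: (tos 0x0, ttl 127, id 19860, offset 0, flags [DF], proto TCP (6), length 48) 192.168.0.5.1822 > 209.85.129.111.465: tcp 28 [bad hdr length 0 - too short, < 20]
rule 0/0(match): block in on em0: (tos 0x0, ttl 64, id 7, offset 0, flags [none], proto TCP (6), length 60) 203.0.113.7.51234 > 192.168.0.1.25: Flags [S], seq 1, win 65535, length 0
"""

# One pflog record as printed by tcpdump -n -e -t on a pflog interface.
LINE_RE = re.compile(
    r"^rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]+)\): "
    r"(?P<action>pass|block|match|nat|rdr|binat) (?P<direction>in|out) on (?P<ifname>\S+): "
    r"\((?P<ipinfo>.*?)\) "                      # IP summary; contains "(6)", so non-greedy
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<rest>.*)$"
)

# Markers tcpdump prints when it cannot decode the TCP header from the captured
# bytes: "[|tcp]" = capture truncated before/inside the header,
# "bad hdr length" = data-offset field smaller than the 20-byte minimum.
TRUNCATED_MARKERS = ("[|", "bad hdr length", "too short")


@dataclass(frozen=True)
class PflogRecord:
    rule: int           # number in the expanded ruleset (pfctl -vvsr shows @N)
    action: str
    direction: str
    ifname: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: Optional[int]
    ip_id: Optional[int]
    length: Optional[int]
    truncated: bool     # tcpdump could not decode the transport header


def _int_field(info: str, name: str) -> Optional[int]:
    """Pull an integer field such as 'ttl 128' out of the IP summary."""
    m = re.search(rf"\b{name} (\d+)", info)
    return int(m.group(1)) if m else None


def parse_pflog_line(line: str) -> Optional[PflogRecord]:
    """Return a PflogRecord for one tcpdump line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    info = m.group("ipinfo")
    proto = re.search(r"proto (\w+)", info)
    rest = m.group("rest")
    return PflogRecord(
        rule=int(m.group("rule")),
        action=m.group("action"),
        direction=m.group("direction"),
        ifname=m.group("ifname"),
        proto=proto.group(1) if proto else "?",
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        ttl=_int_field(info, "ttl"),
        ip_id=_int_field(info, "id"),
        length=_int_field(info, "length"),
        truncated=any(marker in rest for marker in TRUNCATED_MARKERS),
    )


def summarize(text: str) -> dict:
    """Count records per (rule, action, direction) and flag capture problems."""
    by_rule: Dict[Tuple[int, str, str], int] = {}
    truncated = blocked = unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_pflog_line(line)
        if rec is None:
            unparsed += 1      # e.g. the "N packets captured" trailer lines
            continue
        key = (rec.rule, rec.action, rec.direction)
        by_rule[key] = by_rule.get(key, 0) + 1
        truncated += rec.truncated
        blocked += rec.action == "block"
    return {"by_rule": by_rule, "truncated": truncated,
            "blocked": blocked, "unparsed": unparsed}


if __name__ == "__main__":
    for line in SAMPLE_PFLOG.splitlines():
        print(parse_pflog_line(line))
    print(summarize(SAMPLE_PFLOG))
```

On the sample, `summarize` reports both port 465 records as matching rule 4 (one `in`, one `out`) and both as truncated; a non-zero `truncated` count is the cue to re-run tcpdump with a larger `-s` value before drawing conclusions about the packets themselves. To use it on real output, feed the text of `tcpdump -net -i pflog0` to `summarize` in place of `SAMPLE_PFLOG`.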