Date:      Mon, 30 May 2005 11:31:30 -0700
From:      Scott Stevenson <scott@maxify.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Clients receive only first 4k (issue with pf.conf) -- ignore others
Message-ID:  <5843C5B4-AAA9-4A64-BEE2-9CB5E7476966@maxify.com>
In-Reply-To: <199B60BD-1D20-492E-A278-21BD0CCF3475@maxify.com>
References:  <199B60BD-1D20-492E-A278-21BD0CCF3475@maxify.com>

On May 30, 2005, at 9:23 AM, Scott Stevenson wrote:

> The problem is that if I use the version without "keep state," the  
> machine can't send outbound mail, and I see messages like this in  
> maillog:
>
>     May 30 09:14:33 vertigo qmail: 1117469673.126013 delivery 639634: deferral
>     Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
>
> In fact, I tried to send this message to the list twice yesterday,  
> but realized that mail packets were being filtered out. I looked at  
> pflog0 while mail was being sent, but I wasn't able to find the  
> bounced packets. Here's the relevant smtp line:
>
>     pass  in  quick on $ext_if proto { tcp, udp } from any to any port 25
>
>
> I'm much more familiar with the firewalls bundled with various  
> linux distributions, so I'm really stumped. I've read through  
> various sections of the PF faq, but I haven't found an answer to this.


Sorry to post *yet again* on this, but I think I finally figured out  
what was wrong. I want to post a follow-up for the archives. The  
solution to the "partial page" Apache problem was to balance the "keep  
state" directives.


Originally, the httpd line looked like this:

     pass  in  quick on $ext_if proto { tcp, udp } from any to any port 80

And the "out" line looked like this:

     pass  out on $ext_if proto { tcp, udp } all keep state


The solution was to change the httpd line to this:

     pass  in  quick on $ext_if proto { tcp, udp } from any to any port 80 keep state


Does it make sense that I'd need "keep state" for both in and out, or  
is this a PF bug? Should I add it to these as well?

     pass  in  quick on $ext_if proto { tcp, udp } from any to any port 25
     pass  in  quick on $ext_if proto { tcp, udp } from any to any port 53


Thanks, and sorry again for the duplicate messages.

     - Scott
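For the archives, below is a complete pf.conf fragment that applies the fix described in the message above and extends it to the port 25 and port 53 rules the poster asks about. It is an added example, not the poster's ruleset: the interface name `em0`, the `block in` default and the `set skip on lo` line are assumptions, since the thread only shows the three pass rules. The thread does not say why the stateless inbound rule stalled transfers after a few kilobytes; one plausible cause, which is my inference and not stated on the page, is that with only the `pass out ... keep state` rule the state entry is created from a mid-connection packet rather than from the client's SYN, so pf never sees the window-scaling option and later segments fall outside the window it tracks. Putting `keep state` on the inbound rule creates the state on the first packet of the connection, and `flags S/SA` restricts state creation to that SYN (it is valid for TCP only, which is why the TCP and UDP rules are split).

```pf
# Added example pf.conf (not the poster's file). $ext_if is the external
# interface as in the thread; the interface name itself is an assumption.
ext_if = "em0"
tcp_services = "{ 25, 80 }"

# Assumption: loopback is left unfiltered and unsolicited inbound is dropped
# and logged to pflog0, which is where a blocked packet would show up.
set skip on lo
block in log on $ext_if

# Before (stateless inbound rule from the original message):
#   pass in quick on $ext_if proto { tcp, udp } from any to any port 80
# Only the matching inbound packets are passed by this rule; the reply
# path then depends entirely on the stateful "pass out" rule below.

# After: inbound SMTP and HTTP create state on the client's SYN, so every
# later segment of the connection, in both directions, matches the state
# entry and never has to be re-evaluated against the ruleset.
pass in quick on $ext_if proto tcp from any to any port $tcp_services \
    flags S/SA keep state

# DNS over TCP and UDP. UDP has no handshake, so no "flags" clause, but
# "keep state" still pairs each reply with the query that caused it.
pass in quick on $ext_if proto { tcp, udp } from any to any port 53 keep state

# Outbound is stateful so that return traffic for the host's own
# connections (for example qmail delivering mail to remote port 25)
# is let back in without a separate inbound rule.
pass out on $ext_if proto { tcp, udp } all keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check without activating it, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the state entries and confirms that an HTTP connection now creates a state on the inbound rule rather than on the outbound one.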