pf blocking php mail
The pf firewall was working well until suddenly it no longer allows any mail to be delivered. When I disable pf, everything works fine.
Below is the relevant rule. Any ideas as to why this is happening?
Code:
tcpservices = "{ domain, www, smtp, https, 10000 }"
block all
pass proto tcp from any to self port $tcpservices
__________________
Freebsd 7 64 bit apache2.2 php5 mysql5
I have temporarily fixed the issue with the rules below.
Code:
# pass smtp
pass in quick on $ext_if proto tcp from any to $ext_if port 25 keep state
pass out quick on $ext_if proto tcp from any to any port 25 keep state
__________________
Freebsd 7 64 bit apache2.2 php5 mysql5
DNS, or 'domain', usually uses UDP and hardly ever TCP.
For filtering TCP statefully you have to create state on the first packet of the TCP handshake. You do this with flags S/SA:
Code:
pass in quick on $ext_if inet proto tcp from any to $ext_if port 25 \
    flags S/SA keep state
BTW, in most cases you are better off creating separate rules for outgoing and incoming traffic. Just create TCP_OUT, TCP_IN, UDP_IN and UDP_OUT macros for finer-grained rules.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Quote:
Code:
tcpservices = "{ domain, www, smtp, https, 10000 }"
block all
pass proto tcp from any to self port $tcpservices
Code:
# pass smtp
pass in quick on $ext_if proto tcp from any to $ext_if port 25 keep state
pass out quick on $ext_if proto tcp from any to any port 25 keep state
As regards allowing UDP, the rules below were already present in my rule set.
Code:
udpservices = "{ domain, ntp }"
pass proto udp to any port $udpservices
pass out on $ext_if proto udp from any to port $udpservices
So I am still puzzled as to what is wrong with the ruleset that I have to add the "# pass smtp" rules to get SMTP working.
__________________
Freebsd 7 64 bit apache2.2 php5 mysql5
If you don't show the complete ruleset it is very difficult to diagnose the problem.
There probably is some other rule that is blocking the smtp traffic. Remember: in pf the last matching rule wins. These rules are still not correct:
Code:
# pass smtp
pass in quick on $ext_if proto tcp from any to $ext_if port 25 keep state
pass out quick on $ext_if proto tcp from any to any port 25 keep state
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
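The "last matching rule wins" point above, and the reason the poster's extra `quick ... keep state` rules change the outcome, are easier to see by running the posted rule sets through a small evaluator. The following is an added example, not code from any of the posters: a simplified Python model of pf's evaluation order (last match wins, `quick` ends evaluation, `keep state` lets the rest of a passed connection through without consulting the rules again). The rule encoding, addresses and ports are assumptions, `keep state` is treated as opt-in as the explicit `keep state` in the posted rules implies, and scrub, translation and the rest of a real pf.conf are ignored.

```python
"""Toy model of pf filter evaluation (added example, not the thread's code):
the last matching rule wins unless a match says 'quick', and 'keep state' lets
the rest of a passed connection through without re-running the rules. Rule
encoding, addresses and ports are assumptions; 'keep state' is opt-in here."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out" on the external interface
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True    # True for the first packet of a TCP handshake

@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    direction: str = None       # None matches both directions, as "block all"
    proto: str = None           # None matches any protocol
    dst: str = None             # None = any, "self" = the host's own addresses
    dports: tuple = ()          # () = any port, else the rule's port list
    quick: bool = False         # stop evaluating on match
    keep_state: bool = False    # create a state entry when the rule passes
    syn_only: bool = False      # "flags S/SA": match only the initial SYN

    def matches(self, pkt, self_addrs):
        if self.direction and self.direction != pkt.direction:
            return False
        if self.proto and self.proto != pkt.proto:
            return False
        if self.dst == "self" and pkt.dst not in self_addrs:
            return False
        if self.dst not in (None, "self") and self.dst != pkt.dst:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return not (self.syn_only and pkt.proto == "tcp" and not pkt.syn)

class Pf:
    def __init__(self, rules, self_addrs):
        self.rules, self.self_addrs, self.states = rules, set(self_addrs), set()

    @staticmethod
    def _state_key(pkt):
        # direction-agnostic key, so the reply maps onto the same state entry
        return pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def filter(self, pkt):
        if self._state_key(pkt) in self.states:
            return "pass"                   # state match: rules not consulted
        decision, winner = "pass", None     # pf passes when no rule matches
        for rule in self.rules:
            if rule.matches(pkt, self.self_addrs):
                decision, winner = rule.action, rule
                if rule.quick:
                    break                   # 'quick': this match is final
        if decision == "pass" and winner is not None and winner.keep_state:
            self.states.add(self._state_key(pkt))
        return decision

# constructed addresses from documentation ranges, not from the thread
SELF, MX, CLIENT = "203.0.113.10", "198.51.100.25", "192.0.2.77"
TCP_SERVICES = (53, 80, 25, 443, 10000)     # the thread's $tcpservices

def original_ruleset():
    """block all / pass proto tcp from any to self port $tcpservices"""
    return [Rule("block"), Rule("pass", proto="tcp", dst="self", dports=TCP_SERVICES)]

def temp_fix_ruleset():
    """original_ruleset() plus the two 'quick ... port 25 keep state' rules"""
    return original_ruleset() + [
        Rule("pass", "in", "tcp", SELF, (25,), quick=True, keep_state=True),
        Rule("pass", "out", "tcp", None, (25,), quick=True, keep_state=True)]

def syn_only_ruleset():
    """block all, then 'pass in ... port 25 flags S/SA keep state'"""
    return [Rule("block"),
            Rule("pass", "in", "tcp", SELF, (25,), keep_state=True, syn_only=True)]

def outbound_mail(rules):
    """The host itself opens a connection to a remote MX on port 25."""
    return Pf(rules, [SELF]).filter(Packet("out", "tcp", SELF, 50000, MX, 25))

def outbound_mail_reply(rules):
    """Same, then the MX's SYN-ACK coming back in; passes only via state."""
    pf = Pf(rules, [SELF])
    pf.filter(Packet("out", "tcp", SELF, 50000, MX, 25))
    return pf.filter(Packet("in", "tcp", MX, 25, SELF, 50000, syn=False))

def inbound(rules, syn=True):
    """A remote client connecting to this host's port 25 (or a stray ACK)."""
    return Pf(rules, [SELF]).filter(Packet("in", "tcp", CLIENT, 40000, SELF, 25, syn))

def last_match(quick):
    """'block all' placed after the pass rule wins unless the pass is quick."""
    return inbound([Rule("pass", "in", "tcp", SELF, (25,), quick=quick, keep_state=True),
                    Rule("block")])

if __name__ == "__main__":
    for label, result in [("original, host -> MX:25", outbound_mail(original_ruleset())),
                          ("temp fix, host -> MX:25", outbound_mail(temp_fix_ruleset())),
                          ("temp fix, MX reply via state", outbound_mail_reply(temp_fix_ruleset())),
                          ("block all after non-quick pass", last_match(False)),
                          ("flags S/SA, stray ACK, no state", inbound(syn_only_ruleset(), syn=False))]:
        print(f"{label:34} {result}")
```

Running it shows that under the first posted rule set a connection the host itself opens to a remote port 25 matches nothing but `block all`, while the two added rules pass it and, through the state entry, its replies; that a `block all` placed after a non-quick pass rule silently overrides that pass rule; and that with `flags S/SA` a packet that is not the initial SYN never creates state on its own.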
Quote:
My initial rule set below did not allow smtp
Code:
tcpservices = "{ domain, www, smtp, https, 10000 }"
block all
pass proto tcp from any to self port $tcpservices
Some other rule is blocking smtp. Or you may be having problems with DNS, which that rule is _not_ passing. Your problem with smtp is not in those rules; it is in other rules, elsewhere in your pf.conf. (Alternately, maybe you are having a problem with the 'self' keyword. If you are using DHCP, maybe the address has changed since you loaded the ruleset. If you have dynamic IP addresses, it is best to use keywords like that in brackets (e.g. "( self )"). Then the address will be updated if the interface addresses change.)
__________________
The only dumb question is a question not asked. The only dumb answer is an answer not given.
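One way to lay out rules along the lines the two replies above suggest, as an added example that is not from any of the posters: separate inbound and outbound rules built from per-direction macros, TCP rules that create state only on the initial SYN (`flags S/SA`), and the external interface written in parentheses so pf re-reads its address when it changes (the reply above suggests `( self )`; this example uses `($ext_if)`, the form I can vouch for). The interface name `em0`, the loopback skip, the scrub line and the outbound port lists are assumptions.

```pf
# Added example, not a poster's ruleset. em0, the port lists, set skip and
# scrub are assumptions; adapt them before loading.
ext_if = "em0"

tcp_in  = "{ domain, www, smtp, https, 10000 }"
tcp_out = "{ domain, www, smtp, https }"
udp_in  = "{ domain, ntp }"
udp_out = "{ domain, ntp }"

# options and normalisation come before the filter rules
set skip on lo0
scrub in on $ext_if all

# default deny; every pass below is quick, so a match ends evaluation
block all
antispoof quick for $ext_if

# inbound: ($ext_if) is re-evaluated if the interface address changes;
# flags S/SA means only a SYN without ACK can match and create state
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $tcp_in \
    flags S/SA keep state
pass in quick on $ext_if inet proto udp from any to ($ext_if) port $udp_in \
    keep state

# outbound: connections the host itself opens, e.g. the MTA delivering to a
# remote MX on port 25; the replies come back in through the state entry
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port $tcp_out \
    flags S/SA keep state
pass out quick on $ext_if inet proto udp from ($ext_if) to any port $udp_out \
    keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` prints the rules as loaded (macros expanded, so you can see what `($ext_if)` resolved to) and `pfctl -ss` prints the state table, which is where to look when a connection is passed one way but its replies are dropped.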
I have added more rules here and am trying to avoid putting my entire rule set on display.
All my block rules are, however, listed.
Code:
norouteips = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 240.0.0.0/4 }"
tcpservices = "{ domain, www, smtp, https, 10000 }"

table <bruteforce> persist file "/pathto/bruteforceblock"

# options must come before the filter rules
set skip on tx0

block all
block quick from <bruteforce>
antispoof quick for { tx0 $ext_if }

# block non routable ips
block in quick on $ext_if from $norouteips to any
block out quick on $ext_if from any to $norouteips

# block exploited servers http://www.wizcrafts.net/exploited-servers-iptables-blocklist.txt
block in quick from <exploitedservers>

pass proto tcp from any to self port $tcpservices
pass inet proto tcp from any to port $tcpservices keep state \
    (max-src-conn 100, max-src-conn-rate 30/5, overload <bruteforce> flush global)
I was wondering if the rule below could be causing the problem.
Code:
pass inet proto tcp from any to port $tcpservices keep state \
    (max-src-conn 100, max-src-conn-rate 30/5, overload <bruteforce> flush global)
However, mysteriously everything seems to be back to normal now even without using those smtp rules.
__________________
Freebsd 7 64 bit apache2.2 php5 mysql5
Last edited by ijk; 31st October 2008 at 09:45 AM.