
[Solved] ipfw can't send mail


graudeejs
March 25th, 2010, 20:18
I started switching from pf to ipfw; so far so good, but here's my problem: I can't send mail to outside my server.

# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
EFDFC9213 710 Thu Mar 25 20:43:21 aldis@bsdroot.lv
(connect to 127.0.0.1[127.0.0.1]:10025: Permission denied)
killasmurf86@gmail.com

-- 1 Kbytes in 1 Request.

In this message you can see that Postfix wants to connect to the ClamAV antivirus; it should then send mail.

Here's (what I think is) the relevant part of the ipfw rules:

#!/bin/sh
cmd="/sbin/ipfw -q"

# $root_ip and $e_if are defined elsewhere in the full script (not shown here)

$cmd flush

# setup loopback
$cmd add 00010 allow ip from 127.0.0.0/8 to 127.0.0.0/8 via lo0
$cmd add 00020 deny ip from any to 127.0.0.0/8
$cmd add 00030 deny ip from 127.0.0.0/8 to any

# match packets against the dynamic rules created by keep-state
$cmd add 00060 check-state

# outbound mail from the host; keep-state adds a dynamic rule for the return traffic
$cmd add 00500 allow tcp from $root_ip to any smtp,submission out via $e_if keep-state



I tried many different combos related to loopback, but I have failed to figure this out. Any ideas?
If you need more info, let me know.


Should I mention that it works if ipfw is off?

jailed
March 25th, 2010, 23:24
$root_ip and $e_if are not defined in your script, so your rule #500 won't work.

Why do you use the local loopback IP for SMTP instead of the LAN or WAN IP?

You can remark all rules and add "allow all from any to any" so that you can test variations before this rule. Is your ipfw set to open or close?

graudeejs
March 25th, 2010, 23:44
They are defined; I simply showed the relevant part. The whole script is about 50 lines.
I think it's set to close....
I will try your suggestion about allowing any to any [heck, why didn't I think of this :D] tomorrow. Tonight it's late.

graudeejs
March 26th, 2010, 10:35
When I remove this:
# setup loopback
$cmd add 00010 allow ip from 127.0.0.0/8 to 127.0.0.0/8 via lo0
$cmd add 00020 deny ip from any to 127.0.0.0/8
$cmd add 00030 deny ip from 127.0.0.0/8 to any


and add:

$cmd add 00010 allow ip from me to me

Postfix can send mail.

phoenix
March 26th, 2010, 17:40
Change rule 10 to be just: allow ip from any to any via lo0

You want to allow everything over the loopback device, otherwise a lot of things will fail. :)
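As an added example (not the thread's own script), here is the poster's loopback section with phoenix's change applied: the 127/8 deny rules can stay, because once everything on lo0 is allowed first they only match 127/8 traffic showing up on real interfaces, which is spoofed. Locally delivered traffic is not only 127/8 (a connection to one of the host's own addresses is looped back over lo0 too), which is why matching only "127.0.0.0/8 to 127.0.0.0/8" is too narrow. Assumed: root_ip and e_if are placeholder values, and preview_rules / lo0_allow_precedes_deny are helpers added for dry-run checking.

```shell
#!/bin/sh
# Added example, not the thread's script. root_ip and e_if are placeholders.
root_ip="${root_ip:-192.0.2.10}"    # placeholder host address (RFC 5737 TEST-NET-1)
e_if="${e_if:-em0}"                 # placeholder external interface

# Emit the ruleset through $1: "/sbin/ipfw -q" loads it, "echo" previews it.
emit_rules() {
    fw="$1"
    $fw flush
    # Rule 10 covers everything on lo0. Locally delivered traffic is not only
    # 127/8: a connection to one of the host's own addresses is also looped
    # back over lo0, so "from 127.0.0.0/8 to 127.0.0.0/8" was too narrow.
    $fw add 00010 allow ip from any to any via lo0
    # Rules 20/30 are kept: after rule 10 they only see 127/8 traffic on real
    # interfaces, which must never exist and is dropped (anti-spoofing).
    $fw add 00020 deny ip from any to 127.0.0.0/8
    $fw add 00030 deny ip from 127.0.0.0/8 to any
    # Match packets against dynamic rules created by keep-state below.
    $fw add 00060 check-state
    # Outbound mail from the host; keep-state allows the return traffic.
    $fw add 00500 allow tcp from $root_ip to any smtp,submission out via $e_if keep-state
}

# Preview the rules without touching the running firewall.
preview_rules() { emit_rules echo; }

# Ordering check on the preview: the lo0 allow must come before the 127/8
# deny rules, otherwise loopback traffic is dropped before it can be allowed.
lo0_allow_precedes_deny() {
    preview_rules | awk '
        /^add 00010 allow ip from any to any via lo0$/ { a = NR }
        /^add 000[23]0 deny/                           { if (!d) d = NR }
        END { exit !(a && d && a < d) }'
}

# Load for real only when explicitly asked (needs root and /sbin/ipfw).
if [ "${1:-}" = "load" ]; then
    emit_rules "/sbin/ipfw -q"
fi
```

Run it with no arguments (or call preview_rules) to see the generated rules; pass "load" on a FreeBSD host to install them.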