PF Allow fetchmail through pf firewall (FreeBSD 13.2).

Hello,

I use fetchmail (6.4.37_1) to get email from an IMAP server. It works fine if the (pf) firewall is disabled but I get this error when it is enabled:

Code:
fetchmail -v
fetchmail: 6.4.37 querying mail.this.gb (protocol IMAP) at Mon Jan 22 10:42:20 2024: poll started
Trying to connect to xx.xx.xx.xx/993..connection failed.
fetchmail: connection to mail.this.gb:imaps [xx.xx.xx.xx/993] failed: Permission denied.
fetchmail: Connection errors for this poll:
name 0: connection to mail.this.gb:imaps [xx.xx.xx.xx/993] failed: Permission denied.
IMAP connection to mail.this.gb failed: Permission denied
fetchmail: 6.4.37 querying mail.this.gb (protocol IMAP) at Mon Jan 22 10:42:20 2024: poll completed
fetchmail: Query status=2 (SOCKET)
fetchmail: normal termination, status 2

This is my pf config:

Code:
ext_if = "bge0"
icmp_types = "{ echoreq unreach }"
table <bruteforce> persist
 
table <rfc6890> { 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16          \
                  172.16.0.0/12 192.0.0.0/24 192.0.0.0/29 192.0.2.0/24 192.88.99.0/24    \
                  192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24            \
                  240.0.0.0/4 255.255.255.255/32 }

set skip on lo0
scrub in all fragment reassemble max-mss 1440
antispoof quick for $ext_if
block in quick on egress from <rfc6890>
block return quick on egress to <rfc6890>

block all
# pass in on $ext_if proto tcp to port { 22 } # SSH
pass in on $ext_if proto tcp to port { 22 } \
    keep state (max-src-conn 15, max-src-conn-rate 3/1, \
        overload <bruteforce> flush global)

# See: https://forums.freebsd.org/threads/which-ports-do-i-open-for-nfs.5123/
pass in proto { tcp udp } to port { 111 2049 941 757 } # RPC NFSD LOCKD nfs-info
pass out proto { tcp udp } to port { 22 53 80 123 443 111 2049 941 757 } # SSH DNS HTTP NTP HTTPS RPC NFSD LOCKD nfs-info
pass out inet proto icmp icmp-type $icmp_types

I've tried adding port 25 to the 'pass in proto' and 'pass out proto' lines, without success.

Thanks for any help.
sprock
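
As an added example (not part of the original post and not pf's own code), this small Python model evaluates the outbound rules from the posted pf.conf against the port in the fetchmail log: the log shows a connection to port 993 (imaps), which is not in the `pass out` port list, so only `block all` matches. It assumes a simplified last-match evaluation and a public destination address in no table; the `decide_out` and `_items` helpers and the final `pass out proto tcp to port 993` rule are constructed for illustration.

```python
import re

# Direction-relevant rules copied from the posted pf.conf (inbound SSH rule omitted).
RULES = """\
block in quick on egress from <rfc6890>
block return quick on egress to <rfc6890>
block all
pass in proto { tcp udp } to port { 111 2049 941 757 }
pass out proto { tcp udp } to port { 22 53 80 123 443 111 2049 941 757 }
pass out inet proto icmp icmp-type $icmp_types
"""

def _items(rule, keyword):
    """Set of values after `keyword` (bare or in braces); None if keyword absent."""
    m = re.search(rf"\b{keyword}\s+(?:\{{([^}}]*)\}}|(\S+))", rule)
    if not m:
        return None
    return set((m.group(1) if m.group(1) is not None else m.group(2)).split())

def decide_out(ruleset, proto, port):
    """Simplified pf evaluation of one outbound packet: the last matching rule
    wins and 'quick' ends evaluation. Assumption: the destination is a public
    address that is in no table, so rules naming a <table> never match."""
    verdict = ("pass", "implicit default")
    for line in ruleset.splitlines():
        rule = line.split("#")[0].strip()
        words = rule.split()
        if not words or words[0] not in ("pass", "block") or "<" in rule:
            continue
        if "in" in words[1:3]:            # inbound-only rule
            continue
        protos, ports = _items(rule, "proto"), _items(rule, "port")
        if protos is not None and proto not in protos:
            continue
        if ports is not None and str(port) not in ports:
            continue
        verdict = (words[0], rule)
        if "quick" in words:
            break
    return verdict

if __name__ == "__main__":
    for p in (443, 25, 993):
        print(p, decide_out(RULES, "tcp", p))
    # Constructed fix: allow outbound IMAPS, the port fetchmail reported.
    fixed = RULES + "pass out proto tcp to port 993\n"
    print(993, decide_out(fixed, "tcp", 993))
```

On the real host, a changed ruleset can be syntax-checked with `pfctl -nf /etc/pf.conf` before loading, and the loaded rules listed with `pfctl -sr`.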
 