Solved Gnus gmail stops working

Hello,

This morning I found sending gmail emails via Gnus stopped working. It used to be working since I checked my Gnus 'sent' folder and there are mails I sent several months ago.

Code:
Gnus/5.13 (Gnus v5.13) Emacs/26.1 (berkeley-unix)
Sending via mail...
network-stream-open-starttls: make client process failed: No route to host, :name, smtpmail, :buffer, *trace of SMTP session to smtp.gmail.com*, :host, smtp.gmail.com, :service, 587

As soon as I disabled pf sudo pfctl -d, Emacs would connect. So I think the problem is probably related to pf. Currently my /etc/pf.conf is as follows,

Code:
tcp_services = "{ ssh, sftp, ntp, imaps, https, smtps, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain, ntp }"
tcp_in_services = "{ ssh, sftp }"
block all
set skip on lo0
pass in proto tcp to port $tcp_in_services
pass out proto tcp to port $tcp_services
pass proto udp to port $udp_services

and I just upgraded to 12.0p1 (Could it possibly also a problem?)

Bash:
uname -a
FreeBSD freebsd-machine 12.0-RELEASE FreeBSD 12.0-RELEASE r341666 GENERIC  amd64

Do you guys have any idea of how to fix this? Many thanks in advance.
 
show your actual ruleset
pfctl -sr -P
Thanks. This is the output
Bash:
sudo pfctl -sr -P
block drop all
pass out proto tcp from any to any port = 22 flags S/SA keep state
pass out proto tcp from any to any port = 115 flags S/SA keep state
pass out proto tcp from any to any port = 123 flags S/SA keep state
pass out proto tcp from any to any port = 993 flags S/SA keep state
pass out proto tcp from any to any port = 443 flags S/SA keep state
pass out proto tcp from any to any port = 465 flags S/SA keep state
pass out proto tcp from any to any port = 53 flags S/SA keep state
pass out proto tcp from any to any port = 80 flags S/SA keep state
pass out proto tcp from any to any port = 110 flags S/SA keep state
pass out proto tcp from any to any port = 113 flags S/SA keep state
pass out proto tcp from any to any port = 995 flags S/SA keep state
pass in proto tcp from any to any port = 22 flags S/SA keep state
pass in proto tcp from any to any port = 115 flags S/SA keep state
pass proto udp from any to any port = 53 keep state
pass proto udp from any to any port = 123 keep state
 
Is there any reason for restricting the outgoing traffic?

ps.
It's better to use ftps or scp instead of sftp (TCP 115) rfc913
Thanks. Nothing really. So what's your recommendation? Am I better off erasing the tcp_services = line?

As for sftp, I constantly use sftp (because most of the time, it is installed by default) and lftp to transfer files between computers, so if I change all the "sftp"s in /etc/pf.conf to "ftps", will using sftp and lftp be affected by pf? It seems they are quite different protocols. Thanks.
 
Allow all outgoing traffic from your server and control only the incoming traffic to the services that you are providing to the outside.

Something like this where ext_if is your WAN facing interface.

Code:
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
 
Allow all outgoing traffic from your server and control only the incoming traffic to the services that you are providing to the outside.

Something like this where ext_if is your WAN facing interface.

Code:
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
Thank you so much for your help!!! Two more questions though, what is the purpose of parentheses around $ext_if as in ($ext_if) and why the last two lines are not merged? e.g., can we just use instead

Code:
pass out on $ext_if proto { tcp, udp, icmp } all keep state
 
Hostname resolution and interface name to ip address are done on the ruleset load. If the IP address of the interface is changed the ruleset must be reloaded for the change to be reflected. When you put the interface in parentheses the rule is updated whenever the interface changes its address.

TCP is stateful protocol and UDP and ICMP are stateless. PF control the stateless protocols by predefined timeouts (keep the port open for period of time when no traffic is passing)
 
Hostname resolution and interface name to ip address are done on the ruleset load. If the IP address of the interface is changed the ruleset must be reloaded for the change to be reflected. When you put the interface in parentheses the rule is updated whenever the interface changes its address.

TCP is stateful protocol and UDP and ICMP are stateless. PF control the stateless protocols by predefined timeouts (keep the port open for period of time when no traffic is passing)
Thank you so much for the detailed explanation.
 
Back
Top