IMAP-SSL timeouts, since I use a FreeBSD/PF gateway

I've been using a FreeBSD server with PF as my gateway for some time now. Everything seemed to work fine, except that I notice Evolution trying to reach a mail server on the internet for minutes, until it times out. When I cancel that, it usually works fine right away. But every now and then something goes wrong and it doesn't. I have no idea what causes this problem.

Another strange thing happens when I try to post to a forum. This one, for example. When I click on Submit or Preview, I get a "22 invalid argument" error. But when I click on refresh, it works fine.

Here is my firewall configuration. Does someone have an idea what causes this strange behaviour?

Code:
int_if = "em0"
ext_if = "fxp0"
tcp_services = "{ 22,80,443,25,587,993 }"
icmp_types = "echoreq"
priv_nets = "{ 192.168.10.0/24 }"

set block-policy drop
set loginterface $ext_if
set skip on lo0

scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)


### filter rules
block all

# block incoming traffic from private networks on external interface
block drop in quick on $ext_if from $priv_nets to any

# block outgoing traffic to private networks on external interface
block drop out quick on $ext_if from any to $priv_nets

# allow access to tcp_services on external interface
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

# allow in ping replies
pass in inet proto icmp all icmp-type $icmp_types keep state

# allow all traffic from internal network to internal interface
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# allow all traffic out via external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

Feel free to point out any rookie mistake too ;)
 
SirDice said:
There's no rule that allows outgoing traffic.

Aren't these rules doing that?
Code:
pass out on $int_if from any to $int_if:network keep state

# allow all traffic out via external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
Also, if outgoing traffic was not allowed, how is it possible that I can surf the web?

I'm not trying to mock you. I'm just trying to understand what you mean and what I'm doing wrong :)
 
Hello,

Are you sure the server you are trying to connect to is reachable? What does the following say?
Code:
pfctl -ss | grep 993

Are you able to resolve the server you are trying to connect to? If not, try connecting to its IP address instead of the hostname.

"Mailserver on the internet" means some external server, not yours, right?

Are you able to connect to the same server from another place?

Did you try connecting via telnet instead of via your local mail client?
 
Here is the output from when the problem occurred.

192.168.1.99 is the internal network address of my PC. 10.0.0.150 is the IP of my modem.

The server is still accessible when this problem occurs.
 
I don't see the point of these, but this is irrelevant to your problem:

Code:
# allow all traffic from internal network to internal interface
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

Now, you might want to check your external router for CRC errors. You might also want to expand the ICMP types to { echorep, echoreq, timex, paramprob, unreach code needfrag }. Finally, you can try to measure your packet loss in general.
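For reference, this is what the suggested ICMP expansion looks like when applied to the pf.conf posted at the top of the thread. It is an added example, not any poster's own configuration; it reuses the macro and rule names from that post and otherwise assumes nothing about the gateway.

```pf
# Macros as in the posted configuration (assumed unchanged)
int_if = "em0"
ext_if = "fxp0"

# Original setting: only echo requests are let in. ICMP error messages
# that upstream routers send back, such as "destination unreachable,
# fragmentation needed", are then dropped by "block all".
# icmp_types = "echoreq"

# Expanded list as suggested in the thread: echo reply and request,
# time exceeded, parameter problem, and destination-unreachable with
# code "needfrag". The last one is what path MTU discovery depends on;
# a host that never sees it keeps retransmitting full-size segments and
# the connection stalls after the small initial exchange.
icmp_types = "{ echorep, echoreq, timex, paramprob, unreach code needfrag }"

# The ICMP rule itself stays as posted; only the macro expansion changes
pass in inet proto icmp all icmp-type $icmp_types keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` then shows the rule with the list expanded, and `pfctl -ss | grep 993` (as asked above) shows whether the IMAP-SSL states are being created at all while the client is hanging.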
 