ipfw can't send mail

I started switching from pf to ipfw, so far so good, but here's my problem: I can't send mail to outside my server.

Code:
# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
EFDFC9213       710 Thu Mar 25 20:43:21  aldis@bsdroot.lv
                    (connect to 127.0.0.1[127.0.0.1]:10025: Permission denied)
                                         killasmurf86@gmail.com

-- 1 Kbytes in 1 Request.
In this message you can see that Postfix wants to connect to the ClamAV antivirus; it then should send the mail.

Here's (what I think is) the relevant part of the ipfw rules:
Code:
#!/bin/sh
cmd="/sbin/ipfw -q"


$cmd flush

# setup loopback
$cmd add 00010 allow ip from 127.0.0.0/8 to 127.0.0.0/8 via lo0
$cmd add 00020 deny ip from any to 127.0.0.0/8
$cmd add 00030 deny ip from 127.0.0.0/8 to any

$cmd add 00060 check-state

$cmd add 00500 allow tcp from $root_ip to any smtp,submission out via $e_if keep-state


I tried many different combos related to loopback, but I can't figure this out. Any ideas?
If you need more info, let me know.


Should I mention that it works if ipfw is off?
 
$root_ip and $e_if are not defined in your script, so your rule #500 won't work.

Why do you use local loopback ip for smtp use instead of lan or wan ip?

You can comment out all rules and add "allow all from any to any" so that you can test variations before this rule. Is your ipfw set to open or closed?
 
They are defined; I simply showed the relevant part. The whole script is about 50 lines.
I think it's set to closed....
I will try your suggestion about allowing any to any [heck, why didn't I think of this :D] tomorrow. Tonight it's late.
 
When I remove this:
Code:
# setup loopback
$cmd add 00010 allow ip from 127.0.0.0/8 to 127.0.0.0/8 via lo0
$cmd add 00020 deny ip from any to 127.0.0.0/8
$cmd add 00030 deny ip from 127.0.0.0/8 to any

and add:
Code:
$cmd add 00010 allow ip from me to me
postfix can send mail
 
Change rule 10 to be just:
Code:
allow ip from any to any via lo0

You want to allow everything over the loopback device, otherwise a lot of things will fail. :)
 
Hi,

I'm currently having a similar problem. Please see my ipfw list below:

Code:
00010 allow ip from any to any via lo0
00015 check-state
00100 allow tcp from x.y.z.254 to x.y.z.164 dst-port 22 via vtnet0 setup keep-state
00101 allow tcp from x.y.z.164 22 to any via vtnet0 setup keep-state
00110 allow udp from any to any dst-port 53 via vtnet0
00120 allow { udp or tcp } from any to any dst-port 25,113,465 out keep-state
00130 allow log tcp from any to any dst-port 25,465 in
65535 deny ip from any to any

Yet I'm unable to send mail to localhost nor to outside network. When I turn off the firewall, email could be sent to localhost. Any advice?

Thx
 
smoofy said:
Hi,
I'm currently having similar problem. Please see my ipfw list below:

Code:
00010 allow ip from any to any via lo0
00015 check-state
00100 allow tcp from x.y.z.254 to x.y.z.164 dst-port 22 via vtnet0 setup keep-state
00101 allow tcp from x.y.z.164 22 to any via vtnet0 setup keep-state
00110 allow udp from any to any dst-port 53 via vtnet0
00120 allow { udp or tcp } from any to any dst-port 25,113,465 out keep-state
00130 allow log tcp from any to any dst-port 25,465 in
65535 deny ip from any to any

Yet I'm unable to send mail to localhost nor to outside network. When I turn off the firewall, email could be sent to localhost. Any advice?

Thx
You forgot keep-state on rule 130. Currently, it will allow packets in on port 25 and 465, but it won't allow any communication going out from those ports.
 
Thanks for the reply, great point. But still, that would make sense for outgoing connections only, right? The rule has nothing to do with communication on localhost, which is how locally sent email is handled, or am I wrong?
I thought that this line:

Code:
00010 allow ip from any to any via lo0

means that all communication on loopback is allowed, and therefore even locally sent mail. And as I said before, when IPFW is stopped, mail arrives normally.
 
SYN packets are allowed to pass in through your firewall to port 25. ACK (or SYN/ACK) from port 25 to whatever port the connection was initialized from, is blocked by the catch-all deny rule. This makes the connection fail to establish.

Therefore, you either need keep-state, or add some other rule which allows traffic from port 25 on your host to anyone, on any interface.
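The two fixes the thread arrives at (allow everything via lo0, and put keep-state on the inbound SMTP rule so the SYN/ACK from port 25 is matched by check-state instead of the catch-all deny) combined into one complete ruleset. This is an added example, not a script posted in the thread; the interface vtnet0, the addresses 192.0.2.10 / 192.0.2.254 (TEST-NET-1) and the variable names are placeholders to be replaced before use. The rules are emitted in ipfw file syntax so they can be syntax-checked with `ipfw -n` before being loaded:

```shell
#!/bin/sh
# Added example, not from the thread. Assumed (hypothetical) values:
# external interface, its address, and the one host allowed to ssh in.
ext_if="${EXT_IF:-vtnet0}"
ext_ip="${EXT_IP:-192.0.2.10}"          # placeholder, TEST-NET-1
admin_ip="${ADMIN_IP:-192.0.2.254}"     # placeholder, TEST-NET-1

# Print the rules in "ipfw file" syntax: one command per line, no leading
# "ipfw", '#' starts a comment. Load with 'ipfw -q file' or check with 'ipfw -n'.
ruleset() {
    cat <<EOF
flush
# Everything over loopback. Postfix talking to the content filter on
# 127.0.0.1:10025, local delivery and the resolver all go through lo0;
# a 127/8-only match plus deny rules is what broke local mail in the thread.
add 00010 allow ip from any to any via lo0
# Anti-spoofing: 127/8 must never appear on the wire.
add 00020 deny ip from any to 127.0.0.0/8 in via $ext_if
add 00030 deny ip from 127.0.0.0/8 to any in via $ext_if
# Dynamic rules created by keep-state are matched here, before the static
# rules below, so reply packets never reach the final deny.
add 00060 check-state
# Inbound ssh from the admin host only.
add 00100 allow tcp from $admin_ip to $ext_ip 22 in via $ext_if setup keep-state
# Outbound DNS; keep-state admits the reply.
add 00110 allow udp from $ext_ip to any 53 out via $ext_if keep-state
# Outbound mail: smtp, submission, smtps.
add 00120 allow tcp from $ext_ip to any 25,587,465 out via $ext_if setup keep-state
# Inbound mail. "setup" matches only SYN packets; "keep-state" creates the
# dynamic entry that lets the SYN/ACK from port 25 back out. Without it the
# SYN is accepted, the SYN/ACK hits the catch-all deny, and the handshake fails.
add 00130 allow log tcp from any to $ext_ip 25,465 in via $ext_if setup keep-state
# Explicit catch-all (the built-in rule 65535 is deny on a "closed" kernel).
add 65000 deny log ip from any to any
EOF
}

# Write the rules to a temp file and hand it to ipfw. -n checks syntax only
# (-f suppresses the "Are you sure?" prompt that flush would otherwise raise);
# -q loads for real and implies -f.
run_ipfw() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/ipfw.XXXXXX") || return 1
    ruleset > "$tmp"
    /sbin/ipfw "$@" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
check_ruleset() { run_ipfw -n -f; }
apply_ruleset() { run_ipfw -q; }

case "${1:-print}" in
    print) ruleset ;;
    check) check_ruleset ;;
    apply) apply_ruleset ;;
    *) echo "usage: $0 [print|check|apply]" >&2; exit 64 ;;
esac
```

Run it with `check` on the host first; `ipfw -n` parses every line without touching the kernel, which catches typos such as the undefined $root_ip/$e_if from the first post (they expand to nothing and the rule fails to parse). Apply it from the console or with a fallback scheduled, since `flush` drops the rule that is keeping your ssh session alive.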
 