Problems with pf blocking smtp

I have been trying to get this to work for hours, but I just can't get it to work. pf blocks the emails going out with this config. Can anyone see what is wrong?

Code:
SYN_ONLY="S/FSRA"
EXT_NIC="em0"
INT_NIC="em0"

EXT_IP="Removed"

block all

pass in log quick on $EXT_NIC proto TCP from any to $EXT_IP port 22 keep state
pass in log quick on $EXT_NIC proto TCP from any to $EXT_IP port 80 keep state
pass in log quick on $EXT_NIC proto TCP from any to $EXT_IP port 443 keep state

pass in log on $EXT_NIC proto TCP from any to any port 25
pass out log on $EXT_NIC proto TCP from any to any port 25

pass in quick on lo0 all
pass out quick on lo0 all
 
My first suggestion was stateful filtering, then I glanced at the packet filter guide (I'm more of an ipfilter guy) and stateful filtering is implied, so we can scratch that idea.

Even so, I'd suggest trying to use telnet to contact the remote SMTP server manually using $ telnet [host] 25. That way you can see for yourself what's happening; your box should be able to contact the remote, but do you also see any response data?
 
sam0016 said:
If I add this in it works.

Code:
pass out log quick on $EXT_NIC proto icmp all keep state
Then my suggestion would be correct, but it makes little sense because the packet filter guide explicitly states that all pass rules create a state entry (see the state section of that guide).

As such something doesn't add up here.

Glad to hear you managed to solve it though; happens to all of us. Just after you asked for help you finally see the problem :e
 
ShelLuser said:
Then my suggestion would be correct, but it makes little sense because the packet filter guide explicitly states that all pass rules create a state entry (see the state section of that guide).

As such something doesn't add up here.

Glad to hear you managed to solve it though; happens to all of us. Just after you asked for help you finally see the problem :e

I changed it to this and it is still working, but it is now not blocking anything on other ports :)

Code:
pass out log on $EXT_NIC proto UDP from $EXT_IP to any port 53

Never mind, I forgot to re-enable pf :) It's been a long day; it's working now though.
 
If you want to allow outgoing mail this should do it:

Code:
pass out log quick on $EXT_NIC proto TCP from any to any port 25

You can delete those rules for allowing loopback lo0 traffic by using:
Code:
set skip on lo0
at the beginning of your rule set.

You can view the blocked traffic if you use:

Code:
block log all

and run tcpdump on the pflog0 device:

Code:
# tcpdump -tttt -eni pflog0
2013-04-19 21:16:48.767552 rule 16..16777216/0(match): block in on re0:
    74.9.218.18.11727 > myserverip.1080: Flags [S], seq 3193498077,
    win 65535, options [mss 1380,nop,nop,sackOK], length 0

2013-04-19 21:16:48.908457 rule 16..16777216/0(match): block in on re0:
    74.9.218.18.11728 > myserverip.1080: Flags [S], seq 3435152698,
    win 65535, options [mss 1380,nop,nop,sackOK], length 0

2013-04-19 21:20:50.465815 rule 16..16777216/0(match): block in on re0:
    81.94.201.44.53145 > myserverip.445: Flags [S], seq 1722286079,
    win 512, length 0

These blocked connection attempts are probes for:
Code:
$ egrep '1080|445' /etc/services

microsoft-ds    445/tcp                         # Microsoft-DS
microsoft-ds    445/udp                         # Microsoft-DS
socks           1080/tcp                        # Socks

You also can run tcpdump on the /var/log/pflog file:

# tcpdump -tttt -enr /var/log/pflog
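To turn the pflog output shown above into something you can act on (which ports are being probed, how often, and by what service name), here is an added shell example that is not part of the thread. It re-joins log entries that were wrapped onto continuation lines (as the forum did), keeps only the "block in" entries, and counts them per destination port, resolving the port through a services table. The log lines, the 192.0.2.10 server address and the services subset are constructed samples modeled on the post; on a real box you would pipe `tcpdump -tttt -enr /var/log/pflog` into `blocked_in_by_port` and read /etc/services instead of the embedded table.

```shell
#!/bin/sh
# Added example (not from the thread): summarize blocked inbound connection
# attempts from pflog tcpdump output by destination port and service name.

# Constructed sample of `tcpdump -tttt -eni pflog0` output. The second entry is
# wrapped onto continuation lines (leading whitespace), as in the forum post;
# the last entry is a passed outbound SMTP connection and must be ignored.
PFLOG_SAMPLE='2013-04-19 21:16:48.767552 rule 16..16777216/0(match): block in on re0: 74.9.218.18.11727 > 192.0.2.10.1080: Flags [S], seq 3193498077, win 65535, options [mss 1380,nop,nop,sackOK], length 0
2013-04-19 21:16:48.908457 rule 16..16777216/0(match): block in on re0:
  74.9.218.18.11728 > 192.0.2.10.1080: Flags [S], seq 3435152698,
   win 65535, options [mss 1380,nop,nop,sackOK], length 0
2013-04-19 21:20:50.465815 rule 16..16777216/0(match): block in on re0: 81.94.201.44.53145 > 192.0.2.10.445: Flags [S], seq 1722286079, win 512, length 0
2013-04-19 21:21:02.100000 rule 3/0(match): pass out on re0: 192.0.2.10.40001 > 198.51.100.25.25: Flags [S], seq 1, win 65535, length 0'

# Constructed subset of /etc/services used for the port-to-name lookup.
SERVICES_SAMPLE='microsoft-ds    445/tcp                         # Microsoft-DS
microsoft-ds    445/udp                         # Microsoft-DS
socks           1080/tcp                        # Socks
smtp            25/tcp     mail'

# join_wrapped: glue continuation lines (those starting with whitespace) onto
# the preceding entry so that every log entry occupies exactly one line.
join_wrapped() {
    awk '
        /^[ \t]/ { sub(/^[ \t]+/, " "); line = line $0; next }
        NR > 1   { print line }
                 { line = $0 }
        END      { if (line != "") print line }
    '
}

# blocked_in_by_port: read pflog text on stdin and print "<port> <service> <count>"
# for every destination port seen in "block in" entries, most frequent first.
blocked_in_by_port() {
    join_wrapped | awk -v services="$SERVICES_SAMPLE" '
        BEGIN {
            # build port -> name map from the tcp lines of the services table
            n = split(services, rows, "\n")
            for (i = 1; i <= n; i++) {
                split(rows[i], f, /[ \t]+/)
                split(f[2], pp, "/")
                if (pp[2] == "tcp") name[pp[1]] = f[1]
            }
        }
        /\(match\): block in / {
            # the destination is the token after ">", written as ip.port:
            for (i = 1; i <= NF; i++) if ($i == ">") dst = $(i + 1)
            sub(/:$/, "", dst)
            m = split(dst, a, ".")
            count[a[m]]++
        }
        END {
            for (p in count)
                printf "%s %s %d\n", p, (p in name ? name[p] : "unknown"), count[p]
        }
    ' | sort -k3,3nr -k1,1n
}

# Run on the constructed sample; prints:
#   1080 socks 2
#   445 microsoft-ds 1
printf '%s\n' "$PFLOG_SAMPLE" | blocked_in_by_port
```

The "pass out" entry is skipped on purpose: only entries matching a block rule are probes worth counting, and the outbound SMTP connection is exactly the traffic the thread was trying to allow.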
 