PF server ntpd error

I have used OS/2 Weasel for a mail server (for a week), Plan 9 upas for mail (for a week), Sendmail (egad!) and OpenSMTPD. I would recommend OpenSMTPD. Everyone has their own opinion of what is best and what they prefer, but the syntax for OpenSMTPD is easy to read. And you don't need a 1400 page "Bat book" for it (reference to the O'Reilly Sendmail book).

This is my current smtpd.conf for OpenSMTPD on OpenBSD. I think there is still a FreeBSD port.
Code:
queue compression
queue encryption key 44d1ee9dd2f0a54e4a6c21bd24b2c2d1
# pki setup
pki mail.myname.email certificate "/etc/ssl/mail.myname.email.crt"
pki mail.myname.email key "/etc/ssl/private/mail.myname.email.key"
pki mail.business.com certificate "/etc/ssl/mail.business.com.crt"
pki mail.business.com key "/etc/ssl/private/mail.business.com.key"
# tables setup
table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
table users file:/etc/mail/users
table secrets file:/etc/mail/secrets
table blacklist-recipients file:/etc/mail/blacklist-recipients
# listen ports setup
listen on lo0
#listen on egress port 25
#listen on egress port 587 tls-require pki mail.myname.email auth <secrets>
listen on egress port 25 tls auth-optional <secrets> hostname mail.myname.email
listen on egress port 587 tls-require auth <secrets> hostname mail.myname.email
# allow local messages
#accept from local for local alias <aliases> deliver to maildir "/var/mail/%{user.username}/Inbox"
accept recipient ! <blacklist-recipients> from local for local alias <aliases> deliver to mbox
# allow virtual domains
accept from any recipient ! <blacklist-recipients> for domain <domains> \
    virtual <users> deliver to maildir "/var/mail/%{user.username}/Inbox"
# allow outgoing mails
accept from local for any relay
BTW, should I consider OpenSMTPD as opposed to Postfix?
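Two things worth checking before putting a configuration like the one above into service: that smtpd accepts it (smtpd's -n flag is a parse-only check, like pfctl -n), and that the files holding secrets (smtpd.conf itself because of the queue encryption key, the credentials table and the TLS private keys) are not readable by group or other. The script below is an added example, not part of this post; the paths default to the ones the config references and can be overridden from the environment.

```shell
#!/bin/sh
# Pre-flight checks for an OpenSMTPD setup like the one in the post above.
# Added example; paths are assumptions taken from that smtpd.conf and can be
# overridden with CONF=... and SMTPD=... in the environment.
CONF="${CONF:-/etc/mail/smtpd.conf}"
SMTPD="${SMTPD:-smtpd}"

# private_enough FILE: succeed only if FILE exists and has no group or other
# permission bits set (0600 or stricter).  The mode is read from ls(1)
# output, which looks the same on FreeBSD, OpenBSD and Linux.
private_enough() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# check_private_files FILE...: apply private_enough to each argument, name
# the offenders on stderr and return how many failed (0 means all good).
check_private_files() {
    bad=0
    for f in "$@"; do
        if private_enough "$f"; then
            echo "ok   $f" >&2
        else
            echo "FAIL $f is missing or readable by group/other" >&2
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# config_test: parse-only check of the configuration (smtpd -n).  No daemon
# is started and nothing is delivered.
config_test() {
    "$SMTPD" -n -f "$CONF"
}

# The files that carry secrets in the configuration above: the config itself
# (queue encryption key), the credentials table and the TLS private keys.
main() {
    config_test || return 1
    check_private_files "$CONF" /etc/mail/secrets \
        /etc/ssl/private/mail.myname.email.key \
        /etc/ssl/private/mail.business.com.key
}

# Run the checks only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as root with `sh smtpd-check.sh --run`; the exit status is 0 only when the config parses and every listed file is private. Adjust the list in main to whatever your own smtpd.conf references.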
 
Actually, you shouldn't. As I said before, pf handles ICMP error responses in a smart way so you don't have to take care of that manually. From pf.conf(5):
Code:
     Furthermore, correct handling of ICMP error messages is critical to many
     protocols, particularly TCP.  pf(4) matches ICMP error messages to the
     correct connection, checks them against connection parameters, and passes
     them if appropriate.  For example if an ICMP source quench message
     referring to a stateful TCP connection arrives, it will be matched to the
     state and get passed.
The only ICMP message you should allow by explicit filter rules is ICMP echo request, provided you actually want your machine to be able to ping/be pinged.
I'm not sure that would work for UDP traffic, and in the case of intermediate routers, like say a machine doing NAT for multiple jails. In any case, no offense, but I'm going to take Peter N. M. Hansteen's word over yours:

There is nothing to gain from that, as keep state is the default behaviour for pass rules:
Code:
     pass  The packet is passed; state is created unless the no state option
           is specified.
Good to know. That behavior was added in OpenBSD 4.1. I'm showing my age.
 
Ok, it turns out the syntax error is because I needed a blank line at the end.
But, I am still locking myself out, even with these simple rules. Hmm!
It is not because there is a switch between the Windows computer and the router, whereas the server is connected directly to the router, is it?
 
My apologies, it worked beautifully, I had left out the line for the ports. Sorry, got distracted there for a minute.
The problem then was just that I needed one blank line at the end.
And I have read what every single one of you has said.
I will post a final solution along with my topology here for anyone else who has a similar situation in the future.
Thank you all, Sys Admins are THE BEST!
 
Alrighty then, these are the rules that are allowing me to get into my FreeBSD box from my Windows machines within my LAN. (Please note there needs to be a blank line at the very bottom of pf.conf, otherwise you get a syntax error message.):
Code:
# macros
ext_if="e0"

tcp_services="{ 80, 443 }"
adm_services="{ 22, 3306, 10000, 11000 }"
icmp_types="echoreq"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
#nat on $ext_if inet from !($ext_if) -> ($ext_if:0)

# filter rules
block in
block drop in quick on $ext_if inet proto tcp from 212.166.54.0/24 to any

pass out

antispoof quick for { lo }

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
pass in on $ext_if inet proto tcp from any to ($ext_if) port $adm_services
pass in inet proto icmp all icmp-type $icmp_types

This is my topology:
[Attached image: Network topology.jpg]
Kindly comment.
 
But, I am still locking myself out, even with these simple rules. Hmm!
Tips from the trenches:

Write your new rules to /etc/pf.conf.new, for example. Then on the command line use something like this: pfctl -f /etc/pf.conf.new && sleep 60 && pfctl -f /etc/pf.conf
This will load the ruleset from /etc/pf.conf.new, sleep for 60 seconds, then load /etc/pf.conf again. In those 60 seconds you can test your new rules; if you happen to lock yourself out, wait the 60 seconds and your original ruleset is loaded again, allowing access again. Set the timer to 120 or 180 if you need more time to test.

Prevent syntax errors by loading the rules with pfctl -nf /etc/pf.conf. This will only check the rules for validity, it doesn't apply them.
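The two tips above combine naturally into one small script: syntax-check the candidate file first, load it, wait, and restore the known-good file. The version below is an added example, not part of this post. It also ignores SIGHUP so that, if the SSH session is dropped during the test window, the rollback still runs instead of dying with the shell. The PFCTL variable is an assumption made so the logic can be exercised without pf present.

```shell
#!/bin/sh
# Lock-out-safe pf reload, added as an example (not from the post above).
# Wraps "pfctl -f new && sleep N && pfctl -f old" in a function that first
# syntax-checks the candidate ruleset and survives a hung-up terminal.
PFCTL="${PFCTL:-pfctl}"    # assumption: overridable to test without pf

# check_rules FILE: parse-only check (pfctl -n); nothing is loaded.
check_rules() {
    "$PFCTL" -nf "$1"
}

# safe_reload NEW OLD [SECONDS]: load NEW, keep it for SECONDS (default 60),
# then load OLD again regardless of what happened to the terminal meanwhile.
# Returns 1 without touching pf when NEW does not parse.
safe_reload() {
    new="$1"; old="$2"; secs="${3:-60}"
    if ! check_rules "$new"; then
        echo "syntax error in $new, nothing loaded" >&2
        return 1
    fi
    # Ignore SIGHUP: if the SSH session that started us is cut off, the
    # shell and the sleep below would otherwise be killed before the
    # known-good ruleset is restored.  Children inherit the ignore.
    trap '' HUP
    "$PFCTL" -f "$new" || return 1
    echo "loaded $new; $old comes back in $secs seconds" >&2
    sleep "$secs"
    "$PFCTL" -f "$old"
}

# Typical use: sh pf-try.sh /etc/pf.conf.new /etc/pf.conf 120
if [ $# -ge 2 ]; then
    safe_reload "$@"
fi
```

If the new rules work, copy /etc/pf.conf.new over /etc/pf.conf before the timer runs out (or reload afterwards). One caveat when judging the result: pfctl -f replaces the ruleset but does not flush existing states, so the SSH session you are testing from usually stays up either way; open a fresh connection to see what the new rules actually allow.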
 
I find myself stuck once more.
Because I have not been able to achieve full functionality of my OpenEMR application in nginx, I have set up a second instance of it with Apache 2.4 as the httpd server in a 12.1-RELEASE jail. My question is now two-fold:
1. Does the Apache jail need to have an IP address in a different subnet from the host machine, and if so, can I choose for example 192.168.0.9/24 (again, my host being 192.168.1.10, default router: 192.168.1.1)?
2. How do I now tell my host PF firewall to direct traffic to and from the jail? When I try to access the jail's server (from the address bar of a Windows computer within the LAN), it gets sent to the main host's nginx server instead (hence, I know my networking is messed up).

TIA
 
It's better to open a new thread for this problem and describe how your jail network is set up inside the host.
 