On Thu, Nov 17, 2005 at 11:37:55AM +0100, Raphael GRUNDRICH wrote:

> Can you say to me why the best I can have is :
> PROXY:DST (pfctl -ss)
>
> shouldn't I get
> ESTABLISHED:ESTABLISHED
> like a www,ssh, .. connection ?
That means you're using synproxy, and that pf has completed the TCP handshake with the client and is now trying to replay the handshake with the server. That explains why the client thinks it's connected, then just times out. For some reason, the server is not replying to the TCP SYN of the replayed handshake from pf (or never gets the SYN in the first place).

A quick first guess would be that the IMAP server is not routing its replies through the pf box (i.e. the default gateway setting on the IMAP server is wrong). If that's not it, you'll have to debug. Run tcpdump on the internal interface of the pf box and capture all packets related to one connection attempt. Depending on whether you see the SYN leave and the SYN+ACK come back, there are several things that might be going wrong.

In general, don't debug with synproxy. Use plain keep state until everything works, then enable synproxy. It just adds additional complexity to debugging.

This might appear to be related to the IMAP protocol, but since it's the handshake failing, the protocol itself is not involved yet. So, one test would be to run some other TCP service on the same box and see whether that works. That tells you whether it's a generic TCP problem or indeed something related to IMAP. If some other TCP service is working on some OTHER local server, that might equally provide a hint that there's something wrong with that particular server.

Daniel
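The comparison Daniel suggests (IMAP states stuck at PROXY:DST while other TCP services on the same or another server reach ESTABLISHED:ESTABLISHED) can be read straight off `pfctl -ss` output. The following is an added example, not code from the thread or from the pf project: it parses state-table lines, flags the synproxy entries whose server-side handshake never completed, and summarises them per server endpoint so a generic TCP problem and a single failing service look different. The sample lines are constructed, not captured from a real box, and the assumed column layout (interface, protocol, address pair with a direction arrow, then the SRC:DST state pair, with the left-hand address being the local server for an inbound `<-` state) is an assumption about the `pfctl -ss` format.

```python
"""Classify pf state-table entries by TCP handshake progress.

Added example, not from the mailing-list thread. Field layout of `pfctl -ss`
output is assumed to be: interface, proto, addr:port, arrow, addr:port, and
a SRC:DST state pair such as PROXY:DST or ESTABLISHED:ESTABLISHED.
"""
import re
from collections import defaultdict

# Constructed sample of `pfctl -ss` output (not captured from a real system).
# Two IMAP attempts are stuck at PROXY:DST; ssh and www are fully established.
SAMPLE_PFCTL_SS = """\
all tcp 192.168.1.10:143 <- 10.0.0.5:51234       PROXY:DST
all tcp 192.168.1.10:143 <- 10.0.0.5:51236       PROXY:DST
all tcp 192.168.1.10:22 <- 10.0.0.5:51240       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.10:80 <- 10.0.0.7:40001       ESTABLISHED:ESTABLISHED
all udp 192.168.1.10:53 <- 10.0.0.7:40002       SINGLE:MULTIPLE
No ALTQ support in kernel
"""

STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)\s+(?P<arrow><->|<-|->)\s+"
    r"(?P<right>\S+)\s+(?P<src_state>[A-Z_]+):(?P<dst_state>[A-Z_]+)$"
)


def parse_states(text):
    """Return one dict per parsable state line; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def server_endpoint(entry):
    """Assumption about the layout: for an inbound state ("<-") the left-hand
    address is the local destination (the server); for an outbound state ("->")
    the destination is on the right."""
    return entry["left"] if entry["arrow"] == "<-" else entry["right"]


def synproxy_stuck(entries):
    """TCP states where synproxy finished the client-side handshake (PROXY) but
    the replayed handshake with the server never completed (DST)."""
    return [e for e in entries
            if e["proto"] == "tcp"
            and e["src_state"] == "PROXY" and e["dst_state"] == "DST"]


def per_server_summary(entries):
    """Count stuck vs. established TCP states per server address:port."""
    summary = defaultdict(lambda: {"stuck": 0, "established": 0, "other": 0})
    for e in entries:
        if e["proto"] != "tcp":
            continue
        bucket = summary[server_endpoint(e)]
        if e["src_state"] == "PROXY" and e["dst_state"] == "DST":
            bucket["stuck"] += 1
        elif e["src_state"] == "ESTABLISHED" and e["dst_state"] == "ESTABLISHED":
            bucket["established"] += 1
        else:
            bucket["other"] += 1
    return dict(summary)


def handshake_failing_servers(entries):
    """Server endpoints that only ever reach PROXY:DST. If every TCP service on
    the box lands here it is a generic routing/TCP problem; if only one port
    does, look at that service's host."""
    return sorted(ep for ep, b in per_server_summary(entries).items()
                  if b["stuck"] > 0 and b["established"] == 0)


if __name__ == "__main__":
    states = parse_states(SAMPLE_PFCTL_SS)
    for ep, counts in sorted(per_server_summary(states).items()):
        print(f"{ep:22s} stuck={counts['stuck']} established={counts['established']}")
    print("handshake failing:", handshake_failing_servers(states))
```

On a live system the input would be the output of `pfctl -ss` piped into `parse_states`; the constructed sample reproduces the situation in the thread, where only port 143 is stuck while ssh and www on the same server are established, which points at the IMAP service rather than at routing through the pf box.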