Hello,
I'm having strange happenings at a customer machine running Solaris 10+ipfilter+postfix.
I have a lot of similar installations that do not face this problem.
This is a Solaris 10 10/08 s10x_u6wos_07b X86 release, where I replaced the ipfilter binaries
with 4.1.30 through the "replace" utility coming with the sources (something I usually do on all my installations).
I started to find a lot of "lost connection after EHLO" inside postfix logs, from various sources.
After some examination on a specific IP source, I finally found many logs from ipfilter:
23/04/2009 16:38:01.644069 e1000g1 @0:14 b 89.96.239.179,25 -> 212.121.67.67,36480 PR tcp len 20 52 -A OUT OOW
23/04/2009 16:38:13.690033 e1000g1 @0:14 b 89.96.239.179,25 -> 212.121.67.67,36480 PR tcp len 20 255 -AFP OUT OOW
These are all answer packets coming from the server to the original source after its connection to port 25, and probably after that source issued the EHLO command.
There is no strange rule in ipf.conf that may block these kinds of packets, but the fact that I have these logs implies that ipfilter decided to block them. Why?
Here is the ipf.conf I use. Thanx for any help! :)
pass out quick on lo0 all
#Everything is safe on loopback and local network
pass in quick on lo0 all
pass out quick on e1000g0 all
pass in quick on e1000g0 all
#No private or strange packets from the inside to the outside
block out quick on e1000g1 from any to 192.168.0.0/16
block out quick on e1000g1 from any to 172.16.0.0/12
block out quick on e1000g1 from any to 127.0.0.0/8
block out quick on e1000g1 from any to 10.0.0.0/8
block out quick on e1000g1 from any to 0.0.0.0/8
block out quick on e1000g1 from any to 169.254.0.0/16
block out quick on e1000g1 from any to 192.0.2.0/24
block out quick on e1000g1 from any to 204.152.64.0/23
block out quick on e1000g1 from any to 224.0.0.0/3
#Pass anything from the public network to the Internet
#and keep state for reply packets to be accepted
pass out quick on e1000g1 from {public-ip}/32 to any keep state
#Pass NAT for LAN
#Comment out to enable
pass out quick on e1000g1 from {private-net}/24 to any keep state
#Block anything else going out
block out log quick on e1000g1 from any to any
#Block any spoofing or strange packet coming from the Internet
block in quick on e1000g1 from 192.168.0.0/16 to any
block in quick on e1000g1 from 172.16.0.0/12 to any
block in quick on e1000g1 from 10.0.0.0/8 to any
block in quick on e1000g1 from 127.0.0.0/8 to any
block in quick on e1000g1 from 0.0.0.0/8 to any
block in quick on e1000g1 from 169.254.0.0/16 to any
block in quick on e1000g1 from 192.0.2.0/24 to any
block in quick on e1000g1 from 204.152.64.0/23 to any
block in quick on e1000g1 from 224.0.0.0/3 to any
block in log quick on e1000g1 from 192.168.0.0/24 to any
block in log quick on e1000g1 from any to 192.168.0.0/32
block in log quick on e1000g1 from any to 192.168.0.255/32
#Permit normal ICMP (ping, traceroute) but not spoofed ICMP
pass in quick on e1000g1 proto icmp from any to {public-ip}/32 icmp-type 0
pass in quick on e1000g1 proto icmp from any to {public-ip}/32 icmp-type 11
block in log quick on e1000g1 proto icmp from any to any
#Permit specific services from the outside to public machines (ssh,smtp,http,https,imaps)
pass in quick on e1000g1 proto tcp from any to {public-ip}/32 port = 22
pass in quick on e1000g1 proto tcp from any to {public-ip}/32 port = 25
pass in quick on e1000g1 proto tcp from any to {public-ip}/32 port = 80
pass in quick on e1000g1 proto tcp from any to {public-ip}/32 port = 143
pass in quick on e1000g1 proto tcp from any to {public-ip}/32 port = 443
pass in quick on e1000g1 proto tcp from any to {public-ip}/32 port = 993
pass in quick on e1000g1 proto tcp from any to {public-ip}/32 port = 11194
#Permit outgoing ftp
pass in quick proto tcp from any to {public-ip}/32 port = ftp keep state
pass in quick proto tcp from any to {public-ip}/32 port = ftp-data keep state
pass in quick proto tcp from any port = ftp-data to {public-ip}/32 port > 1023 keep state
#Block anything else from the outside
block in log quick on e1000g1 from any to any
pass in all
Gabriele Bulfon - Sonicle S.r.l.
Tel +39 028246016 Int. 30 - Fax +39 028243880
Via Felice Cavallotti 16 - 20089, Rozzano - Milano - ITALY
http://www.sonicle.com
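A small diagnostic that does the lookup the post does by hand, added here as an example and not part of the original message or of ipfilter itself: it parses the two ipmon lines quoted above, numbers the posted ipf.conf the way ipfstat -io lists rules (in and out rules as separate lists, counted from 1 in file order; the assumption that no "group" keyword is in use, so every rule is in group 0, is mine), and prints which rule text the "@0:14" reference points at together with the trailing markers (TCP flags, IN/OUT, and OOW, ipmon's out-of-window marker). The inbound section of the ruleset is shortened in the embedded copy because only the order within each direction matters for the lookup.

```python
import re
from typing import Dict, List

# Constructed sample input: the two ipmon lines quoted in the post, with the
# mail wrapping undone so each record sits on one line.
IPMON_LOG = """\
23/04/2009 16:38:01.644069 e1000g1 @0:14 b 89.96.239.179,25 -> 212.121.67.67,36480 PR tcp len 20 52 -A OUT OOW
23/04/2009 16:38:13.690033 e1000g1 @0:14 b 89.96.239.179,25 -> 212.121.67.67,36480 PR tcp len 20 255 -AFP OUT OOW
"""

# Constructed sample ruleset: the posted ipf.conf with the inbound part
# shortened. Only the order of rules within each direction matters here.
IPF_CONF = """\
pass out quick on lo0 all
#Everything is safe on loopback and local network
pass in quick on lo0 all
pass out quick on e1000g0 all
pass in quick on e1000g0 all
#No private or strange packets from the inside to the outside
block out quick on e1000g1 from any to 192.168.0.0/16
block out quick on e1000g1 from any to 172.16.0.0/12
block out quick on e1000g1 from any to 127.0.0.0/8
block out quick on e1000g1 from any to 10.0.0.0/8
block out quick on e1000g1 from any to 0.0.0.0/8
block out quick on e1000g1 from any to 169.254.0.0/16
block out quick on e1000g1 from any to 192.0.2.0/24
block out quick on e1000g1 from any to 204.152.64.0/23
block out quick on e1000g1 from any to 224.0.0.0/3
pass out quick on e1000g1 from {public-ip}/32 to any keep state
pass out quick on e1000g1 from {private-net}/24 to any keep state
#Block anything else going out
block out log quick on e1000g1 from any to any
pass in quick on e1000g1 proto tcp from any to {public-ip}/32 port = 25
block in log quick on e1000g1 from any to any
pass in all
"""

# One ipmon record: timestamp, interface, @group:rule, action, endpoints,
# protocol, header/packet length, then a free tail (flags, IN/OUT, markers).
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) (?P<src>[^,]+),(?P<sport>\S+) -> (?P<dst>[^,]+),(?P<dport>\S+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)(?P<rest>.*)$"
)


def parse_ipmon_line(line: str) -> Dict[str, object]:
    """Split one ipmon record into fields. The tail tokens are sorted into
    TCP flags (start with '-'), the IN/OUT direction, and other markers
    such as OOW (packet fell outside the state entry's TCP window)."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ipmon line: {line!r}")
    rec: Dict[str, object] = m.groupdict()
    tokens = str(rec.pop("rest")).split()
    rec["direction"] = next((t for t in tokens if t in ("IN", "OUT")), "")
    rec["tcp_flags"] = [t for t in tokens if t.startswith("-")]
    rec["markers"] = [t for t in tokens if t not in ("IN", "OUT") and not t.startswith("-")]
    rec["group"] = int(str(rec["group"]))
    rec["rule"] = int(str(rec["rule"]))
    return rec


def number_rules(conf: str) -> Dict[str, List[str]]:
    """Number rules per direction the way ipfstat -io lists them: 'in' and
    'out' are separate lists, counted from 1 in file order. Assumption: the
    ruleset uses no 'group' keyword, so every rule belongs to group 0."""
    rules: Dict[str, List[str]] = {"IN": [], "OUT": []}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        action, direction = line.split()[:2]
        if action not in ("pass", "block") or direction not in ("in", "out"):
            raise ValueError(f"unexpected rule syntax: {raw!r}")
        rules[direction.upper()].append(line)
    return rules


def explain(log_text: str, conf: str) -> List[Dict[str, object]]:
    """For each logged packet, attach the text of the rule that logged it."""
    rules = number_rules(conf)
    result = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_ipmon_line(line)
        chain = rules[str(rec["direction"])]
        idx = int(str(rec["rule"])) - 1
        rec["rule_text"] = chain[idx] if 0 <= idx < len(chain) else None
        result.append(rec)
    return result


if __name__ == "__main__":
    for r in explain(IPMON_LOG, IPF_CONF):
        print(f"{r['time']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
              f"{r['direction']} {' '.join(r['tcp_flags'])} {' '.join(r['markers'])}")
        print(f"   matched @{r['group']}:{r['rule']} -> {r['rule_text']}")
```

Against the posted ruleset the lookup lands on the 14th out rule, the final "block out log quick on e1000g1 from any to any", and both records carry the OOW marker; running the same script over the real ipmon output and the live ipf.conf is a quick way to confirm which rule is logging before changing anything.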