I have noticed an odd thing. I think someone else reported this
a while back...but using pf with synproxy like this:
    pass in quick on $EXT_INT proto tcp from any to $SERVERS port 25 flags S/SA synproxy state
..causes issues. What I see are tons of rejects in pflog all relating
to yahoo email servers (big surprise here).
Now, if I change 'synproxy' to 'modulate' - things work fine as expected.
So..........I was wondering if anyone has a workaround on how to deal
with 'yahoo'. So far, from installing pf - 'yahoo' is the only
*legit* system I have seen that is not working with synproxy.
I enjoy this feature however, as I am seeing a lot of cable modem IPs
that are failing with synproxy...so I would like to continue to use it.
Yahoo seems to use smtp servers all over the map...they don't just
have 1 or 2 netblocks that I could permit via modulate state ahead of
synproxy state rules.
Any thoughts on this? - I don't consider it a bug at all, but was
wondering if/how anyone is dealing with this.
I think this is a decent feature to have and use - if I can find a workaround.
Perhaps a table or something, but I may not be able to locate all of
the yahoo mail server IPs.
Thanks in advance for any tips.
-JD
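
The workaround floated in the post above (a table of exempted senders matched by a modulate state rule ahead of the synproxy state rule), as an added pf.conf sketch that is not part of the original message. The table name, file path, interface name and addresses are assumptions; only $EXT_INT, $SERVERS and the options of the two rules come from the post.

```conf
# Constructed values for illustration; substitute your own.
EXT_INT = "fxp0"
SERVERS = "192.0.2.25"          # documentation address, not a real server

# Hypothetical table of sending hosts that fail the synproxy handshake.
# 'persist' keeps the table even when no rule references it; 'file' loads
# one address or CIDR block per line when the ruleset is loaded.
table <smtp_nosynproxy> persist file "/etc/pf.smtp_nosynproxy"

# Order matters: both rules use 'quick', so the first match wins.
# Exempted senders get modulate state and never reach the synproxy rule.
pass in quick on $EXT_INT proto tcp from <smtp_nosynproxy> to $SERVERS port 25 \
    flags S/SA modulate state

# Everyone else still has the TCP handshake completed by pf before the
# connection is handed to the mail server.
pass in quick on $EXT_INT proto tcp from any to $SERVERS port 25 \
    flags S/SA synproxy state

# The table can be maintained without reloading the ruleset:
#   pfctl -t smtp_nosynproxy -T add 198.51.100.0/24
#   pfctl -t smtp_nosynproxy -T show
```

Entries for the table have to come from observation, such as the sources of the rejected port 25 connections in pflog, since the post notes the sender's netblocks are not known in advance.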