Hello all, I'm trying to debug my packet filtering rules. The problem is that messages sent from my internal network are not getting through to the SMTP host on my OpenBSD 3.8-CURRENT system.
The only output I'm getting from tcpdump is:

Feb 06 00:56:09.237698 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 74: 192.168.18.47.65248 > 192.168.19.242.25: S 3208584508:3208584508(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1838120409 0> (DF)
Feb 06 00:56:09.237735 0:a0:cc:65:ba:d0 0:3:93:eb:21:f2 0800 58: 192.168.19.242.25 > 192.168.18.47.65248: S 3124286715:3124286715(0) ack 3208584509 win 0 <mss 1460> (DF) [tos 0x10]
Feb 06 00:56:09.238491 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 60: 192.168.18.47.65248 > 192.168.19.242.25: . ack 1 win 65535 (DF)
Feb 06 00:56:09.954495 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 74: 192.168.18.47.65249 > 192.168.19.242.25: S 2319452229:2319452229(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1838120411 0> (DF)
Feb 06 00:56:09.954545 0:a0:cc:65:ba:d0 0:3:93:eb:21:f2 0800 58: 192.168.19.242.25 > 192.168.18.47.65249: S 2347749644:2347749644(0) ack 2319452230 win 0 <mss 1460> (DF) [tos 0x10]
Feb 06 00:56:09.955300 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 60: 192.168.18.47.65249 > 192.168.19.242.25: . ack 1 win 65535 (DF)

192.168.19.242 is the OpenBSD system. 192.168.18.47 is my laptop. Beyond that, I have no clue what this means. And all I know is that the SMTP logs on the OpenBSD system show no sign of contact.

On the laptop:

2006-02-06 00:56:08.528514500 starting delivery 812: msg 36185520 to remote [EMAIL PROTECTED]
2006-02-06 00:56:08.528522500 status: local 0/10 remote 3/20
2006-02-06 00:56:08.528523500 starting delivery 813: msg 36182781 to remote [EMAIL PROTECTED]
2006-02-06 00:56:08.528527500 status: local 0/10 remote 4/20
2006-02-06 01:00:39.530878500 delivery 810: deferral: Connected_to_192.168.19.242_but_connection_died._(#4.4.2)/
2006-02-06 01:00:39.530885500 status: local 0/10 remote 3/20

Both systems are running qmail. A copy of my /etc/pf.conf is attached.
--
David Benfell, LCP
[EMAIL PROTECTED]
---
Resume available at http://www.parts-unknown.org/

# $OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.
#ext_if="ext0"	# replace with actual external interface name i.e., dc0
ext_if="xl0"
#int_if="int0"	# replace with actual internal interface name i.e., dc1
int_if="dc0"
dmz_if="sf3"
pub_if="sf0"
lupin_if="sf1"
#internal_net="10.1.1.1/8"
internal_net="192.168.18.1/24"
external_addr="66.93.170.242"
routable_subnet="66.93.170.241/28"
dmz_net="192.168.19.0/24"
dmz_addr="192.168.19.242"
mta_ad = "192.168.19.242"
mta_pt = "25"
dhcp_net="192.168.20.0/24"
lupin_net="192.168.100.0/24"
public_admin_net="192.168.17.0/24"
starshine="216.240.40.161/27"
allowed_nets="{ $starshine, $dmz_net, $internal_net }"
trusted_external="{ 12.22.55.0/24 24.23.206.48/32 64.0.0.0/4 134.154.0.0/16 216.240.40.161/27 166.154.0.0/16 166.147.140.0/24 198.144.195.188/32 4.4.0.0/16 207.47.24.0/24 208.54.15.0/24 209.172.123.0/24 }"
# Doubletree King's Head Local CSU Hayward starshine.org Verizon Wireless
earth_ext="66.93.170.243"
earth_dmz="192.168.19.243"
earth_int="192.168.18.43"
dnscache="192.168.19.4"
kindling_ext="66.93.170.244"
kindling_int="192.168.19.244"
home_ext="66.93.170.245"
home_int="192.168.18.44"
raven_ext="66.93.170.246"
raven_int="192.168.18.45"
lair_ext="66.93.170.247"
lair_int="192.168.18.46"
thunder_ext="66.93.170.248"
thunder_int="192.168.18.47"
lupin_ext="66.93.170.254"
non_routable="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }"
macintoshes="{ $lair_ext, $lair_int, $thunder_ext, $thunder_int }"
linux_pcs="{ $dnscache, $kindling_ext, $kindling_int, $home_ext, $home_int, $raven_ext, $raven_int }"
auth_local="{ $lair_ext, $lair_int, $thunder_ext, $thunder_int \
$earth_ext, $earth_dmz, $dnscache, $kindling_ext, $kindling_int, $home_ext, $home_int, $raven_ext, $raven_int }"
lupin_router="192.168.100.1"
lupin_net="192.168.100.0/24"
dmz_services="port { smtp, pop3, http, ftp-data, ftp, domain, ntp }"
tcp_udp="proto { tcp, udp }"
in_out="{ in, out }"

# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 30, frag 10 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
set block-policy drop
#set block-policy return
#set require-order yes

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in from any to any
scrub in all

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
rdr on $ext_if proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
# block SMTP from Hotmail and other spammer networks
# hotmail.com
rdr on $ext_if proto tcp from 65.54/16 to any port smtp -> 127.0.0.1 port 8025
rdr on $ext_if proto tcp from 64.4/16 to any port smtp -> 127.0.0.1 port 8025
# prod-infinitum.com.mx
rdr on $ext_if proto tcp from 201.153.0.0/16 to any port smtp -> 127.0.0.1 port 8025
# voyager.net
rdr on $ext_if proto tcp from 216.93.66.0/24 to any port smtp -> 127.0.0.1 port 8025
#rdr on $ext_if proto tcp from any to any port smtp -> $mta_ad port $mta_pt
# FTP
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
#nat on $ext_if from $internal_net to any -> ($ext_if)
#binat on $ext_if from $earth_dmz to any -> $earth_ext
binat on $int_if from $earth_dmz to any -> $earth_int
binat on $ext_if from $home_int to any -> $home_ext
binat on $ext_if from $raven_int to any -> $raven_ext
binat on $ext_if from $lair_int to any -> $lair_ext
binat on $ext_if from $thunder_int to any -> $thunder_ext
#binat on $ext_if from $lupin_router to any -> 66.93.170.253
nat on $ext_if from $internal_net to any -> $external_addr
nat on $ext_if from $dhcp_net to any -> $external_addr
#nat on $ext_if from $lupin_net to any -> $lupin_ext

# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

# rdr NTP for the GPS time source to the internal network. Hopefully, this way,
# the time source will answer.
#rdr on $dmz_if $tcp_udp from any to 192.168.18.10/32 port ntp -> $earth_int

# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# spamd-setup puts addresses to be redirected into table <spamd>.
table <spamd> persist
no rdr on { lo0, lo1 } from any to any
rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
# redirect connections from spammers to spamd, all legitimate
# connections will not be redirected
#rdr on $ext_if inet proto tcp \
#from <spamd> to ($ext_if) port 25 -> 127.0.0.1 port 8025

# enable authpf rules
anchor "authpf/*"

# pass redirected connections to spamd listening on the local
# loop interface (lo0)
pass in log quick on lo0 inet proto tcp \
from <spamd> to 127.0.0.1 port 8025

#allow SMTP from internal network
pass in quick on $int_if inet proto tcp from any to $mta_ad port smtp flags S/SA synproxy state

# pass legitimate connections to port 25 on the
# external interface
pass in log quick on $ext_if inet proto tcp \
from any to ($ext_if) port 25 keep state
# only allow smtp to here, not to our real SMTP host
#block in log quick on $ext_if inet proto tcp from any to any port smtp
# redirect all legitimate connections to the real MTA
#rdr on $ext_if inet proto tcp \
#from any to ($ext_if) port 25 -> $mta_ad port $mta_pt

# block all incoming connections
block in log on $ext_if all

# pass redirected connections to spamd listening on the local
# loop interface (lo0)
pass in on lo0 inet proto tcp \
from <spamd> to 127.0.0.1 port 8025

#pass out on $dmz_if inet proto tcp \
#from any to $mta_ad port $mta_pt keep state

# Filtering: the implicit first two rules are
#pass in all
#pass out all

#block non-routable addresses from the outside routable world
#block in log quick on $ext_if from $non_routable to any
antispoof log quick for $ext_if
pass in log quick on lo0 from any to any
#antispoof log quick for $int_if inet
#antispoof log quick for $dmz_if inet

# block all incoming packets, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
#block in log from any to any
#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
#pass out on $ext_if $tcp_udp from any to any keep state
block in log from any to any
pass out log from any to any keep state

#allow pings
pass in log quick proto icmp from any to any
pass out log quick proto icmp from any to any

#allow ssh only within my network or to router
pass log proto tcp from any to any port ssh keep state
block in log on $ext_if proto tcp from any to any port ssh
pass in log quick on $ext_if proto tcp from any to $home_int port ssh keep state
pass in log quick on $ext_if proto tcp from any to $earth_int port ssh keep state

#allow ssh from trusted networks
pass in log quick on $ext_if proto tcp from $trusted_external to any port ssh keep state

#allow printing from trusted networks
pass in log quick on $ext_if proto tcp from $trusted_external to $lair_int port { 515, 631 } keep state

#allow dns cache inquiries to public dns cache
pass in quick on $ext_if inet proto udp from any to any port 53

#block ports used by W32.Blaster.Worm, per Speakeasy alert 12 Aug 2003
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port 134 >< 140
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port 445
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port 593

#block ports recommended by CERT
block in log quick on { $ext_if, $pub_if } inet proto udp from any to any port 69
block in log quick on { $ext_if, $pub_if } inet proto tcp from any to any port 87
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port 111
block in log quick on { $ext_if, $pub_if } inet proto tcp from any to any port 511 >< 516
block in log quick on { $ext_if, $pub_if } inet proto tcp from any to any port 540
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port 2000
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port 2049
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port 5999 >< 6064

#block ports recommended by Felix von Leitner
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port 5000
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port 1025

#allow non-privileged ports anywhere
pass log quick $tcp_udp from any to any port>1023 keep state
pass out log quick on $dmz_if proto tcp from any to any port>1023 keep state

#allow Tor services to router
pass in $tcp_udp from any to 192.168.18.1 port 9001 keep state
pass in $tcp_udp from any to 192.168.18.1 port 9030 keep state

#allow FTP to ftp-proxy
pass in on $ext_if inet proto tcp from port ftp-data to ($ext_if) user proxy flags S/SA

#allow DMZ services to DMZ
pass in log quick $tcp_udp from any to $dmz_net $dmz_services flags S/SA synproxy state
pass in log quick $tcp_udp from any to { $external_addr, $dmz_addr } port smtp flags S/SA synproxy state
pass in log quick $tcp_udp from any to { $external_addr, $dmz_addr } port domain keep state

#allow SMTP from earth to home
#pass in log quick proto tcp from $earth_dmz to $home_int port smtp keep state
#pass in log quick proto tcp from $earth_int to $home_int port smtp keep state

#allow internal access to DMZ
pass in log quick $tcp_udp from { $internal_net, $dmz_net } to { $internal_net, $dmz_net } keep state
pass out log quick $tcp_udp from { $internal_net, $dmz_net } to { $internal_net, $dmz_net } keep state

#allow Internet access here
#pass in log quick on { $dmz_if, $int_if, $pub_if, $lupin_if } from { $internal_net, $dmz_net, $dhcp_net $lupin_net } to any keep state
#pass in log quick on { $dmz_if, $int_if, $pub_if, $lupin_if } $tcp_udp from { $internal_net, $dmz_net, $dhcp_net $lupin_net } to any keep state
pass in log quick on { $dmz_if, $int_if, $pub_if } $tcp_udp from { $internal_net, $dmz_net, $dhcp_net } to any keep state
#block out log quick on $ext_if $tcp_udp from $lupin_net to any
#block in log quick on $ext_if $tcp_udp from any to $lupin_net

# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
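Added example, not part of the post or of OpenBSD: a small Python parser for tcpdump -e lines of the kind quoted in the post. It groups segments into flows and reports every connection whose three-way handshake completed without a single data byte following it, which is exactly what the trace and the silent SMTP log together describe. It also notes when the SYN-ACK carries window 0 and only an mss option; reading that as the reply pf generates itself when a synproxy state rule answers the SYN on the server's behalf is my interpretation of pf's behaviour, not something the post says. The six trace lines are embedded as constructed sample input.

```python
import re

# Constructed input: the six tcpdump -e lines quoted in the post (two SMTP attempts).
CAPTURE = """\
Feb 06 00:56:09.237698 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 74: 192.168.18.47.65248 > 192.168.19.242.25: S 3208584508:3208584508(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1838120409 0> (DF)
Feb 06 00:56:09.237735 0:a0:cc:65:ba:d0 0:3:93:eb:21:f2 0800 58: 192.168.19.242.25 > 192.168.18.47.65248: S 3124286715:3124286715(0) ack 3208584509 win 0 <mss 1460> (DF) [tos 0x10]
Feb 06 00:56:09.238491 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 60: 192.168.18.47.65248 > 192.168.19.242.25: . ack 1 win 65535 (DF)
Feb 06 00:56:09.954495 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 74: 192.168.18.47.65249 > 192.168.19.242.25: S 2319452229:2319452229(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1838120411 0> (DF)
Feb 06 00:56:09.954545 0:a0:cc:65:ba:d0 0:3:93:eb:21:f2 0800 58: 192.168.19.242.25 > 192.168.18.47.65249: S 2347749644:2347749644(0) ack 2319452230 win 0 <mss 1460> (DF) [tos 0x10]
Feb 06 00:56:09.955300 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 60: 192.168.18.47.65249 > 192.168.19.242.25: . ack 1 win 65535 (DF)
"""
# One tcpdump -e line: timestamp, two MACs, ethertype, frame length, then the TCP summary.
LINE = re.compile(
    r"^\S+ \d+ [\d:.]+ \S+ \S+ 0800 \d+: (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+) (?:\d+:\d+\((?P<len>\d+)\) )?"
    r"(?:ack (?P<ack>\d+) )?win (?P<win>\d+)(?: <(?P<opts>[^>]*)>)?")

def parse_flows(text):
    """Group segments into flows keyed by the client 4-tuple; track handshake and payload."""
    flows = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        fwd = (m["src"], m["sport"], m["dst"], m["dport"])
        rev = (m["dst"], m["dport"], m["src"], m["sport"])
        opts = m["opts"].split(",") if m["opts"] else []
        if "S" in m["flags"] and m["ack"] is None:        # a bare SYN opens a client->server flow
            flows[fwd] = {"synack": None, "done": False, "payload": 0}
            continue
        s2c = rev in flows                               # reverse tuple known => server -> client
        f = flows.get(rev if s2c else fwd)
        if f is None:
            continue
        if s2c and "S" in m["flags"]:                    # SYN-ACK: keep its window and options
            f["synack"] = {"win": int(m["win"]), "opts": opts}
        elif not s2c and f["synack"] and not f["done"]:  # client's ACK completes the handshake
            f["done"] = True
        f["payload"] += int(m["len"] or 0)               # "(n)" in tcpdump is the data length
    return flows

def diagnose(flows):
    """Report flows whose handshake completed but never carried data; a SYN-ACK with
    window 0 and only an mss option is the reply pf's synproxy sends for the server."""
    out = []
    for (cip, cport, sip, sport), f in flows.items():
        if f["done"] and not f["payload"]:
            sa = f["synack"]
            proxied = sa["win"] == 0 and all(o.startswith("mss") for o in sa["opts"])
            out.append({"flow": f"{cip}:{cport} -> {sip}:{sport}", "payload_bytes": 0,
                        "synack_looks_proxied": proxied})
    return out
```

Run `diagnose(parse_flows(CAPTURE))` on a longer capture from the same tcpdump invocation to see which connections the firewall completed on the server's behalf but never carried further.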

