On Mon, Feb 06, 2006 at 01:10:20AM -0800, David Benfell wrote:
> Hello all,
> 
> I'm trying to debug my packet filtering rules.  The problem is that
> messages sent from my internal network are not getting through to the
> SMTP host on my OpenBSD 3.8-CURRENT system.
> 
> The only output I'm getting from tcpdump is:
> Feb 06 00:56:09.237698 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 74: 
> 192.168.18.47.65248 > 192.168.19.242.25: S 3208584508:3208584508(0) win 65535 
> <mss 1460,nop,wscale 0,nop,nop,timestamp 1838120409 0> (DF)
> Feb 06 00:56:09.237735 0:a0:cc:65:ba:d0 0:3:93:eb:21:f2 0800 58: 
> 192.168.19.242.25 > 192.168.18.47.65248: S 3124286715:3124286715(0) ack 
> 3208584509 win 0 <mss 1460> (DF) [tos 0x10]
> Feb 06 00:56:09.238491 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 60: 
> 192.168.18.47.65248 > 192.168.19.242.25: . ack 1 win 65535 (DF)
> Feb 06 00:56:09.954495 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 74: 
> 192.168.18.47.65249 > 192.168.19.242.25: S 2319452229:2319452229(0) win 65535 
> <mss 1460,nop,wscale 0,nop,nop,timestamp 1838120411 0> (DF)
> Feb 06 00:56:09.954545 0:a0:cc:65:ba:d0 0:3:93:eb:21:f2 0800 58: 
> 192.168.19.242.25 > 192.168.18.47.65249: S 2347749644:2347749644(0) ack 
> 2319452230 win 0 <mss 1460> (DF) [tos 0x10]
> Feb 06 00:56:09.955300 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 60: 
> 192.168.18.47.65249 > 192.168.19.242.25: . ack 1 win 65535 (DF)
> 
> 192.168.19.242 is the OpenBSD system.  192.168.18.47 is my laptop.
> Beyond that, I have no clue what this means.  All I know is that
> the SMTP logs on the OpenBSD system show no sign of contact.
> 
> On the laptop:
> 2006-02-06 00:56:08.528514500 starting delivery 812: msg 36185520 to remote 
> [EMAIL PROTECTED]
> 2006-02-06 00:56:08.528522500 status: local 0/10 remote 3/20
> 2006-02-06 00:56:08.528523500 starting delivery 813: msg 36182781 to remote 
> [EMAIL PROTECTED]
> 2006-02-06 00:56:08.528527500 status: local 0/10 remote 4/20
> 2006-02-06 01:00:39.530878500 delivery 810: deferral: 
> Connected_to_192.168.19.242_but_connection_died._(#4.4.2)/
> 2006-02-06 01:00:39.530885500 status: local 0/10 remote 3/20
> 
> Both systems are running qmail.  A copy of my /etc/pf.conf is
> attached.
> 
> -- 
> David Benfell, LCP
> [EMAIL PROTECTED]
> ---
> Resume available at http://www.parts-unknown.org/
> #     $OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Required order: options, normalization, queueing, translation, filtering.
> # Macros and tables may be defined and used anywhere.
> # Note that translation rules are first match while filter rules are last 
> match.
> # NOTE(review): this copy has been line-wrapped by the mail client (the
> # trusted_external list, the nat comment and several rdr/pass rules are split
> # mid-statement), so it will not load verbatim with pfctl -nf; compare against
> # the real /etc/pf.conf before drawing conclusions from individual lines.
> 
> # Macros: define common values, so they can be referenced and changed easily.
> #ext_if="ext0"        # replace with actual external interface name i.e., dc0
> ext_if="xl0"
> #int_if="int0"        # replace with actual internal interface name i.e., dc1
> int_if="dc0"
> dmz_if="sf3"
> pub_if="sf0"
> lupin_if="sf1"
> #internal_net="10.1.1.1/8"
> internal_net="192.168.18.1/24"
> external_addr="66.93.170.242"
> routable_subnet="66.93.170.241/28"
> dmz_net="192.168.19.0/24"
> dmz_addr="192.168.19.242"
> # Mail server address and port. In the rules quoted below $mta_ad is used only
> # by the $int_if SMTP pass rule; the rdr that would send external port-25
> # traffic to $mta_ad:$mta_pt is commented out.
> mta_ad = "192.168.19.242"
> mta_pt = "25"
> dhcp_net="192.168.20.0/24"
> lupin_net="192.168.100.0/24"
> public_admin_net="192.168.17.0/24"
> starshine="216.240.40.161/27"
> # NOTE(review): allowed_nets, trusted_external, non_routable, macintoshes,
> # linux_pcs, auth_local, in_out, lupin_router, dhcp_net and public_admin_net are
> # not referenced by any rule quoted in this excerpt; they may be used in parts
> # of the file not shown here.
> allowed_nets="{ $starshine, $dmz_net, $internal_net }"
> trusted_external="{ 12.22.55.0/24 24.23.206.48/32 64.0.0.0/4 134.154.0.0/16 
> 216.240.40.161/27 166.154.0.0/16 166.147.140.0/24 198.144.195.188/32 
> 4.4.0.0/16 207.47.24.0/24 208.54.15.0/24 209.172.123.0/24 }"
> #                   Doubletree    King's Head     Local      CSU Hayward    
> starshine.org     Verizon Wireless
> earth_ext="66.93.170.243"
> earth_dmz="192.168.19.243"
> earth_int="192.168.18.43"
> dnscache="192.168.19.4"
> kindling_ext="66.93.170.244"
> kindling_int="192.168.19.244"
> home_ext="66.93.170.245"
> home_int="192.168.18.44"
> raven_ext="66.93.170.246"
> raven_int="192.168.18.45"
> lair_ext="66.93.170.247"
> lair_int="192.168.18.46"
> thunder_ext="66.93.170.248"
> thunder_int="192.168.18.47"
> lupin_ext="66.93.170.254"
> non_routable="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }"
> macintoshes="{ $lair_ext, $lair_int, $thunder_ext, $thunder_int }"
> linux_pcs="{ $dnscache, $kindling_ext, $kindling_int, $home_ext, $home_int, 
> $raven_ext, $raven_int }"
> # NOTE(review): no comma between $thunder_int and $earth_ext across the
> # continuation; whitespace-separated list members appear elsewhere in this file
> # (trusted_external), so this presumably parses -- confirm with pfctl -nf.
> auth_local="{ $lair_ext, $lair_int, $thunder_ext, $thunder_int \
>       $earth_ext, $earth_dmz, $dnscache, $kindling_ext, $kindling_int, 
> $home_ext, $home_int, $raven_ext, $raven_int }"
> lupin_router="192.168.100.1"
> # NOTE(review): lupin_net is already defined above with the same value; this
> # second definition is redundant.
> lupin_net="192.168.100.0/24"
> dmz_services="port { smtp, pop3, http, ftp-data, ftp, domain, ntp }"
> tcp_udp="proto { tcp, udp }"
> in_out="{ in, out }"
> 
> # Tables: similar to macros, but more flexible for many addresses.
> #table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
> 
> # Options: tune the behavior of pf, default values are given.
> #set timeout { interval 30, frag 10 }
> #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> #set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> #set timeout { icmp.first 20, icmp.error 10 }
> #set timeout { other.first 60, other.single 30, other.multiple 60 }
> #set limit { states 10000, frags 5000 }
> #set loginterface none
> #set optimization normal
> # Blocked packets are dropped silently (no RST / ICMP unreachable), so a
> # blocked connection looks like a timeout to the client. No `block log`
> # default-deny rule is visible in this excerpt, so it is unclear what, if
> # anything, is being blocked and logged.
> set block-policy drop
> #set block-policy return
> #set require-order yes
> 
> # Normalization: reassemble fragments and resolve or reduce traffic 
> ambiguities.
> #scrub in from any to any
> scrub in all
> 
> # Queueing: rule-based bandwidth control.
> #altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
> #queue dflt bandwidth 5% cbq(default)
> #queue developers bandwidth 80%
> #queue marketing  bandwidth 15%
> 
> # Translation: specify how addresses are to be mapped or redirected.
> # nat: packets going out through $ext_if with source address $internal_net 
> will
> # get translated as coming from the address of $ext_if, a state is created for
> # such packets, and incoming packets will be redirected to the internal 
> address.
> 
> # NOTE(review): <spamd> is referenced here before the `table <spamd> persist`
> # line further down, and the same redirect is repeated below without the
> # `on $ext_if` restriction; one of the two rdr lines is redundant.
> rdr on $ext_if proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
> 
> # block SMTP from Hotmail and other spammer networks
> # hotmail.com
> rdr on $ext_if proto tcp from 65.54/16 to any port smtp -> 127.0.0.1 port 8025
> rdr on $ext_if proto tcp from 64.4/16 to any port smtp -> 127.0.0.1 port 8025
> # prod-infinitum.com.mx
> rdr on $ext_if proto tcp from 201.153.0.0/16 to any port smtp -> 127.0.0.1 
> port 8025
> # voyager.net
> rdr on $ext_if proto tcp from 216.93.66.0/24 to any port smtp -> 127.0.0.1 
> port 8025
> # Commented out: with this disabled, external port-25 traffic is not forwarded
> # to $mta_ad (see the `pass in ... to ($ext_if) port 25` rule below).
> #rdr on $ext_if proto tcp from any to any port smtp -> $mta_ad port $mta_pt

> # spamd-setup puts addresses to be redirected into table <spamd>.
> table <spamd> persist
> no rdr on { lo0, lo1 } from any to any
> rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
> 
> # redirect connections from spammers to spamd, all legitimate
> # connections will not be redirected
> #rdr on $ext_if inet proto tcp \
> #from <spamd> to ($ext_if) port 25 -> 127.0.0.1 port 8025

> # pass redirected connections to spamd listening on the local
> # loop interface (lo0)
> # NOTE(review): this lo0 rule is repeated further down (without `log`); since
> # this one is `quick`, it is the one that takes effect and the copy is dead.
> pass in log quick on lo0 inet proto tcp \
> from <spamd> to 127.0.0.1 port 8025
> 
> #allow SMTP from internal network
> # This is the rule the reported laptop -> 192.168.19.242:25 connection hits.
> # With `synproxy state` pf answers the client's SYN itself before opening the
> # connection to the server; the SYN-ACK with `win 0 <mss 1460>` in the quoted
> # tcpdump is consistent with such a pf-generated reply rather than one from
> # the MTA. The explicit `pass out on $dmz_if ... to $mta_ad` rule below is
> # commented out; the only visible outbound rule covering the DMZ leg is the
> # broad internal/dmz `pass out ... keep state` at the end of the excerpt.
> # Worth capturing on $dmz_if to see whether the proxied SYN reaches the MTA.
> pass in quick on $int_if inet proto tcp from any to $mta_ad port smtp flags 
> S/SA synproxy state
> 
> # pass legitimate connections to port 25 on the
> # external interface
> # NOTE(review): accepts port 25 from any external host to the firewall's own
> # address; as the rdr to $mta_ad above is commented out, these connections end
> # up on the firewall host (or on spamd via the rdr rules above), not on $mta_ad.
> pass in log quick on $ext_if inet proto tcp \
> from any to ($ext_if) port 25 keep state
 
> # pass redirected connections to spamd listening on the local
> # loop interface (lo0)
> pass in on lo0 inet proto tcp \
> from <spamd> to 127.0.0.1 port 8025
> #pass out on $dmz_if inet proto tcp \
> #from any to $mta_ad port $mta_pt keep state

> #allow DMZ services to DMZ
> # NOTE(review): $tcp_udp expands to both tcp and udp, but `flags S/SA` and
> # `synproxy state` are TCP-only options; check how pfctl handles the udp
> # expansion of these three rules (rejecting the rule or ignoring the flags).
> # No `on` interface is given, so they apply on every interface.
> pass  in      log quick       $tcp_udp from any to $dmz_net $dmz_services 
> flags S/SA synproxy state
> pass  in      log quick       $tcp_udp from any to { $external_addr, 
> $dmz_addr } port smtp flags S/SA synproxy state
> pass  in      log quick       $tcp_udp from any to { $external_addr, 
> $dmz_addr } port domain keep state
> 
> #allow SMTP from earth to home
> #pass  in     log quick       proto tcp from $earth_dmz to $home_int port 
> smtp keep state
> #pass  in     log quick       proto tcp from $earth_int to $home_int port 
> smtp keep state
> 
> #allow internal access to DMZ
> # Broad bidirectional internal <-> DMZ pass; together these cover the DMZ leg
> # of the internal -> $mta_ad SMTP path since the specific pass out above is
> # commented out.
> pass  in      log quick       $tcp_udp from { $internal_net, $dmz_net } to { 
> $internal_net, $dmz_net } keep state
> pass out      log quick       $tcp_udp from { $internal_net, $dmz_net } to { 
> $internal_net, $dmz_net } keep state

I must admit I have not read every line, but a quick search for
mta_pt|25|smtp turned up only the lines quoted above as relevant.

I do not see a rule allowing any -> mailserver, at least not if the
mailserver is in the DMZ.

The advice you have already been given about debugging pf.conf is sound.
Cleaning up and simplifying the configuration before sending it is also
appreciated and, in fact, is usually enough to find the problem by itself.

                Joachim
