On Mon, Feb 06, 2006 at 01:10:20AM -0800, David Benfell wrote:
> Hello all,
>
> I'm trying to debug my packet filtering rules. The problem is that
> messages sent from my internal network are not getting through to the
> SMTP host on my OpenBSD 3.8-CURRENT system.
>
> The only output I'm getting from tcpdump is:
> Feb 06 00:56:09.237698 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 74: 192.168.18.47.65248 > 192.168.19.242.25: S 3208584508:3208584508(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1838120409 0> (DF)
> Feb 06 00:56:09.237735 0:a0:cc:65:ba:d0 0:3:93:eb:21:f2 0800 58: 192.168.19.242.25 > 192.168.18.47.65248: S 3124286715:3124286715(0) ack 3208584509 win 0 <mss 1460> (DF) [tos 0x10]
> Feb 06 00:56:09.238491 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 60: 192.168.18.47.65248 > 192.168.19.242.25: . ack 1 win 65535 (DF)
> Feb 06 00:56:09.954495 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 74: 192.168.18.47.65249 > 192.168.19.242.25: S 2319452229:2319452229(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1838120411 0> (DF)
> Feb 06 00:56:09.954545 0:a0:cc:65:ba:d0 0:3:93:eb:21:f2 0800 58: 192.168.19.242.25 > 192.168.18.47.65249: S 2347749644:2347749644(0) ack 2319452230 win 0 <mss 1460> (DF) [tos 0x10]
> Feb 06 00:56:09.955300 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 60: 192.168.18.47.65249 > 192.168.19.242.25: . ack 1 win 65535 (DF)
>
> 192.168.19.242 is the OpenBSD system. 192.168.18.47 is my laptop.
> Beyond that, I have no clue what this means. And all I know is that
> the SMTP logs on the OpenBSD system show no sign of contact.
>
> On the laptop:
> 2006-02-06 00:56:08.528514500 starting delivery 812: msg 36185520 to remote
> [EMAIL PROTECTED]
> 2006-02-06 00:56:08.528522500 status: local 0/10 remote 3/20
> 2006-02-06 00:56:08.528523500 starting delivery 813: msg 36182781 to remote
> [EMAIL PROTECTED]
> 2006-02-06 00:56:08.528527500 status: local 0/10 remote 4/20
> 2006-02-06 01:00:39.530878500 delivery 810: deferral:
> Connected_to_192.168.19.242_but_connection_died._(#4.4.2)/
> 2006-02-06 01:00:39.530885500 status: local 0/10 remote 3/20
>
> Both systems are running qmail. A copy of my /etc/pf.conf is
> attached.
>
> --
> David Benfell, LCP
> [EMAIL PROTECTED]
> ---
> Resume available at http://www.parts-unknown.org/

> # $OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Required order: options, normalization, queueing, translation, filtering.
> # Macros and tables may be defined and used anywhere.
> # Note that translation rules are first match while filter rules are last match.
>
> # Macros: define common values, so they can be referenced and changed easily.
> #ext_if="ext0" # replace with actual external interface name i.e., dc0
> ext_if="xl0"
> #int_if="int0" # replace with actual internal interface name i.e., dc1
> int_if="dc0"
> dmz_if="sf3"
> pub_if="sf0"
> lupin_if="sf1"
> #internal_net="10.1.1.1/8"
> internal_net="192.168.18.1/24"
> external_addr="66.93.170.242"
> routable_subnet="66.93.170.241/28"
> dmz_net="192.168.19.0/24"
> dmz_addr="192.168.19.242"
> mta_ad = "192.168.19.242"
> mta_pt = "25"
> dhcp_net="192.168.20.0/24"
> lupin_net="192.168.100.0/24"
> public_admin_net="192.168.17.0/24"
> starshine="216.240.40.161/27"
> allowed_nets="{ $starshine, $dmz_net, $internal_net }"
> trusted_external="{ 12.22.55.0/24 24.23.206.48/32 64.0.0.0/4 134.154.0.0/16
> 216.240.40.161/27 166.154.0.0/16 166.147.140.0/24 198.144.195.188/32
> 4.4.0.0/16 207.47.24.0/24 208.54.15.0/24 209.172.123.0/24 }"
> # Doubletree King's Head Local CSU Hayward starshine.org Verizon Wireless
> earth_ext="66.93.170.243"
> earth_dmz="192.168.19.243"
> earth_int="192.168.18.43"
> dnscache="192.168.19.4"
> kindling_ext="66.93.170.244"
> kindling_int="192.168.19.244"
> home_ext="66.93.170.245"
> home_int="192.168.18.44"
> raven_ext="66.93.170.246"
> raven_int="192.168.18.45"
> lair_ext="66.93.170.247"
> lair_int="192.168.18.46"
> thunder_ext="66.93.170.248"
> thunder_int="192.168.18.47"
> lupin_ext="66.93.170.254"
> non_routable="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }"
> macintoshes="{ $lair_ext, $lair_int, $thunder_ext, $thunder_int }"
> linux_pcs="{ $dnscache, $kindling_ext, $kindling_int, $home_ext, $home_int,
> $raven_ext, $raven_int }"
> auth_local="{ $lair_ext, $lair_int, $thunder_ext, $thunder_int \
> $earth_ext, $earth_dmz, $dnscache, $kindling_ext, $kindling_int,
> $home_ext, $home_int, $raven_ext, $raven_int }"
> lupin_router="192.168.100.1"
> lupin_net="192.168.100.0/24"
> dmz_services="port { smtp, pop3, http, ftp-data, ftp, domain, ntp }"
> tcp_udp="proto { tcp, udp }"
> in_out="{ in, out }"
>
> # Tables: similar to macros, but more flexible for many addresses.
> #table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
>
> # Options: tune the behavior of pf, default values are given.
> #set timeout { interval 30, frag 10 }
> #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> #set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> #set timeout { icmp.first 20, icmp.error 10 }
> #set timeout { other.first 60, other.single 30, other.multiple 60 }
> #set limit { states 10000, frags 5000 }
> #set loginterface none
> #set optimization normal
> set block-policy drop
> #set block-policy return
> #set require-order yes
>
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> #scrub in from any to any
> scrub in all
>
> # Queueing: rule-based bandwidth control.
> #altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
> #queue dflt bandwidth 5% cbq(default)
> #queue developers bandwidth 80%
> #queue marketing bandwidth 15%
>
> # Translation: specify how addresses are to be mapped or redirected.
> # nat: packets going out through $ext_if with source address $internal_net will
> # get translated as coming from the address of $ext_if, a state is created for
> # such packets, and incoming packets will be redirected to the internal address.
>
> rdr on $ext_if proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
>
> # block SMTP from Hotmail and other spammer networks
> # hotmail.com
> rdr on $ext_if proto tcp from 65.54/16 to any port smtp -> 127.0.0.1 port 8025
> rdr on $ext_if proto tcp from 64.4/16 to any port smtp -> 127.0.0.1 port 8025
> # prod-infinitum.com.mx
> rdr on $ext_if proto tcp from 201.153.0.0/16 to any port smtp -> 127.0.0.1 port 8025
> # voyager.net
> rdr on $ext_if proto tcp from 216.93.66.0/24 to any port smtp -> 127.0.0.1 port 8025
> #rdr on $ext_if proto tcp from any to any port smtp -> $mta_ad port $mta_pt
> # spamd-setup puts addresses to be redirected into table <spamd>.
> table <spamd> persist
> no rdr on { lo0, lo1 } from any to any
> rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
>
> # redirect connections from spammers to spamd, all legitimate
> # connections will not be redirected
> #rdr on $ext_if inet proto tcp \
> #from <spamd> to ($ext_if) port 25 -> 127.0.0.1 port 8025
> # pass redirected connections to spamd listening on the local
> # loop interface (lo0)
> pass in log quick on lo0 inet proto tcp \
> from <spamd> to 127.0.0.1 port 8025
>
> #allow SMTP from internal network
> pass in quick on $int_if inet proto tcp from any to $mta_ad port smtp flags S/SA synproxy state
>
> # pass legitimate connections to port 25 on the
> # external interface
> pass in log quick on $ext_if inet proto tcp \
> from any to ($ext_if) port 25 keep state
> # pass redirected connections to spamd listening on the local
> # loop interface (lo0)
> pass in on lo0 inet proto tcp \
> from <spamd> to 127.0.0.1 port 8025
> #pass out on $dmz_if inet proto tcp \
> #from any to $mta_ad port $mta_pt keep state
> #allow DMZ services to DMZ
> pass in log quick $tcp_udp from any to $dmz_net $dmz_services flags S/SA synproxy state
> pass in log quick $tcp_udp from any to { $external_addr, $dmz_addr } port smtp flags S/SA synproxy state
> pass in log quick $tcp_udp from any to { $external_addr, $dmz_addr } port domain keep state
>
> #allow SMTP from earth to home
> #pass in log quick proto tcp from $earth_dmz to $home_int port smtp keep state
> #pass in log quick proto tcp from $earth_int to $home_int port smtp keep state
>
> #allow internal access to DMZ
> pass in log quick $tcp_udp from { $internal_net, $dmz_net } to { $internal_net, $dmz_net } keep state
> pass out log quick $tcp_udp from { $internal_net, $dmz_net } to { $internal_net, $dmz_net } keep state

I must admit to not having read every line, but a quick search on mta_pt|25|smtp
showed only the above lines being relevant. I do not see a rule allowing
any -> mailserver, at least not assuming the mailserver is in the dmz.

The advice you have been given about pf.conf debugging is sound; also, cleaning
up and simplifying the configuration before sending it is appreciated, and in
fact, usually enough to find the problem.

Joachim
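An added example, not part of either message in this thread: a small Python script that reads the tcpdump -e lines David posted (embedded below as constructed sample input, one packet per line) and reports, per client connection, whether the three-way handshake completed, whether any payload followed, and whether the SYN-ACK carries the signature of a pf-generated synproxy reply (window 0 and tos 0x10, which is how pf answers a SYN itself before opening its own connection to the real server). A handshake that completes with that signature and then goes silent matches what the capture and the qmail "connection died" deferral show: the laptop talked to pf, not to the MTA.

```python
import re
from collections import defaultdict

# Constructed sample input: the six packets from the post, one per line.
CAPTURE = """\
Feb 06 00:56:09.237698 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 74: 192.168.18.47.65248 > 192.168.19.242.25: S 3208584508:3208584508(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1838120409 0> (DF)
Feb 06 00:56:09.237735 0:a0:cc:65:ba:d0 0:3:93:eb:21:f2 0800 58: 192.168.19.242.25 > 192.168.18.47.65248: S 3124286715:3124286715(0) ack 3208584509 win 0 <mss 1460> (DF) [tos 0x10]
Feb 06 00:56:09.238491 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 60: 192.168.18.47.65248 > 192.168.19.242.25: . ack 1 win 65535 (DF)
Feb 06 00:56:09.954495 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 74: 192.168.18.47.65249 > 192.168.19.242.25: S 2319452229:2319452229(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1838120411 0> (DF)
Feb 06 00:56:09.954545 0:a0:cc:65:ba:d0 0:3:93:eb:21:f2 0800 58: 192.168.19.242.25 > 192.168.18.47.65249: S 2347749644:2347749644(0) ack 2319452230 win 0 <mss 1460> (DF) [tos 0x10]
Feb 06 00:56:09.955300 0:3:93:eb:21:f2 0:a0:cc:65:ba:d0 0800 60: 192.168.18.47.65249 > 192.168.19.242.25: . ack 1 win 65535 (DF)
"""

def parse(line):
    _, rest = line.split(": ", 1)  # drop timestamp, MACs, ethertype, frame length
    addrs, tcp = rest.split(": ", 1)  # "src.port > dst.port" and the TCP summary
    src, dst = (a.rsplit(".", 1) for a in addrs.split(" > "))
    fields = tcp.split()
    length = re.search(r"\((\d+)\)", fields[1])  # "seq:seq(len)" only on SYN/FIN/data
    tos = re.search(r"\[tos (0x[0-9a-f]+)\]", tcp)
    return {"src": tuple(src), "dst": tuple(dst), "flags": fields[0],
            "ack": " ack " in tcp, "win": int(fields[fields.index("win") + 1]),
            "len": int(length.group(1)) if length else 0,
            "tos": tos.group(1) if tos else None}

def handshakes(capture):
    """Per client flow: SYN/SYN-ACK/ACK seen, SYN-ACK pf-generated, payload bytes."""
    flows = defaultdict(lambda: {"syn": False, "synack": False, "ack": False, "pf_synproxy": False, "data": 0})
    for line in capture.splitlines():
        p = parse(line)
        if "S" in p["flags"] and not p["ack"]:  # the client's SYN defines the flow
            flows[(p["src"], p["dst"])]["syn"] = True
            continue
        rev = (p["dst"], p["src"])  # replies are keyed by the flow they answer
        f = flows[rev] if rev in flows else flows[(p["src"], p["dst"])]
        if "S" in p["flags"]:  # SYN-ACK: pf's synproxy answers with win 0 and tos 0x10
            f["synack"] = True
            f["pf_synproxy"] = p["win"] == 0 and p["tos"] == "0x10"
        elif p["ack"]:
            f["ack"] = True
        f["data"] += p["len"]
    return dict(flows)

def verdict(f):
    if not (f["syn"] and f["synack"] and f["ack"]):
        return "handshake incomplete"
    if f["data"] == 0 and f["pf_synproxy"]:
        return "pf synproxy completed the handshake; no data, server leg never seen"
    return "no data after handshake" if f["data"] == 0 else "data exchanged"
```

Run it on a capture taken on the internal interface while the client retries; a flow that reaches "data exchanged" means the proxied leg to the MTA went through, which is the point at which the host's SMTP log should finally show the connection.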