Well it is a simple ruleset (see below).  As for the ISP blocking stuff -
not likely, since the email server is run by me at another location.  Since
I have more users connecting to this server from other locations I've ruled
the problem out from that end.  It is only from this one location that this
problem occurs....

-----
#
# cat /etc/pf.conf
#
# pf.rules
#
#-Interfaces-----------------------------------------------
#
#  sis0 - external
#  sis1 - internal
#  sis2 - not used
#
#-Variables------------------------------------------------
#
ExtIF="sis0"
IntIF="sis1"
IntRange="192.168.22.0/24"
table <scanners> persist file "/etc/scanners"

#
#-Options--------------------------------------------------
#

#
#-Normalize Traffic----------------------------------------
#

scrub in  on $ExtIF all
#scrub out on $ExtIF all random-id

#
#-NAT Rules------------------------------------------------
#
nat on $ExtIF from $IntRange to any -> $ExtIF
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $IntIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021

#
#-Antispoof------------------------------------------------
#
antispoof for { $ExtIF, $IntIF}

#
#-Firewall Rules-------------------------------------------
#

# Drop IPv6 packets immediately
block in  quick inet6 all
block out quick inet6 all

# Drop SSH port scanners immediately
block quick from <scanners>

# Block in all inbound and outbound packets
block in  on $ExtIF all
block out on $ExtIF all

# Anchor for FTP Proxy
anchor "ftp-proxy/*"

# Drop hackers
block in  quick on $ExtIF inet proto tcp from any to any flags /SFRA
block in  quick on $ExtIF inet proto tcp from any to any flags F/SFRA
block in  quick on $ExtIF inet proto tcp from any to any flags U/SFRAU
block in  quick on $ExtIF inet proto tcp from any to any flags SF/SFRA
block in  quick on $ExtIF inet proto tcp from any to any flags SAFRU/SAFRU
block in  quick on $ExtIF inet proto tcp from any to any flags SF/SF
block in  quick on $ExtIF inet proto tcp from any to any flags SR/SR
block in  on $ExtIF inet proto tcp from any to any flags S/SFRA
block in  on $ExtIF inet proto tcp from any to any flags SA/SFRA

# Allow SSH in
pass in  quick log on $ExtIF inet proto tcp from any to any port 22 modulate state (max-src-conn-rate 3/15, overload <scanners> flush global)

# Allow normal traffic out
pass out on $ExtIF inet proto tcp from any to any modulate state
pass out on $ExtIF inet proto udp from any to any keep state
pass out on $ExtIF inet proto icmp from any to any keep state
-----

That's it!
Peter
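
One way to check from the firewall itself whether pf is the culprit, as an added example that is not part of the original thread: it reads state-table usage from `pfctl -si` / `pfctl -sm` output (parsed from a constructed sample here so it runs offline), and the live function lists the `<scanners>` table and any open POP3 states. The pfctl output formats are assumed to match OpenBSD's pfctl of that era.

```shell
#!/bin/sh
# Added example, not from the thread: is pf dropping the POP3 sessions?

# Constructed sample of `pfctl -si` output (shortened) for offline use.
SAMPLE_INFO='Status: Enabled for 12 days 03:14:22           Debug: Urgent

State Table                          Total             Rate
  current entries                       9985
  searches                         123456789          117.1/s
  inserts                            1234567            1.2/s
  removals                           1224582            1.2/s'

# Constructed sample of `pfctl -sm` output.
SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit      500
tables        hard limit     1000
table-entries hard limit   100000'

# state_usage INFO_TEXT MEMORY_TEXT -> prints "current limit percent_used"
# A table near its hard limit means new connections fail to get a state,
# which looks to the client exactly like "server could not be reached".
state_usage() {
  cur=$(printf '%s\n' "$1" | awk '/current entries/ {print $3}')
  lim=$(printf '%s\n' "$2" | awk '$1 == "states" {print $4}')
  echo "$cur $lim $((cur * 100 / lim))"
}

# Live check; run as root on the firewall (not called by the offline test).
live_check() {
  state_usage "$(pfctl -si)" "$(pfctl -sm)"
  # Sources that tripped max-src-conn-rate and landed in <scanners>;
  # "flush global" kills every state from such a source, all ports.
  pfctl -t scanners -T show
  # Open POP3 states, then per-rule hit counters for the block rules.
  pfctl -ss | grep ':110 '
  pfctl -vvsr | grep -A1 block
}
```

Run `live_check` a few times while the third user tries to fetch mail; if the state count is well below the limit, `<scanners>` is empty and no block counter moves, the drop is not happening in pf.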

-----Original Message-----
From: Alexander Hall [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 19, 2006 9:07 PM
To: Peter Bako
Cc: misc@openbsd.org
Subject: Re: Packet overload?

Peter Bako wrote:
> I have a Soekris net4801 box running as a firewall for a friend of 
> mine that runs a small business (about 5 employees).  The ruleset is 
> quite simple in that he does not run any internal servers, so I pretty 
> much block all inbound traffic and allow all traffic back out.  For 
> inbound traffic I have the scrub command enabled and for outbound 
> traffic (tcp and udp) I have keep state flag on.
>  
> However I've noticed that if more than one or two people are getting 
> email from their ISP (standard pop3), then the third person to try to 
> get email will get an error that the server could not be reached.  
> Until recently they have not received enough email for the email check 
> and subsequent downloads to take long, so whenever anyone got this 
> error they would just wait a few seconds and try again.  However 
> lately they have been getting a larger volume of email (expected due 
> to an upturn in business), so this problem is getting much more noticed
> and annoying.
>  
> Anyone have any idea as to the cause and a solution for this?  I've 
> thought it might be that the Soekris box is underpowered, but the 
> processor is basically a PII/266 with 128M of RAM, which should be 
> enough for such a small site.

Now, I have not seen your pf.conf, but only using a simple ruleset that you
describe, my bet is that it is not the firewall that is causing the problem.
Does the ISP/mailserver have restrictions by any chance?

I cannot imagine that the 4801 would have ANY performance problem in the
situation you describe, unless it is en/de-crypting stuff that passes
through it. Even so, it would just make stuff go slower - not block stuff.

/Alexander
