Well it is a simple ruleset (see below). As for the ISP blocking stuff - not likely, since the email server is run by me at another location. Since I have more users connecting to this server from other locations I've ruled the problem out from that end. It is only from this one location that this problem occurs....
-----
#
# cat /etc/pf.conf
#
# pf.rules
#
#-Interfaces-----------------------------------------------
#
# sis0 - external
# sis1 - internal
# sis2 - not used
#
#-Variables------------------------------------------------
#
ExtIF="sis0"
IntIF="sis1"
IntRange="192.168.22.0/24"
table <scanners> persist file "/etc/scanners"
#
#-Options--------------------------------------------------
#
#
#-Normalize Traffic----------------------------------------
#
scrub in on $ExtIF all
#scrub out on $ExtIF all random-id
#
#-NAT Rules------------------------------------------------
#
nat on $ExtIF from $IntRange to any -> $ExtIF
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $IntIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#
#-Antispoof------------------------------------------------
#
antispoof for { $ExtIF, $IntIF}
#
#-Firewall Rules-------------------------------------------
#
# Drop IPv6 packets immediately
block in quick inet6 all
block out quick inet6 all
# Drop SSH port scanners immediately
block quick from <scanners>
# Block in all inbound and outbound packets
block in on $ExtIF all
block out on $ExtIF all
# Anchor for FTP Proxy
anchor "ftp-proxy/*"
# Drop hackers
block in quick on $ExtIF inet proto tcp from any to any flags /SFRA
block in quick on $ExtIF inet proto tcp from any to any flags F/SFRA
block in quick on $ExtIF inet proto tcp from any to any flags U/SFRAU
block in quick on $ExtIF inet proto tcp from any to any flags SF/SFRA
block in quick on $ExtIF inet proto tcp from any to any flags SAFRU/SAFRU
block in quick on $ExtIF inet proto tcp from any to any flags SF/SF
block in quick on $ExtIF inet proto tcp from any to any flags SR/SR
block in on $ExtIF inet proto tcp from any to any flags S/SFRA
block in on $ExtIF inet proto tcp from any to any flags SA/SFRA
# Allow SSH in
pass in quick log on $ExtIF inet proto tcp from any to any port 22 modulate state (max-src-conn-rate 3/15, overload <scanners> flush global)
# Allow normal traffic out
pass out on $ExtIF inet proto tcp from any to any modulate state
pass out on $ExtIF inet proto udp from any to any keep state
pass out on $ExtIF inet proto icmp from any to any keep state
-----

That's it!

Peter

-----Original Message-----
From: Alexander Hall [mailto:[EMAIL PROTECTED]
Sent: Monday, June 19, 2006 9:07 PM
To: Peter Bako
Cc: misc@openbsd.org
Subject: Re: Packet overload?

Peter Bako wrote:
> I have a Soekris net4801 box running as a firewall for a friend of
> mine that runs a small business (about 5 employees). The ruleset is
> quite simple in that he does not run any internal servers, so I pretty
> much block all inbound traffic and allow all traffic back out. For
> inbound traffic I have the scrub command enabled and for outbound
> traffic (tcp and udp) I have keep state flag on.
>
> However I've noticed that if more than one or two people are getting
> email from their ISP (standard pop3), then the third person to try to
> get email will get an error that the server could not be reached.
> Until recently they have not received enough email for the email check
> and subsequent downloads to take long, so whenever anyone got this
> error they would just wait a few seconds and try again. However
> lately they have been getting a larger volume of email (expected due
> to an upturn in business), so this problem is getting much more noticed and annoying.
>
> Anyone have any idea as to the cause and a solution for this? I've
> thought it might be that the Soekris box is underpowered, but the
> processor is basically a PII/266 with 128M of RAM, which should be
> enough for such a small site.

Now, I have not seen your pf.conf, but only using a simple ruleset that
you describe, my bet is that it is not the firewall that is causing the
problem. Does the ISP/mailserver have restrictions by any chance?

I cannot imagine that the 4801 would have ANY performance problem in the
situation you describe, unless it is en/de-crypting stuff that passes
through it. Even so, it would just make stuff go slower - not block stuff.

/Alexander
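One way to check Alexander's suggestion from the firewall side, as an added example that is not part of this thread or of the ruleset above: the `nat on $ExtIF` rule makes every LAN client look like the single external address, so a per-source-IP connection cap on the ISP's POP3 server would be shared by the whole office. The script below parses the text output of `pfctl -ss` and counts how many sessions each remote host:port currently has open through the NAT, and which internal hosts are behind them. The sample output is constructed (documentation address ranges), and the line layout with the pre-NAT address in parentheses is the one printed by current OpenBSD releases; the `limit` value is a hypothetical cap, not anything the ISP is known to enforce.

```python
"""Count concurrent pf states per remote server, as seen from the NAT address.

Added example (not from the mailing-list thread): parses `pfctl -ss` text and
reports how many sessions a remote host:port has open from behind this
firewall. With `nat on $ExtIF` every LAN client shares one external address,
so a per-IP cap on a remote mail server is hit by the office as a whole.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample of `pfctl -ss` output (documentation address ranges).
# Three LAN hosts have POP3 sessions to the same server; the third is still
# in SYN_SENT. The parenthesised address is the client before NAT.
SAMPLE_PFCTL_SS = """\
all tcp 198.51.100.7:50001 (192.168.22.10:49152) -> 203.0.113.5:110       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.7:50002 (192.168.22.11:49153) -> 203.0.113.5:110       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.7:50003 (192.168.22.12:49154) -> 203.0.113.5:110       SYN_SENT:CLOSED
all tcp 198.51.100.7:50004 (192.168.22.10:49155) -> 203.0.113.9:443       ESTABLISHED:ESTABLISHED
all udp 198.51.100.7:50005 (192.168.22.11:40000) -> 203.0.113.53:53       MULTIPLE:MULTIPLE
"""

ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
NATTED = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3}):(\d+)\)")


def parse_states(text: str) -> List[Dict]:
    """Turn outbound (`->`) state lines into dicts; other lines are skipped."""
    states = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or "->" not in fields:
            continue
        endpoints = ENDPOINT.findall(line)
        if len(endpoints) < 2:
            continue
        natted = NATTED.search(line)
        # LAN client = parenthesised pre-NAT address if present, else the
        # first endpoint on the line (older pf prints LAN first, un-bracketed).
        lan_ip = natted.group(1) if natted else endpoints[0][0]
        states.append({
            "proto": fields[1],
            "lan_ip": lan_ip,
            "dst_ip": endpoints[-1][0],
            "dst_port": int(endpoints[-1][1]),
            "state": fields[-1],
        })
    return states


def concurrent_sessions(states: List[Dict], dst_port: int,
                        proto: str = "tcp") -> Dict[str, int]:
    """Sessions per remote host:port, i.e. what that server sees from the NAT IP."""
    counts: Counter = Counter()
    for s in states:
        if s["proto"] == proto and s["dst_port"] == dst_port:
            counts[f'{s["dst_ip"]}:{s["dst_port"]}'] += 1
    return dict(counts)


def over_limit(states: List[Dict], dst_port: int, limit: int,
               proto: str = "tcp") -> Dict[str, int]:
    """Remote host:ports whose session count exceeds a hypothetical per-IP cap."""
    return {dst: n for dst, n in concurrent_sessions(states, dst_port, proto).items()
            if n > limit}


def lan_clients_for(states: List[Dict], dst_ip: str, dst_port: int) -> List[str]:
    """Internal hosts behind the sessions to one remote host:port."""
    return sorted({s["lan_ip"] for s in states
                   if s["dst_ip"] == dst_ip and s["dst_port"] == dst_port})


if __name__ == "__main__":
    import sys
    # Usage on the firewall: pfctl -ss > states.txt; python3 pop3_states.py states.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PFCTL_SS
    parsed = parse_states(text)
    for dst, n in concurrent_sessions(parsed, 110).items():
        ip, port = dst.rsplit(":", 1)
        print(f"{dst}: {n} POP3 sessions from {lan_clients_for(parsed, ip, int(port))}")
```

Run it while the third client is failing: if the remote POP3 server already shows two or more sessions from the NAT address, the count the ISP sees is the number to ask them about, and `pfctl -si` will confirm the firewall's own state table is nowhere near its limit.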