On 3/10/07, Ramdas <[EMAIL PROTECTED]> wrote:
> On 3/7/07, Ramdas <[EMAIL PROTECTED]> wrote:
> > On 3/7/07, Ramdas <[EMAIL PROTECTED]> wrote:
> > > On 3/7/07, Pablo Halamaj <[EMAIL PROTECTED]> wrote:
> > > > On 05/03/07, Ramdas <[EMAIL PROTECTED]> wrote:
> > > > > Hi Group,
> > > > >
> > > > > I have a server with two LAN cards, both with valid IPs. One interface
> > > > > (fxp1) is patched behind a Cisco PIX firewall and the other (fxp0) is
> > > > > outside the firewall.
> > > > >
> > > > > I want no greylisting/filtering on fxp1 (I have the related ports
> > > > > opened in the PIX); it should be enabled only for fxp0.
> > > > >
> > > > > The server will be used as a mail server.
> > > > >
> > > > > Please help. I want to check if the rules below are correct.
> > > > > My pf rules are as follows:
> > > > > ----
> > > > > # PF Conf
> > > > > # ###########
> > > > > # Macros
> > > > > #############
> > > > >
> > > > > # internal and external network interfaces
> > > > > int_if = "fxp0"
> > > > > ext_if = "fxp1"
> > > > >
> > > > > # Internal servers
> > > > > mail_host = "a.b.c.d"
> > > > >
> > > > > icmp_types = "{ echoreq, unreach }"
> > > > > tcp_services = "{ 110, 143, 80 }"
> > > > >
> > > >
> > > > SMTP servers use port 25; you should allow connections from the Internet to port 25.
> > > >
> > > > > # We should never see these coming from the Internet.
> > > > > martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> > > > >               10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
> > > > >               0.0.0.0/8, 240.0.0.0/4 }"
> > > > >
> > > > > # options
> > > > > set block-policy return
> > > >
> > > > I prefer "set block-policy drop"; it will hide your server from some
> > > > scans and minimize your upload bandwidth ;-)
> > > >
> > > > > set loginterface $ext_if
> > > > > # options must precede scrub, rdr and filter rules, so "set skip"
> > > > > # belongs here rather than after "block all"
> > > > > set skip on lo0
> > > > >
> > > > > # Scrub
> > > > > scrub in all
> > > > >
> > > > > #################
> > > > > # Spamd
> > > > > #################
> > > > >
> > > > > # grey host list
> > > > > table <spamd> persist
> > > > > # white host list (the rules below refer to it as <spamd-white>)
> > > > > table <spamd-white> persist
> > > > > # the whitelist we maintain ourselves
> > > > > table <whitelist> persist file "/etc/whitelist.txt"
> > > > >
> > > > > # Send whitelisted hosts to the actual mail server
> > > > > rdr on $ext_if proto tcp from <whitelist> to \
> > > > >     $ext_if port smtp -> $mail_host port smtp
> > > > >
> > > > > # send all suspects to the spamd daemon
> > > > > rdr pass on $ext_if inet proto tcp from <spamd> to \
> > > > >     $ext_if port smtp -> 127.0.0.1 port 8025
> > > > > rdr pass on $ext_if inet proto tcp from !<spamd-white> to \
> > > > >     $ext_if port smtp -> 127.0.0.1 port 8025
> > > > >
> > > > > # Send hosts that passed greylisting to the actual mail server
> > > > > rdr on $ext_if proto tcp from <spamd-white> to \
> > > > >     $ext_if port smtp -> $mail_host port smtp
> > > > >
> > > > > # #############
> > > > > # Filter Rules
> > > > > # #############
> > > > >
> > > > > block all
> > > > >
> > > > > antispoof for $ext_if
> > > > > antispoof for $int_if
> > > > >
> > > > > # Martians
> > > > > block drop in quick on $ext_if from $martians to any
> > > > > block drop out quick on $ext_if from any to $martians
> > > > >
> > > > > # Allow ping and path MTU discovery
> > > > > pass in inet proto icmp all icmp-type $icmp_types keep state
> > > > >
> > > > > # Allow incoming SMTP & POP connections
> > > > > pass in on $ext_if inet proto tcp from any to ($ext_if) \
> > > > >     port $tcp_services flags S/SA keep state
> > > > >
> > > > > # For spamlogd to update the whitelists
> > > > > # (the static whitelist does not need to be logged)
> > > > > pass in quick on $ext_if inet proto tcp from <whitelist> \
> > > > >     to port smtp flags S/SA keep state
> > > > > pass in log quick on $ext_if inet proto tcp from <spamd-white> \
> > > > >     to port smtp flags S/SA keep state
> > > > >
> > > > > # Allow anything from the internal network out onto the Internet
> > > > > pass out on $ext_if proto tcp all modulate state flags S/SA
> > > > > pass out on $ext_if proto { udp, icmp } all keep state
> > > > >
> > > > > pass quick on $int_if
> > > > > ----
> > > > >
> > > > > One more question I want to ask: will it be OK to enable
> > > > > multipath routing on this server? Or do I need to add more
> > > > > rules to the above for it to work with multipath routing?
> > > > >
> > > > > Thanx & Regards
> > > > > Ram
> > > > >
> > >
> > > I am sorry to repeat my question. But something is wrong in my rules
> > > and I do not know how to debug & proceed.
> > >
> > > The above rules did not help me.
> > > I could either connect on fxp0 OR fxp1 depending on my /etc/mygate
> > > settings (had disabled multipath routing).
> > >
> > > Then I enabled multipath routing & deleted /etc/mygate. This allowed
> > > me to connect on my fxp0 on port 25 but not on fxp1.
> > > pfctl -ss would show a SYN_SENT:ESTABLISHED for port 25.
> > >
> > > After a lot of struggle I removed the rules
> > > antispoof for fxp0
> > > antispoof for fxp1
> > > after which I can connect on both fxp1 & fxp0 on port 25.
> > >
> > > The new problem that has started is that after the host gets
> > > whitelisted it cannot connect on the mail_host port 25. That is,
> > > greylisted connections have no problem; whitelisted IPs cannot
> > > communicate with the server.
> > >
> > > Please suggest the corrections I need to make.
> > >
> > > Regards
> > > RAM
> >
> > Sorry for the noise. But I am unable to get over the problem.
> >
> > I have a server with two network cards, both with valid IPs.
> > On one NIC I want greylisting enabled & on the other I do not want any greylisting.
> >
> > I have enabled multipath routing on the machine.
> > I have removed all my rules and started with some basic ones as below.
> > ---
> > #macros
> >
> > ext_if = "em0"
> > int_if = "bge0"
> >
> > tcp_services = "{ 25, 110, 80 }"
> > icmp_types = "{ echoreq, unreach }"
> > ssh_only = "{ 22 }"
> > myhost = "{ myhost_IP_address }"
> >
> > # Options
> > set block-policy return
> > set loginterface $ext_if
> > set loginterface $int_if
> > # "set skip" is an option and must precede scrub and the filter rules
> > set skip on lo
> >
> > #Scrub
> > scrub in all
> >
> > # Filter rules
> > block all
> >
> > # Allow incoming SMTP & POP connections on ext_if
> > pass in on $ext_if inet proto tcp from any to ($ext_if) \
> >     port $tcp_services flags S/SA keep state tag OUTNET
> > pass out quick on $ext_if tagged OUTNET
> >
> > # Allow incoming SMTP & POP connections on int_if
> > pass in on $int_if inet proto tcp from any to ($int_if) \
> >     port $tcp_services flags S/SA keep state tag INTNET
> > pass out quick on $int_if tagged INTNET
> >
> > # Allow ssh from local network
> > pass in on $int_if inet proto tcp from $myhost to ($int_if) \
> >     port $ssh_only flags S/SA keep state
> >
> > # Allow ssh from local network on ext_if
> > pass in on $ext_if inet proto tcp from $myhost to ($ext_if) \
> >     port $ssh_only flags S/SA keep state
> > ---
> >
> > Still the problem is that whenever a machine (I have a dial-up PC)
> > connects on one interface it cannot connect to the ports on the other
> > interface.
> >
> > tcpdump shows that the packets come in from one interface and try to go out
> > from a different interface.
> >
> > Please help, I am completely lost now; if possible, suggest the correct rules.
> >
> > Otherwise I will have to fall back to the single-interface-to-Internet
> > setup, with the other interface only for the invalid network, & will have to
> > do away with greylisting also, as users would connect on the valid interface.
> >
> > Thanx in advance for any help.
> >
> > Regards
> > Ram
>
> The problem is with handling return-path data.
> The traffic coming in on one interface passes out (tries to pass out) from
> the other interface. I have been trying a lot of combinations with little result.
>
> I just want to know a few things (read: I beg for help):
> a) With multiple external interfaces (two in my case), should sysctl
>    net.inet.ip.multipath be on or off? (mine is kept on)
> b) Should sysctl net.inet.ip.forwarding be on or off? I have set it to off.
>
> Regards
> Ram

Thanx all,
The return traffic problem is solved now. Traffic coming in from one
interface leaves out from the same one.

Regards
Ram
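The thread does not say which change fixed the return path, so the ruleset below is an added example rather than the poster's final configuration. It shows the shape such a two-interface setup usually takes in pf: spamd greylisting redirected only on one interface, and `reply-to` on the inbound rules so that each state's replies are sent through the interface the connection arrived on, whatever the routing table (or multipath) would otherwise choose. The interface names, the gateway addresses in `ext_gw`/`int_gw`, and the service list are placeholders assumed for the example; spamd listening on 127.0.0.1 port 8025 is taken from the thread.

```pf
# Added example, not the poster's ruleset. Interface names, gateway
# addresses and the service list are assumed placeholders.
ext_if = "em0"            # interface that should be greylisted
int_if = "bge0"           # interface that gets direct SMTP
ext_gw = "192.0.2.1"      # assumed next hop reachable on $ext_if
int_gw = "198.51.100.1"   # assumed next hop reachable on $int_if

tcp_services = "{ smtp, pop3, imap }"
icmp_types   = "{ echoreq, unreach }"

table <spamd> persist         # greylisted senders
table <spamd-white> persist   # senders that passed greylisting

# Options come first: pfctl rejects "set" statements placed after
# scrub, rdr or filter rules.
set block-policy drop
set loginterface $ext_if
set skip on lo

scrub in all

# Greylisting on $ext_if only: senders not yet whitelisted are handed
# to spamd on 127.0.0.1:8025; everyone else reaches the MTA on port 25.
rdr on $ext_if inet proto tcp from !<spamd-white> to $ext_if \
    port smtp -> 127.0.0.1 port 8025

block all

pass in inet proto icmp all icmp-type $icmp_types keep state

# reply-to records, in each state, the interface and gateway that the
# replies must use, so a connection that arrived on $ext_if is answered
# on $ext_if even when the routing table would pick the other interface.
# Filter rules see the post-rdr destination, hence 127.0.0.1 port 8025.
pass in on $ext_if reply-to ($ext_if $ext_gw) inet proto tcp \
    from any to 127.0.0.1 port 8025 flags S/SA keep state
# "log" lets spamlogd see the connection on pflog0 and refresh the whitelist.
pass in log on $ext_if reply-to ($ext_if $ext_gw) inet proto tcp \
    from <spamd-white> to ($ext_if) port smtp flags S/SA keep state
pass in on $ext_if reply-to ($ext_if $ext_gw) inet proto tcp \
    from any to ($ext_if) port { pop3, imap } flags S/SA keep state

# No greylisting on $int_if: SMTP goes straight to the MTA.
pass in on $int_if reply-to ($int_if $int_gw) inet proto tcp \
    from any to ($int_if) port $tcp_services flags S/SA keep state

# Connections the host itself opens.
pass out on { $ext_if, $int_if } proto tcp all flags S/SA modulate state
pass out on { $ext_if, $int_if } proto { udp, icmp } all keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and after a test connection use `pfctl -ss` to confirm the state reaches ESTABLISHED:ESTABLISHED instead of sticking at SYN_SENT:ESTABLISHED as described in the thread. On the two sysctls the poster asks about: `reply-to` is enforced by pf on the state, so it pins the replies regardless of which default route `net.inet.ip.multipath` would have chosen for them, and `net.inet.ip.forwarding` only matters for packets the box relays to other hosts, so a server whose MTA and spamd are local can leave it off.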

