Paul de Weerd wrote:
> Hi Renaud,
>
> On Mon, Dec 10, 2007 at 04:50:36PM +0100, Paul de Weerd wrote:
> | Have you actually seen these packets live on the wire ?
>
> I re-read your original mail, and it turns out you have seen these
> packets on the wire. Sorry for the too-quick-answer ;P
No problem. The firewall admin told me he was blocking packets from 127.0.0.1 originating from the antispam servers.

> | I doubt it. In general (the recommended setup), pf redirects incoming
> | requests to 127.0.0.1:8025, the port where spamd is listening *on
> | localhost*. Replies such as ACK's etc. *MUST* originate from
> | 127.0.0.1:8025 in this case. PF will take care of rewriting the packet
> | to the address the client originally used to contact your mailserver
> | (spamdserver).
>
> For some reason, pf doesn't seem to take care of rewriting the return
> traffic where it should. Can you confirm there is a matching pf-state
> in the state table when you see this sort of traffic ?

It is quite hard to capture as it seems sporadic and the servers are heavily loaded:

tcpdump: listening on em0, link-type EN10MB
Dec 10 17:07:18.585359 00:15:17:19:0e:be 00:04:23:09:79:68 0800 113: 127.0.0.1.8025 > 217.132.142.68.2199: FP 959669614:959669673(59) ack 2605929486 win 65535

all tcp 127.0.0.1:8025 <- 157.164.187.68:25 <- 217.132.142.68:4557 FIN_WAIT_2:FIN_WAIT_2
all tcp 127.0.0.1:8025 <- 157.164.187.68:25 <- 217.132.142.68:1052 FIN_WAIT_2:FIN_WAIT_2
all tcp 127.0.0.1:8025 <- 157.164.187.68:25 <- 217.132.142.68:1181 FIN_WAIT_2:FIN_WAIT_2
all tcp 127.0.0.1:8025 -> 217.132.142.68:2199 CLOSING:CLOSED

I guess the last one is the one I see on the firewall.

-- 
010100100110010101101110011000010111010101100100
010000010110110001101100011000010111001001100100
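The state table quoted in the mail is itself the diagnostic: the three rdr'ed states print three endpoints (spamd's local socket, the translated public mailserver address, the remote client), while the CLOSING:CLOSED state prints only two, so there is no translated address for pf to put back into the source field of the outgoing FIN/PSH that tcpdump caught. The script below is an added example, not code from this thread or from OpenBSD. It parses lines in the shape of the `pfctl -ss` output above (the sample is constructed from the quoted lines) and reports states whose local endpoint is a loopback address but which carry no translated address; the bracketed IPv6 endpoint form `::1[8025]` that it also accepts is an assumption about pfctl's formatting, not something shown in the thread.

```python
"""Flag pf states whose replies would leave sourced from a loopback address.

Added example, not from the mailing-list thread. Input lines follow the
shape of the ``pfctl -ss`` output quoted in the mail:

    <iface> <proto> <local> <- <translated> <- <remote> <state>   (rdr'ed)
    <iface> <proto> <local> -> <remote> <state>                    (no translation)
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the four state lines quoted in the mail.
SAMPLE_STATES = """\
all tcp 127.0.0.1:8025 <- 157.164.187.68:25 <- 217.132.142.68:4557 FIN_WAIT_2:FIN_WAIT_2
all tcp 127.0.0.1:8025 <- 157.164.187.68:25 <- 217.132.142.68:1052 FIN_WAIT_2:FIN_WAIT_2
all tcp 127.0.0.1:8025 <- 157.164.187.68:25 <- 217.132.142.68:1181 FIN_WAIT_2:FIN_WAIT_2
all tcp 127.0.0.1:8025 -> 217.132.142.68:2199 CLOSING:CLOSED
"""

ARROWS = ("<-", "->")
# IPv4 endpoints print as host:port; the host[port] form is assumed for IPv6.
ENDPOINT_V4 = re.compile(r"^(?P<host>.+):(?P<port>\d+)$")
ENDPOINT_V6 = re.compile(r"^(?P<host>[^\[]+)\[(?P<port>\d+)\]$")


@dataclass
class PfState:
    iface: str
    proto: str
    endpoints: List[Tuple[str, int]]  # in the order pfctl printed them
    direction: str                    # first arrow seen: "<-" in, "->" out
    status: str

    @property
    def local(self) -> Tuple[str, int]:
        return self.endpoints[0]

    @property
    def has_translation(self) -> bool:
        # A translated (rdr/nat) state prints three endpoints, a plain one two.
        return len(self.endpoints) == 3


def parse_endpoint(token: str) -> Tuple[str, int]:
    m = ENDPOINT_V4.match(token) or ENDPOINT_V6.match(token)
    if not m:
        raise ValueError(f"unrecognised endpoint {token!r}")
    return m.group("host"), int(m.group("port"))


def parse_state(line: str) -> PfState:
    tokens = line.split()
    if len(tokens) < 6:
        raise ValueError(f"unexpected pfctl -ss line: {line!r}")
    iface, proto, status = tokens[0], tokens[1], tokens[-1]
    middle = tokens[2:-1]
    arrows = [t for t in middle if t in ARROWS]
    endpoints = [parse_endpoint(t) for t in middle if t not in ARROWS]
    if not arrows or len(endpoints) not in (2, 3):
        raise ValueError(f"unexpected endpoint layout: {line!r}")
    return PfState(iface, proto, endpoints, arrows[0], status)


def is_loopback(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # scoped or otherwise unparsable address
        return False


def untranslated_loopback_states(text: str) -> List[PfState]:
    """Return states that sit on a loopback socket but have no translated
    address, i.e. the ones whose outbound packets would carry 127.0.0.1 as
    their source once they leave the box."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        st = parse_state(line)
        if is_loopback(st.local[0]) and not st.has_translation:
            findings.append(st)
    return findings


if __name__ == "__main__":
    for st in untranslated_loopback_states(SAMPLE_STATES):
        host, port = st.endpoints[-1]
        print(f"{st.proto} {st.local[0]}:{st.local[1]} {st.direction} "
              f"{host}:{port} {st.status}: no translation on loopback state")
```

Feed it the live table with `pfctl -ss | python3 this_script.py`-style piping if you adapt `__main__` to read stdin; on the sample it reports only the fourth line, which matches Renaud's guess about which state produces the packet the firewall admin sees.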

