OK... Narrowing down the problem here.
The problem, obviously, is with my rules.
I can SSH to the box from my intranet only.
My rules are allowing port 25 in and, it seems, nothing else.

The problem is when postfix tries to relay mail to my internal mail server. When the rules are up, mail cannot find a route. When the rules are down, it works perfectly.
Here is the snip from the maillog:


Oct 1 10:11:26 blowfish postfix/smtp[26912]: connect to 192.168.1.165[192.168.1.165]: No route to host (port 25)
Oct 1 10:11:26 blowfish postfix/smtp[26912]: 2AE731B0949: to=<[EMAIL PROTECTED]>, relay=none, delay=0, status=deferred (connect to 192.168.1.165[192.168.1.165]: No route to host)


Here are my rules:

ext_if="fxp0"              # External Interface
int_if="fxp1"              # Internal Interface
int_net="192.168.1.0/24"
tcp_services = "{ 25 }"
tcp_int_services = "{ 22 }"

#Tables
table <NoRouteIPs> { 127.0.0.1/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, !192.168.0.0/24 }
table <trusted> persist file "/etc/tables/trusted"


# Clean up fragmented and abnormal packets
scrub in all

#default Deny all
block in log on $ext_if all

#loopback rules
pass in quick on lo0 all

# don't allow anyone to spoof non-routeable addresses
block in  log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>

#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state


# pass trusted for SSH
pass in log quick on $int_if inet proto tcp from <trusted> to $int_if port 22 keep state


# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

And here is a snippet from my pflog:

Oct 01 10:11:26.711858 rule 3/0(match): block out on fxp0: 10.0.1.80.30123 > 192.168.1.165.25: S 3073788046:3073788046(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 901711457 0> (DF)

Quick note: 10.0.1.80 is the OpenBSD mail gateway.
192.168.1.165 is the internal mail server.

The log clearly states the problem. Now I'm trying to figure out how to tweak my rules.
Is the problem due to my <NoRouteIPs> table?


I tried removing 10.0.0.0/8 from the table, but it did not work.
Also, as far as tables are concerned, does it matter which order you place the entries in?


Thanks everyone.

Cheers,

Jason
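An added example, not part of Jason's post and not pf's own code: the Python below reimplements pf's table lookup as pf.conf(5) describes it (the longest-prefix entry containing an address decides, and if that entry is negated the address does not match the table), then runs the addresses from the log above through the <NoRouteIPs> table, both in the order posted and shuffled, and models rule 3 from the pflog line. Interface names, hosts and table entries are taken from the post; the lookup itself is an illustration of the documented semantics, not pf's implementation. The "203.0.113.7" address is a constructed sample.

```python
import ipaddress
import random

# Constructed from the <NoRouteIPs> table in the post above (pf.conf syntax).
NOROUTE_TABLE = (
    "127.0.0.1/8",
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "!192.168.0.0/24",
)

# Interface names and hosts from the post.
EXT_IF = "fxp0"
INT_IF = "fxp1"
GATEWAY = "10.0.1.80"          # the OpenBSD mail gateway
INTERNAL_MX = "192.168.1.165"  # the internal mail server


def parse_table(entries):
    """Turn pf-style entries into (network, negated) pairs.
    strict=False lets '127.0.0.1/8' parse as 127.0.0.0/8, as pf accepts it."""
    parsed = []
    for entry in entries:
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        parsed.append((net, negated))
    return parsed


def table_match(entries, addr):
    """pf table lookup: the longest-prefix entry containing addr decides.
    If that entry is negated, the address does NOT match the table."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, negated in parse_table(entries):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]


def order_independent(entries, addrs, trials=10, seed=1):
    """Check that shuffling the table never changes any lookup result."""
    rng = random.Random(seed)
    baseline = {a: table_match(entries, a) for a in addrs}
    for _ in range(trials):
        shuffled = list(entries)
        rng.shuffle(shuffled)
        if any(table_match(shuffled, a) != baseline[a] for a in addrs):
            return False
    return True


def egress_blocked(iface, dst, entries=NOROUTE_TABLE):
    """Model of rule 3 in the post:
    block out log quick on $ext_if from any to <NoRouteIPs>"""
    return iface == EXT_IF and table_match(entries, dst)


if __name__ == "__main__":
    for a in (INTERNAL_MX, GATEWAY, "192.168.0.5", "203.0.113.7"):
        print(f"{a:15} in <NoRouteIPs>: {table_match(NOROUTE_TABLE, a)}")
    print("entry order matters:", not order_independent(
        NOROUTE_TABLE, [INTERNAL_MX, GATEWAY, "192.168.0.5"]))
    # The logged packet: gateway -> internal MX, leaving on fxp0.
    print("rule 3 blocks logged packet:", egress_blocked(EXT_IF, INTERNAL_MX))
    # Same destination, with 10.0.0.0/8 removed from the table.
    trimmed = tuple(e for e in NOROUTE_TABLE if e != "10.0.0.0/8")
    print("still blocked without 10.0.0.0/8:",
          egress_blocked(EXT_IF, INTERNAL_MX, trimmed))
```

The negated entry only carves 192.168.0.0/24 out of 192.168.0.0/16, so a 192.168.1.x destination is still in the table whichever order the entries are listed in, and removing a source-range entry has no effect on a rule that is matching on the destination.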


