Re: ipf rules question
Jay Hall wrote:
> And, following is the output from ipfstat showing the relevant rule(s).
>
>   @140 block in quick proto tcp from 82.0.0.0/8 to any port = smtp
>
> If I am looking at everything correctly all traffic coming into the system from the 82.0.0.0/8 network to port 25 on the mail server should be blocked. What am I missing?

I can't tell you what you're missing, but we're missing the entire story. Just because you have a block rule doesn't mean that things will get blocked if you have a pass rule before. You need to post the entire ruleset if you want help with that.

Evidently, things get passed by some other rule; you can get a clue by adding the log action to all rules passing packets to port 25 or any port.

When adding new rules it is a good idea to add log statements so you can debug. Once things work, remove them to reduce the noise.

BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: ipf rules question
Erik Norgaard wrote:
> Jay Hall wrote:
> > And, following is the output from ipfstat showing the relevant rule(s).
> >
> >   @140 block in quick proto tcp from 82.0.0.0/8 to any port = smtp
>
> Evidently, things get passed by some other rule, you can get a clue by adding the log action to all rules passing packets to port 25 or any port.

And, by the way, in ip-filter it is a really good idea to add a default rule explicitly, always specify network interface and use groups to organize and optimize your ruleset.

BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
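The two failure modes raised in this thread (a pass rule ahead of the block rule winning the match, and a block rule that is not bound to the interface the traffic arrives on) are shown below with a small simulator of ipf's rule walk. This is an added example, not code from the thread or from ipfilter itself; the interface name fxp0, the earlier pass rule and the packet are constructed, with the source address and the @140 rule taken from the posted logs.

```python
import ipaddress

PORTS = {"smtp": 25, "submission": 587}  # names ipf resolves via /etc/services

def parse_rule(text):
    """Parse a small subset of ipf.conf syntax (no groups, flags or keep state)."""
    t = text.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "iface": None,
         "proto": None, "src": "any", "dst": "any", "dport": None}
    for key, name in (("on", "iface"), ("proto", "proto"), ("from", "src"), ("to", "dst")):
        if key in t:
            r[name] = t[t.index(key) + 1]
    if "port" in t:  # "port = 25" or "port = smtp"
        p = t[t.index("port") + 2]
        r["dport"] = PORTS.get(p) or int(p)
    return r

def in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def matches(r, pkt):
    return (r["dir"] == pkt["dir"]
            and r["iface"] in (None, pkt["iface"])
            and r["proto"] in (None, pkt["proto"])
            and in_net(pkt["src"], r["src"]) and in_net(pkt["dst"], r["dst"])
            and r["dport"] in (None, pkt["dport"]))

def evaluate(rules, pkt):
    """ipf semantics: walk the rules in order; the last match wins unless a
    matching rule says 'quick', which ends the walk there. No match means pass."""
    verdict = ("pass", None)
    for n, text in enumerate(rules, 1):
        r = parse_rule(text)
        if matches(r, pkt):
            verdict = (r["action"], n)
            if r["quick"]:
                break
    return verdict

# Constructed packet modelled on the maillog entry in the thread; interface fxp0 is assumed.
PKT = {"dir": "in", "iface": "fxp0", "proto": "tcp",
       "src": "82.95.130.154", "dst": "10.129.10.45", "dport": 25}
BLOCK = "block in quick proto tcp from 82.0.0.0/8 to any port = smtp"  # the @140 rule
PASS_SMTP = "pass in quick on fxp0 proto tcp from any to any port = smtp"  # assumed earlier rule
RULESET_PASS_FIRST = [PASS_SMTP, BLOCK]   # earlier quick pass wins; @140 is never consulted
RULESET_BLOCK_FIRST = [BLOCK, PASS_SMTP]  # block ahead of the pass: connection dropped
RULESET_WRONG_IFACE = [BLOCK.replace("block in quick", "block in quick on fxp1"), PASS_SMTP]  # fxp1 never matches
for name, rules in (("pass first", RULESET_PASS_FIRST), ("block first", RULESET_BLOCK_FIRST),
                    ("wrong iface", RULESET_WRONG_IFACE)):
    print(name, evaluate(rules, PKT))
```

Adding `log` to the pass rule, as Erik suggests, would make the winning rule number visible in ipmon output instead of having to reason it out by hand.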
ipf rules question
Ladies and Gentlemen,

I think I am missing something. I am running a FreeBSD 6. server with ipf compiled into the kernel.

Following are the headers from an email.

  From: oea...@brantbenun.com
  Subject: SUSPECTED SPAM REAL Doctors, REAL Science, REAL Results!
  Date: July 27, 2009 2:33:25 PM CDT
  To: xx...@mnea.org
  Reply-To: oea...@brantbenun.com
  Received: from mail.mnea.org ([10.129.10.45]) by mo-hq-s1.mo.loc with Microsoft SMTPSVC(6.0.3790.1830); Mon, 27 Jul 2009 14:33:29 -0500
  Received: by mail.mnea.org (Postfix, from userid 10071) id 572563F661; Mon, 27 Jul 2009 14:33:29 -0500 (CDT)
  Received: from speedtouch.lan (213-84-78-162.adsl.xs4all.nl [82.95.130.154]) by mail.mnea.org (Postfix) with ESMTP id DD9233F659 for x...@mnea.org; Mon, 27 Jul 2009 14:33:24 -0500 (CDT)
  Received: from 82.95.130.154 by smtp.secureserver.net; Mon, 27 Jul 2009 20:33:25 +0100

Following are the relevant entries from /var/log/maillog

  Jul 27 14:33:22 mail postfix/smtpd[8557]: connect from 213-84-78-162.adsl.xs4all.nl[82.95.130.154]
  Jul 27 14:33:24 mail postfix/smtpd[8557]: DD9233F659: client=213-84-78-162.adsl.xs4all.nl[82.95.130.154]
  Jul 27 14:33:26 mail postfix/cleanup[7974]: DD9233F659: message-id=824460019.99376997845...@brantbenun.com
  Jul 27 14:33:26 mail postfix/qmgr[52904]: DD9233F659: from=oea...@brantbenun.com , size=1245, nrcpt=1 (queue active)

And, following is the output from ipfstat showing the relevant rule(s).

  @140 block in quick proto tcp from 82.0.0.0/8 to any port = smtp

If I am looking at everything correctly all traffic coming into the system from the 82.0.0.0/8 network to port 25 on the mail server should be blocked.

What am I missing?

Thanks for your help.

Jay
Re: ipf rules question
On Jul 27, 2009, at 2:27 PM, Jay Hall wrote:
> [ ... ]
> If I am looking at everything correctly all traffic coming into the system from the 82.0.0.0/8 network to port 25 on the mail server should be blocked. What am I missing?

Maybe they are connecting to the MSP aka 587/tcp rather than port 25?

It's hard to tell from your message which mailserver lines are from machines under your control; try editing the mail headers a little less and we might be able to do better.

Otherwise, maybe your firewall rules are not working, are applied to the wrong network interface, etc.

Regards,
--
-Chuck
Re: ipf rules question
On Jul 27, 2009, at 4:40 PM, Chuck Swiger wrote:
> On Jul 27, 2009, at 2:27 PM, Jay Hall wrote:
> > [ ... ]
> > If I am looking at everything correctly all traffic coming into the system from the 82.0.0.0/8 network to port 25 on the mail server should be blocked. What am I missing?
>
> Otherwise, maybe your firewall rules are not working, are applied to the wrong network interface, etc.

Sorry about the confusion. Postfix is listening on port 25 on mail.mnea.org. Port 587 is not open.

I will post some modified log files shortly.

Jay