sending mail with attachments always fail (FreeBSD/pf)

2009-11-21 Thread Victor Lyapunov
Hi all,

I have a production network with a FreeBSD box acting as firewall. The
problem emerges as soon as users send mail with attachments. (Sending
mail without attachments always succeeds.) Basically, when a user
tries to send a message, only part of it is transmitted before the connection
is interrupted and sending fails. The problem persists only when pf is
enabled.

My ruleset:
scrub in all fragment reassemble
block drop on em0 all
pass inet proto tcp from 192.168.0.0/24 to any port = smtp flags S/SA keep state
pass inet proto tcp from 192.168.0.0/24 to any port = pop3 flags S/SA keep state
pass inet proto tcp from 192.168.0.0/24 to any port = imap flags S/SA keep state
pass inet proto tcp from 192.168.0.0/24 to any port = smtps flags S/SA keep state
pass inet proto tcp from 192.168.0.0/24 to any port = pop3s flags S/SA keep state
pass proto udp from any to any port = domain keep state


This is what I get from pfctl -si just after # /etc/rc.d/pf start:
# pfctl -si
Status: Enabled for 0 days 00:00:09   Debug: Urgent

State Table                        Total             Rate
  current entries                      0
  searches                             0            0.0/s
  inserts                              0            0.0/s
  removals                             0            0.0/s
Counters
  match                                0            0.0/s
  bad-offset                           0            0.0/s
  fragment                             0            0.0/s
  short                                0            0.0/s
  normalize                            0            0.0/s
  memory                               0            0.0/s
  bad-timestamp                        0            0.0/s
  congestion                           0            0.0/s
  ip-option                            0            0.0/s
  proto-cksum                          0            0.0/s
  state-mismatch                       0            0.0/s
  state-insert                         0            0.0/s
  state-limit                          0            0.0/s
  src-limit                            0            0.0/s
  synproxy                             0            0.0/s



After I try to send some mail with attachments a couple of times (which
always fail), I get this from pfctl -si:
Status: Enabled for 0 days 00:02:58   Debug: Urgent

State Table                        Total             Rate
  current entries                     48
  searches                          1313            7.4/s
  inserts                            131            0.7/s
  removals                            83            0.5/s
Counters
  match                              152            0.9/s
  bad-offset                           0            0.0/s
  fragment                             0            0.0/s
  short                                0            0.0/s
  normalize                            0            0.0/s
  memory                               0            0.0/s
  bad-timestamp                        0            0.0/s
  congestion                           0            0.0/s
  ip-option                            0            0.0/s
  proto-cksum                          0            0.0/s
  state-mismatch                      22            0.1/s
  state-insert                         0            0.0/s
  state-limit                          0            0.0/s
  src-limit                            0            0.0/s
  synproxy                             0            0.0/s

Any suggestions/ideas would be appreciated,
Best regards,
Victor

FreeBSD router 7.2-RELEASE FreeBSD 7.2-RELEASE #4: Sun May  3 23:29:04
2009 r...@router:/usr/obj/usr/src/sys/GENERIC  i386
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
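A small script for comparing two pfctl -si snapshots, added here as an illustration and not code from the thread. The two snapshot strings are constructed from the numbers in Victor's two listings, and the one-line counter descriptions are this helper's own summaries, not text from pfctl.

```python
"""Compare two `pfctl -si` snapshots and report which pf counters moved.

Added diagnostic helper (not from the thread). The snapshots below are
constructed from the totals Victor posted, so the spacing is synthetic.
"""
import re
from typing import Dict, List

# Constructed: the "just after pf start" snapshot, trimmed to a few counters.
BEFORE = """\
Status: Enabled for 0 days 00:00:09   Debug: Urgent

State Table                        Total             Rate
  current entries                      0
  searches                             0            0.0/s
  inserts                              0            0.0/s
  removals                             0            0.0/s
Counters
  match                                0            0.0/s
  fragment                             0            0.0/s
  short                                0            0.0/s
  memory                               0            0.0/s
  state-mismatch                       0            0.0/s
  state-limit                          0            0.0/s
"""

# Constructed: the snapshot after the failed sends.
AFTER = """\
Status: Enabled for 0 days 00:02:58   Debug: Urgent

State Table                        Total             Rate
  current entries                     48
  searches                          1313            7.4/s
  inserts                            131            0.7/s
  removals                            83            0.5/s
Counters
  match                              152            0.9/s
  fragment                             0            0.0/s
  short                                0            0.0/s
  memory                               0            0.0/s
  state-mismatch                      22            0.1/s
  state-limit                          0            0.0/s
"""

# Indented counter line: name, total, optional "<rate>/s".
COUNTER_RE = re.compile(r"^ {2}([a-z]+(?:[ -][a-z]+)*)\s+(\d+)(?:\s+[\d.]+/s)?\s*$")
UPTIME_RE = re.compile(r"Enabled for (\d+) days (\d+):(\d+):(\d+)")

# Counters whose growth means pf refused or lost traffic rather than just
# passing it. Descriptions are this helper's summaries (assumption), not pfctl's.
DROP_COUNTERS = {
    "state-mismatch": "packet matched a state by address/port but failed pf's "
                      "sequence-window or direction sanity checks",
    "fragment": "fragments dropped during scrub/reassembly",
    "short": "packets too short to hold a complete header",
    "memory": "memory allocation failure (state or fragment table)",
    "state-limit": "a state limit (e.g. max-src-states) was reached",
    "proto-cksum": "bad protocol checksum",
}


def parse_pfctl_si(text: str) -> Dict[str, int]:
    """Return {counter name: total} for every indented counter line."""
    totals: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            totals[m.group(1)] = int(m.group(2))
    return totals


def uptime_seconds(text: str) -> int:
    """Seconds since pf was enabled, taken from the 'Enabled for' line."""
    m = UPTIME_RE.search(text)
    if not m:
        raise ValueError("no 'Enabled for' line found")
    days, hours, minutes, seconds = (int(x) for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Counters that changed between the snapshots (after minus before)."""
    return {k: after[k] - before.get(k, 0) for k in after if after[k] != before.get(k, 0)}


def diagnose(before_text: str, after_text: str) -> List[str]:
    """One finding per changed counter; drop-related counters are flagged."""
    before, after = parse_pfctl_si(before_text), parse_pfctl_si(after_text)
    elapsed = uptime_seconds(after_text) - uptime_seconds(before_text)
    findings = []
    for name, delta in counter_deltas(before, after).items():
        rate = delta / elapsed if elapsed > 0 else float("nan")
        line = f"{name}: +{delta} ({rate:.2f}/s over {elapsed}s)"
        if name in DROP_COUNTERS and delta > 0:
            line += f"  <-- {DROP_COUNTERS[name]}"
        findings.append(line)
    return findings


if __name__ == "__main__":
    for finding in diagnose(BEFORE, AFTER):
        print(finding)
```

On a live box, capture pfctl -si immediately before and after one failing send and feed the two captures to diagnose(); a state-mismatch counter that climbs only during the failures is the first thing to look at, since pf counts there the packets that found a state entry but were not accepted by it.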


Re: sending mail with attachments always fail (FreeBSD/pf)

2009-11-21 Thread Matthias Apitz
On Saturday, November 21, 2009 at 08:59:12PM +0600, Victor Lyapunov wrote:

> Hi all,
> 
> I have a production network with a FreeBSD box acting as firewall. The
> problem emerges as soon as users send mail with attachments. (Sending
> mail without attachments always succeeds.) Basically, when a user
> tries to send a message, only part of it is transmitted before the connection
> is interrupted and sending fails. The problem persists only when pf is
> enabled.

I think concerning TCP/IP there is no difference between a mail with or without
an attachment; it is just talking SMTP to a remote server and only the
size, i.e., the number of IP packets, differs; the content is anyway;

> My ruleset:
> scrub in all fragment reassemble
> block drop on em0 all
> pass inet proto tcp from 192.168.0.0/24 to any port = smtp flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = pop3 flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = imap flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = smtps flags S/SA keep state
> pass inet proto tcp from 192.168.0.0/24 to any port = pop3s flags S/SA keep state
> pass proto udp from any to any port = domain keep state

I never used S/SA as flags in my rules, only S. More I can't see.
HTH (if not, watch with some tcpdump(1) what's going on between the NIC
and the remote server).

matthias

-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e g...@unixarea.de - w http://www.unixarea.de/
Vote NO to EU The Lisbon Treaty: http://www.no-means-no.eu


Re: sending mail with attachments always fail (FreeBSD/pf)

2009-11-21 Thread RW
On Sat, 21 Nov 2009 16:27:20 +0100
Matthias Apitz g...@unixarea.de wrote:

> On Saturday, November 21, 2009 at 08:59:12PM +0600, Victor Lyapunov wrote:
> 
>> Hi all,
>> 
>> I have a production network with a FreeBSD box acting as firewall. The
>> problem emerges as soon as users send mail with attachments. (Sending
>> mail without attachments always succeeds.) Basically, when a user
>> tries to send a message, only part of it is transmitted before the
>> connection is interrupted and sending fails. The problem persists
>> only when pf is enabled.
> 
> I think concerning TCP/IP there is no difference between a mail with or without
> an attachment; it is just talking SMTP to a remote server and only the
> size, i.e., the number of IP packets, differs; the content is anyway;

This kind of thing is often due to an MTU blackhole - when a larger
email causes a full-size IP packet to be sent. I don't see why PF
should make a difference though; AFAIK it's supposed to let ICMP through
when it's learned state on a TCP connection.


> I never used S/SA as flags in my rules, only S.

S/SA is correct; it means look at SYN and ACK and match if only SYN is
set, while S matches on SYN irrespective of whether ACK is set.
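To make the flags S/SA explanation concrete, here is an added Python model of pf's flags a/b matching; it is an illustration written for this page, not pf's own code. Out of the flags listed in b, exactly those listed in a must be set and the rest must be clear; flags not in b are ignored. A bare "S" is modelled here as "S/S" (assumption, matching the reading given above: SYN must be set, ACK is not examined). The sample segments are constructed.

```python
"""Model of pf-style `flags a/b` TCP-flag matching (added illustration, not pf code)."""
from typing import Dict, List, Tuple

# TCP flag letters as pf spells them, with the corresponding header bits.
TCP_FLAG_BITS: Dict[str, int] = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80,
}


def letters_to_bits(letters: str) -> int:
    """Turn a flag string such as 'SA' into its bitmask."""
    bits = 0
    for ch in letters:
        if ch not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= TCP_FLAG_BITS[ch]
    return bits


def parse_flags_spec(spec: str) -> Tuple[int, int]:
    """Return (must_be_set, examined) bitmasks for a spec like 'S/SA'.

    'any' examines nothing. A spec without a slash (e.g. 'S') is modelled
    as 'S/S' here (assumption): only the listed flags are examined, and all
    of them must be set.
    """
    if spec == "any":
        return 0, 0
    if "/" in spec:
        want, mask = spec.split("/", 1)
    else:
        want, mask = spec, spec
    want_bits, mask_bits = letters_to_bits(want), letters_to_bits(mask)
    if want_bits & ~mask_bits:
        raise ValueError(f"{spec}: flags required to be set must also be examined")
    return want_bits, mask_bits


def flags_match(spec: str, packet_flags: str) -> bool:
    """True if a segment carrying `packet_flags` satisfies the rule's flags spec."""
    want, mask = parse_flags_spec(spec)
    return (letters_to_bits(packet_flags) & mask) == want


def classify(spec: str, segments: List[Tuple[str, str]]) -> List[str]:
    """Labels of the sample segments a rule with this flags spec would match."""
    return [label for label, flags in segments if flags_match(spec, flags)]


# Constructed sample segments as they might cross a firewall.
SAMPLE_SEGMENTS: List[Tuple[str, str]] = [
    ("client SYN (new connection)", "S"),
    ("server SYN+ACK (reply)", "SA"),
    ("established data", "PA"),
    ("pure ACK", "A"),
    ("FIN+ACK teardown", "FA"),
    ("unsolicited SYN+ACK from outside", "SA"),
]

if __name__ == "__main__":
    for spec in ("S/SA", "S", "S/SAFR", "any"):
        print(f"flags {spec:<7} matches: {classify(spec, SAMPLE_SEGMENTS)}")
```

The security-relevant difference shows up in the second sample: with S/SA only the connection-opening SYN can create a state, whereas a spec that ignores ACK also lets a SYN+ACK from the outside pass and create one, which is why S/SA (or the stricter S/SAFR) is the usual choice on state-creating rules.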


Re: sending mail with attachments always fail (FreeBSD/pf)

2009-11-21 Thread Victor Lyapunov
> This kind of thing is often due to an MTU blackhole - when a larger
> email causes a full-size IP packet to be sent. I don't see why PF
> should make a difference though; AFAIK it's supposed to let ICMP through
> when it's learned state on a TCP connection.

Thanks for your answer.
Don't know whether it is relevant to the particular issue, but I tried
both rulesets, first with `scrub in all fragment reassemble` and
another one without it, but neither worked for me. I'm kinda upset by
the fact that pf can't handle large emails.

Any other ideas how to possibly fix it, please?


Re: sending mail with attachments always fail (FreeBSD/pf)

2009-11-21 Thread Mel Flynn
On Sat, 21 Nov 2009 23:36:33 +0600, Victor Lyapunov
fullblastst...@gmail.com wrote:
>> This kind of thing is often due to an MTU blackhole - when a larger
>> email causes a full-size IP packet to be sent. I don't see why PF
>> should make a difference though; AFAIK it's supposed to let ICMP through
>> when it's learned state on a TCP connection.
> 
> Thanks for your answer.
> Don't know whether it is relevant to the particular issue, but I tried
> both rulesets, first with `scrub in all fragment reassemble` and
> another one without it, but neither worked for me. I'm kinda upset by
> the fact that pf can't handle large emails.
> 
> Any other ideas how to possibly fix it, please?

If on FreeBSD 7 or higher, you can get rid of the keep state; it's implicit.
Secondly, please test whether the problem disappears by removing the rules and
simply allowing outgoing traffic.
Your rules would be:
scrub in on $ext_if fragment reassemble
block in on $ext_if
pass out on $ext_if from $int_if:network to any

If that works, then your problem is likely that you're creating 2 states
for one connection, causing confusion.
-- 
Mel
