List: ipfilter
Subject: Re: ipf rules preventing smtp traffic with ATT mailservers
From: "David Lord" <ipfilter () lordynet ! org>
Date: 2007-05-30 18:39:56
Message-ID: 465DC4FC.9057.16784B1 () localhost
On 29 May 2007, at 14:24, Paul Theodoropoulos wrote:
> (This is a huge message, but I felt too much info was better than too little)
>
> Preface: I'm a relative n00b to ipfilter, though I got quite an
> education when my server was attacked recently by some site in China
> (which is what got me started using it in the first place). That
> said, here is the problem, followed at the bottom with details as
> per the IPfilter FAQ:
>
> After putting in place the ruleset shown at the bottom, I discovered
> that any email with attachments that's sent to any address at
> att.net/sbcglobal.net/pacbell.net will not go through. The connection
> invariably times out. *This does not happen with any other MX servers
> on the net!*. That's what's particularly baffling - if I had a
> mistake in my ruleset, I'd presume NO mail would go out. I've tweaked
> and adjusted based on everything I can find out there, to no avail.
> If I replace the ruleset with
>
> pass in all
> pass out all
>
> The mail goes through just fine.
....
> root-klaatu /etc/ipf% ipfstat -io
> block out all
> pass out quick on lo0 all
> block out log quick from any to 192.168.0.0/16
> block out log quick from any to 172.16.0.0/12
> block out log quick from any to 10.0.0.0/8
> pass out log quick proto tcp from 206.176.249.128/28 to any port = 113 flags R/FSRPU
> pass out quick proto tcp from 206.176.249.128/28 to any flags S/FSRPAU keep state
> pass out quick proto udp from 206.176.249.128/28 to any keep state
> pass out quick proto icmp from 206.176.249.128/28 to any icmp-type echorep
> pass out quick proto icmp from 206.176.249.128/28 to any icmp-type unreach
> pass out quick proto icmp from 206.176.249.128/28 to any icmp-type echo
> pass out quick proto icmp from 206.176.249.128/28 to any icmp-type timex
> block in all
> pass in quick on lo0 all
> block in log quick from 192.168.0.0/16 to any
> block in log quick from 172.16.0.0/12 to any
> block in log quick from 10.0.0.0/8 to any
> block in log quick on hme0 from 127.0.0.0/8 to any
> block in log quick on hme1 from 127.0.0.0/8 to any
> block in log quick from any to any with short
> block in log from any to any with ipopts
> block return-rst in log quick proto tcp from any to 206.176.249.128/28 port = 113
> block in log quick from 211.154.104.85/32 to any
> pass in quick proto tcp from any to 206.176.249.128/28 port = ftp flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port 32768 >< 65535 flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = smtp flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = spamd-smtp flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = priv-ssh flags S/FSRPAU keep state
> pass in quick proto udp from any to 206.176.249.128/28 port = domain keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = httpd flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = pop3 flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = imap flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = submission flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = smtp-alt flags S/FSRPAU keep state
> pass in quick proto icmp from any to 206.176.249.128/28 icmp-type echorep
> pass in quick proto icmp from any to 206.176.249.128/28 icmp-type unreach
> pass in quick proto icmp from any to 206.176.249.128/28 icmp-type echo
> pass in quick proto icmp from any to 206.176.249.128/28 icmp-type timex
As for your smtp rules, they are no different to mine. The main difference
is that for all services in use I have a lot of rules similar to:
block return-icmp-as-dest(port-unr) in log quick on le0 proto tcp/udp from any to any port = 25
but I can't remember why these are needed, as I'm mostly using the same
ruleset as I did 6 - 7 years ago, just the IPs and interfaces changed
occasionally.
Possibly try with pass all in/out for icmp to check if such rules
might be needed.
Other thing is I doubt any email has been sent from here to any
address @ att.net/sbcglobal.net/pacbell.net.
David
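An added illustration, not from either poster nor from ipfilter itself: a small Python model of ipf's rule order (last match wins, a matching quick rule ends the scan), run over a constructed subset of the ipfstat -io listing quoted above, so one can see which rule decides a given packet, for instance whether ICMP unreachables are passed in both directions as David suggests checking, without touching a live box. The PORTS name map, the packet dicts and the 203.0.113.5 sample peer are assumptions; only "port = N" on the "to" side and the fields these rules need are modelled.

```python
import ipaddress
# Constructed subset of the ipfstat -io listing quoted in the thread, original order kept.
RULES_TEXT = """\
block out all
block out log quick from any to 192.168.0.0/16
pass out quick proto tcp from 206.176.249.128/28 to any flags S/FSRPAU keep state
pass out quick proto icmp from 206.176.249.128/28 to any icmp-type unreach
block in all
block return-rst in log quick proto tcp from any to 206.176.249.128/28 port = 113
pass in quick proto tcp from any to 206.176.249.128/28 port = smtp flags S/FSRPAU keep state
pass in quick proto icmp from any to 206.176.249.128/28 icmp-type unreach
"""
PORTS = {"smtp": 25, "ftp": 21, "domain": 53, "pop3": 110, "imap": 143, "submission": 587}  # assumed map
def parse_rule(line):
    # log, flags and keep state are read past: they do not decide which rule matches here
    t = line.split()
    r = {"action": t.pop(0), "quick": False, "proto": None, "from": "any",
         "to": "any", "port": None, "icmp-type": None}
    if t[0].startswith("return-"):          # e.g. "block return-rst"
        r["action"] += " " + t.pop(0)
    r["dir"] = t.pop(0)
    while t:
        tok = t.pop(0)
        if tok == "quick":
            r["quick"] = True
        elif tok in ("from", "to", "icmp-type"):
            r[tok] = t.pop(0)
        elif tok == "proto":
            r["proto"] = set(t.pop(0).split("/"))   # "tcp/udp" means either
        elif tok == "port":                          # only "port = N" on the "to" side modelled
            r["port"] = int(PORTS.get(t[1], t[1])); del t[:2]
    return r
def in_net(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
def matches(r, pkt):
    return (r["dir"] == pkt["dir"]
            and (r["proto"] is None or pkt["proto"] in r["proto"])
            and in_net(r["from"], pkt["src"]) and in_net(r["to"], pkt["dst"])
            and (r["port"] is None or r["port"] == pkt.get("dport"))
            and (r["icmp-type"] is None or r["icmp-type"] == pkt.get("icmp-type")))
def verdict(rules, pkt):
    # ipf scans in order: the last match wins, unless a matching rule says quick, which ends the scan
    winner = None
    for r in (r for r in rules if matches(r, pkt)):
        winner = r
        if r["quick"]:
            break
    return winner["action"] if winner else "no match"
RULES = [parse_rule(line) for line in RULES_TEXT.splitlines()]
```

A packet is a dict such as {"dir": "in", "proto": "tcp", "src": "203.0.113.5", "dst": "206.176.249.130", "dport": 25}; verdict(RULES, pkt) returns the action of the deciding rule.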