List:       ipfilter
Subject:    Re: ipf rules preventing smtp traffic with ATT mailservers
From:       "David Lord" <ipfilter () lordynet ! org>
Date:       2007-05-30 18:39:56
Message-ID: 465DC4FC.9057.16784B1 () localhost
On 29 May 2007, at 14:24, Paul Theodoropoulos wrote:

> (This is a huge message, but I felt too much info was better than too little)
> 
> Preface: I'm a relative n00b to ipfilter, though I got quite an 
> education when my server was attacked recently by some site in China 
> (which is what got me started using it in the first place). That 
> said, here is the problem, followed at the bottom with details as 
> per the IPfilter FAQ:
> 
> After putting in place the ruleset shown at the bottom, I discovered 
> that any email with attachments that's sent to any address at 
> att.net/sbcglobal.net/pacbell.net will not go through. The connection 
> invariably times out. *This does not happen with any other MX servers 
> on the net!*. That's what's particularly baffling - if I had a 
> mistake in my ruleset, I'd presume NO mail would go out. I've tweaked 
> and adjusted based on everything I can find out there, to no avail. 
> If I replace the ruleset with
> 
> pass in all
> pass out all
> 
> The mail goes through just fine.

....
 
> root-klaatu /etc/ipf% ipfstat -io
> block out all
> pass out quick on lo0 all
> block out log quick from any to 192.168.0.0/16
> block out log quick from any to 172.16.0.0/12
> block out log quick from any to 10.0.0.0/8
> pass out log quick proto tcp from 206.176.249.128/28 to any port = 113 flags R/FSRPU
> pass out quick proto tcp from 206.176.249.128/28 to any flags S/FSRPAU keep state
> pass out quick proto udp from 206.176.249.128/28 to any keep state
> pass out quick proto icmp from 206.176.249.128/28 to any icmp-type echorep
> pass out quick proto icmp from 206.176.249.128/28 to any icmp-type unreach
> pass out quick proto icmp from 206.176.249.128/28 to any icmp-type echo
> pass out quick proto icmp from 206.176.249.128/28 to any icmp-type timex
> block in all
> pass in quick on lo0 all
> block in log quick from 192.168.0.0/16 to any
> block in log quick from 172.16.0.0/12 to any
> block in log quick from 10.0.0.0/8 to any
> block in log quick on hme0 from 127.0.0.0/8 to any
> block in log quick on hme1 from 127.0.0.0/8 to any
> block in log quick from any to any with short
> block in log from any to any with ipopts
> block return-rst in log quick proto tcp from any to 206.176.249.128/28 port = 113
> block in log quick from 211.154.104.85/32 to any
> pass in quick proto tcp from any to 206.176.249.128/28 port = ftp flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port 32768 >< 65535 flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = smtp flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = spamd-smtp flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = priv-ssh flags S/FSRPAU keep state
> pass in quick proto udp from any to 206.176.249.128/28 port = domain keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = httpd flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = pop3 flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = imap flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = submission flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = smtp-alt flags S/FSRPAU keep state
> pass in quick proto icmp from any to 206.176.249.128/28 icmp-type echorep
> pass in quick proto icmp from any to 206.176.249.128/28 icmp-type unreach
> pass in quick proto icmp from any to 206.176.249.128/28 icmp-type echo
> pass in quick proto icmp from any to 206.176.249.128/28 icmp-type timex
 
As for your smtp rules, they are no different from mine. The main difference 
is that for all services in use I have a lot of rules similar to:

block return-icmp-as-dest(port-unr) in log quick on le0 proto tcp/udp from any to any port = 25

but I can't remember why these are needed, as I'm mostly using the same 
ruleset as I did 6 - 7 years ago; just the IPs and interfaces have changed 
occasionally.

Possibly try with pass all in/out for icmp to check whether such rules 
might be needed.

The other thing is, I doubt any email has been sent from here to any 
address at att.net/sbcglobal.net/pacbell.net.

David
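An added example, not from either message in this thread: a small Python evaluator of ipf's rule semantics (last matching rule wins, unless a matching `quick` rule ends evaluation) applied to the ICMP lines of the quoted ruleset, to show which ICMP types actually pass in each direction and what David's "pass all in/out for icmp" test changes. It is a simplification, not ipf: addresses and interfaces are ignored, and only the syntax subset used in these lines is parsed.

```python
# Constructed excerpt: the ICMP-relevant lines of the ruleset quoted above.
RULESET = """
block out all
pass out quick proto icmp from 206.176.249.128/28 to any icmp-type echorep
pass out quick proto icmp from 206.176.249.128/28 to any icmp-type unreach
pass out quick proto icmp from 206.176.249.128/28 to any icmp-type echo
pass out quick proto icmp from 206.176.249.128/28 to any icmp-type timex
block in all
pass in quick proto icmp from any to 206.176.249.128/28 icmp-type echorep
pass in quick proto icmp from any to 206.176.249.128/28 icmp-type unreach
pass in quick proto icmp from any to 206.176.249.128/28 icmp-type echo
pass in quick proto icmp from any to 206.176.249.128/28 icmp-type timex
"""

# Constructed lines for the diagnostic step: pass all ICMP both ways.
ICMP_OPEN = """
pass in quick proto icmp all
pass out quick proto icmp all
"""

def parse_rules(text):
    """Parse the subset of ipf syntax used above; addresses/interfaces ignored."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        rules.append({
            "action": t[0], "dir": t[1], "quick": "quick" in t,
            "proto": t[t.index("proto") + 1] if "proto" in t else None,
            "icmp_type": t[t.index("icmp-type") + 1] if "icmp-type" in t else None,
        })
    return rules

def _matches(r, direction, proto, icmp_type):
    return (r["dir"] == direction and r["proto"] in (None, proto)
            and r["icmp_type"] in (None, icmp_type))

def verdict(rules, direction, proto, icmp_type=None):
    """ipf semantics: last matching rule wins, but a matching 'quick' rule
    stops evaluation immediately; with no matching rule the packet passes."""
    result = "pass"
    for r in rules:
        if _matches(r, direction, proto, icmp_type):
            result = r["action"]
            if r["quick"]:
                break
    return result

def icmp_summary(rules, types=("echo", "echorep", "unreach", "timex", "redir")):
    """ICMP types that pass in each direction under the given rules."""
    return {d: sorted(t for t in types if verdict(rules, d, "icmp", t) == "pass")
            for d in ("in", "out")}
```

Because `block in all` / `block out all` come first and every later pass rule is `quick`, any ICMP type not listed explicitly (e.g. `redir`) is dropped; appending the two open rules makes every type pass, which is the comparison the diagnostic step is after.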
