Re: PF and Raptor SMTP gateway incompatible?

[Marco Radzinschi <marco@radzinschi.com>]

On Sat, 15 Jun 2002, Darren Reed wrote:

> In some mail from Mike Lewinski, sie said:
> >
> > I think I've tracked this down.... it's also visible under ipfilter on a 2.9
> > box with very generic configs. For readability the sample IPs below have
> > been replaced with 'openbsd' and 'raptor'.
> [...]
>
> Ah, so it is "this" product which is causing the problem!
>
> There are other threads about dealing with it in the misc archives.
> If you have a "block return-rst in proto tcp ..." (without flags S)
> type rule, the 1st connection will fail but the 2nd will succeed.
>
> I've updated IPFilter to better deal with this situation - so long
> as you have a "block return-rst in" type rule.
>
> Darren


I want to thank everyone for responding to this, in particular Mike
Lewinski for the tcpdump and Darren Reed for some insight.

>From what I understand of this, the return-rst fix may or may not work on
OpenBSD 3.1's pf, correct?

I will try to get it to work, but if it does not work, it seems I have
three options:

1.  Install IPFilter on OpenBSD
2.  Replace OpenBSD with NetBSD or FreeBSD, which come with IPFilter
3.  Replace OpenBSD with Linux and use IPTables

Third option does not look too good, since the firewall/gateway machines
in question only have 1.2 GB drives and 32 MB RAM.

Am I wrong in my assumptions, or can anyone suggest any other solutions?

Thanks again,

Marco Radzinschi

E-Mail: marco@radzinschi.com
AOL IM: CrackedBoy

"Whoever fights monsters should see to it that in the process he does not
become a monster. And when you look long into an abyss, the abyss also
looks into you." -- Friedrich Nietzsche (Beyond Good and Evil)