[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
pf keep state and lotus mail

To: misc_(_at_)_openbsd_(_dot_)_org
Subject: pf keep state and lotus mail
From: qstreb <qstreb_(_at_)_ism-computer_(_dot_)_de>
Date: Wed, 8 May 2002 15:28:45 -0700
Hi list,
I have again a strange problem

i can connect to "any" smtp server on internet except gate.comics.de
with "pass out quick proto tcp from any to any port = 25 keep state"

to be able to "telnet gate.comics.de 25" i have to specify:
"pass out quick proto tcp from any to 195.4.123.130 port = 25"
"pass in  quick proto tcp from 195.4.123.130 port = 25 to any"

once the communication is established i can delete the upper 2 rules
and it will work for some time with the standard keep state

i played around with differnet flags in combination with keep & modulate state
but there was no effect

could anybody explain why it happens and how to solve this problem,
at this moment I am not sure that this is the only smtp server i will have 
troubles in the future :(

10x in advance,
qstreb

P.S.
what i use is more or less standard pf rules (long): 

# set up some variables
ext_if = 'xl1'
int_if = 'xl0'
lan_0 = '10.1.10.0/24'
int_ip = '10.1.10.254/32'
lan_2 = '192.168.0.0/16'
lan_3 = '172.16.0.0/12'
lan_4 = '10.6.0.91/32'
vpn   = '10.1.99.0/24'
dmz   = '10.1.20.0/24'
ext_ip = '10.1.20.9/32'
dmz_1  = '10.10.10.0/24 '
broadcast = '255.255.255.255/32'
spoofed = '{172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 255.255.255.255/32 }'
#spoofed = '{10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 255.255.255.255/32 }'

#pass out log quick proto tcp from any to 195.4.123.130 port = 25
#pass in  log quick proto tcp from 195.4.123.130 port = 25 to any


bad_xxx = '{ 12.151.26.150/32, \
        62.146.30.213/32, \
        62.152.9.160/32, \
        64.65.0.53/32, \
        151.189.46.220/32, \
        213.221.81.18/32, \
        213.221.109.27/32, \
        217.172.161.241/32, \
        217.223.73.114/32 }'

block in log quick on $int_if from any to $bad_xxx
block in quick on $ext_if from $bad_xxx to any

#pass out quick on $ext_if proto tcp from any to 195.4.123.130 port = 25
#pass in  quick on $ext_if proto tcp from 195.4.123.130 port = 25 to any

pass in  quick on lo0 all keep state
pass out quick on lo0 all keep state
pass in quick on $int_if proto tcp from $lan_0 to lo0 port {21, 80, 8081, 3128} keep state

# block and log everything by default
block             out log-all on $int_if           all
block             in  log-all on $int_if           all

block             out log on $ext_if           all
block             in  log on $ext_if           all
block return-rst  out log on $ext_if proto tcp all
block return-rst  in  log on $ext_if proto tcp all
block return-icmp out log on $ext_if proto udp all
block return-icmp in  log on $ext_if proto udp all

# drop spoofed packets
block out log quick on $ext_if from ! $ext_ip to any
block out log quick on $ext_if from any to $spoofed
block in  log quick on $ext_if from $spoofed to any
block in  log quick on $ext_if from any to $spoofed

# fuzz any 'nmap' attempt
block in log-all quick on $ext_if proto tcp all flags FUP
block in log-all quick on $ext_if proto tcp all flags SF/SFRA
block in log-all quick on $ext_if proto tcp all flags /SFRA

block out quick on $ext_if proto tcp from any to any port {137, 138, 139, 445}
block out quick on $ext_if proto udp from any to any port {137, 138, 139, 445}
block in  quick on $ext_if proto tcp from any to any port {137, 138, 139, 445}
block in  quick on $ext_if proto udp from any to any port {137, 138, 139, 445}

#--------------------------------------------------------------------------

# VPN: allow any traffic on the ISAKMP port
pass in  quick on $ext_if proto udp from any port = 500 to any port = 500
pass out quick on $ext_if proto udp from any port = 500 to any port = 500

# VPN: allow all traffic in ESP form
pass in  quick on $ext_if proto esp from any to any
pass out quick on $ext_if proto esp from any to any

# GRE
pass in  log quick on $ext_if proto gre from any to $ext_ip
pass out     quick on $ext_if proto gre from $ext_ip to any

block in quick on $int_if proto esp from any to any
block in quick on $int_if proto udp from any port = 500 to any port = 500
block in quick on $int_if proto gre from any to any
#--------------------------------------------------------------------------

pass in quick on $ext_if inet proto tcp from any  \
                to $ext_ip port {22, 25, 1723} flags S/SA keep state
pass in  quick on $ext_if inet proto tcp from any port = 20 \
                to $ext_ip flags S/SA keep state

pass in quick on $ext_if inet proto icmp all icmp-type 0  code 0 keep state
pass in quick on $ext_if inet proto icmp all icmp-type 3  code 3 keep state
pass in quick on $ext_if inet proto icmp all icmp-type 11 code 0 keep state
#pass in quick on $ext_if inet proto icmp all icmp-type 8  code 0 keep state
#-------------------------------------------------------------------------

pass in quick on $int_if proto tcp from {$lan_0, $lan_2, $lan_3, $lan_4} to $int_ip \
        port {21, 22, 25, 53, 80, 443, 3128, 8081} flags S/SA keep state
pass in quick on $int_if proto udp from {$lan_0, $lan_2, $lan_3, $lan_4} to $int_ip \
        port {53, 123 } keep state
pass in quick on $int_if inet proto icmp from {$lan_0, $lan_2, $lan_3, $lan_4} to $int_ip keep state

#### LANs

pass  in  quick on $int_if from {$lan_0, $lan_2, $lan_3, $lan_4, $vpn} \
                                to {$lan_0, $lan_2, $lan_3, $broadcast, $lan_4, $vpn} keep state
pass  out quick on $int_if from {$lan_0, $lan_2, $lan_3, $vpn} \
                                to {$lan_0, $lan_2, $lan_3, $broadcast, $vpn} keep state

#-------------------------------------------------------------------------
block in quick on $ext_if from any to $lan_0
pass out proto tcp from any to $lan_0 keep state
pass out proto udp from any to $lan_0 keep state

pass in  quick on $int_if from $lan_0 to $dmz keep state
pass out quick on $ext_if from $lan_0 to $dmz keep state

pass in  quick on $int_if from $lan_0 to $dmz_1 keep state
pass out quick on $ext_if from $lan_0 to $dmz_1 keep state

#-------------------------------------------------------------------------
# allow from int to the inet host
pass in quick on $int_if proto tcp from $lan_0 to \
        any port {21, 8081, 22, 2222, 2401, 23, 25, 119, 1723, 3389, 5405} flags S/SA keep state

pass in quick on $int_if inet proto icmp all icmp-type 0  code 0 keep state
pass in quick on $int_if inet proto icmp all icmp-type 3  code 3 keep state
pass in quick on $int_if inet proto icmp all icmp-type 11 code 0 keep state
pass in quick on $int_if inet proto icmp all icmp-type 8  code 0 keep state

#------------------------------------------------------------------------------

pass out quick on $ext_if proto tcp  all flags S/SA keep state
pass out quick on $ext_if proto udp  all            keep state
pass out quick on $ext_if proto icmp all            keep state

pass out quick on $int_if proto tcp  all flags S/SA keep state
pass out quick on $int_if proto udp  all            keep state
pass out quick on $int_if proto icmp all            keep state
Follow-Ups:
- Re: pf keep state and lotus mail
  - From: Chuck Yerkes
- Re: pf keep state and lotus mail
  - From: Lars Hansson
- Re: pf keep state - the AIX case
  - From: qstreb
Prev by Date: Wierd isakmpd question...
Next by Date: A new website
Previous by thread: Wierd isakmpd question...
Next by thread: Re: pf keep state and lotus mail
Index(es):
- Date
- Thread
Visit your host, monkey.org