Howdy,
I am having a strange ipfilter ruleset problem on my mail server
(Sun E220R, Solaris 8, sendmail 8.12.7, ipfilter 3.4.31, my ipf.conf
file is attached) with remote sites that run Microsoft Exchange 2000
mail service.
I noticed this problem the other day when outbound email to Amherst
College quit moving (deferred: connection timed out). I called their
email sysadmin and found out that they had recently upgraded from
Exchange 5.5 to 2000. The guy there did some tcpdump and said
that a handshake between his server and ours never completed. I shut
down ipfilter and suddenly our outbound email to Amherst moved. Hmmm.
Today, I turned on some ipfilter logging at "block in all" and
"block out all" and discovered that when my server attempts to send
an email to Amherst, their server responds back with a connection from
their port 25 to a random high-number port to our end:
hme0 @0:16 b 148.85.136.10,25 -> 137.146.210.52,40633 PR tcp len 20 40 -A IN
(Amherst) (Colby)
which my "block in all" rule kills. I've tried "keep state" settings
on my "pass in" and "pass out" rules for port 25, that didn't help.
Obviously I don't want to remove the "block in all" rule.
Any ideas what MS Exchange 2000 is up to? How to fix this problem?
Anybody else encountered this phenomenon?
-----------------------------------
Jeff A. Earickson, Ph.D
Senior UNIX Sysadmin and Email Guru
Information Technology Services
Colby College, 4214 Mayflower Hill,
Waterville ME, 04901-8842
phone: 207-872-3659 (fax = 3076)
-----------------------------------
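The diagnosis above was done by eye on one ipmon line. As an added example (not part of Jeff's message, his ruleset, or the ipfilter distribution), the Python below parses ipmon text lines in the shape quoted above and picks out the pattern he describes: a blocked inbound TCP segment from a remote port 25 to a local ephemeral port, ACK set and SYN clear, which is reply traffic for a connection the mail server itself opened landing on the default "block in all" rule instead of a state entry. The regex layout, the field names, and every sample line except the one quoted in the message are constructed here; a leading date/time stamp, which ipmon normally writes, is skipped if present, and ICMP lines (no port numbers) are ignored.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One ipmon(8) text line, as quoted in the message:
#   hme0 @0:16 b 148.85.136.10,25 -> 137.146.210.52,40633 PR tcp len 20 40 -A IN
# interface, @group:rule, action (b = block, p = pass), src,port -> dst,port,
# PR <proto>, len <header len> <total len>, -<tcp flags> (absent for udp), IN/OUT.
# search() rather than match() lets a leading timestamp pass unharmed.
LOG_RE = re.compile(
    r"(?P<iface>\w+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bp])\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+\d+\s+\d+"
    r"(?:\s+-(?P<flags>[A-Z]+))?\s+(?P<direction>IN|OUT)"
)


@dataclass(frozen=True)
class LogEntry:
    iface: str
    rule: int          # rule number within the group, as ipfilter counts them
    action: str        # "b" (block) or "p" (pass)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str         # TCP flag letters, "" for other protocols
    direction: str     # "IN" or "OUT"


def parse_ipmon_line(line: str) -> Optional[LogEntry]:
    """Parse one ipmon line; None for lines of another shape (icmp, garbage)."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return LogEntry(m["iface"], int(m["rule"]), m["action"], m["src"], int(m["sport"]),
                    m["dst"], int(m["dport"]), m["proto"], m["flags"] or "", m["direction"])


def is_orphaned_smtp_reply(e: LogEntry, local_ip: str) -> bool:
    """True for a blocked inbound TCP segment from a remote port 25 to one of our
    ephemeral ports with ACK set and SYN clear: the remote MTA is answering a
    connection we opened, but no state-table entry claimed the packet, so it
    fell through to the default 'block in all' rule."""
    return (e.action == "b" and e.direction == "IN" and e.proto == "tcp"
            and e.dst == local_ip and e.sport == 25 and e.dport >= 1024
            and "A" in e.flags and "S" not in e.flags)


def find_orphaned_replies(lines: Iterable[str], local_ip: str) -> List[LogEntry]:
    entries = (parse_ipmon_line(line) for line in lines)
    return [e for e in entries if e is not None and is_orphaned_smtp_reply(e, local_ip)]


def count_by_remote(entries: Iterable[LogEntry]) -> Counter:
    """How many orphaned replies each remote mail host produced."""
    return Counter(e.src for e in entries)


# Constructed sample: the line quoted in the message, the same event with the
# timestamp ipmon normally prefixes, and three unrelated events that must not match.
SAMPLE_LINES = [
    "hme0 @0:16 b 148.85.136.10,25 -> 137.146.210.52,40633 PR tcp len 20 40 -A IN",
    "12/03/2002 10:15:22.123456 hme0 @0:16 b 148.85.136.10,25 -> 137.146.210.52,40634 PR tcp len 20 40 -A IN",
    "hme0 @0:22 p 192.0.2.7,3311 -> 137.146.210.52,25 PR tcp len 20 60 -S IN",
    "hme0 @0:19 b 192.0.2.9,4412 -> 137.146.210.52,515 PR tcp len 20 60 -S IN",
    "hme0 @0:16 b 198.51.100.3,53 -> 137.146.210.52,33000 PR udp len 20 73 IN",
]

if __name__ == "__main__":
    orphans = find_orphaned_replies(SAMPLE_LINES, "137.146.210.52")
    for e in orphans:
        print(f"orphaned SMTP reply {e.src}:{e.sport} -> local port {e.dport}, "
              f"killed by rule @0:{e.rule}")
    print(dict(count_by_remote(orphans)))
```

Run it against `ipmon` output (for instance `ipmon -o I /var/log/ipf.log` piped in, or the syslog file ipmon writes to) with the local address of the mail server; a remote host that shows up repeatedly in `count_by_remote` is one whose replies are consistently missing a state entry, which is the question to take to that site's administrator rather than a reason to loosen "block in all".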
#---COLBY ipfilter rulesets
#
#---anything traversing loopback is internal software
#---let it do its thing unrestricted
pass in quick on lo0 all
pass out quick on lo0 all
#---quick block of any inbound packet on lan interface
#---that claims to come from reserved IANA space (bogus!)
block in log quick on hme0 from 0.0.0.0/7 to any
block in log quick on hme0 from 2.0.0.0/8 to any
block in log quick on hme0 from 5.0.0.0/8 to any
block in log quick on hme0 from 23.0.0.0/8 to any
block in log quick on hme0 from 27.0.0.0/8 to any
block in log quick on hme0 from 31.0.0.0/8 to any
block in log quick on hme0 from 70.0.0.0/7 to any
block in log quick on hme0 from 72.0.0.0/5 to any
block in log quick on hme0 from 84.0.0.0/6 to any
block in log quick on hme0 from 88.0.0.0/5 to any
block in log quick on hme0 from 96.0.0.0/3 to any
block in log quick on hme0 from 127.0.0.0/8 to any
block in log quick on hme0 from 197.0.0.0/8 to any
block in log quick on hme0 from 201.0.0.0/8 to any
#---quick block on any outbound packet claiming to come
#---from IANA reserved space, log it...
block out log quick on hme0 from any to 0.0.0.0/7
block out log quick on hme0 from any to 2.0.0.0/8
block out log quick on hme0 from any to 5.0.0.0/8
block out log quick on hme0 from any to 23.0.0.0/8
block out log quick on hme0 from any to 27.0.0.0/8
block out log quick on hme0 from any to 31.0.0.0/8
block out log quick on hme0 from any to 70.0.0.0/7
block out log quick on hme0 from any to 72.0.0.0/5
block out log quick on hme0 from any to 84.0.0.0/6
block out log quick on hme0 from any to 88.0.0.0/5
block out log quick on hme0 from any to 96.0.0.0/3
block out log quick on hme0 from any to 127.0.0.0/8
block out log quick on hme0 from any to 197.0.0.0/8
block out log quick on hme0 from any to 201.0.0.0/8
#---at this point, we have blocked and logged all spoofed packets
#---everything else is a legit packet, but do we want it?
#---by default, block all inbound and outbound packets
#---unless some rule below passes the packet
block in all
block out all
#---now we deal with ICMP packets: ping and some traceroutes
# Allow in ICMP type 0/0 and 11/0 (ping and traceroute)
# Traceroute Unix requires Code 3 Type: 3 and UDP port > 33000
# Tracert Microsoft requires type: 8, 0, 11
# Ping (Packet InterNet Groper) requires type: 8, 0
# ICMP 0/0 - echo reply
# ICMP 8/0 - echo request
# ICMP 11/0 - TTL expired in transit
# ICMP 3/3 - Port unreachable
#---comment these lines out if machine not publicly visible
#---this line answers pings
pass in quick on hme0 proto icmp from any to any icmp-type 8 keep state
#---this line answers udp traceroutes
pass in quick on hme0 proto udp from any to any port 33434 >< 33498
#---rulesets for named connections
pass in log quick on hme0 proto tcp from any to 137.146.210.52 port = 53 flags S keep state
pass in log quick on hme0 proto udp from any to 137.146.210.52 port = 53 keep state
#---let any outbound tcp connection run in state mode
#---so the remote machine can complete the connection
#---does not work with ftp and other half-baked schemes
#---that pick some random high-number port for the return connection
pass out quick on hme0 proto tcp from 137.146.210.52 to any keep state
pass out quick on hme0 proto udp from 137.146.210.52 to any keep state
pass out quick on hme0 proto icmp from 137.146.210.52 to any keep state
#---take anything inbound/outbound from Colby.edu
#pass in from 137.146.0.0/16 to 137.146.210.52
#pass out from 137.146.210.52 to 137.146.0.0/16
#---explicitly block inbound to port 515
block in log quick on hme0 proto tcp from any to 137.146.210.52 port = 515
#---take smtp connections to/from anywhere (ports 25 and 587)
#---also take identd (113) connections from anywhere
#---since we don't run identd, this will give a quick
#---"connection refused" message back.
pass in proto tcp from any to 137.146.210.52 port = 113
pass in proto tcp from any to 137.146.210.52 port = 25
pass out proto tcp from 137.146.210.52 to any port = 25
pass in proto tcp from any to 137.146.210.52 port = 587
pass out proto tcp from 137.146.210.52 to any port = 587
#---take pop3 connections from anywhere (port 110)
pass in proto tcp from any to 137.146.210.52 port = 110
#---explicitly pass anything inbound on port 80 (http),
#---81 (proxy) or 443 (https) from the world
pass in quick on hme0 proto tcp from any to 137.146.210.52 port = 80
pass in quick on hme0 proto tcp from any to 137.146.210.52 port = 81
pass in quick on hme0 proto tcp from any to 137.146.210.52 port = 443
#---take anything inbound/outbound from ITS machine room subnet and offices
#---209 and 210 subnets
pass in from 137.146.209.0/24 to 137.146.210.52
pass out from 137.146.210.52 to 137.146.209.0/24
pass in from 137.146.210.0/24 to 137.146.210.52
pass out from 137.146.210.52 to 137.146.210.0/24
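To see why the logged ACK ends up at rule 16 even though "pass out ... keep state" and "pass in ... port = 25" are both present, it helps to walk a packet through ipfilter's matching order: a packet that matches a state-table entry is passed without consulting the rules at all; otherwise the rules in the packet's direction are walked top to bottom, the last matching rule wins, and a matching rule marked "quick" ends the walk immediately. The following Python is an added illustration, not part of the ruleset above or of ipfilter itself: it parses the subset of the ipf.conf grammar that the TCP rules in the attached file use (no icmp-type or port-range rules), simulates that ordering with a state table, and replays the outbound SYN and the returning ACK with and without a state entry. The rule list inside it is a constructed excerpt of the file above; the `Firewall`, `Rule` and `Pkt` names are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Subset of ipf.conf syntax: action dir [log] [quick] [on IF] [proto P]
#   (all | from SRC to DST [port = N]) [flags F] [keep state]
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+log)?(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\w+))?(?:\s+proto\s+(?P<proto>\w+))?"
    r"\s+(?:all|from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\d+))?)"
    r"(?:\s+flags\s+(?P<flags>\S+))?(?P<state>\s+keep\s+state)?\s*$"
)


@dataclass
class Rule:
    text: str
    action: str
    direction: str
    quick: bool
    iface: Optional[str]
    proto: Optional[str]
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]
    flags: Optional[str]
    keep_state: bool


@dataclass(frozen=True)
class Pkt:
    direction: str
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flag letters as ipmon prints them, e.g. "S", "A"


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unsupported rule syntax: {line!r}")

    def net(s):  # a bare host address is a /32
        return None if s in (None, "any") else ipaddress.ip_network(s, strict=False)

    return Rule(line.strip(), m["action"], m["dir"], bool(m["quick"]), m["iface"],
                m["proto"], net(m["src"]), net(m["dst"]),
                int(m["dport"]) if m["dport"] else None, m["flags"], bool(m["state"]))


def matches(r: Rule, p: Pkt) -> bool:
    if r.direction != p.direction or (r.iface and r.iface != p.iface):
        return False
    if r.proto and r.proto != p.proto:
        return False
    if r.src and ipaddress.ip_address(p.src) not in r.src:
        return False
    if r.dst and ipaddress.ip_address(p.dst) not in r.dst:
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    if r.flags and set(p.flags) != set(r.flags):   # "flags S" = exactly SYN set
        return False
    return True


class Firewall:
    def __init__(self, rule_lines):
        self.rules = [parse_rule(l) for l in rule_lines if l.strip() and not l.startswith("#")]
        self.state = set()   # keyed on the connection's two endpoints, direction-free

    @staticmethod
    def _key(p: Pkt):
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def evaluate(self, p: Pkt) -> Tuple[str, str]:
        """(verdict, reason): state table first, then last-match-wins with 'quick'
        cutting the walk short; ipfilter passes a packet no rule matches."""
        if self._key(p) in self.state:
            return "pass", "state table"
        winner = None
        for r in self.rules:
            if matches(r, p):
                winner = r
                if r.quick:
                    break
        if winner is None:
            return "pass", "no matching rule"
        if winner.action == "pass" and winner.keep_state:
            self.state.add(self._key(p))
        return winner.action, winner.text


# Constructed excerpt of the attached ipf.conf, in the file's order.
RULES = """
block in log quick on hme0 from 127.0.0.0/8 to any
block in all
block out all
pass out quick on hme0 proto tcp from 137.146.210.52 to any keep state
block in log quick on hme0 proto tcp from any to 137.146.210.52 port = 515
pass in proto tcp from any to 137.146.210.52 port = 113
pass in proto tcp from any to 137.146.210.52 port = 25
pass out proto tcp from 137.146.210.52 to any port = 25
""".strip().splitlines()


def walkthrough() -> dict:
    """Replay the exchange from the message: our SYN out, Amherst's ACK back."""
    fw = Firewall(RULES)
    local, amherst = "137.146.210.52", "148.85.136.10"
    syn_out = Pkt("out", "hme0", "tcp", local, 40633, amherst, 25, "S")
    ack_in = Pkt("in", "hme0", "tcp", amherst, 25, local, 40633, "A")
    results = {"syn_out": fw.evaluate(syn_out)}              # quick pass, state created
    results["ack_in_with_state"] = fw.evaluate(ack_in)       # claimed by the state table
    fw.state.clear()                                          # entry gone (expired / never made)
    results["ack_in_without_state"] = fw.evaluate(ack_in)    # falls through to 'block in all'
    results["bogon_syn"] = fw.evaluate(Pkt("in", "hme0", "tcp", "127.0.0.1", 5555, local, 25, "S"))
    results["ident_syn"] = fw.evaluate(Pkt("in", "hme0", "tcp", amherst, 5555, local, 113, "S"))
    return results


if __name__ == "__main__":
    for name, (verdict, reason) in walkthrough().items():
        print(f"{name:22s} {verdict:5s} via: {reason}")
```

The replay shows the two halves of the puzzle: the returning ACK is only ever passed by the state table, because no "pass in" rule covers a remote port 25 talking to a local high port, and the moment the state entry is missing the packet has nowhere to go but "block in all". The simulator does not model what ipfilter 3.4 does with sequence and window checks on a state entry, so it cannot say why Exchange 2000's reply fails to match the entry, but it does show that the "keep state" on the inbound port 25 rule is irrelevant to outbound mail and that the fix lies in why the state entry is not claiming the packet, not in the rule order.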