Help.... Same exact ipfilter rule sets: outbound email won't go to Amherst, but will go everyplace else (e.g., Microsoft). Solaris 8, ipfilter 3.4.31. It is clearly my ruleset that is blocking the Amherst outbound traffic, but I cannot see why. It looks like the state table screws up, but only for them. If I set up my rulesets to log everything inbound and outbound, they look like:
ipfstat -in
-----------
@1 pass in log quick on lo0 from any to any
@2 block in log quick on hme0 from 0.0.0.0/7 to any
@3 block in log quick on hme0 from 2.0.0.0/8 to any
@4 block in log quick on hme0 from 5.0.0.0/8 to any
@5 block in log quick on hme0 from 23.0.0.0/8 to any
@6 block in log quick on hme0 from 27.0.0.0/8 to any
@7 block in log quick on hme0 from 31.0.0.0/8 to any
@8 block in log quick on hme0 from 70.0.0.0/7 to any
@9 block in log quick on hme0 from 72.0.0.0/5 to any
@10 block in log quick on hme0 from 84.0.0.0/6 to any
@11 block in log quick on hme0 from 88.0.0.0/5 to any
@12 block in log quick on hme0 from 96.0.0.0/3 to any
@13 block in log quick on hme0 from 127.0.0.0/8 to any
@14 block in log quick on hme0 from 197.0.0.0/8 to any
@15 block in log quick on hme0 from 201.0.0.0/8 to any
@16 block in log from any to any
@17 block in log quick on hme0 proto tcp from any to 137.146.210.52/32 port = 515
@18 pass in log quick on hme0 proto icmp from any to any icmp-type echo keep state
@19 pass in log quick on hme0 proto udp from any to any port 33434 >< 33498
@20 pass in log quick on hme0 proto tcp from any to 137.146.210.52/32 port = 53 flags S/FSRPAU keep state
@21 pass in log quick on hme0 proto udp from any to 137.146.210.52/32 port = 53 keep state
@22 pass in log quick on hme0 proto tcp from any to 137.146.210.52/32 port = 113 flags S/FSRPAU keep state keep frags
@23 pass in log quick on hme0 proto tcp from any to 137.146.210.52/32 port = 25 flags S/FSRPAU keep state keep frags
@24 pass in log quick on hme0 proto tcp from any to 137.146.210.52/32 port = 587 flags S/FSRPAU keep state keep frags
@25 pass in log quick on hme0 proto tcp from any to 137.146.210.52/32 port = 110 flags S/FSRPAU keep state keep frags
@26 pass in log quick on hme0 proto tcp from any to 137.146.210.52/32 port = 80 flags S/FSRPAU keep state keep frags
@27 pass in log quick on hme0 proto tcp from any to 137.146.210.52/32 port = 81 flags S/FSRPAU keep state keep frags
@28 pass in log quick on hme0 proto tcp from any to 137.146.210.52/32 port = 443 flags S/FSRPAU keep state keep frags
@29 pass in log from 137.146.209.0/24 to 137.146.210.52/32
@30 pass in log from 137.146.210.0/24 to 137.146.210.52/32

ipfstat -on
-----------
@1 pass out log quick on lo0 from any to any
@2 block out log quick on hme0 from any to 0.0.0.0/7
@3 block out log quick on hme0 from any to 2.0.0.0/8
@4 block out log quick on hme0 from any to 5.0.0.0/8
@5 block out log quick on hme0 from any to 23.0.0.0/8
@6 block out log quick on hme0 from any to 27.0.0.0/8
@7 block out log quick on hme0 from any to 31.0.0.0/8
@8 block out log quick on hme0 from any to 70.0.0.0/7
@9 block out log quick on hme0 from any to 72.0.0.0/5
@10 block out log quick on hme0 from any to 84.0.0.0/6
@11 block out log quick on hme0 from any to 88.0.0.0/5
@12 block out log quick on hme0 from any to 96.0.0.0/3
@13 block out log quick on hme0 from any to 127.0.0.0/8
@14 block out log quick on hme0 from any to 197.0.0.0/8
@15 block out log quick on hme0 from any to 201.0.0.0/8
@16 block out log from any to any
@17 pass out log quick on hme0 proto tcp from 137.146.210.52/32 to any flags S/FSRPAU keep state keep frags
@18 pass out log quick on hme0 proto udp from 137.146.210.52/32 to any keep state
@19 pass out log quick on hme0 proto icmp from 137.146.210.52/32 to any keep state
@20 pass out log quick on hme0 proto tcp from 137.146.210.52/32 to any port = 25 flags S/FSRPAU keep state keep frags
@21 pass out log quick on hme0 proto tcp from 137.146.210.52/32 to any port = 587 flags S/FSRPAU keep state keep frags
@22 pass out log from 137.146.210.52/32 to 137.146.209.0/24
@23 pass out log from 137.146.210.52/32 to 137.146.210.0/24

sample ipmon output for email that goes:
----------------------------------------
16:43:26.654922 hme0 @0:17 p 137.146.210.52,32575 -> 131.107.3.122,25 PR tcp len 20 48 -S K-S K-F OUT
16:43:26.743042 hme0 @0:17 p 131.107.3.122,25 -> 137.146.210.52,32575 PR tcp len 20 48 -AS K-S K-F IN
16:43:26.743140 hme0 @0:17 p 137.146.210.52,32575 -> 131.107.3.122,25 PR tcp len 20 40 -A K-S K-F OUT
16:43:26.829489 hme0 @0:17 p 131.107.3.122,25 -> 137.146.210.52,32575 PR tcp len 20 144 -AP K-S K-F IN
16:43:26.829769 hme0 @0:17 p 137.146.210.52,32575 -> 131.107.3.122,25 PR tcp len 20 40 -A K-S K-F OUT
16:43:26.830107 hme0 @0:17 p 137.146.210.52,32575 -> 131.107.3.122,25 PR tcp len 20 64 -AP K-S K-F OUT
16:43:27.379353 hme0 @0:17 p 131.107.3.122,25 -> 137.146.210.52,32575 PR tcp len 20 40 -A K-S K-F IN
16:43:27.379452 hme0 @0:17 p 137.146.210.52,32575 -> 131.107.3.122,25 PR tcp len 20 43 -AP K-S K-F OUT
16:43:27.476331 hme0 @0:17 p 131.107.3.122,25 -> 137.146.210.52,32575 PR tcp len 20 119 -AP K-S K-F IN
16:43:27.467786 hme0 @0:17 p 131.107.3.122,25 -> 137.146.210.52,32575 PR tcp len 20 40 -A K-S K-F IN
16:43:27.569479 hme0 @0:17 p 137.146.210.52,32575 -> 131.107.3.122,25 PR tcp len 20 40 -A K-S K-F OUT

sample failed outbound email attempt to Amherst, same rules:
-----------------------------------------------------------
16:30:05.409975 hme0 @0:17 p 137.146.210.52,30715 -> 148.85.136.10,25 PR tcp len 20 48 -S K-S K-F OUT
16:30:05.438835 hme0 @0:16 b 148.85.136.10,25 -> 137.146.210.52,30715 PR tcp len 20 40 -A IN
16:30:12.160142 hme0 @0:17 p 137.146.210.52,30715 -> 148.85.136.10,25 PR tcp len 20 48 -S K-S K-F OUT
16:30:12.194821 hme0 @0:16 b 148.85.136.10,25 -> 137.146.210.52,30715 PR tcp len 20 40 -A IN
16:30:25.660141 hme0 @0:17 p 137.146.210.52,30715 -> 148.85.136.10,25 PR tcp len 20 48 -S K-S K-F OUT
16:30:25.683833 hme0 @0:16 b 148.85.136.10,25 -> 137.146.210.52,30715 PR tcp len 20 40 -A IN
16:31:46.664372 hme0 @0:17 p 137.146.210.52,30944 -> 148.85.136.10,25 PR tcp len 20 48 -S K-S K-F OUT
16:31:46.687370 hme0 @0:16 b 148.85.136.10,25 -> 137.146.210.52,30944 PR tcp len 20 40 -A IN
16:31:50.029932 hme0 @0:17 p 137.146.210.52,30944 -> 148.85.136.10,25 PR tcp len 20 48 -S K-S K-F OUT
16:31:50.046868 hme0 @0:16 b 148.85.136.10,25 -> 137.146.210.52,30944 PR tcp len 20 40 -A IN
16:32:10.305032 hme0 @0:16 b 148.85.136.10,25 -> 137.146.210.52,30944 PR tcp len 20 40 -A IN

Inbound rule 16 gets underfoot for some reason. It is acting like the remote side at Amherst responds before the state table for outbound rule 17 gets into ipfilter, yet Amherst is many milliseconds away on the Net. Amherst is the only site where I've seen this problem. What is wrong with my ipfilter rules? Help!

-----------------------------------
Jeff A. Earickson, Ph.D
Senior UNIX Sysadmin and Email Guru
Information Technology Services
Colby College, 4214 Mayflower Hill, Waterville ME, 04901-8842
phone: 207-872-3659 (fax = 3076)
-----------------------------------
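When two ipmon captures like the ones above are compared by eye, the detail that matters is easy to miss: the rule number, the action letter and the TCP flags on the first inbound packet of each flow. The parser below is an added example, not part of the original post or of the ipfilter distribution. It reads ipmon lines in the format shown in the post, pairs every outbound SYN that was logged with K-S (a state entry was kept) against the first inbound packet of the same flow, and reports how ipfilter treated that reply. The sample lines embedded in it are constructed to mirror the shape of the post's output; the function names, field names and verdict strings are my own.

```python
import re

# Constructed sample in the same shape as the post's ipmon output:
# one SMTP handshake whose reply is passed via state, and one whose
# reply is blocked by the catch-all inbound rule.
SAMPLE_IPMON = """\
16:43:26.654922 hme0 @0:17 p 137.146.210.52,32575 -> 131.107.3.122,25 PR tcp len 20 48 -S K-S K-F OUT
16:43:26.743042 hme0 @0:17 p 131.107.3.122,25 -> 137.146.210.52,32575 PR tcp len 20 48 -AS K-S K-F IN
16:43:26.743140 hme0 @0:17 p 137.146.210.52,32575 -> 131.107.3.122,25 PR tcp len 20 40 -A K-S K-F OUT
16:30:05.409975 hme0 @0:17 p 137.146.210.52,30715 -> 148.85.136.10,25 PR tcp len 20 48 -S K-S K-F OUT
16:30:05.438835 hme0 @0:16 b 148.85.136.10,25 -> 137.146.210.52,30715 PR tcp len 20 40 -A IN
"""

# Field layout of an ipmon line: time iface @group:rule action src,sport -> dst,dport
# PR proto len hdrlen pktlen [-FLAGS] [K-S] [K-F] IN|OUT
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[pbnsL])\s+(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>[SAFRPU]+))?(?P<tags>(?:\s+K-[SF])*)\s+(?P<dir>IN|OUT)\s*$"
)


def parse_ipmon(text):
    """Turn ipmon text into a list of dicts, one per logged packet."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ipmon line: {line}")
        d = m.groupdict()
        records.append({
            "ts": d["ts"], "iface": d["iface"], "rule": int(d["rule"]),
            "action": d["action"],            # p = pass, b = block
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "proto": d["proto"], "flags": set(d["flags"] or ""),
            "logged_with_state": "K-S" in d["tags"],  # K-S: logged via a state entry
            "dir": d["dir"],
        })
    return records


def classify(entry):
    """Plain-language verdict for one outbound SYN and its first reply."""
    if not entry["reply_seen"]:
        return "no reply logged"
    if entry["reply_action"] == "p" and entry["reply_logged_with_state"]:
        return "reply matched state entry"
    if "S" not in entry["reply_flags"]:
        return (f'reply lacks SYN (flags {entry["reply_flags"]}); '
                f'fell through to rule {entry["reply_rule"]} ({entry["reply_action"]})')
    return f'reply hit rule {entry["reply_rule"]} ({entry["reply_action"]}) instead of state'


def audit_handshakes(records):
    """For each outbound SYN logged with K-S, find the first inbound packet of the
    reverse flow and report its flags, the rule that handled it and the action."""
    results = []
    for i, syn in enumerate(records):
        if syn["dir"] != "OUT" or syn["proto"] != "tcp":
            continue
        if syn["flags"] != {"S"} or not syn["logged_with_state"]:
            continue
        reply = next((c for c in records[i + 1:]
                      if c["dir"] == "IN" and c["proto"] == "tcp"
                      and c["src"] == syn["dst"] and c["sport"] == syn["dport"]
                      and c["dst"] == syn["src"] and c["dport"] == syn["sport"]), None)
        entry = {
            "remote": f'{syn["dst"]}:{syn["dport"]}',
            "local_port": syn["sport"],
            "syn_rule": syn["rule"],
            "reply_seen": reply is not None,
            "reply_flags": "".join(sorted(reply["flags"])) if reply else "",
            "reply_action": reply["action"] if reply else "",
            "reply_rule": reply["rule"] if reply else None,
            "reply_logged_with_state": reply["logged_with_state"] if reply else False,
        }
        entry["verdict"] = classify(entry)
        results.append(entry)
    return results


if __name__ == "__main__":
    for e in audit_handshakes(parse_ipmon(SAMPLE_IPMON)):
        print(f'{e["remote"]:<20} local port {e["local_port"]:<6} {e["verdict"]}')
```

Feed it a real capture with `parse_ipmon(open("/path/to/ipmon.log").read())`. On the post's own two captures it reports that the reply from 131.107.3.122 carries -AS and is logged under state from rule 17, while every reply from 148.85.136.10 carries only -A, is not logged with K-S, and lands on the catch-all inbound rule 16. Whatever the cause on the remote side, that flag difference is the first thing to compare before touching the ruleset.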
