On 29 May 2007, at 14:24, Paul Theodoropoulos wrote:

> (This is a huge message, but I felt too much info was better than too little)
>
> Preface: I'm a relative n00b to ipfilter, though I got quite an education when my server was attacked recently by some site in China (which is what got me started using it in the first place). That said, here is the problem, followed at the bottom with details as per the IPfilter FAQ:
>
> After putting in place the ruleset shown at the bottom, I discovered that any email with attachments that's sent to any address at att.net/sbcglobal.net/pacbell.net will not go through. The connection invariably times out. *This does not happen with any other MX servers on the net!* That's what's particularly baffling - if I had a mistake in my ruleset, I'd presume NO mail would go out. I've tweaked and adjusted based on everything I can find out there, to no avail. If I replace the ruleset with
>
> pass in all
> pass out all
>
> The mail goes through just fine.

....

> root-klaatu /etc/ipf% ipfstat -io
> block out all
> pass out quick on lo0 all
> block out log quick from any to 192.168.0.0/16
> block out log quick from any to 172.16.0.0/12
> block out log quick from any to 10.0.0.0/8
> pass out log quick proto tcp from 206.176.249.128/28 to any port = 113 flags R/FSRPU
> pass out quick proto tcp from 206.176.249.128/28 to any flags S/FSRPAU keep state
> pass out quick proto udp from 206.176.249.128/28 to any keep state
> pass out quick proto icmp from 206.176.249.128/28 to any icmp-type echorep
> pass out quick proto icmp from 206.176.249.128/28 to any icmp-type unreach
> pass out quick proto icmp from 206.176.249.128/28 to any icmp-type echo
> pass out quick proto icmp from 206.176.249.128/28 to any icmp-type timex
> block in all
> pass in quick on lo0 all
> block in log quick from 192.168.0.0/16 to any
> block in log quick from 172.16.0.0/12 to any
> block in log quick from 10.0.0.0/8 to any
> block in log quick on hme0 from 127.0.0.0/8 to any
> block in log quick on hme1 from 127.0.0.0/8 to any
> block in log quick from any to any with short
> block in log from any to any with ipopts
> block return-rst in log quick proto tcp from any to 206.176.249.128/28 port = 113
> block in log quick from 211.154.104.85/32 to any
> pass in quick proto tcp from any to 206.176.249.128/28 port = ftp flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port 32768 >< 65535 flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = smtp flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = spamd-smtp flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = priv-ssh flags S/FSRPAU keep state
> pass in quick proto udp from any to 206.176.249.128/28 port = domain keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = httpd flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = pop3 flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = imap flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = submission flags S/FSRPAU keep state
> pass in quick proto tcp from any to 206.176.249.128/28 port = smtp-alt flags S/FSRPAU keep state
> pass in quick proto icmp from any to 206.176.249.128/28 icmp-type echorep
> pass in quick proto icmp from any to 206.176.249.128/28 icmp-type unreach
> pass in quick proto icmp from any to 206.176.249.128/28 icmp-type echo
> pass in quick proto icmp from any to 206.176.249.128/28 icmp-type timex

As for your smtp rules, they are no different to mine. The main difference is that for all services in use I have a lot of rules similar to:

block return-icmp-as-dest(port-unr) in log quick on le0 proto tcp/udp from any to any port = 25

but I can't remember why these are needed, as I'm mostly using the same ruleset as I did 6 - 7 years ago; just the IPs and interfaces changed occasionally. Possibly try with pass all in/out for icmp to check if such rules might be needed.

The other thing is I doubt any email has been sent from here to any address@att.net/sbcglobal.net/pacbell.net.

David
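To make the matching order of a ruleset like the one quoted above concrete, here is an added Python evaluator (not code from the thread or from the IPFilter project) that applies ipf's "last match wins, unless a matching rule is quick" semantics to a constructed subset of the quoted inbound rules. It is stateless (keep state is not modeled, so only the initial SYN of a TCP session is judged) and understands only the rule forms that subset uses.

```python
import ipaddress
# Constructed subset of the inbound rules quoted above, kept in ipfstat -io order.
RULES = [
    "block in all",
    "block in log quick from 192.168.0.0/16 to any",
    "block return-rst in log quick proto tcp from any to 206.176.249.128/28 port = 113",
    "block in log quick from 211.154.104.85/32 to any",
    "pass in quick proto tcp from any to 206.176.249.128/28 port = smtp flags S/FSRPAU keep state",
    "pass in quick proto udp from any to 206.176.249.128/28 port = domain keep state",
    "pass in quick proto icmp from any to 206.176.249.128/28 icmp-type unreach",
]
SERVICES = {"smtp": 25, "domain": 53}  # service names the rules above use

def parse(rule):
    """Extract the fields this evaluator understands from one ipf rule line."""
    t = rule.split()
    r = {"action": t[0], "quick": "quick" in t, "proto": None, "src": None,
         "dst": None, "port": None, "icmp": None, "syn_only": False}
    for i, w in enumerate(t):
        if w == "proto":
            r["proto"] = t[i + 1]
        elif w in ("from", "to") and t[i + 1] != "any":
            r["src" if w == "from" else "dst"] = ipaddress.ip_network(t[i + 1])
        elif w == "port":            # only the "port = X" form is handled here
            r["port"] = SERVICES.get(t[i + 2]) or int(t[i + 2])
        elif w == "icmp-type":
            r["icmp"] = t[i + 1]
        elif w == "flags":           # S/FSRPAU: match only initial SYN packets
            r["syn_only"] = t[i + 1].startswith("S/")
    return r

def matches(r, p):
    """Stateless match of packet dict p against parsed rule r (no state table)."""
    return ((r["proto"] is None or r["proto"] == p["proto"])
            and (r["src"] is None or ipaddress.ip_address(p["src"]) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(p["dst"]) in r["dst"])
            and (r["port"] is None or r["port"] == p.get("dport"))
            and (r["icmp"] is None or r["icmp"] == p.get("icmp"))
            and (not r["syn_only"] or p.get("syn", False)))

def verdict(packet, rules=RULES):
    """ipf semantics: the LAST matching rule decides, except that a matching rule
    marked 'quick' ends evaluation at once. No match means pass, hence 'block in all' first."""
    result = "pass"
    for r in map(parse, rules):
        if matches(r, packet):
            result = r["action"]
            if r["quick"]:
                break
    return result
```

Packet dicts carry proto, src and dst, plus dport, icmp or syn as relevant; an inbound SMTP SYN to a host in the /28 passes, the same SYN from the singled-out 211.154.104.85 source or an ACK without SYN is blocked.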
