On 3/7/07, Pablo Halamaj <[EMAIL PROTECTED]> wrote:
On 05/03/07, Ramdas <[EMAIL PROTECTED]> wrote:
> Hi Group,
>
> I have a server with two lan cards both with valid ips . One interface
> (fxp1) is patched behind a CISCO PIX Firewall & Other outside firewall
> (fxp0)
>
> I want that there should be no greylisting/filtering on fxp1 (I have
> the related ports opened in the PIX) & it should be enabled only for
> fxp0.
>
> The server will be used as Mail server.
>
> Please help. I want to check if the below rules are correct.
> My Pf rules are as follows:
> ----
> # PF Conf
> # ###########
> # Macros
> #############
>
> # internal and external network interfaces
> int_if = "fxp0"
> ext_if = "fxp1"
>
> # Internal servers
> mail_host = "a.b.c.d"
>
> icmp_types = "{ echoreq, unreach }"
> tcp_services = "{110,143,80 }"

SMTP servers use port 25; you should allow connections from the Internet to port 25.

> # We should never see these coming from the Internet .
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
>              0.0.0.0/8, 240.0.0.0/4 }"
>
> # options
> set block-policy return

I prefer "set block-policy drop"; it will hide your server from some scans and minimize your upload bandwidth ;-)

> set loginterface $ext_if
>
> # Scrub
> scrub in all
>
> #################
> # Spamd
> #################
>
> # grey host list
> table <spamd> persist
> # White host list
> table <spamd-white> persist
> # This whitelist we are maintaining
> table <whitelist> persist file "/etc/whitelist.txt"
>
> # Send whitelisted hosts to the actual mail server
> rdr on $ext_if proto tcp from <whitelist> to \
>     $ext_if port smtp -> $mail_host port smtp
>
> # send all suspects to the spamd daemon
> rdr pass on $ext_if inet proto tcp from <spamd> to \
>     $ext_if port smtp -> 127.0.0.1 port 8025
> rdr pass on $ext_if inet proto tcp from !<spamd-white> to \
>     $ext_if port smtp -> 127.0.0.1 port 8025
>
> # Send whitelisted hosts to the actual mail server
> rdr on $ext_if proto tcp from <spamd-white> to \
>     $ext_if port smtp -> $mail_host port smtp
>
> # #############
> # Filter Rules
> # #############
>
> block all
> set skip on lo0
>
> antispoof for $ext_if
> antispoof for $int_if
>
> # Martians
> block drop in quick on $ext_if from $martians to any
> block drop out quick on $ext_if from any to $martians
>
> # Allow ping and path MTU discovery
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
> # Allow incoming Smtp & Pop connection
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>     port $tcp_services flags S/SA keep state
>
> # For spamdlog to update the whitelists
> # don't need to log static whitelist
> pass in quick on $ext_if inet proto tcp from <whitelist> \
>     to port smtp flags S/SA keep state
> pass in log quick on $ext_if inet proto tcp from <spamd-white> \
>     to port smtp flags S/SA keep state
>
> # Allow anything from the internal network out onto the Internet
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
>
> pass quick on $int_if
> ----
>
> One more question I want to ask is that will it be ok to enable
> multicost routing on this server. Or is it that I need to add more
> rules to the above for it to work with Multicost routing.
>
> Thanx & Regards
> Ram
I am sorry to repeat my question, but something is wrong in my rules and I do not know how to debug & proceed.

The above rules did not help me. I could either connect on fxp0 OR fxp1 depending on my /etc/mygate settings (had disabled multicost routing). Then I enabled multicost routing & deleted /etc/mygate. This allowed me to connect on my fxp0 on port 25 but not on fxp1; pfctl -ss would show a SYN_SENT:ESTABLISHED for port 25.

After a lot of struggle I removed the rules "antispoof on fxp0" and "antispoof on fxp1", after which I can connect on both fxp1 & fxp0 on port 25.

The new problem that has started is that after the host gets whitelisted it cannot connect on the mail_host port 25. That is, greylisted connections have no problem; whitelisted IPs cannot communicate with the server.

Please suggest the corrections I need to make.

Regards
RAM
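As an added example that is not part of this thread and not the poster's own file: a small Python script that runs the sanity checks the discussion above calls for against a pf.conf ruleset before it is loaded. It expands macros, reports tables that rules reference but never declare (an rdr rule naming <spamd-white> while the declaration reads <spam-white>), lists the TCP ports that the "pass in" rules on the external interface actually admit so a missing port 25 is visible, and lists plain "rdr" rules that, unlike "rdr pass", still need a matching filter rule. SAMPLE_PF_CONF is a constructed ruleset modelled on the quoted one (192.0.2.10 is a placeholder mail host) and deliberately keeps the <spam-white>/<spamd-white> name mismatch so the check has something to find; SERVICE_PORTS and the function names are mine.

```python
"""Static sanity checks for a pf.conf ruleset (added example, not from the thread)."""
import re

# Constructed sample modelled on the ruleset quoted in the thread; not the poster's file.
SAMPLE_PF_CONF = """\
ext_if = "fxp1"
mail_host = "192.0.2.10"
tcp_services = "{110,143,80 }"
table <spamd> persist
table <spam-white> persist
table <whitelist> persist file "/etc/whitelist.txt"
rdr on $ext_if proto tcp from <whitelist> to \\
    $ext_if port smtp -> $mail_host port smtp
rdr pass on $ext_if inet proto tcp from <spamd> to \\
    $ext_if port smtp -> 127.0.0.1 port 8025
rdr pass on $ext_if inet proto tcp from !<spamd-white> to \\
    $ext_if port smtp -> 127.0.0.1 port 8025
block all
pass in on $ext_if inet proto tcp from any to ($ext_if) \\
    port $tcp_services flags S/SA keep state
"""

# Service names accepted in 'port' specs; the subset this example needs (assumed mapping).
SERVICE_PORTS = {"smtp": 25, "pop3": 110, "imap": 143, "http": 80}


def logical_lines(conf):
    """Join backslash-continued lines, strip comments and blank lines."""
    joined = re.sub(r"\\\n\s*", " ", conf)
    return [l.split("#", 1)[0].strip() for l in joined.splitlines()
            if l.split("#", 1)[0].strip()]


def parse_macros(lines):
    """Collect name = "value" macro definitions."""
    macros = {}
    for line in lines:
        m = re.fullmatch(r'(\w+)\s*=\s*"(.*)"', line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(line, macros):
    """Substitute $name references; unknown macros are left untouched."""
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), line)


def rules(conf):
    """Ruleset with macros expanded and the macro definitions themselves removed."""
    lines = logical_lines(conf)
    macros = parse_macros(lines)
    return [expand(l, macros) for l in lines if not re.fullmatch(r'\w+\s*=\s*".*"', l)]


def undefined_tables(conf):
    """Tables referenced as <name> in rules but never declared with 'table <name>'."""
    declared, referenced = set(), set()
    for line in rules(conf):
        m = re.match(r"table\s+<([^>]+)>", line)
        if m:
            declared.add(m.group(1))
        else:
            referenced.update(re.findall(r"<([^>]+)>", line))
    return sorted(referenced - declared)


def ports_in_spec(spec):
    """Turn a port spec such as '{110,143,80 }' or 'smtp' into a set of port numbers."""
    ports = set()
    for tok in re.split(r"[,\s]+", spec.strip("{} ")):
        if not tok:
            continue
        if tok.isdigit():
            ports.add(int(tok))
        elif tok in SERVICE_PORTS:
            ports.add(SERVICE_PORTS[tok])
        else:
            raise ValueError(f"unsupported port spec: {tok}")
    return ports


def passed_in_tcp_ports(conf, iface):
    """TCP ports admitted by 'pass in' rules on the given interface."""
    ports = set()
    for line in rules(conf):
        if not line.startswith("pass in") or f" on {iface} " not in f"{line} ":
            continue
        if "proto tcp" not in line:
            continue
        m = re.search(r"\bport\s+(\{[^}]*\}|\S+)", line)
        if m:
            ports.update(ports_in_spec(m.group(1)))
    return ports


def rdr_rules_needing_pass(conf):
    """Plain 'rdr' rules (no 'pass' keyword) still need a matching filter rule."""
    return [l for l in rules(conf) if l.startswith("rdr ") and not l.startswith("rdr pass")]


def check(conf, ext_if="fxp1"):
    """Summarise the findings for one ruleset."""
    return {
        "undefined_tables": undefined_tables(conf),
        "smtp_passed_in": 25 in passed_in_tcp_ports(conf, ext_if),
        "rdr_without_pass": rdr_rules_needing_pass(conf),
    }


if __name__ == "__main__":
    for key, value in check(SAMPLE_PF_CONF).items():
        print(f"{key}: {value}")
```

On the sample the script reports the undeclared <spamd-white> table, that port 25 is not among the ports the external "pass in" rule admits (only 110, 143 and 80 are), and the one whitelist rdr rule that relies on a separate pass rule. Port ranges and other spec forms are out of scope and raise ValueError rather than being silently skipped.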

