On 3/7/07, Ramdas <[EMAIL PROTECTED]> wrote:
> On 3/7/07, Pablo Halamaj <[EMAIL PROTECTED]> wrote:
> > On 05/03/07, Ramdas <[EMAIL PROTECTED]> wrote:
> > > Hi Group,
> > >
> > > I have a server with two lan cards both with valid ips. One interface
> > > (fxp1) is patched behind a CISCO PIX Firewall & the other is outside the firewall
> > > (fxp0)
> > >
> > > I want that there should be no greylisting/filtering on fxp1 (I have
> > > the related ports opened in the PIX) & it should be enabled only for
> > > fxp0.
> > >
> > > The server will be used as Mail server.
> > >
> > > Please help. I want to check if the below rules are correct.
> > > My Pf rules are as follows:
> > > ----
> > > # PF Conf
> > > # ###########
> > > # Macros
> > > #############
> > >
> > > # internal and external network interfaces
> > > int_if = "fxp0"
> > > ext_if = "fxp1"
> > >
> > > # Internal servers
> > > mail_host = "a.b.c.d"
> > >
> > > icmp_types = "{ echoreq, unreach }"
> > > tcp_services = "{110,143,80 }"
> >
> > SMTP servers use port 25, you should allow connections from the internet to port 25
> >
> > > # We should never see these coming from the Internet.
> > > martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> > >  10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
> > >  0.0.0.0/8, 240.0.0.0/4 }"
> > >
> > > # options
> > > set block-policy return
> >
> > I prefer "set block-policy drop", it will hide your server from some
> > scans and minimize your upload bandwidth ;-)
> >
> > > set loginterface $ext_if
> > > # set options must come before the filter rules
> > > set skip on lo0
> > >
> > > # Scrub
> > > scrub in all
> > >
> > > #################
> > > # Spamd
> > > #################
> > >
> > > # grey host list
> > > table <spamd> persist
> > > # White host list (name must match the <spamd-white> used in the rules below)
> > > table <spamd-white> persist
> > > # This whitelist we are maintaining
> > > table <whitelist> persist file "/etc/whitelist.txt"
> > >
> > > # Send whitelisted hosts to the actual mail server
> > >
> > > rdr on $ext_if proto tcp from <whitelist> to \
> > >  $ext_if port smtp -> $mail_host port smtp
> > >
> > > # send all suspects to the spamd daemon
> > > rdr pass on $ext_if inet proto tcp from <spamd> to \
> > >  $ext_if port smtp -> 127.0.0.1 port 8025
> > > rdr pass on $ext_if inet proto tcp from !<spamd-white> to \
> > >  $ext_if port smtp -> 127.0.0.1 port 8025
> > >
> > >
> > > # Send whitelisted hosts to the actual mail server
> > > rdr on $ext_if proto tcp from <spamd-white> to \
> > >  $ext_if port smtp -> $mail_host port smtp
> > >
> > > # #############
> > > # Filter Rules
> > > # #############
> > >
> > > block all
> > >
> > > antispoof for $ext_if
> > > antispoof for $int_if
> > >
> > > # Martians
> > > block drop in quick on $ext_if from $martians to any
> > > block drop out quick on $ext_if from any to $martians
> > >
> > > # Allow ping and path MTU discovery
> > > pass in inet proto icmp all icmp-type $icmp_types keep state
> > >
> > > # Allow incoming Smtp & Pop connection
> > > pass in on $ext_if inet proto tcp from any to ($ext_if) \
> > >  port $tcp_services flags S/SA keep state
> > >
> > >
> > > # For spamdlog to update the whitelists
> > > # don't need to log static whitelist
> > > pass in quick on $ext_if inet proto tcp from <whitelist> \
> > >  to port smtp flags S/SA keep state
> > > pass in log quick on $ext_if inet proto tcp from <spamd-white> \
> > >  to port smtp flags S/SA keep state
> > >
> > > # Allow anything from the internal network out onto the Internet
> > > pass out on $ext_if proto tcp all modulate state flags S/SA
> > > pass out on $ext_if proto { udp, icmp } all keep state
> > >
> > > pass quick on $int_if
> > > ----
> > >
> > > One more question I want to ask is whether it will be ok to enable
> > > multicost routing on this server. Or is it that I need to add more
> > > rules to the above for it to work with Multicost routing.
> > >
> > > Thanx & Regards
> > > Ram
> > >
>
> I am sorry to repeat my question. But something is wrong in my rules
> and I do not know how to debug & proceed.
>
> The above rules did not help me.
> I could either connect on fxp0 OR fxp1 depending on my /etc/mygate
> settings (had disabled multicost routing).
>
> Then I enabled multicost routing & deleted /etc/mygate. This allowed
> me to connect on my fxp0 on port 25 but not on fxp1.
> pfctl -ss would show a SYN_SENT:ESTABLISHED for port 25
>
> After a lot of struggle I removed the rules
> antispoof for fxp0
> antispoof for fxp1
> after which I can connect on both fxp1 & fxp0 on port 25.
>
> The new problem that has started is that after the host gets
> whitelisted it cannot connect on the mail_host port 25. That is,
> greylisted connections have no problem, whitelisted ips cannot
> communicate on the server.
>
> Please suggest the corrections I need to make.
>
> Regards
> RAM

Sorry for the noise. But I am unable to get over the problem. I have a server with two network cards both with Valid IP. On one nic I want greylisting enabled & on the other I do not want any greylisting. I have enabled multicost routing on the machine. I have removed all my rules and started with some basic ones as below.

---
#macros
ext_if = "em0"
int_if = "bge0"
tcp_services = "{ 25, 110, 80 }"
icmp_types = "{ echoreq, unreach }"
ssh_only = "{ 22 }"
myhost = "{ myhost_IP_address }"

# Options
set block-policy return
# only one loginterface can be active; the second line overrides the first
set loginterface $ext_if
set loginterface $int_if
# set options must come before the filter rules
set skip on lo

#Scrub
scrub in all

# Filter rules
block all

# Allow incoming Smtp & Pop connection on Ext_if
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state tag OUTNET
pass out quick on $ext_if tagged OUTNET

# Allow incoming Smtp & Pop connection on Int_if
pass in on $int_if inet proto tcp from any to ($int_if) \
    port $tcp_services flags S/SA keep state tag INTNET
pass out quick on $int_if tagged INTNET

# Allow ssh from local network
pass in on $int_if inet proto tcp from $myhost to ($int_if) \
    port $ssh_only flags S/SA keep state

# Allow ssh from local network on Ext if
pass in on $ext_if inet proto tcp from $myhost to ($ext_if) \
    port $ssh_only flags S/SA keep state
---

Still the problem is that whenever a machine (I have a dial-up PC) connects on one Int it cannot connect to the ports on the other interface. tcpdump shows that the packets come in from one int and try to go out from a diff int. Please help, I am completely lost now, if possible suggest me the correct rules. Otherwise I will have to fall back to the single interface to internet setup with the other int only for the invalid network & will have to do away with Greylisting also as users would connect on the valid int.

Thanx in advance for any help.

Regards
Ram

The problem is with handling return-path data. The traffic coming in on one interface passes out (tries to pass out) from the other interface. I have been trying a lot of combinations with little result. I just want to know a few things (read: I beg for help)

a) With multiple external interfaces (two in my case) sysctl net.inet.ip.multipath should be on or off (mine is kept on)
b) sysctl net.inet.ip.forwarding should be On or Off. I have set it to off.

Regards
Ram
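The symptom described above, connections arriving on one interface and replies leaving through the other, is what pf's reply-to option addresses: it stores the ingress interface and next hop in the state entry so that reply packets are sent back the same way regardless of the routing table. The rule set below is an added illustration (not the poster's rules or any reply in the thread) that keeps greylisting on the outside interface only and pins replies per interface; interface names follow the second rule set, while the gateway addresses, the whitelist path and the port list are assumed placeholders, and the syntax is the pre-OpenBSD 4.7 form used in the thread.

```pf
# Added example, not the poster's rules. Interface names follow the second
# rule set in the thread; gateways, whitelist path and ports are assumptions.
ext_if = "em0"            # outside interface: greylisting applies here
int_if = "bge0"           # interface behind the PIX: no greylisting
ext_gw = "203.0.113.1"    # assumed next hop reachable via em0
int_gw = "198.51.100.1"   # assumed next hop reachable via bge0
mail_ports = "{ smtp, pop3, www }"

# Options must precede translation and filter rules
set block-policy drop
set loginterface $ext_if
set skip on lo

scrub in all

table <spamd> persist                       # blacklist fed by spamd-setup
table <spamd-white> persist                 # hosts that passed greylisting
table <whitelist> persist file "/etc/mail/whitelist.txt"   # assumed path

# Greylisting on $ext_if only: blacklisted and not-yet-whitelisted senders
# are redirected to spamd on 127.0.0.1:8025; whitelisted ones reach the MTA
rdr on $ext_if inet proto tcp from <spamd> to ($ext_if) port smtp \
    -> 127.0.0.1 port 8025
no rdr on $ext_if inet proto tcp from { <spamd-white>, <whitelist> } \
    to ($ext_if) port smtp
rdr on $ext_if inet proto tcp from any to ($ext_if) port smtp \
    -> 127.0.0.1 port 8025

block all
# Assumes the two interfaces sit on different subnets; on a shared subnet
# antispoof blocks legitimate traffic and should be left out
antispoof quick for { $int_if, $ext_if }

# reply-to stores the ingress interface and gateway in the state, so replies
# (including those generated locally by spamd or the MTA) leave through the
# interface the SYN arrived on, whatever the routing table says.
# "log" on the smtp rule lets spamlogd see whitelisted connections.
pass in log on $ext_if reply-to ($ext_if $ext_gw) inet proto tcp \
    from any to ($ext_if) port smtp flags S/SA keep state
pass in on $ext_if reply-to ($ext_if $ext_gw) inet proto tcp \
    from any to 127.0.0.1 port 8025 flags S/SA keep state
pass in on $ext_if reply-to ($ext_if $ext_gw) inet proto tcp \
    from any to ($ext_if) port { pop3, www } flags S/SA keep state
pass in on $int_if reply-to ($int_if $int_gw) inet proto tcp \
    from any to ($int_if) port $mail_ports flags S/SA keep state

# Connections initiated by the server itself
pass out on { $ext_if, $int_if } proto { tcp, udp, icmp } all keep state
```

With reply-to carrying the return path in the state table, net.inet.ip.multipath is not needed for this case, and the greylisted-versus-whitelisted split stays visible in pfctl -ss by destination (127.0.0.1:8025 versus the interface address).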

