> [EMAIL PROTECTED] wrote:
> > I had a power outage to our building due to the fires in San Diego
> > and it crashed those without UPSes. One of them is the spamd machine.
> > I've brought it back up and ran fsck on all volumes. However, mail will
> > not come into our mailboxes from outside but mail can be delivered to
> > outside recipients. I can telnet into the spamd machine and send mail
> > externally and internally. Postfix seems to be ok. When I stop pf, mail
> > from the outside of our LAN comes pouring in. When I start up pf, inbound
> > mail comes to a stop. In the spamd log, I see all kinds of connections
> > being blacklisted and greylisted but still not one mail is being
> > delivered. I am using spamd-mywhite as my whitelist and put all known
> > GMail IP addresses on it. I then send an email from my GMail account to
> > this machine. It gets greylisted and eventually sits in the greylist for
> > quite a while. I also see port 25 open on both external and internal
> > NICs and port 8025 open on the localhost interface.
> >
> > I need assistance in troubleshooting this. Running spamd 4.1.2 on
> > FreeBSD 6.2. We average 800 valid mail per day and so far in the last 24
> > hours, not one mail has come through using the existing spamd
> > configuration.
> >
> > mailfilter-root@/usr/ports# pfctl -vvnf /etc/pf.conf
> > ext_if = "rl0"
> > int_if = "xl0"
> > internal_net = "192.168.1.1/24"
> > external_addr = "216.70.250.4"
> > vpn_net = "10.8.0.0/24"
> > icmp_types = "echoreq"
> > NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
> > webserver1 = "192.168.1.4"
> > set skip on { lo0 }
> > set skip on { gif0 }
> > @0 scrub in all fragment reassemble
> > @1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
> > @2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
> > @3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http -> 192.168.1.4 port 80
> > table persist
> > table persist
> > table persist file "/usr/local/etc/spamd/spamd-mywhite"
> > @4 rdr inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
> > @5 rdr inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
> > @6 rdr pass inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
> > @7 rdr pass inet proto tcp from ! to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
> > @8 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
> > @9 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
> > @10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
> > @11 block drop in log all
> > @12 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
> > @13 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
> > @14 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
> > @15 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
> > @16 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
> > @17 block drop out log quick on rl0 inet from any to 127.0.0.0/8
> > @18 block drop out log quick on rl0 inet from any to 192.168.0.0/16
> > @19 block drop out log quick on rl0 inet from any to 172.16.0.0/12
> > @20 block drop out log quick on rl0 inet from any to 10.0.0.0/8
> > @21 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
> > @22 block drop in log quick inet from 192.168.1.25 to any
> > @23 pass in on xl0 inet from 192.168.1.0/24 to any
> > @24 pass out log on xl0 inet from any to 192.168.1.0/24
> > @25 pass out log quick on xl0 inet from any to 10.8.0.0/24
> > @26 pass out on rl0 proto tcp all flags S/SA modulate state
> > @27 pass out on rl0 proto udp all keep state
> > @28 pass out on rl0 proto icmp all keep state
> > @29 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
> > @30 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
> > warning: macro 'icmp_types' not used
> > mailfilter-root@/usr/ports#
> >
> > What's the quickest way to recover from this? Any other
> > troubleshooting techniques?
> >
> > ~Doug
> >
>
> with rule @11 (log) you can do a
> tcpdump -net -i pflog0 and look at the block rule number.

This is what I am seeing:

303784 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
1. 266221 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: S 3256136674:3256136674(0) win 57344 <mss 1460>
157399 rule 3/0(match): block in on rl0: 207.158.59.100.38643 > 127.0.0.1.25: S 4015967731:4015967731(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
1. 139142 rule 3/0(match): block in on rl0: 200.46.204.71.49347 > 127.0.0.1.25: S 4237450357:4237450357(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
199803 rule 3/0(match): block in on rl0: 200.46.204.71.53512 > 127.0.0.1.25: S 2390205679:2390205679(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
039859 rule 3/0(match): block in on rl0: 200.46.204.71.65136 > 127.0.0.1.25: S 1802046267:1802046267(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
101924 rule 3/0(match): block in on rl0: 200.46.204.71.61323 > 127.0.0.1.25: S 1996496288:1996496288(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
295669 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
192006 rule 3/0(match): block in on rl0: 38.100.230.154.1856 > 127.0.0.1.25: S 1648209710:1648209710(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
639961 rule 3/0(match): block in on rl0: 207.158.59.100.60302 > 127.0.0.1.25: S 490829265:490829265(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
391948 rule 3/0(match): block in on rl0: 207.158.59.100.38643 > 127.0.0.1.25: S 4015967731:4015967731(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
042299 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: S 3256136674:3256136674(0) win 57344 <mss 1460>
025190 rule 3/0(match): block in on rl0: 209.11.60.21.14104 > 127.0.0.1.25: S 598584256:598584256(0) win 16384 <mss 1380>
1. 310404 rule 3/0(match): block in on rl0: 200.46.204.71.49347 > 127.0.0.1.25: S 4237450357:4237450357(0) win 65535 <mss 1460,sackOK,eol>
214949 rule 3/0(match): block in on rl0: 200.46.204.71.53512 > 127.0.0.1.25: S 2390205679:2390205679(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
038980 rule 3/0(match): block in on rl0: 200.46.204.71.65136 > 127.0.0.1.25: S 1802046267:1802046267(0) w

Which of the rules above does rule 3/0(match) refer to?

Also,

mailfilter-root@/usr/ports# tcpdump -n -e -ttt -r /var/log/pflog port 8025
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
mailfilter-root@/usr/ports#

No forwarding to port 8025 is occurring at this point, or so it seems.

>
> also do a sockstat -4 -p 25 and look if your mailserver listen
> at 127.0.0.1:25 otherwise rule @4 and @5 have no effect

mailfilter-root@/usr/ports# sockstat -4 -p 25
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     master     841   11 tcp4   *:25                  *:*

I should mention that this is a relay for our internal Exchange server.
I'm going to test if Postfix is relaying correctly. From all indications
it does seem to relay correctly but I need to make sure it does!

~Doug

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
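
An added example, not part of the original thread: a small Python triage script that tallies pflog lines of the shape quoted above by rule number, action, interface and post-rdr destination, so it is obvious at a glance which rule is dropping the redirected SMTP connections. The sample lines, their addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the shape of the pflog lines quoted in the thread
# (documentation-range source addresses; the last two lines are edge cases).
SAMPLE = """\
303784 rule 3/0(match): block in on rl0: 203.0.113.7.30833 > 127.0.0.1.25: S 1:1(0) win 65535 <mss 1460>
266221 rule 3/0(match): block in on rl0: 198.51.100.9.1923 > 127.0.0.1.25: S 2:2(0) win 57344 <mss 1460>
157399 rule 3/0(match): block in on rl0: 203.0.113.7.38643 > 127.0.0.1.25: S 3:3(0) win 5840 <mss 1460>
139142 rule 6/0(match): pass in on xl0: 192.168.1.10.51515 > 192.168.1.25.25: S 4:4(0) win 65535
038980 rule 3/0(match): block in on rl0: 203.0.113.7.65136 > 127.0.0.1.25: S 5:5(0) w
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
"""

# Matches the header tcpdump prints for a pflog record; any timestamp prefix
# and the TCP details after the destination are ignored.
PFLOG = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>[^)]*)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

def parse(text):
    """Return (events, skipped): parsed records and the count of unparsable lines."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = PFLOG.search(line)
        if m:
            events.append(m.groupdict())
        elif line.strip():
            skipped += 1  # tcpdump banners, wrapped or damaged lines
    return events, skipped

def summarize(events):
    """Count records per (rule, action, direction, interface, dst:port)."""
    return Counter(
        (int(e["rule"]), e["action"], e["dir"], e["ifname"], f'{e["dst"]}:{e["dport"]}')
        for e in events
    )

def blocked_sources(events, rule):
    """Count source addresses dropped by one rule number."""
    return Counter(e["src"] for e in events
                   if e["action"] == "block" and int(e["rule"]) == rule)

if __name__ == "__main__":
    events, skipped = parse(SAMPLE)
    for key, n in summarize(events).most_common():
        print(n, key)
    print("unparsed lines:", skipped)
```

The rule numbers in these log lines are those of the loaded ruleset, which `pfctl -vvsr` prints with an `@` number in front of each filter rule.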