I actually believe I might have found it
This Exchange server has load-balanced NICs (Intel PROSet), and it seems that
it keeps updating the ARP entries on the firewall to the non-balanced MAC
address, thus dropping the connections.
I noticed it in the log files of the firewall after I took it offline to
review.
I assume, based on that, I just need to add a static permanent entry pointing the
LB MAC addy to the correct IP address and things should be good.
My rules I have checked on, and they are really clear-cut:
block log all
pass quick log from <staffsegments> to <exchangeservers> keep state
pass quick log from <exchangeservers> to <staffsegments> keep state
Of course, there are 11 other pages of rules, redirects, and such, but there
are no blocks involved. Everything between staff systems and these systems
is wide open. Plans were to close them down a bit, but I haven't put that
in place yet.
The ISAKMPD stuff is running without errors at all now that I made the PF
rule changes that I seemed to have needed regarding reneg of keys.
I do have these options:
##############################################################
# Options
#
# Options tune the behaviour of the packet filtering engine
#
set limit {frags 50000, states 100000}
set loginterface $ext
set optimization normal
set block-policy return
##############################################################
# Packet Normalization
#
# Traffic normalization protects internal machines against
# internet protocols and implementations.
#
scrub in all
Thoughts?
James
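As an added example (not code from James's post or anyone on the list): a small checker that reads firewall syslog lines and reports IPs whose ARP entry keeps being overwritten with a different MAC, the symptom James describes with the PROSet team. It assumes the OpenBSD kernel's "arp info overwritten for <ip> by <mac> on <if>" message text; the addresses and MACs in the sample lines are constructed placeholders.

```python
import re
from collections import defaultdict

# Assumed message format (OpenBSD kernel ARP notice as it appears in syslog):
#   arp info overwritten for <ip> by <mac> on <ifname>
ARP_RE = re.compile(
    r"arp info overwritten for (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"by (?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) on (?P<ifname>\S+)",
    re.IGNORECASE,
)

# Constructed sample lines; the IPs and MACs are placeholders, not from the thread.
SAMPLE_LOG = """\
Jan 18 02:40:01 fw /bsd: arp info overwritten for 10.1.2.20 by 00:aa:bb:cc:dd:02 on em1
Jan 18 02:40:31 fw /bsd: arp info overwritten for 10.1.2.20 by 00:aa:bb:cc:dd:01 on em1
Jan 18 02:41:02 fw /bsd: arp info overwritten for 10.1.2.20 by 00:aa:bb:cc:dd:02 on em1
Jan 18 02:41:33 fw /bsd: arp info overwritten for 10.1.2.20 by 00:aa:bb:cc:dd:01 on em1
Jan 18 02:42:10 fw /bsd: arp info overwritten for 10.1.2.30 by 00:aa:bb:cc:dd:30 on em1
"""


def parse_arp_events(text):
    """Return (ip, mac, ifname) tuples, in log order, for every ARP-overwrite line."""
    events = []
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("mac").lower(), m.group("ifname")))
    return events


def find_flapping(events, min_changes=2):
    """Map each IP to the set of MACs seen for it, keeping only IPs whose MAC
    changed at least min_changes times (a single overwrite can be a real move)."""
    history = defaultdict(list)
    for ip, mac, _ifname in events:
        history[ip].append(mac)
    flapping = {}
    for ip, macs in history.items():
        changes = sum(1 for a, b in zip(macs, macs[1:]) if a != b)
        if changes >= min_changes:
            flapping[ip] = sorted(set(macs))
    return flapping


def static_arp_command(ip, team_mac):
    """Build the OpenBSD arp(8) command that pins the IP to the team's MAC, as
    James proposes. Which of the competing MACs is the team (virtual) MAC has to
    be confirmed on the server side; the logs alone only show that two compete."""
    return f"arp -s {ip} {team_mac} permanent"
```

Flapping IPs come out with the competing MACs side by side, so the one that does not match the team MAC shown in the PROSet team properties is the physical NIC leaking through.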
----- Original Message -----
From: "Kevin" <[EMAIL PROTECTED]>
To: <misc@openbsd.org>
Sent: Wednesday, January 18, 2006 2:45 AM
Subject: Re: PF config for exchange
More to follow as I need to get access and clean up these files. The PF
rule base is approx. 11 pages; the ISAKMPD file is just huge, with 200
tunnels being created.
As a prior poster said, posting sanitized pf.conf (and isakmpd.conf)
files is going to be a necessity for anyone to take a real shot at
helping debug things--particularly given that there are FIVE NICs in
your config.
My suspicion is that it's one of the Microsoft Exchange-specific TCP
mail ports (I think there are two, if memory serves) that need to be
opened up, but without seeing pf.conf, we're only guessing.
Best,
Kevin
--
http://www.ebiinc.com : background screening from EBI
Employment background investigations worldwide.