On May 15, 2011, at 10:09 AM, Wietse Venema wrote:

> jason hirsh:
>> 08:40:31.036997 IP mail-iy0-f182.google.com.51101 >
>> tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720,
>> options [mss 1430,sackOK,TS val 2972295960 ecr 0,nop,wscale 6], length 0
>
> SYN from google.com -> theoceanwindow-bv.com
>
>> 08:40:34.037857 IP mail-iy0-f182.google.com.51101 >
>> tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720,
>> options [mss 1430,sackOK,TS val 2972298960 ecr 0,nop,wscale 6], length 0
>
> Retransmission: SYN from google.com -> theoceanwindow-bv.com
>
>> 08:40:40.036791 IP mail-iy0-f182.google.com.51101 >
>> tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720,
>> options [mss 1430,sackOK,TS val 2972304960 ecr 0,nop,wscale 6], length 0
>
> Retransmission: SYN from google.com -> theoceanwindow-bv.com
>
>> 08:40:50.037758 IP mail-iy0-f182.google.com.51101 >
>> tuna.theoceanwindow-bv.com.smtp: Flags [S], seq 850119283, win 5720,
>> options [mss 1430,sackOK,TS val 2972314960 ecr 0,nop,wscale 6], length 0
>
> and so on.
>
> The packet arrives on the network interface, but it is dropped
> (by firewall rule) before it reaches your TCP protocol engine,
> and therefore your machine does not respond.
>
> Show your IPFW rules (or whatever the packet filter). I suspect
> a malformed net/mask rule.

IPFW show is as follows:

00010 10199 16170990 allow ip from any to any via lo0
00015 2038 374094 allow ip from any to any via tap0
00035 0 0 allow ip from any to 10.8.0.0/24 keep-state
00037 0 0 allow ip from 10.8.0.0/24 to any keep-state
00040 0 0 deny tcp from any to any frag
00041 0 0 deny log ip from 221.192.199.49 to any
00050 0 0 check-state
00060 189242 105467724 allow tcp from any to any established
00070 32719 3680271 allow ip from any to any out keep-state
00080 324 27140 allow icmp from any to any
00100 3825 245465 allow log tcp from any to me dst-port 21 in setup keep-state
00105 0 0 allow log tcp from me 20,21 to any out keep-state
00120 0 0 allow log tcp from any to any dst-port 21 out
00130 13 676 allow tcp from any to any dst-port 22 in
00140 0 0 allow tcp from any to any dst-port 22 out
00150 261 15020 allow tcp from any to any dst-port 25 in
00160 0 0 allow tcp from any to any dst-port 25 out
00170 2625 197570 allow udp from any to any dst-port 53 in
00175 0 0 allow tcp from any to any dst-port 53 in
00180 0 0 allow udp from any to any dst-port 53 out
00185 0 0 allow tcp from any to any dst-port 53 out
00190 552 32580 allow tcp from any to any dst-port 80 in
00192 0 0 allow tcp from any to any dst-port 8010 in
00193 0 0 allow tcp from any to any dst-port 8010 out
00195 0 0 allow tcp from any to any dst-port 80 out
00196 0 0 allow tcp from any to any dst-port 81 in
00197 0 0 allow tcp from any to any dst-port 81 out
00198 0 0 allow udp from any to any dst-port 81 in
00199 0 0 allow udp from any to any dst-port 81 out
00209 156 9696 allow tcp from any to any dst-port 110 in
00210 0 0 allow tcp from any to any dst-port 110 out
00211 218000 17030046 allow udp from any to any dst-port 137 in
00212 0 0 allow tcp from any to any dst-port 137 in
00213 0 0 allow udp from any to any dst-port 137 out
00214 0 0 allow tcp from any to any dst-port 137 out
00215 24493 5357641 allow udp from any to any dst-port 138 in
00216 0 0 allow tcp from any to any dst-port 138 in
00217 0 0 allow udp from any to any dst-port 138 out
00218 0 0 allow tcp from any to any dst-port 138 out
00223 0 0 allow udp from any to any dst-port 139 in
00224 0 0 allow udp from any to any dst-port 139 out
00225 5 288 allow tcp from any to any dst-port 139 in
00226 0 0 allow tcp from any to any dst-port 139 out
00227 0 0 allow tcp from any to any dst-port 445 in
00228 0 0 allow tcp from any to any dst-port 445 out
00229 0 0 allow udp from any to any dst-port 445 in
00230 0 0 allow udp from any to any dst-port 445 out
00231 118 7264 allow ip from any to any dst-port 465 in
00232 0 0 allow ip from any to any dst-port 465 out
00240 0 0 allow ip from any to any dst-port 587 in
00242 0 0 allow ip from any to any dst-port 587 out
00250 57 3544 allow tcp from any to any dst-port 993 in
00251 0 0 allow tcp from any to any dst-port 993 out
00260 1714 108268 allow tcp from any to any dst-port 995 in
00261 0 0 allow tcp from any to any dst-port 995 out
00270 0 0 allow ip from any to any dst-port 1194 setup
00271 73 8194 allow udp from any to me dst-port 1194
00300 1172 60776 allow tcp from any to any dst-port 2500 in
00301 0 0 allow tcp from any to any dst-port 2500 out
00320 2 80 allow tcp from any to any dst-port 3128 in
00322 0 0 allow tcp from any to any dst-port 3218 out
00350 0 0 allow tcp from any to any dst-port 3306 in keep-state
00356 0 0 allow tcp from any to any dst-port 3306 out keep-state
00380 0 0 allow tcp from any to any dst-port 9000 in
00381 0 0 allow tcp from any to any dst-port 9000 out
00400 0 0 allow tcp from 209.160.65.133 to any keep-state
00405 0 0 allow tcp from 209.160.68.112 to any keep-state
00410 0 0 allow udp from me to any keep-state
00500 7812 887732 deny log ip from any to any
65535 0 0 deny ip from any to any

This may be a dumb question even for me... but do I need a rule for 10025, which I am using for amavisd-new?

> Wietse
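Wietse's diagnosis is that the SYN is discarded by the packet filter before it reaches TCP, so the useful check is "which rule is the first one this packet matches?". The following Python script is an added example, not part of the thread and not anyone's production tooling: it parses an excerpt of the `ipfw show` output posted above (copied verbatim, counters included) and walks it in first-match order for a few constructed packets, including an inbound SYN to port 25, the same SYN as a fragment, and a SYN to port 10025 arriving on lo0 versus on an external interface. Everything not on the page is an assumption: the interface name em0, the placeholder addresses 198.51.100.7 (remote) and 192.0.2.10 (this host, standing in for "me"), and the simplifications that dynamic state (check-state / keep-state) is not modelled and that `established` is treated as "ACK or RST bit set".

```python
"""First-match walk over an ipfw ruleset (subset of the `ipfw show` grammar).

Added example; models only the keywords that appear in the posted ruleset.
"""
import ipaddress

# Excerpt of the `ipfw show` output from the thread (rule numbers, counters, bodies as posted).
RULESET = """
00010 10199 16170990 allow ip from any to any via lo0
00015 2038 374094 allow ip from any to any via tap0
00035 0 0 allow ip from any to 10.8.0.0/24 keep-state
00037 0 0 allow ip from 10.8.0.0/24 to any keep-state
00040 0 0 deny tcp from any to any frag
00041 0 0 deny log ip from 221.192.199.49 to any
00050 0 0 check-state
00060 189242 105467724 allow tcp from any to any established
00070 32719 3680271 allow ip from any to any out keep-state
00080 324 27140 allow icmp from any to any
00100 3825 245465 allow log tcp from any to me dst-port 21 in setup keep-state
00105 0 0 allow log tcp from me 20,21 to any out keep-state
00120 0 0 allow log tcp from any to any dst-port 21 out
00130 13 676 allow tcp from any to any dst-port 22 in
00150 261 15020 allow tcp from any to any dst-port 25 in
00160 0 0 allow tcp from any to any dst-port 25 out
00270 0 0 allow ip from any to any dst-port 1194 setup
00400 0 0 allow tcp from 209.160.65.133 to any keep-state
00410 0 0 allow udp from me to any keep-state
00500 7812 887732 deny log ip from any to any
65535 0 0 deny ip from any to any
"""

# Addresses that "me" stands for. Constructed placeholders, not the real host's addresses.
LOCAL_ADDRS = {"127.0.0.1", "192.0.2.10"}


def parse_rule(line):
    """Parse one `ipfw show` line into a dict; counters (two integers after the number) are skipped."""
    toks = line.split()
    if len(toks) > 3 and toks[1].isdigit() and toks[2].isdigit():
        del toks[1:3]
    rule = {"num": int(toks[0]), "action": toks[1], "opts": {}, "flags": set()}
    if rule["action"] == "check-state":
        return rule
    i = 2
    if toks[i] == "log":          # logging does not affect matching
        i += 1
    rule["proto"] = toks[i]; i += 1
    i += 1                        # "from"
    rule["src"] = toks[i]; i += 1
    if toks[i] != "to":           # optional source port list, e.g. "from me 20,21"
        rule["sports"] = {int(p) for p in toks[i].split(",")}; i += 1
    i += 1                        # "to"
    rule["dst"] = toks[i]; i += 1
    while i < len(toks):
        if toks[i] in ("via", "dst-port"):
            rule["opts"][toks[i]] = toks[i + 1]; i += 2
        else:
            rule["flags"].add(toks[i]); i += 1   # in, out, setup, established, frag, keep-state
    return rule


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in LOCAL_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    if rule["action"] == "check-state":
        return False              # no dynamic rule table in this simulation
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    if "sports" in rule and pkt.get("sport") not in rule["sports"]:
        return False
    opts, flags, tcp = rule["opts"], rule["flags"], pkt.get("tcpflags", set())
    if "via" in opts and opts["via"] != pkt["iface"]:
        return False
    if "dst-port" in opts and int(opts["dst-port"]) != pkt.get("dport"):
        return False
    if "in" in flags and pkt["dir"] != "in":
        return False
    if "out" in flags and pkt["dir"] != "out":
        return False
    if "setup" in flags and not ("syn" in tcp and "ack" not in tcp):
        return False
    if "established" in flags and not (tcp & {"ack", "rst"}):   # simplification, see lead-in
        return False
    if "frag" in flags and not pkt.get("frag", False):
        return False
    return True


def first_match(rules, pkt):
    """Return (rule number, action) of the first matching rule, as ipfw would apply it."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["num"], rule["action"]
    return None


def tcp_packet(src, dst, dport, iface, direction, flags=("syn",), frag=False):
    # Source port 51101 is the one seen in the tcpdump output above.
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport, "sport": 51101,
            "iface": iface, "dir": direction, "tcpflags": set(flags), "frag": frag}


RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]

if __name__ == "__main__":
    remote, me = "198.51.100.7", "192.0.2.10"      # constructed placeholder addresses
    for label, pkt in [
        ("SYN to 25 on em0", tcp_packet(remote, me, 25, "em0", "in")),
        ("fragmented SYN to 25", tcp_packet(remote, me, 25, "em0", "in", frag=True)),
        ("SYN to 10025 on lo0", tcp_packet("127.0.0.1", "127.0.0.1", 10025, "lo0", "in")),
        ("SYN to 10025 on em0", tcp_packet(remote, me, 10025, "em0", "in")),
    ]:
        print(f"{label:24s} -> {first_match(RULES, pkt)}")
```

Two things the walk makes visible: a clean inbound SYN to port 25 stops at rule 00150 (allow), so if that SYN is still being dropped the cause is not in the static rules modelled here, while a SYN to 10025 is allowed only because traffic on lo0 is accepted wholesale by rule 00010; the same SYN arriving on an external interface falls through to the final deny. Extending the excerpt to the full ruleset is just a matter of pasting the remaining lines into RULESET.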