bmk1st
September 7th, 2004, 20:58
I tried to get pf to work with smtp.

pass in on $ext_if inet proto tcp from any to ($ext_if) port 25 flags S/SA synproxy state

It still blocks smtp. Please tell me what's wrong. :(

Strog
September 8th, 2004, 09:34
Let's eliminate the basics first.

You are definitely seeing the packets blocked in tcpdump? (i.e. tcpdump -n -e -ttt -r /var/log/pflog)

I'm assuming that this box is directly on the net with a public IP or behind a bridging firewall since the destination is the IP of the external interface. This isn't behind a NAT firewall, correct?

bmk1st
September 8th, 2004, 10:37
Let's eliminate the basics first.

You are definitely seeing the packets blocked in tcpdump? (i.e. tcpdump -n -e -ttt -r /var/log/pflog)

Yep

I'm assuming that this box is directly on the net with a public IP or behind a bridging firewall since the destination is the IP of the external interface. This isn't behind a NAT firewall, correct?

Well, I'm behind the Linksys router. I have to admit I'm a novice when it comes to firewalls and I'm still learning! :)

I only want to use sendmail to send out emails, not to receive anything from outside the box, though.

Strog
September 8th, 2004, 12:17
You don't need to pass in packets if you just want to do outbound smtp. If you have a pass out rule and keep the state then you should be fine.

If tcpdump is showing the packets being blocked then you need to double check how your blocks are setup and make sure you are passing port 25 out.

bmk1st
September 8th, 2004, 20:50
Okay, I now have this rule:

pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state

Does it look right? Also, I have this rule above the other pass rules:

block in log all

Shouldn't it be included?

bsdjunkie
September 8th, 2004, 21:13
Make sure it's after the block in log all. Last match wins in pf.

bmk1st
September 8th, 2004, 21:35
Damn, it doesn't work. I copied & pasted stuff from pf.conf. Does this look right? SSH and WWW work fine, except for smtp.

ext_if="sis0"

# Default: drop (and log) everything inbound; the "pass in" rules below override it.
block in log all

# Everything outbound is allowed; "keep state" lets the replies back in.
pass out keep state

pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
pass in on $ext_if proto { tcp, udp } from any to any port 8080 keep state
pass in inet proto icmp icmp-type 8 code 0 keep state

# Already covered by "pass out keep state" above; this one additionally logs outbound SMTP.
pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state

Strog
September 8th, 2004, 22:48
Should be:

pass out log on $ext_if proto tcp from ($ext_if) to any port smtp keep state


You need to have from, to and then your port(s).
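To make the "last match wins" point from this thread concrete, here is a toy rule evaluator I added as an example; it is not pf and not code from anyone in the thread. It understands only the keywords that appear in the posted ruleset (plus `quick`), and it assumes constructed addresses: sis0 is 192.168.1.10 and the remote mail server is 203.0.113.5. It walks bmk1st's ruleset the way pf does (default pass, the last matching rule decides, `quick` stops evaluation) and shows what happens to outbound SMTP, inbound SMTP, inbound SSH, and what a `block in quick` at the top would do instead.

```python
"""Toy model of pf rule evaluation order (added example, not pf itself).

pf semantics modelled here: if no rule matches, the packet passes; otherwise
the LAST matching rule decides, unless a matching rule carries 'quick', in
which case evaluation stops at that rule.  Only the keywords used in the
thread's ruleset (plus 'quick') are understood.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SERVICES = {"ssh": 22, "smtp": 25, "http": 80}

# Constructed assumptions: the macro from the thread and an address for sis0,
# which is what "($ext_if)" resolves to.
MACROS = {"ext_if": "sis0"}
IFADDRS = {"sis0": "192.168.1.10"}

# The ruleset bmk1st posted (rules only; the macro line is handled by MACROS).
THREAD_RULES = """
block in log all
pass out keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
pass in on $ext_if proto { tcp, udp } from any to any port 8080 keep state
pass in inet proto icmp icmp-type 8 code 0 keep state
pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state
"""


@dataclass
class Packet:
    direction: str          # "in" or "out"
    iface: str
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Rule:
    text: str
    action: str                         # "pass" or "block"
    direction: Optional[str] = None     # None matches both directions
    iface: Optional[str] = None         # None matches any interface
    protos: Optional[Set[str]] = None   # None matches any protocol
    src: Optional[str] = None           # None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False


def expand_iface(tok: str) -> str:
    return MACROS[tok[1:]] if tok.startswith("$") else tok


def resolve_addr(tok: str) -> Optional[str]:
    """Address token -> concrete IP, or None for 'any'."""
    if tok == "any":
        return None
    if tok.startswith("(") and tok.endswith(")"):   # (sis0) / ($ext_if): the interface's address
        tok = tok[1:-1]
    tok = expand_iface(tok)
    return IFADDRS.get(tok, tok)


NOARG = {"all", "any", "inet", "keep", "state", "synproxy", "modulate", "log"}
ONEARG = {"flags", "icmp-type", "code"}   # keywords whose argument we ignore


def parse_rule(text: str) -> Rule:
    toks = text.replace("{", " { ").replace("}", " } ").replace(",", " ").split()
    r = Rule(text=text, action=toks[0])
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            r.direction = t
        elif t == "quick":
            r.quick = True
        elif t == "on":
            i += 1
            r.iface = expand_iface(toks[i])
        elif t == "proto":
            i += 1
            if toks[i] == "{":                      # proto { tcp, udp }
                r.protos, i = set(), i + 1
                while toks[i] != "}":
                    r.protos.add(toks[i])
                    i += 1
            else:
                r.protos = {toks[i]}
        elif t in ("from", "to"):
            if i + 1 < len(toks) and toks[i + 1] != "port":   # "to port smtp" has no host part
                i += 1
                setattr(r, "src" if t == "from" else "dst", resolve_addr(toks[i]))
        elif t == "port":
            i += 1
            r.dport = SERVICES.get(toks[i]) or int(toks[i])
        elif t in ONEARG:
            i += 1
        elif t not in NOARG:
            raise ValueError(f"unsupported keyword {t!r} in: {text}")
        i += 1
    return r


def load(ruleset: str) -> List[Rule]:
    return [parse_rule(line) for line in ruleset.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def matches(r: Rule, p: Packet) -> bool:
    return ((r.direction is None or r.direction == p.direction)
            and (r.iface is None or r.iface == p.iface)
            and (r.protos is None or p.proto in r.protos)
            and (r.src is None or r.src == p.src)
            and (r.dst is None or r.dst == p.dst)
            and (r.dport is None or r.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[str]]:
    """Default pass; last matching rule wins; 'quick' stops evaluation early."""
    action, winner = "pass", None
    for r in rules:
        if matches(r, p):
            action, winner = r.action, r.text
            if r.quick:
                break
    return action, winner


def outbound_smtp():
    return evaluate(load(THREAD_RULES), Packet("out", "sis0", "tcp", "192.168.1.10", "203.0.113.5", 25))


def inbound_smtp():
    return evaluate(load(THREAD_RULES), Packet("in", "sis0", "tcp", "203.0.113.5", "192.168.1.10", 25))


def inbound_ssh():
    return evaluate(load(THREAD_RULES), Packet("in", "sis0", "tcp", "203.0.113.5", "192.168.1.10", 22))


def quick_demo():
    """Same ruleset, but 'block in quick log all': later 'pass in' rules never get a say."""
    rules = load(THREAD_RULES.replace("block in log all", "block in quick log all"))
    return evaluate(rules, Packet("in", "sis0", "tcp", "203.0.113.5", "192.168.1.10", 22))


if __name__ == "__main__":
    for name, fn in [("outbound smtp", outbound_smtp), ("inbound smtp", inbound_smtp),
                     ("inbound ssh", inbound_ssh), ("inbound ssh, block quick", quick_demo)]:
        print(f"{name:26} -> {fn()}")
```

Two things fall out of running it. Outbound port 25 is matched by both `pass out keep state` and the logging smtp rule, so nothing in this ruleset blocks it; the only port-25 packets `block in log all` can drop are inbound ones. So if `tcpdump -n -e -ttt -r /var/log/pflog` shows blocked port-25 packets, check whether they are inbound (expected, and harmless for a send-only box); if it shows no blocked outbound port-25 packets at all, pf is not what is stopping delivery, and the next things to check are whether this ruleset is actually the loaded one (`pfctl -sr`) and the Linksys router or ISP in front of the box. The `quick_demo` case shows why bsdjunkie's ordering advice matters: with `quick` on the block rule, the later `pass in` rules are never consulted.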