tarballed
September 30th, 2003, 21:07
Hey everyone!

Ok... I'm finishing up on my OpenBSD mail gateway as well as configuring PF. PF is working great except for one thing: when the rules are up, it cannot find a route to the host. When the rules are down, it relays email perfectly.

Doing some testing and reading, I found the following in my log entry:

[code]Sep 30 17:06:27.880375 rule 3/0(match): block out on fxp0: 10.0.1.80.40733 > 192.168.1.165.25: S 2667922609:2667922609(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 901588459 0> (DF)[/code]

I should note: 10.0.1.80 is the IP address of the mail gateway, and
192.168.1.165 is the IP address of the mail server, on the trusted network.

So, the problem is that it's getting blocked when trying to pass out on fxp0.

A quick question: there are two interfaces: fxp0, which I have set up to get email from the firewall, and fxp1, which I've set up to be accessed by SSH from the intranet.

So I'm wondering if I need to configure PF to pass traffic out through fxp1 to the mail server.

Here are my rules:

[code]ext_if="fxp0" # External Interface
int_if="fxp1"
int_net="192.168.1.0/24"
tcp_services = "{ 25 }"
tcp_int_services = "{ 22 }"

#Tables
table <NoRouteIPs> { 127.0.0.1/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, !192.168.0.0/24 }
table <trusted> persist file "/etc/tables/trusted"

# Clean up fragmented and abnormal packets
scrub in all

#default Deny all
block in log on $ext_if all

#loopback rules
pass in quick on lo0 all

# don't allow anyone to spoof non-routeable addresses
block in log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>

#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state

# pass trusted for SSH
pass in log quick on $int_if inet proto tcp from <trusted> to $int_if port 22 keep state

# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state
[/code]

I tried adjusting the no-route IPs by taking out 10.0.0.0/8 altogether, but it still was blocked.

Is it possible to have port 25 traffic sent through fxp1 instead of fxp0? Or does it even matter?

Thanks guys
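Added example, not part of the original post: a small model of how PF evaluates a table containing negated ("!") entries, where the most specific matching entry decides and a "!" entry means "not in the table". Run against the poster's <NoRouteIPs> table it shows why 192.168.1.165 (in 192.168.0.0/16, but not in the excluded 192.168.0.0/24) is treated as a non-routable destination by the "block out ... to <NoRouteIPs>" rule, while an address in 192.168.0.0/24 would not be; the table with the exclusion widened to the poster's own int_net is included only as an assumed comparison, not as the poster's configuration.

```python
"""Model PF table lookups with negated entries (added example).

Assumption (documented pf behaviour, modelled here rather than queried
from pf): the longest-prefix entry that contains the address wins, and
a '!' entry means the address is NOT considered part of the table.
"""
import ipaddress


def parse_table(entries):
    """Turn pf-style strings such as '!192.168.0.0/24' into (network, negated)."""
    table = []
    for entry in entries:
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        table.append((net, negated))
    return table


def lookup(table, addr):
    """Return (in_table, deciding_entry) for addr, longest prefix wins."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, negated in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    if best is None:
        return False, None
    net, negated = best
    return (not negated), ("!" if negated else "") + str(net)


# The poster's table, copied from the post.
NO_ROUTE_IPS = parse_table([
    "127.0.0.1/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "!192.168.0.0/24",
])

# Assumed comparison table: exclusion widened to the poster's int_net.
NO_ROUTE_IPS_INT_NET = parse_table([
    "127.0.0.1/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "!192.168.1.0/24",
])

if __name__ == "__main__":
    for addr in ("192.168.1.165", "192.168.0.10", "10.0.1.80", "203.0.113.7"):
        print(addr, "poster's table:", lookup(NO_ROUTE_IPS, addr),
              "int_net table:", lookup(NO_ROUTE_IPS_INT_NET, addr))
```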