tarballed
October 2nd, 2003, 15:22
I'm coming across a weird thing going on with my OpenBSD mail gateway box. I've been playing with this for a better part of the morning, and I think the problem is a routing issue.
Please see this prior thread for a bit of background info:
http://screamingelectron.org/phpBB2/viewtopic.php?t=1037&highlight=
Required info:
OpenBSD 3.3
Mail Gateway on the DMZ
DMZ subnet: 10.0.1.1/24
fxp0 = 10.0.1.80
fxp1 = 10.0.1.100
/etc/mygate = 10.0.1.1
Private Network: 192.168.1.0/24
IP Address of mail server = 192.168.1.165
Here is what is going on:
When I fire up my PF rules, mail is not being relayed to my internal mail server. When I shut the rules off, mail IS relayed to the internal mail server.
My rules:
[code]ext_if="fxp0" # External Interface
int_if="fxp1"
int_net="192.168.1.0/24"
tcp_services = "{ 25 }"
tcp_int_services = "{ 22 }"
#Tables
table <NoRouteIPs> { 127.0.0.1/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, !192.168.0.0/24 }
table <trusted> persist file "/etc/tables/trusted"
# Clean up fragmented and abnormal packets
scrub in all
#default Deny all
block in log on $ext_if all
#loopback rules
pass in quick on lo0 all
# don't allow anyone to spoof non-routeable addresses
block in log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>
#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state
# pass trusted for SSH
pass in log quick on $int_if inet proto tcp from <trusted> to $int_if port 22 keep state
# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state
[/code]
[snip from maillog]
[code]Oct 1 10:11:26 blowfish postfix/smtp[26912]: connect to 192.168.1.165[192.168.1.165]: No route to host (port 25)
Oct 1 10:11:26 blowfish postfix/smtp[26912]: 2AE731B0949: to=<jwilliams@courtesymortgage.com>, relay=none, delay=0, status=deferred (connect to 192.168.1.165[192.168.1.165]: No route to host)[/code]
No route to host. Hmm.
Entry from my pflog:
[code]Oct 01 10:11:26.711858 rule 3/0(match): block out on fxp0: 10.0.1.80.30123 > 192.168.1.165.25: S 3073788046:3073788046(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 901711457 0> (DF)[/code]
Granted, this is with the PF rules up. When they are down, mail is relayed just fine.
OK. With that in mind, when the rules are up, I can't ping my gateway. I get "no route" output.
My thinking is that I obviously have something backward. For some reason, mail, when going to the trusted network, is going out the external interface, and that does not seem correct. I think it should go out through the internal interface.
One thing I should mention: I did set up a rule on the company firewall, an smtp-filter rule that will allow traffic from 10.0.1.100 (fxp1) to 192.168.1.165. I was trying to isolate the direction of traffic and which direction it can flow.
Anyone have any suggestions on what I'm missing?
If anyone needs additional output, let me know. I'll put it up as quickly as possible.
Thanks.
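Added example (editor's code, not from the poster or the thread): a small script that joins the pflog line quoted above with the <NoRouteIPs> table from the ruleset, so you can see which table entry a blocked destination resolved to. It assumes pf's documented table semantics: the most specific entry wins, and a negated ("!") entry that is the most specific match means the address is not in the table. The table contents and the pflog line are copied from the post; the helper names (parse_table, table_lookup, parse_pflog, explain_block) are hypothetical and exist only for this example.

```python
import ipaddress
import re

# Constructed copy of the <NoRouteIPs> table from the post; a leading "!"
# marks a negated entry, as in pf.conf.
NO_ROUTE_IPS = [
    "127.0.0.1/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "!192.168.0.0/24",
]

# Constructed copy of the pflog line quoted in the post (trailing TCP options dropped).
SAMPLE_PFLOG = ("Oct 01 10:11:26.711858 rule 3/0(match): block out on fxp0: "
                "10.0.1.80.30123 > 192.168.1.165.25: S 3073788046:3073788046(0) win 16384")


def parse_table(entries):
    """Turn pf.conf-style table entries into (network, negated) pairs."""
    table = []
    for entry in entries:
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        table.append((net, negated))
    return table


def table_lookup(table, addr):
    """Resolve an address against a pf-style table.

    Assumption (pf's documented behaviour): the longest-prefix entry wins,
    and if that entry is negated the address is NOT in the table.
    Returns (in_table, matching_entry_or_None).
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for net, negated in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    if best is None:
        return False, None
    net, negated = best
    return (not negated), ("!" if negated else "") + str(net)


PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<iface>\w+): (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_pflog(line):
    """Extract rule number, action, direction, interface and the 4-tuple
    from a tcpdump-style pflog line."""
    m = PFLOG_RE.search(line)
    if not m:
        raise ValueError("not a pflog line: %r" % line)
    fields = m.groupdict()
    for key in ("rule", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields


def explain_block(line, entries=NO_ROUTE_IPS):
    """Join one pflog entry with the table: is the blocked destination in the
    table, and which entry decided that?"""
    pkt = parse_pflog(line)
    in_table, entry = table_lookup(parse_table(entries), pkt["dst"])
    return {
        "rule": pkt["rule"], "action": pkt["action"], "dir": pkt["dir"],
        "iface": pkt["iface"], "dst": pkt["dst"], "dport": pkt["dport"],
        "dst_in_table": in_table, "matched_entry": entry,
    }


if __name__ == "__main__":
    print(explain_block(SAMPLE_PFLOG))
    table = parse_table(NO_ROUTE_IPS)
    for addr in ("192.168.1.165", "192.168.0.5", "10.0.1.1", "8.8.8.8"):
        print(addr, table_lookup(table, addr))
```

Run against the quoted log line, the lookup reports the destination 192.168.1.165 as being in the table via 192.168.0.0/16: the negated entry is 192.168.0.0/24 exactly as written in the ruleset, so it only exempts that one /24, not the rest of 192.168.0.0/16. The same lookup applied to 10.0.1.1 (the gateway in /etc/mygate) lands on 10.0.0.0/8. Checking each blocked destination this way, rather than reading the table by eye, is a quick way to confirm which entry a `block ... to <table>` rule actually fired on before touching routing.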