Re: Perplexed about pf
On Thu, Jan 02, 2003 at 10:59 PM, John Kerbawy wrote:
>
> Are you sure you know how to check for blocked packets?
I am doing "tcpdump -e -n -ttt -i pflog0".
> > Can anyone suggest why loading my pf rules causes e-mail with sizeable
> > attachments to fail, when pf is not logging any blocked packets?
>
> I recently finished debugging a similar problem between a client's
> mail server and some Unix SMTP servers. The client, on a DSL line
> behind a NAT box, some virus scanners, and a firewall, would try to
> send large attachments to these Unix servers located on the other side
> of a GRE tunnel. The SMTP server would hang while waiting for DATA
> from the client because the client's workstation would start sending
> large packets which wouldn't make it through the tunnel. Of course, the
> routers/NAT boxes would send ICMP back to the client in an attempt to
> get the client's workstation to send smaller packets, but their firewall
> blocked the incoming ICMP so the connection was eventually dropped.
Interesting idea, but blocked ICMP packets should be showing up.
> Is there a packet filter other than your OpenBSD server that's located
> between the two mail servers? Does the Windows server have any sort of
> "personal firewall" installed on it?
None that I am aware of, but will confirm.
> Can you provide tcpdump data of
> any TCP and ICMP traffic between the two servers on both sides of the
> connection?
I have a capture done with Ethereal on the DMZ which I am sending
you separately. I haven't done a trace from the internal network.
> What does ifconfig -a look like?
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
lo1: flags=8008<LOOPBACK,MULTICAST> mtu 33224
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
address: 00:a0:c9:db:e8:41
media: Ethernet autoselect (100baseTX)
status: active
inet XXX.XXX.XXX.XXX netmask 0xfffffff8 broadcast XXX.XXX.XXX.255
inet6 fe80::2a0:c9ff:fedb:e841%fxp0 prefixlen 64 scopeid 0x1
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
address: 00:a0:c9:db:db:3c
media: Ethernet autoselect (100baseTX)
status: active
inet6 fe80::2a0:c9ff:fedb:db3c%fxp1 prefixlen 64 scopeid 0x2
fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:a0:c9:ce:0d:91
media: Ethernet autoselect (100baseTX)
status: active
inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::2a0:c9ff:fece:d91%fxp2 prefixlen 64 scopeid 0x3
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun0: flags=10<POINTOPOINT> mtu 3000
tun1: flags=10<POINTOPOINT> mtu 3000
enc0: flags=0<> mtu 1536
bridge0: flags=41<UP,RUNNING> mtu 1500
bridge1: flags=0<> mtu 1500
vlan0: flags=0<> mtu 1500
address: 00:00:00:00:00:00
vlan1: flags=0<> mtu 1500
address: 00:00:00:00:00:00
gre0: flags=9010<POINTOPOINT,LINK0,MULTICAST> mtu 1450
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
I'm not sure it's important or related, but I did notice a few messages
like the following popping up on the firewall:
/bsd: arplookup: unable to enter address for xxx.xxx.xxx.242
where xxx.xxx.xxx.242 is the IP address of the external mail
server in question. Since brconfig -a shows the MAC address
of the server listed on fxp1, and since I can ping the machine
etc., I have not been too concerned about the arplookup
message, but would like to know why it occurs if anyone can
tell me.
Thanks again,
Richard.
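The failure mode John describes above (full-size segments dropped somewhere on the path, the ICMP "fragmentation needed" error blocked, the SMTP session stalling at DATA) is a path-MTU blackhole. The pf.conf fragment below is an added example, not from this thread and not the OpenBSD project's own configuration. It puts the weak rule (a blanket ICMP block that is also unlogged, so nothing shows on pflog0) beside a corrected set that logs dropped ICMP, admits the needfrag error, and clamps the TCP MSS so the firewall never depends on that error arriving. The interface macros, the 192.168.1.25 mail server address and the 1410-byte MSS are constructed values (1410 is the 1450-byte gre0 MTU from the ifconfig output above minus 20 bytes IP and 20 bytes TCP headers), and it assumes a pf release that accepts `max-mss` in `scrub` and `icmp-type unreach code needfrag`.

```pf
# Added example: interface names and addresses are assumptions, not the
# poster's real configuration.
ext_if   = "fxp0"
int_if   = "fxp2"
mail_srv = "192.168.1.25"   # constructed internal mail server address

# --- Weak: a blanket, unlogged ICMP block ---
# The inbound "fragmentation needed" error never reaches the sending
# host, large SMTP DATA segments are retransmitted until the session
# stalls, and because the rule has no "log" keyword the drop is
# invisible on pflog0, which is exactly the symptom in this thread.
# block in on $ext_if inet proto icmp all

# --- Corrected ---
# Normalise inbound traffic and clamp the MSS on outbound segments so
# neither TCP peer sends more than the narrowest known link can carry
# (gre0 MTU 1450 - 20 IP - 20 TCP = 1410).
scrub in  on $ext_if all
scrub out on $ext_if all max-mss 1410

# Default deny for ICMP, but logged: a dropped error now appears in
# "tcpdump -e -n -ttt -i pflog0" instead of vanishing.
block in log on $ext_if inet proto icmp all

# Let path-MTU discovery work: admit "unreachable / fragmentation
# needed" (ICMP type 3, code 4).  pf's last-matching-rule semantics
# mean this pass overrides the block above for that one message type.
pass in on $ext_if inet proto icmp all icmp-type unreach code needfrag

# SMTP to the internal server, stateful so return traffic (and ICMP
# errors pf can associate with the connection) is matched to state.
pass in  on $ext_if proto tcp from any to $mail_srv port 25 flags S/SA keep state
pass out on $ext_if proto tcp from any to any port 25 flags S/SA keep state
```

Load it with `pfctl -f /etc/pf.conf`, then run the same `tcpdump -e -n -ttt -i pflog0` while a large message is sent: with the logging block rule in place, a dropped needfrag error shows up as an ICMP line on pflog0, which is the evidence the thread was missing. Note that pf can match ICMP error packets to an existing TCP state, so the explicit needfrag rule matters most for traffic that has no state on this firewall, for example bridged traffic that is filtered statelessly; the MSS clamp works in either case because it removes the need for the error altogether.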