Re: Forwarding failures
On Mon, Mar 14, 2005 at 05:54:41PM -0500, Chris Zakelj wrote:
> Peter H. Coffin wrote:
> 
> >Can this box mail anywhere?
> >
> Not anymore (it used to).  Attempting to mail from my user account to 
> two old college addresses likewise resulted in timeout/deferred.  I'm 
> almost certain I broke something in my pf rules (reposted below, I 
> changed some aliases last night while trying to figure this out), but 
> I'm at a loss as to what.

New apartment, maybe new ISP account, no mention of port 25/smtp in
pf.conf; more likely you're being filtered on the SMTP port. telnet to
your ISP's SMTP host on port 25 and see if you get a connection. If so,
telnet to any other mail host on port 25 (try ninhells.com if you're at
a complete loss) and see if the connection times out.

Configuring the box to relay through the ISP's smtp host is an exercise
left to the student.

> 
> bbhhs96# cat /etc/pf.conf
> # Define interfaces and rooms
> int_if = "rl0"
> ext_if = "tun0"
> xp = "192.168.0.2"
> laptop = "192.168.0.3"
> w98 = "192.168.0.4"
> 
> # RFC1918
> priv_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
> 
> # Those wonderful scrubbing bubbles
> scrub in all
> 
> # Queueing
> # TCP/ACK frames get first dibs, followed by webserver, DNS lookups, and
> # the unwashed masses.
> altq on $ext_if priq bandwidth 256Kb queue { std_out, web_req, dns_out, web_server, tcp_ack_out }
> queue std_out priq(default)
> queue web_req priority 3
> queue dns_out priority 4
> queue web_server priority 5
> queue tcp_ack_out priority 6
> 
> # NAT/RDR directives
> nat on $ext_if from $int_if:network to any -> ($ext_if:0) static-port
> rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> rdr pass on $ext_if proto { tcp, udp } from any to any port 6081 -> $xp port 6081
> rdr pass on $ext_if proto tcp from any to any port 9985:9989 -> $w98 port 9985:*
> rdr pass on $ext_if proto tcp from any to any port 9990:9994 -> $xp port 9990:*
> rdr pass on $ext_if proto tcp from any to any port 9995:9999 -> $laptop port 9995:*
> 
> # Filtering begins
> block drop log all
> 
> # Local machine stuff
> pass quick on lo0 all
> 
> # Clean invalid SRC/DST packets
> block in  quick on $ext_if from $priv_nets to any
> block out quick on $ext_if from any to $priv_nets
> 
> # Pass in allowed servers/proxies
> # pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state
> pass in on $ext_if proto tcp from any to ($ext_if) port 80 flags S/SA keep state queue web_server
> pass in on $ext_if proto tcp from any to ($ext_if) user proxy keep state
> 
> # Out to the 'net
> pass out on $ext_if from ($ext_if) to any modulate state queue(std_out, tcp_ack_out)
> pass out on $ext_if proto tcp from ($ext_if) to any port { http, https } modulate state queue (web_req, tcp_ack_out)
> pass out on $ext_if proto { udp, icmp } from ($ext_if) to any keep state queue std_out
> pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port domain modulate state queue dns_out
> pass out on $ext_if proto tcp from ($ext_if) to any user www modulate state queue web_server
> 
> # Internal
> pass quick on $int_if all
> 

-- 
28. My pet monster will be kept in a secure cage from which it cannot escape 
    and into which I could not accidentally stumble.
                --Peter Anspach's list of things to do as an Evil Overlord
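The two-step port-25 check suggested in the reply (connect to the ISP's relay, then to some other mail host, and see which one times out) is easy to script so the outcome is classified rather than eyeballed in telnet. The example below is added here and is not from either poster; it tells a silent timeout (what a `block drop` rule or an ISP filter produces) apart from an active refusal and from a successful connection that returns an SMTP 220 greeting. The local fake relay, the closed-port helper and the `mail.example.test` banner are constructed so the script runs offline; the hostnames in the closing comment are placeholders.

```python
import socket
import threading

SMTP_PORT = 25


def classify_connect(host, port=SMTP_PORT, timeout=5.0):
    """TCP-connect to host:port and report how it went.

    Returns a (verdict, detail) tuple:
      ("connected", banner)  connection accepted; banner is the first line
                             the server sent (empty if it sent nothing)
      ("refused", "")        a RST came back: the host is up, nothing listens
      ("timeout", "")        no SYN/ACK and no RST: the signature of a silent
                             filter on the path (pf 'block drop', or an ISP
                             dropping outbound port 25)
      ("error", message)     name resolution failed or another OS error
    """
    try:
        addrinfo = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as e:
        return ("error", f"name resolution failed: {e}")
    family, socktype, proto, _, sockaddr = addrinfo[0]
    s = socket.socket(family, socktype, proto)
    s.settimeout(timeout)
    try:
        s.connect(sockaddr)
    except socket.timeout:
        s.close()
        return ("timeout", "")
    except ConnectionRefusedError:
        s.close()
        return ("refused", "")
    except OSError as e:
        s.close()
        return ("error", str(e))
    # Connected: read the greeting. An accepted connection that never sends
    # a 220 line is worth noting too (transparent proxies behave that way).
    banner = b""
    try:
        banner = s.recv(512)
    except (socket.timeout, OSError):
        pass
    finally:
        s.close()
    return ("connected", banner.decode("ascii", "replace").split("\r\n")[0])


def start_fake_smtp(banner=b"220 mail.example.test ESMTP (constructed)\r\n"):
    """Constructed stand-in for an ISP relay: accepts one connection on
    127.0.0.1, sends a 220 greeting, closes. Returns the listening port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_local_port():
    """Pick a 127.0.0.1 port with nothing listening, so a probe to it is
    answered with a RST (the 'refused' case) rather than dropped."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print("fake relay :", classify_connect("127.0.0.1", start_fake_smtp()))
    print("closed port:", classify_connect("127.0.0.1", closed_local_port()))
    # Against real hosts (placeholder names), e.g.
    #   classify_connect("smtp.isp.example"); classify_connect("mx.elsewhere.example")
    # "connected" to the ISP relay but "timeout" to every other port 25 is
    # the outbound-SMTP-filtering picture the reply describes, and is not
    # something the quoted pf.conf would produce: its catch-all
    # "pass out on $ext_if from ($ext_if) to any modulate state" already
    # covers TCP 25, so a pf drop would show up in pflog, not as a silent path.
```

Run it from the affected box itself, since the question is whether that host's outbound path is filtered; probing from elsewhere answers a different question.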