Re: Forwarding failures
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Forwarding failures
- From: "Peter H. Coffin" <hellsop_(_at_)_ninehells_(_dot_)_com>
- Date: Mon, 14 Mar 2005 17:08:15 -0600
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org
- Reply-to: hellsop_(_at_)_ninehells_(_dot_)_com
On Mon, Mar 14, 2005 at 05:54:41PM -0500, Chris Zakelj wrote:
> Peter H. Coffin wrote:
>
> >Can this box mail anywhere?
> >
> Not anymore (it used to). Attempting to mail from my user account to
> two old college addresses likewise resulted in timeout/deferred. I'm
> almost certain I broke something in my pf rules (reposted below, I
> changed some aliases last night while trying to figure this out), but
> I'm at a loss as to what.
New apartment, maybe new ISP account, no mention of port 25/smtp in
pf.conf; more likely you're being filtered on the SMTP port. telnet to
your ISP's SMTP host on port 25 and see if you get a connection. If so,
telnet to any other mail host on port 25 (try ninehells.com if you're at
a complete loss) and see if the connection times out.
Configuring the box to relay through the ISP's smtp host is an exercise
left to the student.
>
> bbhhs96# cat /etc/pf.conf
> # Define interfaces and rooms
> int_if = "rl0"
> ext_if = "tun0"
> xp = "192.168.0.2"
> laptop = "192.168.0.3"
> w98 = "192.168.0.4"
>
> # RFC1918
> priv_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
>
> # Those wonderful scrubbing bubbles
> scrub in all
>
> # Queueing
> # TCP/ACK frames get first dibs, followed by webserver, DNS lookups, and
> # the unwashed masses.
> altq on $ext_if priq bandwidth 256Kb queue { std_out, web_req, dns_out, web_server, tcp_ack_out }
> queue std_out priq(default)
> queue web_req priority 3
> queue dns_out priority 4
> queue web_server priority 5
> queue tcp_ack_out priority 6
>
> # NAT/RDR directives
> nat on $ext_if from $int_if:network to any -> ($ext_if:0) static-port
> rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> rdr pass on $ext_if proto { tcp, udp } from any to any port 6081 -> $xp port 6081
> rdr pass on $ext_if proto tcp from any to any port 9985:9989 -> $w98 port 9985:*
> rdr pass on $ext_if proto tcp from any to any port 9990:9994 -> $xp port 9990:*
> rdr pass on $ext_if proto tcp from any to any port 9995:9999 -> $laptop port 9995:*
>
> # Filtering begins
> block drop log all
>
> # Local machine stuff
> pass quick on lo0 all
>
> # Clean invalid SRC/DST packets
> block in quick on $ext_if from $priv_nets to any
> block out quick on $ext_if from any to $priv_nets
>
> # Pass in allowed servers/proxies
> # pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state
> pass in on $ext_if proto tcp from any to ($ext_if) port 80 flags S/SA keep state queue web_server
> pass in on $ext_if proto tcp from any to ($ext_if) user proxy keep state
>
> # Out to the 'net
> pass out on $ext_if from ($ext_if) to any modulate state queue (std_out, tcp_ack_out)
> pass out on $ext_if proto tcp from ($ext_if) to any port { http, https } modulate state queue (web_req, tcp_ack_out)
> pass out on $ext_if proto { udp, icmp } from ($ext_if) to any keep state queue std_out
> pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port domain modulate state queue dns_out
> pass out on $ext_if proto tcp from ($ext_if) to any user www modulate state queue web_server
>
> # Internal
> pass quick on $int_if all
>
--
28. My pet monster will be kept in a secure cage from which it cannot escape
and into which I could not accidentally stumble.
--Peter Anspach's list of things to do as an Evil Overlord
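The two-step check Peter describes (connect to the ISP's SMTP host on port 25, then to some unrelated mail host, and see which one times out) is scripted below as an added example; it is not part of the original thread and is not code from either poster. It uses only the Python standard library, distinguishes a completed handshake with a 220 greeting from a refused connection (an RST came back, so nothing is filtering) and from a silent timeout (the SYN was dropped, which is what an ISP filter or a local `block drop` rule both look like), and interprets the pair of results the way the reply does. Host names on the command line are whatever the reader chooses; the demo() function stands up a fake greeter on 127.0.0.1 so the whole thing runs offline.

```python
#!/usr/bin/env python3
"""Probe outbound TCP/25 to two hosts and say which failure mode you are seeing.

Added example, not from the original post.  Usage:
    probe25.py <isp-smtp-host> <some-other-mail-host>
"""
import socket
import sys
import threading

OPEN, NO_BANNER, REFUSED, TIMEOUT = "open", "open-no-banner", "refused", "timeout"


def probe_smtp(host, port=25, timeout=5.0):
    """TCP-connect to host:port and try to read the SMTP greeting.

    Returns (verdict, banner).  A refused connection means the peer answered
    with an RST, so nothing in the path is dropping port 25; a timeout means
    the SYN (or the SYN/ACK) was silently dropped somewhere.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(512).decode("ascii", "replace").strip()
            except socket.timeout:
                return NO_BANNER, ""      # handshake completed, server stayed quiet
            return (OPEN if banner.startswith("220") else NO_BANNER), banner
    except socket.timeout:
        return TIMEOUT, ""                # dropped: filter or block rule en route
    except ConnectionRefusedError:
        return REFUSED, ""                # reachable, but nothing listening on 25
    except OSError as exc:
        return "error: %s" % exc, ""


def diagnose(isp_verdict, other_verdict):
    """Interpret the two probes the reply asks for."""
    reachable = (OPEN, NO_BANNER)
    if isp_verdict == TIMEOUT and other_verdict == TIMEOUT:
        return "outbound 25 blocked everywhere: check the local pf rules first"
    if isp_verdict in reachable and other_verdict == TIMEOUT:
        return "ISP permits its own relay only: relay the MTA through the ISP smarthost"
    if isp_verdict in reachable and other_verdict in reachable:
        return "port 25 is not filtered: look elsewhere (DNS, MTA configuration)"
    return "inconclusive: isp=%s other=%s" % (isp_verdict, other_verdict)


def _fake_smtp_server():
    """Loopback listener that sends a constructed 220 greeting, for the demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 mail.example.test ESMTP (constructed banner)\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _closed_port():
    """Grab an ephemeral port and release it so a connect there gets RST."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Offline run: one open port with a banner, one closed port."""
    open_verdict, banner = probe_smtp("127.0.0.1", _fake_smtp_server(), timeout=3)
    closed_verdict, _ = probe_smtp("127.0.0.1", _closed_port(), timeout=3)
    return open_verdict, banner, closed_verdict


if __name__ == "__main__":
    if len(sys.argv) == 3:
        isp, _ = probe_smtp(sys.argv[1])
        other, _ = probe_smtp(sys.argv[2])
        print("isp:", isp, "other:", other)
        print(diagnose(isp, other))
    else:
        print(demo())
```

A timeout on both hosts does not by itself prove the ISP is at fault: the poster's own `block drop log all` would produce exactly the same silent drop if the outbound rule were not matching, so read `pflog0` with tcpdump alongside the probe before blaming the provider.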