ipfw breaking smtp conversations


ipfw breaking smtp conversations

by whereisalext


Hi List,

   I'm having trouble with mail deliveries. I'm getting lots of error
messages like:

timeout writing message to mx3.comcast.net.: Broken pipe
timeout writing message to mailserver2.telmex.net.co.: Resource temporarily
unavailable

After looking elsewhere I decided to try changing my ipfw.rules - the
problems went away immediately. Unfortunately, the change caused http
connections from outside to stall mid-conversation. So I changed it back.
But I'm clearly doing something wrong.

Here is what my network looks like (fairly basic):

Direct to Internet
   ^
   |
Dual-Homed Host (em0 external interface)
NAT,DHCP (sk0 internal interface)
 |
 v
Internal LAN

Here are my current rules:

#!/bin/sh
IPFW="ipfw -q add"
ipfw -q -f flush

$IPFW 10 allow all from any to any via sk0
$IPFW 20 allow all from any to any via lo0
$IPFW 30 divert natd ip from any to any in via em0
$IPFW 50 check-state
$IPFW 60 skipto 500 all from any to any out via em0 setup keep-state
$IPFW 70 allow all from any to me in via em0 setup limit src-addr 50
$IPFW 500 divert natd ip from any to any out via em0
$IPFW 600 allow ip from any to any
$IPFW 800 deny all from any to any


Here are the rules that fixed smtp, but broke http:

#!/bin/sh
IPFW="/sbin/ipfw -q add"
ipfw -q -f flush

$IPFW 990 divert natd ip from any to any in via em0
$IPFW 995 divert natd ip from any to any out via em0
$IPFW 1000 allow tcp from any to any established
$IPFW 1010 allow all from any to any via em0
$IPFW 1020 allow all from any to any via sk0
$IPFW 1030 allow all from any to any via lo0
$IPFW 1050 allow tcp from any to any out
$IPFW 1060 allow udp from any to any out
$IPFW 1070 allow udp from any to any frag
$IPFW 1090 allow ip from any to any
$IPFW 9999 deny all from any to any


Somewhere between these two sets is the right thing, but I'm not certain
where to look. In English, here is what (I think) I'm trying to do:

Allow all incoming traffic on all ports on em0
Allow all outbound traffic on all ports on em0
Divert incoming NAT'd packets on em0 to sk0
Divert outbound NAT'd packets on sk0 to em0

Thanks,
Alex
_______________________________________________
freebsd-questions@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@..."
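Added example, not Alex's script and not anything ipfw itself ships: a small Python model that walks the two rulesets above for a handful of constructed packets and reports which rule each one stops at, since "which rule does this packet actually hit" is the question the post is really asking. It models only the keywords those rules use (proto, in/out, via, to me, setup, established, frag, keep-state/limit, check-state, skipto and divert) and makes two simplifying assumptions: natd's address rewriting is ignored, so the same flow tuple is used before and after the divert, and limit is treated as plain keep-state with no per-source cap. The addresses, ports and flows are made up.

```python
from dataclasses import dataclass

# Rulesets copied from the post above (shell wrapper lines dropped).
CURRENT_RULES = """
10 allow all from any to any via sk0
20 allow all from any to any via lo0
30 divert natd ip from any to any in via em0
50 check-state
60 skipto 500 all from any to any out via em0 setup keep-state
70 allow all from any to me in via em0 setup limit src-addr 50
500 divert natd ip from any to any out via em0
600 allow ip from any to any
800 deny all from any to any
"""
FIXED_SMTP_RULES = """
990 divert natd ip from any to any in via em0
995 divert natd ip from any to any out via em0
1000 allow tcp from any to any established
1010 allow all from any to any via em0
1020 allow all from any to any via sk0
1030 allow all from any to any via lo0
1050 allow tcp from any to any out
1060 allow udp from any to any out
1070 allow udp from any to any frag
1090 allow ip from any to any
9999 deny all from any to any
"""

@dataclass
class Packet:
    iface: str           # interface the packet crosses, e.g. "em0"
    direction: str       # "in" or "out"
    proto: str           # "tcp" or "udp"
    flow: tuple          # constructed 4-tuple naming the connection (state key)
    to_me: bool = False  # destined to one of the host's own addresses ("me")
    syn: bool = False    # TCP SYN flag
    ack: bool = False    # TCP ACK flag
    frag: bool = False   # non-first IP fragment

def parse(text):
    """'NUM ACTION [ARG] OPTS...' -> (num, action, arg, opts); ARG is the skipto target or divert port."""
    rules = []
    for line in text.strip().splitlines():
        p = line.split()
        num, action = int(p[0]), p[1]
        arg, opts = (p[2], p[3:]) if action in ("skipto", "divert") else (None, p[2:])
        rules.append((num, action, arg, opts))
    return rules

def matches(opts, pkt):
    """Static match for the option words the posted rules use."""
    want = lambda key: opts[opts.index(key) + 1]   # word following a keyword
    return (opts[0] in ("all", "ip", pkt.proto)
            and (want("to") != "me" or pkt.to_me)
            and ("in" not in opts or pkt.direction == "in")
            and ("out" not in opts or pkt.direction == "out")
            and ("via" not in opts or want("via") == pkt.iface)
            and ("setup" not in opts or (pkt.syn and not pkt.ack))   # SYN only
            and ("established" not in opts or pkt.ack)
            and ("frag" not in opts or pkt.frag))

def walk(rules, pkt, state):
    """First-match walk; returns (verdict, rules hit). state maps a flow to the
    rule whose keep-state/limit created it; a matching check-state applies that
    rule's action. limit's per-source cap and NAT rewriting are not modelled."""
    hits, i = [], 0
    while i < len(rules):
        num, action, arg, opts = rules[i]
        if action == "check-state" and pkt.flow in state:
            num, action, arg, opts = state[pkt.flow]   # dynamic rule inherits parent's action
            hits.append(f"check-state -> dyn rule of {num}")
        elif action == "check-state" or not matches(opts, pkt):
            i += 1
            continue
        else:
            hits.append(f"{num} {action}")
            if "keep-state" in opts or "limit" in opts:
                state[pkt.flow] = rules[i]
        if action in ("allow", "deny"):
            return action, hits
        if action == "skipto":
            i = next((k for k, r in enumerate(rules) if r[0] >= int(arg)), len(rules))
        else:
            i += 1   # divert: natd re-injects the packet at the next rule
    return "deny", hits   # implicit default deny

def traces():
    """Constructed flows: outbound SMTP under the current rules (SYN, the SYN/ACK
    reply, then a reply after the dynamic rule has expired) and inbound HTTP
    under the 'fixed smtp' rules (SYN, then data)."""
    cur, fixed, st = parse(CURRENT_RULES), parse(FIXED_SMTP_RULES), {}
    smtp = ("192.0.2.10", 52000, "198.51.100.25", 25)   # made-up addresses
    http = ("203.0.113.7", 40000, "192.0.2.10", 80)
    out = [walk(cur, Packet("em0", "out", "tcp", smtp, syn=True), st),
           walk(cur, Packet("em0", "in", "tcp", smtp, to_me=True, syn=True, ack=True), st)]
    st.clear()   # stand-in for the dynamic rule timing out
    out.append(walk(cur, Packet("em0", "in", "tcp", smtp, to_me=True, ack=True), st))
    out.append(walk(fixed, Packet("em0", "in", "tcp", http, to_me=True, syn=True), {}))
    out.append(walk(fixed, Packet("em0", "in", "tcp", http, to_me=True, ack=True), {}))
    return out

if __name__ == "__main__":
    print(*(f"{v}: {' -> '.join(h)}" for v, h in traces()), sep="\n")
```

In this simplified model every packet of both flows reaches an allow rule, including the SMTP reply that arrives after the dynamic rule is gone (rule 600 catches it), so a plain static-ordering drop does not account for the timeouts. On the real box, `ipfw -a list` (per-rule packet and byte counters) and `ipfw -d list` (the dynamic rules currently held) show which rules the live traffic is actually hitting, which is the first thing to compare against a walk like this one.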

Re: ipfw breaking smtp conversations

by krad-2


2009/11/4 Alex Teslik <whereisalext@...>

> Hi List,
>
>   I'm having trouble with mail deliveries. I'm getting lots of error
> messages like:
>
> timeout writing message to mx3.comcast.net.: Broken pipe
> timeout writing message to mailserver2.telmex.net.co.: Resource temporarily
> unavailable
>
> After looking elsewhere I decided to try changing my ipfw.rules - the
> problems went away immediately. Unfortunately, the change caused http
> connections from outside to stall mid-conversation. So I changed it back.
> But I'm clearly doing something wrong.
>
> Here is what my network looks like (fairly basic):
>
> Direct to Internet
>   ^
>   |
> Dual-Homed Host (em0 external interface)
> NAT,DHCP (sk0 internal interface)
>  |
>  v
> Internal LAN
>
> Here are my current rules:
>
> #!/bin/sh
> IPFW="ipfw -q add"
> ipfw -q -f flush
>
> $IPFW 10 allow all from any to any via sk0
> $IPFW 20 allow all from any to any via lo0
> $IPFW 30 divert natd ip from any to any in via em0
> $IPFW 50 check-state
> $IPFW 60 skipto 500 all from any to any out via em0 setup keep-state
> $IPFW 70 allow all from any to me in via em0 setup limit src-addr 50
> $IPFW 500 divert natd ip from any to any out via em0
> $IPFW 600 allow ip from any to any
> $IPFW 800 deny all from any to any
>
>
> Here are the rules that fixed smtp, but broke http:
>
> #!/bin/sh
> IPFW="/sbin/ipfw -q add"
> ipfw -q -f flush
>
> $IPFW 990 divert natd ip from any to any in via em0
> $IPFW 995 divert natd ip from any to any out via em0
> $IPFW 1000 allow tcp from any to any established
> $IPFW 1010 allow all from any to any via em0
> $IPFW 1020 allow all from any to any via sk0
> $IPFW 1030 allow all from any to any via lo0
> $IPFW 1050 allow tcp from any to any out
> $IPFW 1060 allow udp from any to any out
> $IPFW 1070 allow udp from any to any frag
> $IPFW 1090 allow ip from any to any
> $IPFW 9999 deny all from any to any
>
>
> Somewhere between these two sets is the right thing, but I'm not certain
> where to look. In English, here is what (I think) I'm trying to do:
>
> Allow all incoming traffic on all ports on em0
> Allow all outbound traffic on all ports on em0
> Divert incoming NAT'd packets on em0 to sk0
> Divert outbound NAT'd packets on sk0 to em0
>
> Thanks,
> Alex
> _______________________________________________
> freebsd-questions@... mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@..."
>

I'm not sure what the problem is, but if you are on FreeBSD 5+, which I assume
you will be as it's been out for years, I would highly recommend switching to
pf. The rule sets are really easy and you can do a lot more, far more easily,
than with ipfw. I always found getting the rule order a bit fidgety in ipfw;
not the case with pf.