schotty
September 17th, 2002, 13:13
Hey all!

I've got a firewall that is to pass email packets in and out. I got it working on the outgoing fine, but the incoming likes to block just about everything.

[code]
lan_if = "ne3" # LAN adapter, for administration
ext_if = "ne4" # External WAN adapter
int_if = "ne5" # Internal Service side adapter, in our case AVO1

## In Rules ##

# In bridge mode, we only need to filter on one interface,
# namely in our case, the internal interface. We will pass all traffic
# on the external
pass in quick on $ext_if all
pass out quick on $ext_if all
pass out quick on $int_if from any to any keep state

#Block and log everything by default.
block in log on $int_if all

#Pass in all email type packets
pass in quick on $int_if proto tcp from any to any port 25 # SMTP
pass in quick on $int_if proto tcp from any to any port 109 #pop2
pass in quick on $int_if proto tcp from any to any port 110 #pop3
pass in quick on $int_if proto tcp from any to any port 119 #nntp
pass in quick on $int_if proto tcp from any to any port 143 #imap
pass in quick on $int_if proto tcp from any to any port 209 #qmtp
pass in quick on $int_if proto tcp from any to any port 220 #imap3
pass in quick on $int_if proto tcp from any to any port 420 #smtpe
pass in quick on $int_if proto tcp from any to any port 993 #imap ssl
pass in quick on $int_if proto tcp from any to any port 994 #pop3 ssl

# Pass in ICMP Ping packets
pass in on $int_if inet proto icmp all icmp-type 8 code 0 keep state

## Out Rules ##

#Pass out mail packets
pass out quick on $int_if proto tcp from any to any port 25 # SMTP
pass out quick on $int_if proto tcp from any to any port 109 #pop2
pass out quick on $int_if proto tcp from any to any port 110 #pop3
pass out quick on $int_if proto tcp from any to any port 119 #nntp
pass out quick on $int_if proto tcp from any to any port 143 #imap
pass out quick on $int_if proto tcp from any to any port 209 #qmtp
pass out quick on $int_if proto tcp from any to any port 220 #imap3
pass out quick on $int_if proto tcp from any to any port 420 #smtpe
pass out quick on $int_if proto tcp from any to any port 993 #imap ssl
pass out quick on $int_if proto tcp from any to any port 994 #pop3 ssl

#Pass ICMP Ping packets out
pass out on $int_if inet proto icmp all icmp-type 8 code 0 keep state

#Pass out all UDP/TCP and keep state
pass out on $int_if proto udp all keep state
pass out on $int_if proto tcp all modulate state
[/code]

And here are a few lines of my pflog that show the stuff getting blocked:

[code]
05:00:50.368803 192.168.254.1.netbios-dgm > 192.168.254.255.netbios-dgm: udp 212
05:00:50.368877 192.168.254.1.netbios-dgm > 192.168.254.255.netbios-dgm: udp 212
05:01:03.343155 192.168.254.1.netbios-ns > 192.168.254.255.netbios-ns: udp 50
05:01:03.343203 192.168.254.1.netbios-ns > 192.168.254.255.netbios-ns: udp 50
05:01:03.344276 192.168.254.1.netbios-ns > 192.168.254.255.netbios-ns: udp 50
05:01:03.344312 192.168.254.1.netbios-ns > 192.168.254.255.netbios-ns: udp 50
05:01:03.897516 192.168.254.1.smtp > f156.law11.hotmail.com.1638: S 11227767:11227767(0) ack 2078115006 win 8760 <mss 1460> (DF)
05:01:04.088270 192.168.254.1.netbios-ns > 192.168.254.255.netbios-ns: udp 50
05:01:04.088297 192.168.254.1.netbios-ns > 192.168.254.255.netbios-ns: udp 50
05:01:04.088338 192.168.254.1.netbios-ns > 192.168.254.255.netbios-ns: udp 50
05:01:04.088368 192.168.254.1.netbios-ns > 192.168.254.255.netbios-ns: udp 50
05:01:04.839482 192.168.254.1.netbios-ns > 192.168.254.255.netbios-ns: udp 50
05:01:04.839508 192.168.254.1.netbios-ns > 192.168.254.255.netbios-ns: udp 50
05:01:04.839546 192.168.254.1.netbios-ns > 192.168.254.255.netbios-ns: udp 50
05:01:04.839576 192.168.254.1.netbios-ns > 192.168.254.255.netbios-ns: udp 50
05:01:06.862526 192.168.254.1.smtp > f156.law11.hotmail.com.1638: S 11227767:11227767(0) ack 2078115006 win 8760 <mss 1460> (DF)
05:01:07.128028 192.168.254.1.smtp > f156.law11.hotmail.com.1638: . ack 1 win 8760 (DF)
05:01:12.872065 192.168.254.1.smtp > f156.law11.hotmail.com.1638: S 11227767:11227767(0) ack 2078115006 win 8760 <mss 1460> (DF)
05:01:13.691424 192.168.254.1.smtp > f156.law11.hotmail.com.1638: . ack 1 win 8760 (DF)
05:01:24.891022 192.168.254.1.smtp > f156.law11.hotmail.com.1638: S 11227767:11227767(0) ack 2078115006 win 8760 <mss 1460> (DF)
05:01:29.939995 192.168.254.1.3887 > mclddns02.mcleodusa.net.domain: 168+[|domain]
05:01:30.940865 192.168.254.1.3887 > mclddns02.mcleodusa.net.domain: 168+[|domain]
05:01:31.441438 192.168.254.1.3887 > mclddns03.mcleodusa.net.domain: 168+[|domain]
05:01:31.942488 192.168.254.1.3887 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 168+[|domain]
05:01:33.945546 192.168.254.1.3887 > mclddns02.mcleodusa.net.domain: 168+[|domain]
05:01:33.945678 192.168.254.1.3887 > mclddns03.mcleodusa.net.domain: 168+[|domain]
05:01:33.945798 192.168.254.1.3887 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 168+[|domain]
05:01:37.952105 192.168.254.1.3887 > mclddns02.mcleodusa.net.domain: 168+[|domain]
05:01:37.952392 192.168.254.1.3887 > mclddns03.mcleodusa.net.domain: 168+[|domain]
05:01:37.952674 192.168.254.1.3887 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 168+[|domain]
05:01:48.532227 192.168.254.1.3889 > mclddns02.mcleodusa.net.domain: 489+ MX? page.nextel.com. (33)
05:01:48.935077 192.168.254.1.3890 > mclddns02.mcleodusa.net.domain: 168+[|domain]
05:01:49.934700 192.168.254.1.3890 > mclddns02.mcleodusa.net.domain: 168+[|domain]
05:01:50.434445 192.168.254.1.3890 > mclddns03.mcleodusa.net.domain: 168+[|domain]
05:01:50.935312 192.168.254.1.3890 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 168+[|domain]
05:01:52.939111 192.168.254.1.3890 > mclddns02.mcleodusa.net.domain: 168+[|domain]
05:01:52.939241 192.168.254.1.3890 > mclddns03.mcleodusa.net.domain: 168+[|domain]
05:01:52.939397 192.168.254.1.3890 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 168+[|domain]
05:01:53.538901 192.168.254.1.3889 > mclddns03.mcleodusa.net.domain: 489+ MX? page.nextel.com. (33)
05:01:56.944906 192.168.254.1.3890 > mclddns02.mcleodusa.net.domain: 168+[|domain]
05:01:56.945185 192.168.254.1.3890 > mclddns03.mcleodusa.net.domain: 168+[|domain]
05:01:56.945466 192.168.254.1.3890 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 168+[|domain]
05:01:58.547087 192.168.254.1.3889 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 489+ MX? page.nextel.com. (33)
05:02:03.552300 192.168.254.1.3889 > mclddns02.mcleodusa.net.domain: 489+ MX? page.nextel.com. (33)
05:02:04.945360 192.168.254.1.netbios-ns > f156.law11.hotmail.com.netbios-ns: udp 50
05:02:06.446744 192.168.254.1.netbios-ns > f156.law11.hotmail.com.netbios-ns: udp 50
05:02:06.556963 192.168.254.1.3889 > mclddns03.mcleodusa.net.domain: 489+ MX? page.nextel.com. (33)
05:02:07.949275 192.168.254.1.netbios-ns > f156.law11.hotmail.com.netbios-ns: udp 50
05:02:09.561769 192.168.254.1.3889 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 489+ MX? page.nextel.com. (33)
05:02:12.566542 192.168.254.1.3889 > mclddns02.mcleodusa.net.domain: 489+ MX? page.nextel.com. (33)
05:02:18.538129 192.168.254.1.3892 > mclddns02.mcleodusa.net.domain: 490+ MX? sbcglobal.net. (31)
05:02:18.576086 192.168.254.1.3889 > mclddns03.mcleodusa.net.domain: 489+ MX? page.nextel.com. (33)
05:22:08.384030 192.168.254.1.3971 > mclddns02.mcleodusa.net.domain: 184+[|domain]
05:22:09.377864 192.168.254.1.3971 > mclddns02.mcleodusa.net.domain: 184+[|domain]
05:22:09.878235 192.168.254.1.3971 > mclddns03.mcleodusa.net.domain: 184+[|domain]
05:22:10.379099 192.168.254.1.3971 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 184+[|domain]
05:22:12.382535 192.168.254.1.3971 > mclddns02.mcleodusa.net.domain: 184+[|domain]
05:22:12.382699 192.168.254.1.3971 > mclddns03.mcleodusa.net.domain: 184+[|domain]
05:22:12.382819 192.168.254.1.3971 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 184+[|domain]
05:22:16.389250 192.168.254.1.3971 > mclddns02.mcleodusa.net.domain: 184+[|domain]
05:22:16.389527 192.168.254.1.3971 > mclddns03.mcleodusa.net.domain: 184+[|domain]
05:22:16.389804 192.168.254.1.3971 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 184+[|domain]
05:22:26.462621 192.168.254.1.3973 > mclddns02.mcleodusa.net.domain: 498+ MX? page.nextel.com. (33)
05:22:31.462337 192.168.254.1.3973 > mclddns03.mcleodusa.net.domain: 498+ MX? page.nextel.com. (33)
05:22:36.470141 192.168.254.1.3973 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 498+ MX? page.nextel.com. (33)
05:22:41.478304 192.168.254.1.3973 > mclddns02.mcleodusa.net.domain: 498+ MX? page.nextel.com. (33)
05:22:44.483033 192.168.254.1.3973 > mclddns03.mcleodusa.net.domain: 498+ MX? page.nextel.com. (33)
05:22:47.487784 192.168.254.1.3973 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 498+ MX? page.nextel.com. (33)
05:22:50.492547 192.168.254.1.3973 > mclddns02.mcleodusa.net.domain: 498+ MX? page.nextel.com. (33)
05:22:56.502013 192.168.254.1.3973 > mclddns03.mcleodusa.net.domain: 498+ MX? page.nextel.com. (33)
05:23:02.511231 192.168.254.1.3973 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 498+ MX? page.nextel.com. (33)
05:23:08.520712 192.168.254.1.3973 > mclddns02.mcleodusa.net.domain: 498+ MX? page.nextel.com. (33)
05:23:21.531609 192.168.254.1.3973 > mclddns03.mcleodusa.net.domain: 498+ MX? page.nextel.com. (33)
05:30:26.954737 192.168.254.1.3986 > mclddns02.mcleodusa.net.domain: 162+[|domain]
05:30:27.955133 192.168.254.1.3986 > mclddns02.mcleodusa.net.domain: 162+[|domain]
05:30:28.455843 192.168.254.1.3986 > mclddns03.mcleodusa.net.domain: 162+[|domain]
05:30:28.956700 192.168.254.1.3986 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 162+[|domain]
05:30:30.959725 192.168.254.1.3986 > mclddns02.mcleodusa.net.domain: 162+[|domain]
05:30:30.959856 192.168.254.1.3986 > mclddns03.mcleodusa.net.domain: 162+[|domain]
05:30:30.959981 192.168.254.1.3986 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 162+[|domain]
05:30:34.966284 192.168.254.1.3986 > mclddns02.mcleodusa.net.domain: 162+[|domain]
05:30:34.966555 192.168.254.1.3986 > mclddns03.mcleodusa.net.domain: 162+[|domain]
05:30:34.966842 192.168.254.1.3986 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 162+[|domain]
05:30:43.391633 192.168.254.1.netbios-dgm > 192.168.254.255.netbios-dgm: udp 201
05:30:43.391682 192.168.254.1.netbios-dgm > 192.168.254.255.netbios-dgm: udp 201
05:30:44.826728 192.168.254.1.3988 > mclddns02.mcleodusa.net.domain: 503+ MX? page.nextel.com. (33)
05:30:49.829534 192.168.254.1.3988 > mclddns03.mcleodusa.net.domain: 503+ MX? page.nextel.com. (33)
05:30:50.632944 192.168.254.1.netbios-dgm > 192.168.254.255.netbios-dgm: udp 212
05:30:50.632991 192.168.254.1.netbios-dgm > 192.168.254.255.netbios-dgm: udp 212
05:30:54.837814 192.168.254.1.3988 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 503+ MX? page.nextel.com. (33)
05:30:59.845584 192.168.254.1.3988 > mclddns02.mcleodusa.net.domain: 503+ MX? page.nextel.com. (33)
05:31:02.850350 192.168.254.1.3988 > mclddns03.mcleodusa.net.domain: 503+ MX? page.nextel.com. (33)
05:31:05.855043 192.168.254.1.3988 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 503+ MX? page.nextel.com. (33)
05:31:08.859685 192.168.254.1.3988 > mclddns02.mcleodusa.net.domain: 503+ MX? page.nextel.com. (33)
05:31:14.869313 192.168.254.1.3988 > mclddns03.mcleodusa.net.domain: 503+ MX? page.nextel.com. (33)
05:31:20.878877 192.168.254.1.3988 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 503+ MX? page.nextel.com. (33)
05:31:26.888376 192.168.254.1.3988 > mclddns02.mcleodusa.net.domain: 503+ MX? page.nextel.com. (33)
05:31:39.899044 192.168.254.1.3988 > mclddns03.mcleodusa.net.domain: 503+ MX? page.nextel.com. (33)
10:54:34.001426 192.168.254.1.4005 > mclddns02.mcleodusa.net.domain: 158+[|domain]
10:54:34.999158 192.168.254.1.4005 > mclddns02.mcleodusa.net.domain: 158+[|domain]
10:54:35.499540 192.168.254.1.4005 > mclddns03.mcleodusa.net.domain: 158+[|domain]
10:54:36.001428 192.168.254.1.4005 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 158+[|domain]
10:54:37.478746 192.168.254.1.1333 > 63.230.13.179.netbios-ns: udp 50
10:54:37.535250 192.168.254.1.4006 > mclddns02.mcleodusa.net.domain: 224+[|domain]
10:54:38.003926 192.168.254.1.4005 > mclddns02.mcleodusa.net.domain: 158+[|domain]
10:54:38.004054 192.168.254.1.4005 > mclddns03.mcleodusa.net.domain: 158+[|domain]
10:54:38.004174 192.168.254.1.4005 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 158+[|domain]
10:54:38.534475 192.168.254.1.4006 > mclddns02.mcleodusa.net.domain: 224+[|domain]
10:54:39.035101 192.168.254.1.4006 > mclddns03.mcleodusa.net.domain: 224+[|domain]
10:54:39.536138 192.168.254.1.4006 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 224+[|domain]
10:54:41.539230 192.168.254.1.4006 > mclddns02.mcleodusa.net.domain: 224+[|domain]
10:54:41.539530 192.168.254.1.4006 > mclddns03.mcleodusa.net.domain: 224+[|domain]
10:54:41.539809 192.168.254.1.4006 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 224+[|domain]
10:54:42.010648 192.168.254.1.4005 > mclddns02.mcleodusa.net.domain: 158+[|domain]
10:54:42.010812 192.168.254.1.4005 > mclddns03.mcleodusa.net.domain: 158+[|domain]
10:54:42.010933 192.168.254.1.4005 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 158+[|domain]
10:54:42.190406 192.168.254.1.1333 > 63.230.13.179.netbios-ns: udp 50
10:54:45.545503 192.168.254.1.4006 > mclddns02.mcleodusa.net.domain: 224+[|domain]
10:54:45.545671 192.168.254.1.4006 > mclddns03.mcleodusa.net.domain: 224+[|domain]
10:54:45.545793 192.168.254.1.4006 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 224+[|domain]
10:54:51.045333 192.168.254.1.4008 > mclddns02.mcleodusa.net.domain: 506+ MX? page.nextel.com. (33)
10:54:53.548939 192.168.254.1.netbios-ns > 63.230.13.179.netbios-ns: udp 50
10:54:55.050345 192.168.254.1.netbios-ns > 63.230.13.179.netbios-ns: udp 50
10:54:56.052337 192.168.254.1.4008 > mclddns03.mcleodusa.net.domain: 506+ MX? page.nextel.com. (33)
10:54:56.552695 192.168.254.1.netbios-ns > 63.230.13.179.netbios-ns: udp 50
10:54:56.613610 192.168.254.1.1333 > 63.230.13.179.netbios-ns: udp 50
10:55:01.060176 192.168.254.1.4008 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 506+ MX? page.nextel.com. (33)
10:55:06.067962 192.168.254.1.4008 > mclddns02.mcleodusa.net.domain: 506+ MX? page.nextel.com. (33)
10:55:09.072843 192.168.254.1.4008 > mclddns03.mcleodusa.net.domain: 506+ MX? page.nextel.com. (33)
10:55:12.077594 192.168.254.1.4008 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 506+ MX? page.nextel.com. (33)
10:55:15.082104 192.168.254.1.4008 > mclddns02.mcleodusa.net.domain: 506+ MX? page.nextel.com. (33)
10:55:21.091917 192.168.254.1.4008 > mclddns03.mcleodusa.net.domain: 506+ MX? page.nextel.com. (33)
10:55:21.852939 192.168.254.1.1333 > 63.230.13.179.netbios-ns: udp 50
10:55:27.101088 192.168.254.1.4008 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 506+ MX? page.nextel.com. (33)
10:55:33.110809 192.168.254.1.4008 > mclddns02.mcleodusa.net.domain: 506+ MX? page.nextel.com. (33)
10:55:46.121128 192.168.254.1.4008 > mclddns03.mcleodusa.net.domain: 506+ MX? page.nextel.com. (33)
10:55:56.107126 192.168.254.1.1333 > 63.230.13.179.netbios-ns: udp 50
10:55:59.131797 192.168.254.1.4008 > mpdr0-adm.milwaukee.wi.ameritech.net.domain: 506+ MX? page.nextel.com. (33)
[/code]

What I was trying to do here was mostly test pages to my Nextel (hence the nextel.com shit).

Pretty much, if I clear the rules, it flips on through. Re-enable it and try it -- the email sits. Now, what I have yet to figure out is, why is it even getting blocked? Shouldn't MS Exchange (yeah, I am using evilware) find an open port? I have the list of available outgoing ports identical to the incoming ports.

Well, thanks for the help! The only modifications I did to the pf.conf were adding in all of the quicks (originally the only quicks were on the generic pass in/out all) and adding the explicit pass out quick lines for each port. Other than that, I am pretty much stumped.

TIA!

Schotty
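Added example (editor's code, not from this thread or from the pf project): a small Python parser for tcpdump-style pflog lines like the ones pasted above, which sorts the blocked packets by what the first ruleset does with them. The sample lines are copied from the post; the categories are this editor's reading of that ruleset (per-port "pass in" rules that test only the destination port, no UDP pass-in rule on $int_if, and "block in log on $int_if all" as the fallback). The service names are the ones tcpdump prints.

```python
import re
from collections import Counter

# Constructed sample: a handful of the pflog lines quoted in the post above. They are in
# tcpdump's text format; per the post, every one of them was dropped by the
# "block in log on $int_if all" rule.
SAMPLE_PFLOG = """\
05:00:50.368803 192.168.254.1.netbios-dgm > 192.168.254.255.netbios-dgm: udp 212
05:01:03.343155 192.168.254.1.netbios-ns > 192.168.254.255.netbios-ns: udp 50
05:01:03.897516 192.168.254.1.smtp > f156.law11.hotmail.com.1638: S 11227767:11227767(0) ack 2078115006 win 8760 <mss 1460> (DF)
05:01:07.128028 192.168.254.1.smtp > f156.law11.hotmail.com.1638: . ack 1 win 8760 (DF)
05:01:29.939995 192.168.254.1.3887 > mclddns02.mcleodusa.net.domain: 168+[|domain]
05:01:48.532227 192.168.254.1.3889 > mclddns02.mcleodusa.net.domain: 489+ MX? page.nextel.com. (33)
05:02:04.945360 192.168.254.1.netbios-ns > f156.law11.hotmail.com.netbios-ns: udp 50
"""

# "<time> <host>.<port> > <host>.<port>: <rest>"; the port is the last dot-separated
# field of each endpoint, so the host part is matched non-greedily.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>.+?)\.(?P<sport>[^.\s]+) > "
    r"(?P<dst>.+?)\.(?P<dport>[^.\s]+): (?P<rest>.*)$"
)

# tcpdump prints service names for well-known ports; these are the mail services the
# ruleset opened by *destination* port.
MAIL_SERVICES = {"smtp", "pop2", "pop3", "pop-3", "nntp", "imap", "imap2",
                 "qmtp", "imap3", "imaps", "pop3s"}


def parse_line(line):
    """Split one tcpdump/pflog line into endpoints, ports and a guessed protocol."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    rest = pkt["rest"]
    if rest.startswith("udp ") or "domain" in (pkt["sport"], pkt["dport"]):
        pkt["proto"] = "udp"          # plain UDP, or a DNS query tcpdump decoded
    elif re.match(r"^[SFRP.]+ ", rest):
        pkt["proto"] = "tcp"          # leading TCP flag field: S, ., P, F, R
    else:
        pkt["proto"] = "other"
    return pkt


def classify(pkt):
    """Name the reason the first ruleset would log this packet on $int_if."""
    if pkt["proto"] == "tcp" and pkt["sport"] in MAIL_SERVICES:
        # The server's half of a mail session: source port 25/110/143..., destination
        # the peer's ephemeral port. "pass in ... to any port 25" tests the destination
        # port, so it never matches this packet and the fallback block rule logs it.
        return "mail-reply-not-matched-by-dport-rule"
    if pkt["dport"] == "domain":
        # Resolver queries from the mail server: the ruleset has no pass-in rule on
        # $int_if for UDP at all, so MX lookups are dropped before mail can leave.
        return "dns-query-no-pass-rule"
    if pkt["sport"].startswith("netbios") or pkt["dport"].startswith("netbios"):
        return "netbios-noise"        # Windows name-service chatter; dropping it is fine
    return "other"


def summarize(log_text):
    """Count blocked packets per cause; the top causes are what to fix first."""
    counts = Counter()
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            counts[classify(pkt)] += 1
    return counts


if __name__ == "__main__":
    for cause, n in summarize(SAMPLE_PFLOG).most_common():
        print(f"{n:4d}  {cause}")
```

The parser expects the plain format pasted in the post. Lines read back with `tcpdump -n -e -ttt -r /var/log/pflog` carry a "rule N/... block in on ne5:" prefix in front of the packet text, which you would strip before feeding them in. The point of the grouping is that two of the three buckets are the mail flow itself (the server's replies and its DNS lookups), not hostile traffic, and neither is reachable by a rule that only names a destination port.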

elmore
September 17th, 2002, 15:43
What about trying this:

[code]

#setup Variables
lan_if = "ne3" # LAN adapter, for administration
ext_if = "ne4" # External WAN adapter
int_if = "ne5" # Internal Service side adapter, in our case AVO1
Email = "{ 25, 109, 110, 119, 143, 209, 220, 420, 993, 994 }"

#Rules#
scrub in all

#Default Deny#
block in log on $ext_if all
block out log on $int_if all

#Email Rules#
pass in quick on $ext_if proto tcp from any to any port $Email # SMTP, pop, imap and others
pass out quick on $int_if proto tcp from any to any port $Email # SMTP, pop, imap and others

#ICMP Rules#
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass out on $int_if inet proto icmp all icmp-type 8 code 0 keep state

[/code]

This ruleset should allow all e-mail types to pass in and out, as well as ICMP type 8 (ping). Everything else should be blocked by default. Try that and see if it works for you.

Additionally, an nmap scan from outside (or in this case even from inside) should report these ports as open. Try a SYN scan, something like:

[code]
nmap -v -v -v -v -sS -P0 <hostname>
[/code]

Provided you're running all these services on the host.

schotty
September 17th, 2002, 16:27
Thanks, I will have someone nmap me again with the new ruleset. I had a few buddies from LJR do that Monday morning before I hooked it up to the mail server. The ports that showed up were the same ones I specified to be open, except the imap and pop2 ports were listed as closed. The mail server is still behind its own firewall (which is about to go), so this isn't life and death. Just frustrating :)

Thanks much Elmore, I will check out your conf and let you know.

schotty
September 17th, 2002, 16:54
[code]
<rick420-work> (The 1596 ports scanned but not shown below are in state: filtered)
<rick420-work> Port State Service
<rick420-work> 25/tcp open smtp
<rick420-work> 110/tcp open pop-3
<rick420-work> 143/tcp open imap2
<rick420-work> 220/tcp closed imap3
<rick420-work> 993/tcp open imaps
<rick420-work> all done
<Schotty> kewl, thanks
[/code]

Here are the results of the nmap probe with the new file you made.


Here again is what is happening when I try to send out:

[code]
14:44:03.695702 mclddns02.mcleodusa.net.domain > 192.168.254.1.4188: 527 4/2/6[|domain] (DF)
14:44:08.686446 mclddns03.mcleodusa.net.domain > 192.168.254.1.4188: 527 4/13/8[|domain] (DF)
14:44:13.693538 mpdr0-adm.milwaukee.wi.ameritech.net.domain > 192.168.254.1.4188: 527 4/2/6[|domain] (DF)
14:44:18.715795 mclddns02.mcleodusa.net.domain > 192.168.254.1.4188: 527 4/2/6[|domain] (DF)
14:44:21.705798 mclddns03.mcleodusa.net.domain > 192.168.254.1.4188: 527 4/13/8[|domain] (DF)
14:44:24.709074 mpdr0-adm.milwaukee.wi.ameritech.net.domain > 192.168.254.1.4188: 527 4/2/6[|domain] (DF)
14:44:24.733360 192.168.254.254.route > 192.168.254.255.route: RIPv1-resp [items 1]: {0.0.0.0}(1)
14:44:24.733402 192.168.254.254.route > 192.168.254.255.route: RIPv1-resp [items 1]: {0.0.0.0}(1)
14:44:26.738646 192.168.254.254.route > RIP2-ROUTERS.MCAST.NET.route: RIPv2-resp [items 1]: {0.0.0.0}(1)
14:44:26.738690 192.168.254.254.route > RIP2-ROUTERS.MCAST.NET.route: RIPv2-resp [items 1]: {0.0.0.0}(1)
14:44:27.730208 mclddns02.mcleodusa.net.domain > 192.168.254.1.4188: 527 4/2/6[|domain] (DF)
14:44:33.723206 mclddns03.mcleodusa.net.domain > 192.168.254.1.4188: 527 4/13/8[|domain] (DF)
14:44:39.739682 mpdr0-adm.milwaukee.wi.ameritech.net.domain > 192.168.254.1.4188: 527 4/2/6[|domain] (DF)
14:44:42.481179 mclddns02.mcleodusa.net.domain > 192.168.254.1.4189: 170 1/2/2 (155) (DF)
14:44:43.474908 mclddns02.mcleodusa.net.domain > 192.168.254.1.4189: 170 1/2/2 (155) (DF)
14:44:44.004479 mclddns03.mcleodusa.net.domain > 192.168.254.1.4189: 170 1/2/2 (155) (DF)
14:44:44.461155 mpdr0-adm.milwaukee.wi.ameritech.net.domain > 192.168.254.1.4189: 170 1/2/2 (155) (DF)
14:44:45.762107 mclddns02.mcleodusa.net.domain > 192.168.254.1.4188: 527 4/2/6[|domain] (DF)
14:44:46.465238 mclddns03.mcleodusa.net.domain > 192.168.254.1.4189: 170 1/2/2 (155) (DF)
14:44:46.480847 mclddns02.mcleodusa.net.domain > 192.168.254.1.4189: 170 1/2/2 (155) (DF)
14:44:46.483790 mpdr0-adm.milwaukee.wi.ameritech.net.domain > 192.168.254.1.4189: 170 1/2/2 (155) (DF)
14:44:50.485990 mclddns02.mcleodusa.net.domain > 192.168.254.1.4189: 170 1/2/2 (155) (DF)
14:44:50.488644 mpdr0-adm.milwaukee.wi.ameritech.net.domain > 192.168.254.1.4189: 170 1/2/2 (155) (DF)
14:44:50.518083 mclddns03.mcleodusa.net.domain > 192.168.254.1.4189: 170 1/2/2 (155) (DF)
14:44:56.818885 192.168.254.254.route > 192.168.254.255.route: RIPv1-resp [items 1]: {0.0.0.0}(1)
14:44:56.818935 192.168.254.254.route > 192.168.254.255.route: RIPv1-resp [items 1]: {0.0.0.0}(1)
14:44:58.441991 phx11.phoenixinv.com.netbios-ns > 192.168.254.1.netbios-ns: udp 229 (DF)
14:44:58.754324 mclddns03.mcleodusa.net.domain > 192.168.254.1.4188: 527 4/13/8[|domain] (DF)
14:44:58.824255 192.168.254.254.route > RIP2-ROUTERS.MCAST.NET.route: RIPv2-resp [items 1]: {0.0.0.0}(1)
14:44:58.824294 192.168.254.254.route > RIP2-ROUTERS.MCAST.NET.route: RIPv2-resp [items 1]: {0.0.0.0}(1)
14:44:59.941883 phx11.phoenixinv.com.netbios-ns > 192.168.254.1.netbios-ns: udp 229 (DF)
14:45:01.444350 phx11.phoenixinv.com.netbios-ns > 192.168.254.1.netbios-ns: udp 229 (DF)
14:45:03.923038 mclddns02.mcleodusa.net.domain > 192.168.254.1.4191: 528 4/2/6[|domain] (DF)
14:45:08.908943 mclddns03.mcleodusa.net.domain > 192.168.254.1.4191: 528 4/13/8[|domain] (DF)
14:45:11.766056 mpdr0-adm.milwaukee.wi.ameritech.net.domain > 192.168.254.1.4188: 527 4/2/6[|domain] (DF)
14:45:13.918522 mpdr0-adm.milwaukee.wi.ameritech.net.domain > 192.168.254.1.4191: 528 4/2/6[|domain] (DF)
14:45:18.940922 mclddns02.mcleodusa.net.domain > 192.168.254.1.4191: 528 4/2/6[|domain] (DF)
14:45:21.923446 mclddns03.mcleodusa.net.domain > 192.168.254.1.4191: 528 4/2/6[|domain] (DF)
14:45:24.933912 mpdr0-adm.milwaukee.wi.ameritech.net.domain > 192.168.254.1.4191: 528 4/2/6[|domain] (DF)
14:45:27.955113 mclddns02.mcleodusa.net.domain > 192.168.254.1.4191: 528 4/2/6[|domain] (DF)
14:45:28.904565 192.168.254.254.route > 192.168.254.255.route: RIPv1-resp [items 1]: {0.0.0.0}(1)
14:45:28.904614 192.168.254.254.route > 192.168.254.255.route: RIPv1-resp [items 1]: {0.0.0.0}(1)
14:45:30.909887 192.168.254.254.route > RIP2-ROUTERS.MCAST.NET.route: RIPv2-resp [items 1]: {0.0.0.0}(1)
14:45:30.909932 192.168.254.254.route > RIP2-ROUTERS.MCAST.NET.route: RIPv2-resp [items 1]: {0.0.0.0}(1)
14:45:33.940545 mclddns03.mcleodusa.net.domain > 192.168.254.1.4191: 528 4/2/6[|domain] (DF)
14:45:39.959432 mpdr0-adm.milwaukee.wi.ameritech.net.domain > 192.168.254.1.4191: 528 4/2/6[|domain] (DF)
14:45:45.984571 mclddns02.mcleodusa.net.domain > 192.168.254.1.4191: 528 4/2/6[|domain] (DF)
14:45:51.114998 mclddns02.mcleodusa.net.domain > 192.168.254.1.4192: 194[|domain] (DF)
14:45:52.113859 mclddns02.mcleodusa.net.domain > 192.168.254.1.4192: 194[|domain] (DF)
14:45:53.100514 mpdr0-adm.milwaukee.wi.ameritech.net.domain > 192.168.254.1.4192: 194[|domain] (DF)
14:45:55.114122 mclddns03.mcleodusa.net.domain > 192.168.254.1.4192: 194*[|domain] (DF)
14:45:55.119777 mpdr0-adm.milwaukee.wi.ameritech.net.domain > 192.168.254.1.4192: 194[|domain] (DF)
14:45:55.122697 mclddns02.mcleodusa.net.domain > 192.168.254.1.4192: 194[|domain] (DF)
14:45:56.445563 mclddns03.mcleodusa.net.domain > 192.168.254.1.4192: 194*[|domain] (DF)
14:45:58.972070 mclddns03.mcleodusa.net.domain > 192.168.254.1.4191: 528 4/2/6[|domain] (DF)
14:45:59.110997 mclddns03.mcleodusa.net.domain > 192.168.254.1.4192: 194[|domain] (DF)
14:45:59.126655 mpdr0-adm.milwaukee.wi.ameritech.net.domain > 192.168.254.1.4192: 194[|domain] (DF)
14:45:59.129989 mclddns02.mcleodusa.net.domain > 192.168.254.1.4192: 194[|domain] (DF)
14:46:00.990202 192.168.254.254.route > 192.168.254.255.route: RIPv1-resp [items 1]: {0.0.0.0}(1)
14:46:00.990252 192.168.254.254.route > 192.168.254.255.route: RIPv1-resp [items 1]: {0.0.0.0}(1)
14:46:02.995429 192.168.254.254.route > RIP2-ROUTERS.MCAST.NET.route: RIPv2-resp [items 1]: {0.0.0.0}(1)
14:46:02.995482 192.168.254.254.route > RIP2-ROUTERS.MCAST.NET.route: RIPv2-resp [items 1]: {0.0.0.0}(1)
[/code]

I am lost. It still ain't working. I noticed some UDP port 229 crap so I tried to open that up, yet it still shows up in my firewall log. Plus I have noticed that from port 4180-something all the way to 4220 there is a lot of shit from some McLeod DNS server. I ain't sure if that's the remote side or what. Unless I am inadvertently blocking DNS too... I am going to take a look into that.

elmore
September 17th, 2002, 17:26
Well, you'll need a redirect rule to route into your internal subnet from the outside, but... aren't both of these servers private? I think that you might need a bridge here to filter between the two subnets. Like this:

[code]

Internet
|
|
Subnet1--------Subnet2


[/code]

If you want subnet2 to talk to subnet1 you need to bridge. Is this what you're trying to do here?

schotty
September 17th, 2002, 18:39
Well, I got it further than before. I got some weird results. I added my DNS servers and the DSL router subnet to the accept policy. Here is what I get when I try to send to my RoadRunner account:

[code]
16:16:35.521799 kcmx01.mgw.rr.com.smtp > 192.168.254.1.4316: . ack 1 win 65340 (DF)
16:16:35.923809 kcmx01.mgw.rr.com.smtp > 192.168.254.1.4316: S 2469318053:2469318053(0) ack 11618476 win 65340 <mss 1460> (DF)
16:16:41.539097 kcmx01.mgw.rr.com.smtp > 192.168.254.1.4316: . ack 1 win 65340 (DF)
16:16:42.675551 kcmx01.mgw.rr.com.smtp > 192.168.254.1.4316: S 2469318053:2469318053(0) ack 11618476 win 65340 <mss 1460> (DF)
16:16:53.550558 kcmx01.mgw.rr.com.smtp > 192.168.254.1.4316: . ack 1 win 65340 (DF)
16:16:56.178999 kcmx01.mgw.rr.com.smtp > 192.168.254.1.4316: S 2469318053:2469318053(0) ack 11618476 win 65340 <mss 1460> (DF)
16:16:57.539204 192.168.254.254.route > RIP2-ROUTERS.MCAST.NET.route: RIPv2-resp [items 1]: {0.0.0.0}(1)
16:17:23.185300 kcmx01.mgw.rr.com.smtp > 192.168.254.1.4316: S 2469318053:2469318053(0) ack 11618476 win 65340 <mss 1460> (DF)
16:17:29.624876 192.168.254.254.route > RIP2-ROUTERS.MCAST.NET.route: RIPv2-resp [items 1]: {0.0.0.0}(1)
16:18:01.710475 192.168.254.254.route > RIP2-ROUTERS.MCAST.NET.route: RIPv2-resp [items 1]: {0.0.0.0}(1)
16:18:02.689605 vamx01.mgw.rr.com.smtp > 192.168.254.1.4316: S 3518674858:3518674858(0) ack 11618641 win 10164 <mss 1452> (DF)
16:18:05.690027 vamx01.mgw.rr.com.smtp > 192.168.254.1.4316: . ack 1 win 10164 (DF)
16:18:06.185566 vamx01.mgw.rr.com.smtp > 192.168.254.1.4316: S 3518674858:3518674858(0) ack 11618641 win 10164 <mss 1452> (DF)
16:18:11.698650 vamx01.mgw.rr.com.smtp > 192.168.254.1.4316: . ack 1 win 10164 (DF)
16:18:12.587343 vamx01.mgw.rr.com.smtp > 192.168.254.1.4316: S 3518674858:3518674858(0) ack 11618641 win 10164 <mss 1452> (DF)
16:18:17.197739 kcmx01.mgw.rr.com.smtp > 192.168.254.1.4316: S 2469318053:2469318053(0) ack 11618476 win 65340 <mss 1460> (DF)
16:18:23.718855 vamx01.mgw.rr.com.smtp > 192.168.254.1.4316: . ack 1 win 10164 (DF)
16:18:25.389323 vamx01.mgw.rr.com.smtp > 192.168.254.1.4316: S 3518674858:3518674858(0) ack 11618641 win 10164 <mss 1452> (DF)
16:18:29.368458 vm01.mx.execpc.com.smtp > 192.168.254.1.4321: S 1665428311:1665428311(0) ack 11618664 win 32736 <mss 1452>
16:18:32.374327 vm01.mx.execpc.com.smtp > 192.168.254.1.4321: S 1665428311:1665428311(0) ack 11618664 win 32736 <mss 1452>
16:18:33.795965 192.168.254.254.route > RIP2-ROUTERS.MCAST.NET.route: RIPv2-resp [items 1]: {0.0.0.0}(1)
16:18:38.375114 vm01.mx.execpc.com.smtp > 192.168.254.1.4321: S 1665428311:1665428311(0) ack 11618664 win 32736 <mss 1452>
[/code]

Apparently someone tried to send something to ExecPC as well. Now, as far as the routing -- it won't matter. I am doing the transparent firewall thingie.

So my topology looks like this

[code]

Internet
-
-
-
DSL Nat Router
-
-
-
OpenBSD Firewall Bridge ----
- -
- - LAN -->
- -
Exchange Server ------
[/code]


there ya go.

elmore
September 17th, 2002, 21:08
Hmmmm, why don't you just turn NAT off on the DSL router and let your OBSD box do the NATting for you? It'd probably work better and IMHO would be way easier to configure. Also, since OBSD 2.8 you have the ability to do PPPoE straight from your box, thus really eliminating the need for a router altogether. IMHO that's really the way to go here. Throwing that router into the mix is just confusing things.


I'm confused as to how the packets in your internal subnet reach the Exchange server at all with no clear gateway. Hmmmm, let's see, if I were to set this up I would probably do something more along the lines of this.

[code]

Internet
-
-
-
Invisible/Bridge-----PDMZ
-
-
-
FW/NAT/PPOE
-
-
-
LAN

[/code]

Then your rulesets are simple. There's a clear path for the data to follow. Any reason you can't do it this way? You could even leave out the invisible bridge and PDMZ and just redirect your mail traffic to an internal box inside your LAN.

schotty
September 17th, 2002, 21:38
[quote="elmore"]Hmmmm, why don't you just turn NAT off on the DSL router and let your OBSD box do the NATting for you? It'd probably work better and IMHO would be way easier to configure. Also, since OBSD 2.8 you have the ability to do PPPoE straight from your box, thus really eliminating the need for a router altogether. IMHO that's really the way to go here. Throwing that router into the mix is just confusing things.[/quote]


Well, we are broke here at Amerivoice, so buying a PPPoE card is not feasible. The router doohickey has the DSL port and several Ethernets. If it was a bridge, like a client of mine got, yes, I would do that.


[quote="elmore"]I'm confused as to how the packets in your internal subnet reach the Exchange server at all with no clear gateway.[/quote]

Well, the mail server has the gateway set up. It uses the router, which will work fine if the firewall is not on in the BSD bridge. That's what is weird. It looks like there is some random port for the data to fly back on which is getting blocked. BlackICE, although shitty, is doing the job currently. And from the boss's standpoint, this should be able to be done in BSD if it is any good. Now we both know that this can be accomplished far better with BSD. I am just confused as to where my obvious error is.

I am lost as to what is happening. BlackICE is set up to firewall based on IP and/or port. We have the same ports opened up on BlackICE. The rest is LAN allows and blocks to outside attackers' IPs. I am confused as to where my logic failed me. It appears that there is something wrong in the outgoing rules. Either something is missing, or conflicting.

For example, right now, pf is on, but no rules are loaded. The firewalling is done by BlackICE. It works. You send me mail, I get it. I reply, you get it. I flip the rules into pf, and I can't send, but can receive. The problem now is that there are packets getting blocked in on goofy ports, apparent receipts or handshakes. Why? Why are these ports closed on BlackICE, but when pf does that, it blocks them and the shit stops working? Is there an option to allow the connection to continue, is that what keep state does? 'Cuz that would more than likely fix it. Anyhow, I've got a few more tricks to try. I am getting real anal on this one :)
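The question just asked, whether `keep state` is what lets the reply half of a connection back through, is what the following added example illustrates. It is an editor's toy model of pf's documented evaluation order (state table first, then last-matching rule, with `quick` ending the search), not pf's code and not anything posted in this thread; it ignores TCP flag and sequence-number checks and pf's per-interface state options. The interface names ne4/ne5, the hostnames and the mail port list are taken from the posts above.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the bridge sees the packet on (ne4 = ext, ne5 = int)
    direction: str    # "in" = arriving on iface, "out" = leaving through iface
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    direction: str
    iface: str
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    quick: bool = False
    keep_state: bool = False

    def matches(self, pkt):
        return (self.direction == pkt.direction and self.iface == pkt.iface
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


class Firewall:
    """Toy model of pf's documented evaluation order, not pf's code: a packet that
    matches an existing state passes without consulting the rules; otherwise the last
    matching rule wins, unless a matching rule is 'quick', which ends the search."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()

    @staticmethod
    def state_key(pkt):
        # Unordered endpoint pair, so the reply (src/dst swapped) finds the same entry.
        return (pkt.proto, frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def filter(self, pkt):
        key = self.state_key(pkt)
        if key in self.states:
            return "pass (state)"
        winner = None
        for rule in self.rules:
            if rule.matches(pkt):
                winner = rule
                if rule.quick:
                    break
        if winner is None:
            return "pass (default)"       # pf passes what no rule matches
        if winner.action == "pass" and winner.keep_state:
            self.states.add(key)
        return winner.action


MAIL_PORTS = [25, 109, 110, 119, 143, 209, 220, 420, 993, 994]

# Ruleset A: per-port pass rules on the internal side, no state (the shape of the
# rules in the first post). Block sits first; the quick pass rules override it.
STATELESS = ([Rule("pass", "in", "ne4", quick=True), Rule("pass", "out", "ne4", quick=True),
              Rule("pass", "out", "ne5", quick=True), Rule("block", "in", "ne5")]
             + [Rule("pass", "in", "ne5", "tcp", p, quick=True) for p in MAIL_PORTS])

# Ruleset B: the mail rule lives on the external side and keeps state; the internal
# side still blocks by default, so only traffic belonging to a tracked session passes.
STATEFUL = ([Rule("block", "in", "ne4"), Rule("block", "in", "ne5")]
            + [Rule("pass", "in", "ne4", "tcp", p, quick=True, keep_state=True)
               for p in MAIL_PORTS])

CLIENT = ("f156.law11.hotmail.com", 1638)   # peer from the log in the first post
SERVER = ("192.168.254.1", 25)


def inbound_smtp_session(fw):
    """Walk one inbound SMTP connection through the bridge and return the verdicts for
    the client's SYN entering on ne4 and the server's SYN-ACK entering on ne5."""
    syn_in = Packet("ne4", "in", "tcp", *CLIENT, *SERVER)
    syn_out = Packet("ne5", "out", "tcp", *CLIENT, *SERVER)
    synack_in = Packet("ne5", "in", "tcp", *SERVER, *CLIENT)
    v_syn = fw.filter(syn_in)
    fw.filter(syn_out)
    return v_syn, fw.filter(synack_in)


def unsolicited_synack(fw):
    """A SYN-ACK from port 25 with no prior SYN: no state can vouch for it."""
    return fw.filter(Packet("ne5", "in", "tcp", *SERVER, *CLIENT))


if __name__ == "__main__":
    print("stateless:", inbound_smtp_session(Firewall(STATELESS)))
    print("stateful: ", inbound_smtp_session(Firewall(STATEFUL)))
    print("stateful, unsolicited SYN-ACK:", unsolicited_synack(Firewall(STATEFUL)))
```

Under ruleset A the client's SYN passes, but the server's SYN-ACK (source port 25, destination port 1638) matches none of the "to any port N" rules and falls to the block. Under ruleset B the SYN creates a state entry and the SYN-ACK is admitted by that entry, not by any open port; the third case shows the same SYN-ACK arriving without a preceding SYN is still dropped, which is the property a stateless per-port rule for source port 25 could not give you.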

elmore
September 17th, 2002, 21:48
Hmmmm.... Have you tried just loading an open ruleset and seeing if it works? Try that; from there you can narrow it down a bit. Then you could always try just letting all traffic out with these lines:

[code]
# and let out-going traffic out and maintain state on established connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
# ALSO ALLOW isakmp outgoing
block out on $ExtIF all
pass out on $ExtIF inet proto tcp all flags S/SA keep state
pass out on $ExtIF inet proto udp all keep state
pass out on $ExtIF inet proto icmp all keep state
[/code]

Those rules should let all of your traffic out. Then take away rules as you eliminate.

schotty
September 17th, 2002, 22:22
[quote="elmore"]Hmmmm.... Have you tried just loading an open ruleset and seeing if it works? Try that; from there you can narrow it down a bit. Then you could always try just letting all traffic out with these lines:

[code]
# and let out-going traffic out and maintain state on established connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
# ALSO ALLOW isakmp outgoing
block out on $ExtIF all
pass out on $ExtIF inet proto tcp all flags S/SA keep state
pass out on $ExtIF inet proto udp all keep state
pass out on $ExtIF inet proto icmp all keep state
[/code]

Those rules should let all of your traffic out. Then take away rules as you eliminate.[/quote]

I am sure that will help one way or another. Let me try it out and see. I will want to put the port numbers in too, right? Well, I'll check the OpenBSD manual pages for that info.

Thanks much!

elmore
September 17th, 2002, 22:40
Try a ruleset like this one:

[code]

#setup Variables
lan_if = "ne3" # LAN adapter, for administration
ext_if = "ne4" # External WAN adapter
int_if = "ne5" # Internal Service side adapter, in our case AVO1
Email = "{ 25, 109, 110, 119, 143, 209, 220, 420, 993, 994 }"

#Rules#
scrub in all

#Default Deny#
block in log on $ext_if all

#Email Rules#
pass in quick on $ext_if proto tcp from any to any port $Email # SMTP, pop, imap and others

# and let out-going traffic out and maintain state on established connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
block out on $ext_if all
pass out on $ext_if inet proto tcp all flags S/SA keep state
pass out on $ext_if inet proto udp all keep state
pass out on $ext_if inet proto icmp all keep state
[/code]

schotty
September 19th, 2002, 13:12
Thanks, it works great!

Appreciate the help!