On Sun, May 3, 2009 at 10:14 AM, dug <[email protected]> wrote:
> Thanks for your reply.
>
> On 2 May 09 at 10:59, ropers wrote:
>
>> 2009/5/1 dug <[email protected]>:
>> 0>
>> 1> #Allow SMTP, HTTPS
>> 2> pass quick proto tcp from any to {<public-ip> <mail-server>} port 25
>> 3> pass quick proto tcp from any to {<public-ip> <mail-server>} port 443
>> 4> pass quick proto tcp from {<public-ip> <mail-server>} port 25 to any
>> 5> pass quick proto tcp from {<public-ip> <mail-server>} port 25 to any
>> 6> pass quick proto tcp from any port 25 to {<public-ip> <mail-server>}
>> 7> pass quick proto tcp from {<public-ip> <mail-server>} to any port 25
>>
>> Lines 4 and 5 are identical. Presumably you wanted to write port 443 in line 5?
>
> Ok. It's just a mistake rewriting the rule in the mail.
> In my pf.conf, it's set to port 443, not port 25.
>
>>> block in on em0: mail-server.59902 > 81.255.99.202.25: [|tcp] (ttl 63, id 14511, len 40)
>>>
>>> block in on em0: mail-server.59902 > 81.255.99.202.25: [|tcp] (ttl 63, id 40161, len 52)
>>>
>>
>> Not sure what's going on here; line 7 should match these.
>
> That's my problem and what I don't understand ....
> In a perfect world, my rule must match these packets .... But currently not.
>
>
>>> block in on em0: mail-server.25 > 81.28.185.240.1777: [|tcp] (ttl 63, id 4151, len 41)
>>>
>>
>> Not sure what's going on there; line 4 (and, currently, 5) should match these.
>
> Setting the rule "pass quick from any to any" at the beginning of my pf.conf file doesn't solve the problem.
> I always get blocks on these packets ....
>
> Logs of the pftop tool:
>
> pfTop: Up Rule 1-55/71, View: rules, Cache: 10000
>
> RULE ACTION DIR LOG Q IF PR K  PKTS  BYTES STATES MAX INFO
>    0 Pass   Any     Q      K    560  69035     96     all flags S/SA
>    1 Block  Any Log              44   1772      0     drop all
>
>
> These are the options in the pf.conf file:
>
> set block-policy drop
> set skip on {gif0}
> set loginterface $ext_if
> set limit { states 100000, frags 50000 }
> set optimization normal
> set state-policy if-bound

Remove that last line and it should work. If not, send the output of pfctl -s rules.

-HKS

>
> scrub all no-df random-id fragment reassemble
>
> Regards.
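The corrected configuration, as an added example that is not from the thread: the poster's options and rules with `set state-policy if-bound` replaced by the default floating policy, so one state for a connection matches on whichever interface its packets appear. The interface name, addresses and macro names are assumed placeholders.

```pf
# Added example (not from the thread): the poster's options and rules
# with the state-policy line corrected.  Interface name, addresses and
# macro names are assumed placeholders.
ext_if      = "em0"             # assumed
mail_server = "192.0.2.25"      # assumed
public_ip   = "203.0.113.10"    # assumed

set block-policy drop
set skip on { gif0 }
set loginterface $ext_if
set limit { states 100000, frags 50000 }
set optimization normal
# The thread's config had "set state-policy if-bound", which binds every
# state to the interface it was created on; a packet of the same
# connection seen on another interface finds no state there and falls
# through to rule evaluation.  "floating" (the default) lets one state
# match on every interface.
set state-policy floating

scrub all no-df random-id fragment reassemble

# Allow SMTP and HTTPS to and from the mail server (rule 5 with port 443,
# as the poster says it is in the real file).
pass quick proto tcp from any to { $public_ip $mail_server } port 25
pass quick proto tcp from any to { $public_ip $mail_server } port 443
pass quick proto tcp from { $public_ip $mail_server } port 25 to any
pass quick proto tcp from { $public_ip $mail_server } port 443 to any
pass quick proto tcp from any port 25 to { $public_ip $mail_server }
pass quick proto tcp from { $public_ip $mail_server } to any port 25

block log all
```

Validate with `pfctl -nf /etc/pf.conf` before loading; `pfctl -s states` prints the interface each state is bound to, showing "all" for floating states.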

