Subject: NetBSD ipfilter firewall.
To: None <netbsd-help@netbsd.org>
From: Mine Sakiyama <msakiyam@yahoo.com>
List: netbsd-help
Date: 05/22/2003 10:31:51
Hello.
I am running NetBSD 1.6 on sparc as a firewall using ipfilter. Recently I added another host (RedHat
Linux) behind the firewall as a sendmail server. I have added the following lines to /etc/ipf.conf and
/etc/ipnat.conf respectively. (The connection to the internet is via DSL (pppoe0).)

#ipfilter
pass in log quick on pppoe0 proto tcp from any to any port = 25 keep state
# block all other incoming traffic...
block in log quick on pppoe0 all

#ipnat
rdr pppoe0 0.0.0.0/0 port 25 -> 192.168.0.2  port 25 tcp

I have tested sending mail from outside; most mails worked, except when it tries to receive mail
from the NetBSD mailing list: the sendmail server logs the following (see below) in the maillog and
it cannot receive the mail. I see some packets are blocked by ipfilter as well.

May 22 08:17:13 alex ipmon[82]: 08:17:13.316211 pppoe0 @0:33 b mail.netbsd.org[155.53.1.253] ->
internet.internal.com[192.168.0.2] PR tcp len 20 (164) frag 144@1336 IN (entire session log
below).

What changes do I need to make to ipfilter to allow mail from NetBSD? I actually had a similar
problem accessing the NetBSD website, and ended up allowing all incoming TCP packets from NetBSD's web
server. The confusing thing is, I was able to receive some mails sent to the port-sparc64 and
netbsd-help lists, but when I looked at the sendmail and ipfilter logs there were a bunch that did not
come through.

#sendmail log on linux
May 22 08:18:18 localhost sendmail[8984]: h4MF9l0B008984: collect: premature EOM: Connection reset
by mail.netbsd.org
May 22 08:18:18 localhost sendmail[8984]: h4MF9l0B008984: SYSERR(root): collect: I/O error on
connection from mail.netbsd.org, from=<port-sparc64-owner-msakiyam=sakiyama.mine.nu@netbsd.org>
May 22 08:18:18 localhost sendmail[8984]: h4MF9l0B008984:
from=<port-sparc64-owner-msakiyam=sakiyama.mine.nu@netbsd.org>, size=1002, class=-30, nrcpts=1,
proto=SMTP, daemon=MTA, relay=mail.netbsd.org [155.53.1.253]


# IPF log on NetBSD
May 22 08:16:10 alex ipmon[82]: 08:16:09.322812 pppoe0 @0:29 p mail.netbsd.org[155.53.1.253],57365
-> internet.internal.com[192.168.0.2],smtp PR tcp len 20 1356 -A K-S IN
May 22 08:16:10 alex ipmon[82]: 08:16:09.322886 hme0 @0:29 p mail.netbsd.org[155.53.1.253],57365
-> internet.internal.com[192.168.0.2],smtp PR tcp len 20 1356 -A K-S OUT
May 22 08:16:10 alex ipmon[82]: 08:16:09.324362 pppoe0 @0:32 b mail.netbsd.org[155.53.1.253] ->
internet.internal.com[192.168.0.2] PR tcp len 20 (164) frag 144@1336 IN
May 22 08:16:39 alex ipmon[82]: 08:16:39.315727 hme0 @-1:-1 p internet.internal.com[192.168.0.2]
-> mail.netbsd.org[155.53.1.253] PR icmp len 20 576 icmp timxceed/reassem for
mail.netbsd.org[155.53.1.253],57365 - internet.internal.com[192.168.0.2],smtp PR tcp len 20 1356
K-S IN
May 22 08:16:39 alex ipmon[82]: 08:16:39.315808 pppoe0 @-1:-1 p
adsl-67-121-152-159.dsl.pltn13.pacbell.net[67.121.152.159] -> mail.netbsd.org[155.53.1.253] PR
icmp len 20 576 icmp timxceed/reassem for mail.netbsd.org[155.53.1.253],57365 -
adsl-67-121-152-159.dsl.pltn13.pacbell.net[67.121.152.159],smtp PR tcp len 20 1356 K-S OUT
May 22 08:17:13 alex ipmon[82]: 08:17:13.314939 pppoe0 @0:29 p mail.netbsd.org[155.53.1.253],57365
-> internet.internal.com[192.168.0.2],smtp PR tcp len 20 1356 -A K-S IN
May 22 08:17:13 alex ipmon[82]: 08:17:13.315039 hme0 @0:29 p mail.netbsd.org[155.53.1.253],57365
-> internet.internal.com[192.168.0.2],smtp PR tcp len 20 1356 -A K-S OUT
May 22 08:17:13 alex ipmon[82]: 08:17:13.316211 pppoe0 @0:33 b mail.netbsd.org[155.53.1.253] ->
internet.internal.com[192.168.0.2] PR tcp len 20 (164) frag 144@1336 IN
May 22 08:17:44 alex ipmon[82]: 08:17:43.307297 hme0 @-1:-1 p internet.internal.com[192.168.0.2]
-> mail.netbsd.org[155.53.1.253] PR icmp len 20 576 icmp timxceed/reassem for
mail.netbsd.org[155.53.1.253],57365 - internet.internal.com[192.168.0.2],smtp PR tcp len 20 1356
K-S IN
May 22 08:17:44 alex ipmon[82]: 08:17:43.307384 pppoe0 @-1:-1 p
adsl-67-121-152-159.dsl.pltn13.pacbell.net[67.121.152.159] -> mail.netbsd.org[155.53.1.253] PR
icmp len 20 576 icmp timxceed/reassem for mail.netbsd.org[155.53.1.253],57365 -
adsl-67-121-152-159.dsl.pltn13.pacbell.net[67.121.152.159],smtp PR tcp len 20 1356 K-S OUT
May 22 08:18:17 alex ipmon[82]: 08:18:17.288337 pppoe0 @0:29 p mail.netbsd.org[155.53.1.253],57365
-> internet.internal.com[192.168.0.2],smtp PR tcp len 20 40 -AR K-S IN
May 22 08:18:17 alex ipmon[82]: 08:18:17.288409 hme0 @0:29 p mail.netbsd.org[155.53.1.253],57365
-> internet.internal.com[192.168.0.2],smtp PR tcp len 20 40 -AR K-S OUT

Thanks 

Mine

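Added example (an editor's addition, not part of the original post and not IP Filter's own code): a small Python script that parses ipmon(8) lines of the shape quoted above and correlates blocked fragments with the stateful sessions they belong to. It assumes only the ipmon output format visible in the mail; the sample lines are the post's own entries re-joined onto single lines, plus one constructed, unrelated block entry (a made-up scanner host) as a negative control. What it surfaces is visible in the log itself: a non-first fragment carries no TCP header, so ipmon prints no ports for it, a rule that matches on "port = 25 keep state" cannot claim it, and it falls through to the catch-all "block in ... all" rule (0:32 and 0:33 here); the inside host's "icmp timxceed/reassem" then reports the reassembly timeout that follows.

```python
"""Correlate blocked IP fragments in ipmon(8) output with passed sessions.

Added example, not code from the original post or from IP Filter.  The
regexes below encode the ipmon line shapes seen in the mail and nothing more.
"""
import re
from collections import defaultdict

# Common ipmon prefix: syslog stamp, host, ipmon[pid], packet timestamp,
# interface, rule group:number, action (p = pass, b = block).
PREFIX = (r"^\w{3} +\d+ [\d:]+ \S+ ipmon\[\d+\]: [\d:.]+ (?P<iface>\S+) "
          r"@(?P<rule>-?\d+:-?\d+) (?P<action>\S) ")
HOST = r"[^\s\[]+\[(?P<{ip}>[\d.]+)\]"

# A packet that still has its transport header: ipmon prints ",port" after each host.
SESSION_RE = re.compile(PREFIX + HOST.format(ip="sip") + r",(?P<sport>\S+) -> "
                        + HOST.format(ip="dip") + r",(?P<dport>\S+) PR (?P<proto>\w+) "
                        r"len \d+ (?P<len>\d+)(?P<flags>.*?)\s(?P<dir>IN|OUT)$")
# A non-first fragment: no ports (there is no TCP header to read them from),
# total length in parentheses, then "frag <bytes>@<offset>".
FRAG_RE = re.compile(PREFIX + HOST.format(ip="sip") + r" -> " + HOST.format(ip="dip")
                     + r" PR (?P<proto>\w+) len \d+ \((?P<len>\d+)\) "
                     r"frag (?P<fraglen>\d+)@(?P<offset>\d+) (?P<dir>IN|OUT)$")
# An ICMP error; what follows "for" is the header of the packet it refers to.
ICMP_RE = re.compile(PREFIX + HOST.format(ip="sip") + r" -> " + HOST.format(ip="dip")
                     + r" PR icmp len \d+ \d+ icmp (?P<icmptype>\S+) for (?P<inner>.*)$")

# Sample input: the post's own ipmon entries re-joined onto single lines, plus a
# constructed, unrelated blocked SYN from a made-up host as a negative control.
SAMPLE_LOG = """\
May 22 08:16:10 alex ipmon[82]: 08:16:09.322812 pppoe0 @0:29 p mail.netbsd.org[155.53.1.253],57365 -> internet.internal.com[192.168.0.2],smtp PR tcp len 20 1356 -A K-S IN
May 22 08:16:10 alex ipmon[82]: 08:16:09.322886 hme0 @0:29 p mail.netbsd.org[155.53.1.253],57365 -> internet.internal.com[192.168.0.2],smtp PR tcp len 20 1356 -A K-S OUT
May 22 08:16:10 alex ipmon[82]: 08:16:09.324362 pppoe0 @0:32 b mail.netbsd.org[155.53.1.253] -> internet.internal.com[192.168.0.2] PR tcp len 20 (164) frag 144@1336 IN
May 22 08:16:39 alex ipmon[82]: 08:16:39.315727 hme0 @-1:-1 p internet.internal.com[192.168.0.2] -> mail.netbsd.org[155.53.1.253] PR icmp len 20 576 icmp timxceed/reassem for mail.netbsd.org[155.53.1.253],57365 - internet.internal.com[192.168.0.2],smtp PR tcp len 20 1356 K-S IN
May 22 08:18:17 alex ipmon[82]: 08:18:17.288337 pppoe0 @0:29 p mail.netbsd.org[155.53.1.253],57365 -> internet.internal.com[192.168.0.2],smtp PR tcp len 20 40 -AR K-S IN
May 22 08:20:01 alex ipmon[82]: 08:20:01.000000 pppoe0 @0:33 b scanner.example.net[198.51.100.7],4444 -> internet.internal.com[192.168.0.2],ssh PR tcp len 20 60 -S IN
"""


def parse_ipmon(lines):
    """Classify each line as 'session', 'frag' or 'icmp'; lines of other shapes are skipped."""
    records = []
    for line in lines:
        line = line.rstrip()
        for kind, rx in (("frag", FRAG_RE), ("icmp", ICMP_RE), ("session", SESSION_RE)):
            m = rx.match(line)
            if m:
                records.append({"kind": kind, **m.groupdict()})
                break
    return records


def orphaned_fragments(records):
    """Blocked non-first fragments whose endpoints match a session the firewall passed.

    A non-first fragment has no TCP header, so a port-matching stateful rule
    cannot claim it and it falls through to the catch-all block rule.  If the
    destination host later sent an ICMP time-exceeded/reassembly error back
    toward the sender, that is flagged as corroboration.
    """
    passed = defaultdict(set)            # (sip, dip, proto) -> {(sport, dport)}
    for r in records:
        if r["kind"] == "session" and r["action"] == "p":
            passed[(r["sip"], r["dip"], r["proto"])].add((r["sport"], r["dport"]))
    # The ICMP error travels dst -> src of the original flow, so reverse it
    # to get the original (src, dst) key.
    reassembly_failed = {(r["dip"], r["sip"]) for r in records
                         if r["kind"] == "icmp" and r["icmptype"] == "timxceed/reassem"}
    findings = []
    for r in records:
        if r["kind"] != "frag" or r["action"] != "b" or int(r["offset"]) == 0:
            continue
        key = (r["sip"], r["dip"], r["proto"])
        if key in passed:
            findings.append({
                "iface": r["iface"],
                "rule": r["rule"],
                "flow": f'{r["sip"]} -> {r["dip"]}/{r["proto"]}',
                "sessions": sorted(passed[key]),
                "fragment": f'{r["fraglen"]} bytes at offset {r["offset"]}',
                "reassembly_timeout_seen": (r["sip"], r["dip"]) in reassembly_failed,
            })
    return findings


if __name__ == "__main__":
    for f in orphaned_fragments(parse_ipmon(SAMPLE_LOG.splitlines())):
        print(f'{f["iface"]} rule {f["rule"]} blocked fragment ({f["fragment"]}) of '
              f'{f["flow"]}, passed sessions {f["sessions"]}, '
              f'reassembly timeout reported: {f["reassembly_timeout_seen"]}')
```

The script reports exactly one finding for the sample: the fragment blocked by rule 0:32 belongs to the 155.53.1.253,57365 -> 192.168.0.2,smtp session that rule 0:29 passed, and the inside host's timxceed/reassem error confirms it never got the rest of the datagram (the copy of that ICMP seen on pppoe0 carries the NATed source address and is deliberately not matched). As an editor's suggestion rather than anything the post states, the IP Filter remedy for this pattern is to add "keep frags" to the pass rule alongside "keep state", so that ipf remembers the datagram whose first fragment matched and passes its remaining fragments instead of letting them fall through to the block-all rule.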