Subject: Re: HELP w/ipf, DHCP & postfix
To: Pimin <pimin@rockhead.com>
From: Tobias Nygren <tnn+nbsd@nygren.pp.se>
List: netbsd-help
Date: 11/11/2006 10:32:42
I don't think that kind of routing setup can be made with ipf.
The provider will only route traffic originating from its own
ip address space due to spoofing issues.
It might work if you switch to pf. (there's a kernel module available)
Look at the pf.conf manual page and the reply-to keyword in
particular.

-Tobias
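
An added illustration of the pf approach pointed to above (reply-to and route-to); it is not from this thread and has not been tested on Paul's setup. It assumes tlp0 is the static DSL link and tlp1 the DHCP cable link carrying the default route, as in the posted ipf rules; the DSL gateway address is a placeholder.

```pf
# Added example: keep DSL-addressed traffic on the DSL link with pf.
# Assumptions: tlp0 = DSL (static, rockhead.com), tlp1 = cable (DHCP, default route).
dsl_if   = "tlp0"
cable_if = "tlp1"
dsl_gw   = "192.0.2.1"   # placeholder: real next-hop on the DSL side is not given in the thread

set skip on lo0

# Inbound SMTP that arrives on the DSL address: record the interface and
# gateway in the state entry, so the SYN/ACK and every later reply leave
# through tlp0 instead of following the default route out the cable side.
pass in on $dsl_if reply-to ($dsl_if $dsl_gw) proto tcp \
     from any to ($dsl_if) port smtp flags S/SA keep state

# Connections this host opens from the DSL address (postfix with
# inet_interfaces set to the DSL side) are also handed to the default
# route; route-to pulls them back onto the DSL link before they leave.
pass out on $cable_if route-to ($dsl_if $dsl_gw) \
     from ($dsl_if) to any keep state

# Traffic sourced from each interface's own address uses that link normally.
pass out on $cable_if from ($cable_if) to any keep state
pass out on $dsl_if   from ($dsl_if)   to any keep state

# The cable side should never answer as a mail server (fetchmail collects that mail).
block in log on $cable_if proto tcp from any to ($cable_if) port smtp
```

A real ruleset would put a default `block` rule ahead of these and carry over the rest of the port list; `pfctl -nf pf.conf` parses the file without loading it.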

Pimin wrote:
> Running NetBSD 3.0.1 & postfix 2.3.3.
>
> Apologies if I'm in the wrong list, being incredibly dense and/or not including relevant
> information.
>
> I've appended the ipf settings for tlp1 (cable).  "Cable" is a DHCP connection.
> When "cable" is up it is my default route.  Postfix has been told (via inet_interfaces)
> that it should use the "DSL" (rockhead.com) line.  Things seem to work well except that 
> I get the following on the "cable" interface:
>
>      11:58:29.493860 IP rockhead.com.smtp > dsl-189-156-21-235.prod-infinitum.com.mx.2041: \
>         S 1045339041:1045339041(0) ack 331392030 win 32768 <mss 1460,sackOK,nop,nop>
>
> The "DSL" addr seems to be actually going out the "cable" interface, I get responses
> on the "DSL" interface.
>
> I don't understand why the "DSL" ip addr is being used on the "cable" interface.
> I must have to do something else to get the "cable" ipaddr to be used on the "cable"
> interface?  The ".smtp" traffic is the only traffic I see with the "DSL" ipaddr.
> (Using "tcpdump -i tlp1 host rockhead.com")
>
> I use fetchmail to retrieve my "cable" mail so a complete remap of port 25 to "DSL"
> doesn't seem doable.
>
> I thought the first 7 lines from the ipf.conf file would fix this problem?
>
> Where did I go wrong?
>
> TIA,
> Paul
>
> pass out log quick on tlp1 to tlp0 proto tcp/udp from 209.128.91.40  to any
> pass out log quick on tlp1 to tlp0 proto tcp/udp from 209.128.91.41  to any
> pass out log quick on tlp1 to tlp0 proto tcp/udp from 209.128.91.42  to any
> pass out log quick on tlp1 to tlp0 proto tcp/udp from 209.128.91.43  to any
> pass out log quick on tlp1 to tlp0 proto tcp/udp from 209.128.91.44  to any
> pass out log quick on tlp1 to tlp0 proto tcp/udp from 209.128.91.45  to any
> pass out log quick on tlp1 to tlp0 proto tcp/udp from 209.128.91.46  to any
> pass out log quick on tlp1 to ppp0 proto tcp/udp from any to 172.17/24
> block in log quick on tlp1 from any to 172.16.89.42  port = 25
> block in log quick on tlp1 from any to 172.16.89.42  port = 25
> pass out log quick on tlp1 to tlp0                from 209.128.91.40  to any
> pass out log quick on tlp1 to tlp0                from 209.128.91.41  to any
> pass out log quick on tlp1 to tlp0                from 209.128.91.42  to any
> pass out log quick on tlp1 to tlp0                from 209.128.91.43  to any
> pass out log quick on tlp1 to tlp0                from 209.128.91.44  to any
> pass out log quick on tlp1 to tlp0                from 209.128.91.45  to any
> pass out log quick on tlp1 to tlp0                from 209.128.91.46  to any
> block in  log quick on tlp1 proto icmp from any to w95.rockhead.com
> block in  log quick on tlp1            from any to w95.rockhead.com port = 376
> block in  log quick on tlp1            from any to w95.rockhead.com port = 25
> block in  log quick on tlp1            from any to w95.rockhead.com port = 80
> block in  log quick on tlp1            from any to w95.rockhead.com port = 134
> block out log quick on tlp1            from any to w95.rockhead.com port = 135
> block in  log quick on tlp1            from any to w95.rockhead.com port = 135
> block in  log quick on tlp1            from any to w95.rockhead.com port = 136
> block in  log quick on tlp1            from any to w95.rockhead.com port = 160
> block in  log quick on tlp1            from any to w95.rockhead.com port = 445
> block out log quick on tlp1            from any to w95.rockhead.com port = 445
> block out log quick on tlp1            from any to w95.rockhead.com port = 1024
> block out log quick on tlp1            from any to w95.rockhead.com port = 1080
> block out log quick on tlp1            from any to w95.rockhead.com port = 2000
> block out log quick on tlp1            from any to w95.rockhead.com port = 2001
> block in  log quick on tlp1            from any to w95.rockhead.com port = 5554
> block out log quick on tlp1            from any to w95.rockhead.com port = 5554
> block in  log quick on tlp1            from any to w95.rockhead.com port = 5742
> block out log quick on tlp1            from any to w95.rockhead.com port = 5742
> block in  log quick on tlp1            from any to w95.rockhead.com port = 9996
> block out log quick on tlp1            from any to w95.rockhead.com port = 9996
> block out log quick on tlp1            from any to w95.rockhead.com port = 12345
> block out log quick on tlp1            from any to w95.rockhead.com port = 12346
> block out log quick on tlp1            from any to w95.rockhead.com port = 20034
> block out log quick on tlp1            from any to w95.rockhead.com port = 31337
> block out log quick on tlp1            from any to w95.rockhead.com port = 40421
> block out log quick on tlp1            from any to w95.rockhead.com port = 40425
> block out log quick on tlp1            from any to w95.rockhead.com port = 54320
> block in  log quick on tlp1 proto icmp from any to pauls-pc
> block in  log quick on tlp1            from any to pauls-pc port = 376
> block in  log quick on tlp1            from any to pauls-pc port = 25
> block in  log quick on tlp1            from any to pauls-pc port = 80
> block in  log quick on tlp1            from any to pauls-pc port = 134
> block out log quick on tlp1            from any to pauls-pc port = 135
> block in  log quick on tlp1            from any to pauls-pc port = 135
> block in  log quick on tlp1            from any to pauls-pc port = 136
> block in  log quick on tlp1            from any to pauls-pc port = 160
> block in  log quick on tlp1            from any to pauls-pc port = 445
> block out log quick on tlp1            from any to pauls-pc port = 445
> block out log quick on tlp1            from any to pauls-pc port = 1024
> block out log quick on tlp1            from any to pauls-pc port = 1080
> block out log quick on tlp1            from any to pauls-pc port = 2000
> block out log quick on tlp1            from any to pauls-pc port = 2001
> block in  log quick on tlp1            from any to pauls-pc port = 5554
> block out log quick on tlp1            from any to pauls-pc port = 5554
> block in  log quick on tlp1            from any to pauls-pc port = 5742
> block out log quick on tlp1            from any to pauls-pc port = 5742
> block in  log quick on tlp1            from any to pauls-pc port = 9996
> block out log quick on tlp1            from any to pauls-pc port = 9996
> block out log quick on tlp1            from any to pauls-pc port = 12345
> block out log quick on tlp1            from any to pauls-pc port = 12346
> block out log quick on tlp1            from any to pauls-pc port = 20034
> block out log quick on tlp1            from any to pauls-pc port = 31337
> block out log quick on tlp1            from any to pauls-pc port = 40421
> block out log quick on tlp1            from any to pauls-pc port = 40425
> block out log quick on tlp1            from any to pauls-pc port = 54320
> block in  log quick on tlp1 proto icmp from any to glorias-pc.rockhead.com
> block in  log quick on tlp1            from any to glorias-pc.rockhead.com port = 376
> block in  log quick on tlp1            from any to glorias-pc.rockhead.com port = 25
> block in  log quick on tlp1            from any to glorias-pc.rockhead.com port = 80
> block in  log quick on tlp1            from any to glorias-pc.rockhead.com port = 134
> block out log quick on tlp1            from any to glorias-pc.rockhead.com port = 135
> block in  log quick on tlp1            from any to glorias-pc.rockhead.com port = 135
> block in  log quick on tlp1            from any to glorias-pc.rockhead.com port = 136
> block in  log quick on tlp1            from any to glorias-pc.rockhead.com port = 160
> block in  log quick on tlp1            from any to glorias-pc.rockhead.com port = 445
> block out log quick on tlp1            from any to glorias-pc.rockhead.com port = 445
> block out log quick on tlp1            from any to glorias-pc.rockhead.com port = 1024
> block out log quick on tlp1            from any to glorias-pc.rockhead.com port = 1080
> block out log quick on tlp1            from any to glorias-pc.rockhead.com port = 2000
> block out log quick on tlp1            from any to glorias-pc.rockhead.com port = 2001
> block in  log quick on tlp1            from any to glorias-pc.rockhead.com port = 5554
> block out log quick on tlp1            from any to glorias-pc.rockhead.com port = 5554
> block in  log quick on tlp1            from any to glorias-pc.rockhead.com port = 5742
> block out log quick on tlp1            from any to glorias-pc.rockhead.com port = 5742
> block in  log quick on tlp1            from any to glorias-pc.rockhead.com port = 9996
> block out log quick on tlp1            from any to glorias-pc.rockhead.com port = 9996
> block out log quick on tlp1            from any to glorias-pc.rockhead.com port = 12345
> block out log quick on tlp1            from any to glorias-pc.rockhead.com port = 12346
> block out log quick on tlp1            from any to glorias-pc.rockhead.com port = 20034
> block out log quick on tlp1            from any to glorias-pc.rockhead.com port = 31337
> block out log quick on tlp1            from any to glorias-pc.rockhead.com port = 40421
> block out log quick on tlp1            from any to glorias-pc.rockhead.com port = 40425
> block out log quick on tlp1            from any to glorias-pc.rockhead.com port = 54320
> block in  log quick on tlp1 proto icmp from any to glorias-pc
> block in  log quick on tlp1            from any to glorias-pc port = 376
> block in  log quick on tlp1            from any to glorias-pc port = 80
> block in  log quick on tlp1            from any to glorias-pc port = 134
> block out log quick on tlp1            from any to glorias-pc port = 135
> block in  log quick on tlp1            from any to glorias-pc port = 135
> block in  log quick on tlp1            from any to glorias-pc port = 136
> block in  log quick on tlp1            from any to glorias-pc port = 160
> block in  log quick on tlp1            from any to glorias-pc port = 445
> block out log quick on tlp1            from any to glorias-pc port = 445
> block in  log quick on tlp1            from any to glorias-pc port = 5554
> block out log quick on tlp1            from any to glorias-pc port = 5554
> block in  log quick on tlp1            from any to glorias-pc port = 5742
> block out log quick on tlp1            from any to glorias-pc port = 5742
> block in  log quick on tlp1            from any to glorias-pc port = 9996
> block out log quick on tlp1            from any to glorias-pc port = 9996
> block out log quick on tlp1            from any to glorias-pc port = 12345
> block out log quick on tlp1            from any to glorias-pc port = 12346
> block out log quick on tlp1            from any to glorias-pc port = 20034
> block out log quick on tlp1            from any to glorias-pc port = 31337
> block out log quick on tlp1            from any to glorias-pc port = 40421
> block out log quick on tlp1            from any to glorias-pc port = 40425
> block out log quick on tlp1            from any to glorias-pc port = 54320
> block out log quick on tlp1            from any to shell4.bayarea.net   port = 25
> block out log quick on tlp1            from any to shell4.bayarea.net   port = 109
> block out log quick on tlp1            from any to shell4.bayarea.net   port = 110
> block out log quick on tlp1            from any to smtpout1.bayarea.net port = 25
> block out log quick on tlp1            from any to smtpout1.bayarea.net port = 109
> block out log quick on tlp1            from any to smtpout1.bayarea.net port = 110
> block out log quick on tlp1            from any to 205.219.84.13
> block out log quick on tlp1            from any to mail.bayarea.net     port = 25
> block out log quick on tlp1            from any to mail.bayarea.net     port = 109
> block out log quick on tlp1            from any to mail.bayarea.net     port = 110
> pass  in  log   on tlp1 proto tcp/udp from any to any port  =  22       # ssh/scp
> pass  in  log   on tlp1 proto tcp/udp from any to any port  =  2222     # ssh/scp
> pass  in  log   on tlp1 proto tcp/udp from any to any port  =  22022     # ssh/scp
> pass  in  log   on tlp1 proto tcp/udp from any to any port  =  22222     # ssh/scp
> block in  log on tlp1  proto tcp/udp from any to any port =  13     #   daytime
> block in  log on tlp1  proto tcp/udp from any to any port =  19     #   chargen
> block out log on tlp1  proto tcp/udp from any to any port =  19     #   chargen
> block in  log on tlp1  proto tcp/udp from any to any port =  21     #   ftp
> block in  log on tlp1  proto tcp/udp from any to any port =  23     #   telnet
> block in  log on tlp1                from any to any port =  23     #   telnet
> block in  log on tlp1  proto tcp/udp from any to any port =  79     #   finger
> block in  log on tlp1  proto tcp/udp from any to any port =  80     #   www  ... because at home blocks them anyway
> block in  log on tlp1  proto tcp/udp from any to any port = 109     #   pop2 ... because at home blocks them anyway
> block in  log on tlp1  proto tcp/udp from any to any port = 110     #   pop3 ... because at home blocks them anyway
> block in  log on tlp1  proto tcp/udp from any to any port = 111     #   sunrpc
> block in  log on tlp1  proto tcp/udp from any to any port = 119     #   news
> block out log on tlp1  proto tcp/udp from any to any port = 135     #   loc-srv
> block out log on tlp1  proto tcp/udp from any to any port = 137     #   NETBIOS Name Service
> block in  log on tlp1  proto tcp/udp from any to any port = 137     #   NETBIOS Name Service
> block out log on tlp1  proto tcp/udp from any to any port = 138     #   NETBIOS Datagram Service
> block in  log on tlp1  proto tcp/udp from any to any port = 138     #   NETBIOS Datagram Service
> block out log on tlp1  proto tcp/udp from any to any port = 139     #   NETBIOS Session Service
> block in  log on tlp1  proto tcp/udp from any to any port = 139     #   NETBIOS Session Service
> block in  log on tlp1  proto tcp/udp from any to any port = 143     #   imap3
> block in  log on tlp1  proto tcp/udp from any to any port = 161     #   snmp
> block in  log on tlp1  proto tcp/udp from any to any port = 177     #   xdmcp
> block in  log on tlp1  proto tcp/udp from any to any port = 213     #   IPX
> block in  log on tlp1  proto tcp/udp from any to any port = 396     #   netware-ip
> block in  log on tlp1  proto tcp/udp from any to any port = 445     #   microsoft-ds
> block in  log on tlp1  proto tcp/udp from any to any port = 512     #   exec/biff
> block in  log on tlp1  proto tcp/udp from any to any port = 513     #   who/rlogin
> block in  log on tlp1  proto tcp/udp from any to any port = 514     #   shell/syslog
> block in  log on tlp1  proto tcp/udp from any to any port = 515     #   print spool
> block out log on tlp1  proto tcp/udp from any to any port = 520     #   route
> block in  log on tlp1  proto tcp/udp from any to any port = 525     #   timed
> block in  log on tlp1  proto tcp/udp from any to any port = 540     #   uucp
> block in  log on tlp1  proto tcp/udp from any to any port = 541     #   rdist
> block in  log on tlp1  proto tcp/udp from any to any port = 556     #   remotefs
> block in  log on tlp1  proto tcp/udp from any to any port = 587     #   submission
> block in  log on tlp1  proto tcp/udp from any to any port = 2049    #   nfs
> block in  log on tlp1  proto tcp/udp from any to any port = 3128    #   squid-http
> block in  log on tlp1  proto tcp/udp from any to any port = 6000    #   X11 Window system
> block in  log on tlp1  proto tcp/udp from any to any port = 8888    #   sun-answerbook
> block in  log on tlp1  proto tcp/udp from any to any port = 9119    #   HTTPD news
>