Sending mail from external firewall to external mail server (behind firewall)

From: Albert Chin (openbsd-miscmlists.thewrittenword.com)
Date: Tue Feb 19 2008 - 22:36:20 CST


We have the following network layout:

                 ------------
                |  Internet  |
                 ------------
                       |
                       |
                       | (fxp4: 67.95.107.117,
                       |        67.95.107.111,
                       |        et al.)
               ---------------------
              | External Firewall |
              |     (hammer)      |
               ---------------------
                       | (vlan104: 192.168.13.81)
                       |
                       | (em0: 192.168.13.82)
               ---------------------
              |   External Mail   |
              |      (emma)       |
               ---------------------

hammer% ifconfig fxp4
fxp4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:07:e9:5d:62:f8
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 67.95.107.117 netmask 0xffffffe0 broadcast 67.95.107.127
        inet6 fe80::207:e9ff:fe5d:62f8%fxp4 prefixlen 64 scopeid 0x6
        inet 67.95.107.111 netmask 0xffffffff broadcast 67.95.107.111
        ...

I have the following pf.conf rules applicable to this setup:
  ext_if = "fxp4"
  mail_ip = "67.95.107.111"
  emma_gw = "192.168.13.82"

  set skip on { lo0 }

  rdr pass log on $ext_if inet proto tcp from any to $mail_ip \
    port = smtp -> $emma_gw

From the Internet, if I "telnet 67.95.107.111 25", everything works.
But, on hammer:
  hammer% telnet 67.95.107.111 25
  Trying 67.95.107.111...
  telnet: connect to address 67.95.107.111: Connection refused

Digging further:
  hammer% netstat -rn | grep 67.95.107.111
  67.95.107.111 127.0.0.1 UGHS 0 317 33224 lo0
  67.95.107.111/32 link#6 UC 0 0 - fxp4

So, I then did this:
  hammer% telnet 67.95.107.111 25
  Trying 67.95.107.111...
  telnet: connect to address 67.95.107.111: Connection refused

While running the telnet, tcpdump reported:
  hammer% tcpdump -n -i lo0
  18:06:44.364940 67.95.107.111.2877 > 67.95.107.111.25: S 71726850:71726850(0) win 16384 <mss 33184,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1184513159 0> (DF) [tos 0x10]
  18:06:44.364949 67.95.107.111.25 > 67.95.107.111.2877: R 0:0(0) ack 71726851 win 0 (DF)

Makes sense considering the netstat output. So, on hammer, how do I
get "telnet 67.95.107.111 25" working?

According to pf.conf(5):
     set skip on <ifspec>
           List interfaces for which packets should not be filtered. Packets
           passing in or out on such interfaces are passed as if pf was dis-
           abled, i.e. pf does not process them in any way. This can be use-
           ful on loopback and other virtual interfaces, when packet filtering
           is not desired and can have unexpected effects. For example:

                 set skip on lo0

Is the standard solution to configure mail on hammer so delivery is
through 192.168.13.82, not 67.95.107.111?

--
albert chin (chinathewrittenword.com)
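One way to make hammer's own connections reach the redirection, added here as an example and not part of the original post: a connection from hammer to its own alias never crosses fxp4, it loops through lo0, and `set skip on { lo0 }` exempts lo0 from pf entirely, so the rdr is stated on lo0 as well and lo0 is dropped from the skip list. That the return path from emma matches the lo0 state on this particular setup is an assumption; the alternative the post itself raises, delivering straight to 192.168.13.82, needs no translation at all.

```conf
# Added example (not from the original post). Reuses the macros from the
# posted pf.conf; the lo0 rule, the skip change and the lo0 pass are new.
ext_if  = "fxp4"
mail_ip = "67.95.107.111"
emma_gw = "192.168.13.82"

# lo0 must be filtered for the lo0 redirection below to take effect,
# so it is no longer listed under skip (this line is intentionally out).
# set skip on { lo0 }

# Inbound from the Internet, unchanged from the original post.
rdr pass log on $ext_if inet proto tcp from any to $mail_ip \
    port = smtp -> $emma_gw

# Connections originated on hammer to its own alias traverse lo0, not
# fxp4, so the same translation is declared on lo0.
rdr pass log on lo0 inet proto tcp from any to $mail_ip \
    port = smtp -> $emma_gw

# With lo0 filtered, loopback traffic needs an explicit pass
# (assumes the rest of the ruleset blocks by default).
pass on lo0
```

After loading this, `telnet 67.95.107.111 25` on hammer should show the SYN being translated to 192.168.13.82 in `pfctl -s state` rather than the loopback RST seen in the tcpdump above.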