# IMAP-SSL timeouts, since I use a FreeBSD/PF gateway



## mariourk (Aug 8, 2012)

I'm using a FreeBSD serve with PF as my gateway for some time now. Everything seemd to work fine, except that I notice Evolution trying to reach a mailserver on the internet for minutes, until it times out. When I cancel that, it usually works fine right away. But every now and than something goes wrong and it doesn't. I have no idea what causes this problem.

Another strange thing is when I try to post to a forum. This one, for example. When I click on _Submit_, or _Preview_, I get a _22 invalid argument_ error. But when I click on refesh, it works fine.

Here is my firewall configuration. Does some have an idea what causes this strange behavious?


```
int_if = "em0"
ext_if = "fxp0"
tcp_services = "{ 22,80,443,25,587,993 }"
icmp_types = "echoreq"
priv_nets = "{ 192.168.10.0/24 }"

set block-policy drop
set loginterface $ext_if
set skip on lo0

scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)


### filter rules
block all

# block incoming traffic from private networks on external interface
block drop in quick on $ext_if from $priv_nets to any

# block outgoing traffic to private networks on external interface
block drop out quick on $ext_if from any to $priv_nets

# allow access to tcp_services on external interface
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

# allow in ping replies
pass in inet proto icmp all icmp-type $icmp_types keep state

# allow all traffic from internal network to internal interface
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# allow all traffic out via external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```

Feel free to point out any rookie mistake too


----------



## SirDice (Aug 8, 2012)

There's no rule that allows _outgoing_ traffic.


----------



## mariourk (Aug 8, 2012)

SirDice said:
			
		

> There's no rule that allows _outgoing_ traffic.



Aren't these rules doing that?

```
pass out on $int_if from any to $int_if:network keep state

# allow all traffic out via external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```
Also, if outgoing traffic was not allowed, how is it possible that I can surf the web?

I'm not trying to mock you. I'm just trying to understand what you mean and what I'm doing wrong


----------



## SirDice (Aug 8, 2012)

Oops, didn't scroll all the way down on the code box :r


----------



## quintessence (Aug 8, 2012)

Hello,

Change (remove modulate state)



> pass out on $ext_if proto tcp all modulate state flags S/SA




```
pass out on $ext_if proto tcp
```


----------



## mariourk (Aug 9, 2012)

Unfortunately, that didn't make any difference


----------



## CoTones (Aug 9, 2012)

Looks pretty good. Try adding


```
scrub out on $ext_if all max-mss 1440
```


----------



## mariourk (Aug 9, 2012)

That also doesn't solve the issue :\


----------



## quintessence (Aug 9, 2012)

Hello,

Are you sure the server you are trying to connect is connectable? What says 

```
pfctl -ss | grep 993
```

Can you able to resolve the server you are trying to connect? If not try to connect to its IP address instead hostname.

"Mailserver on the internet", this means some external server, not yours or?

Can you able to connect to the same server via other place?

Did you try to connect via telnet instead via your local mail client?


----------



## mariourk (Aug 10, 2012)

here is the output, when the problem occured.

192.168.1.99 is the internal network address of my PC. 10.0.0.150 is the IP of my modem.

The server is still accessable when this problem occures.


----------



## mariourk (Aug 16, 2012)

Still no solution 

Anyone?


----------



## gkontos (Aug 16, 2012)

I don't see the point in here but this is irrelevant from your problem:


```
# allow all traffic from internal network to internal interface
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
```

Now, you might want to check your external router for CRC errors. You might also want to expand the ICMP types, { echorep, echoreq, timex, paramprob, unreach code needfrag }. Finally, you can try to measure your packet loss generally.


----------

