# Problems with pf blocking smtp



## sam0016 (Apr 19, 2013)

I have been trying to get this to work for hours but I just can't get it to work. pf blocks the emails going out with this config. Can anyone see what is wrong?


```
SYN_ONLY="S/FSRA"
EXT_NIC="em0"
INT_NIC="em0"

EXT_IP="Removed"

block all

pass in log quick on $EXT_NIC proto TCP from any to $EXT_IP port 22 keep state
pass in log quick on $EXT_NIC proto TCP from any to $EXT_IP port 80 keep state
pass in log quick on $EXT_NIC proto TCP from any to $EXT_IP port 443 keep state

pass in log on $EXT_NIC proto TCP from any to any port 25
pass out log on $EXT_NIC proto TCP from any to any port 25

pass in quick on lo0 all
pass out quick on lo0 all
```


----------



## sam0016 (Apr 19, 2013)

If I add this in it works.


```
pass out log quick on $EXT_NIC proto TCP all keep state
```


----------



## ShelLuser (Apr 19, 2013)

My first suggestion was stateful filtering, then I glimpsed at the packet filter guide (I'm more of an ipfilter guy) and stateful filtering is implied so we can scratch that idea.

Even so; I'd suggest trying to use telnet to contact the remote SMTP server manually using `$ telnet [host] 25`. That way you can see for yourself what's happening; your box should be able to contact the remote, but do you also see any response data?


----------



## ShelLuser (Apr 19, 2013)

sam0016 said:

> If I add this in it works.
>
> ```
> ...
> ```


Then my suggestion would be correct, but it makes little sense because the packet filter guide explicitly states that all pass rules create a state entry (see the state section of that guide).

As such something doesn't add up here.

Glad to hear you managed to solve it though; happens to all of us. _Just_ after you asked for help you finally see the problem.


----------



## sam0016 (Apr 19, 2013)

ShelLuser said:

> Then my suggestion would be correct, but it makes little sense because the packet filter guide explicitly states that all pass rules create a state entry (see the state section of that guide).
>
> As such something doesn't add up here.
>
> Glad to hear you managed to solve it though; happens to all of us. _Just_ after you asked for help you finally see the problem.



I changed it to this and it is still working, but it is now not blocking anything on other ports.


```
pass out log on $EXT_NIC proto UDP from $EXT_IP to any port 53
```

Never mind, I forgot to re-enable pf; it's been a long day. It's working now though.


----------
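The working configuration in this thread came together in pieces: the original rules, a broad `pass out ... all keep state` rule, and finally an outbound UDP port 53 rule. The ruleset below is an added example (not any poster's pf.conf) that pulls those pieces into one file. It keeps the default deny, passes in only the services the host offers, and passes out SMTP together with the DNS queries a mail server needs to resolve MX records, which is the traffic a plain `block all` policy silently cuts off. On FreeBSD's pf a `pass` rule keeps state by default, so the explicit `keep state` is not needed. The interface name and the address are placeholders assumed for the example.

```pf
# Added example ruleset for a single-interface host that serves SSH/HTTP/HTTPS
# and sends mail out. EXT_IP is a placeholder; use the host's real address.
EXT_NIC = "em0"
EXT_IP  = "203.0.113.10"

# Loopback traffic is never filtered; this replaces the two "pass ... on lo0" rules.
set skip on lo0

# Default deny. "log" makes every blocked packet visible on pflog0.
block log all

# Services this host offers to the outside.
pass in quick on $EXT_NIC proto tcp from any to $EXT_IP port { 22, 80, 443 }

# Inbound mail, if the host also receives it.
pass in quick on $EXT_NIC proto tcp from any to $EXT_IP port 25

# Outbound mail delivery. The state entry created here also admits the replies,
# so no separate "pass in" rule is needed for them.
pass out quick on $EXT_NIC proto tcp from $EXT_IP to any port 25

# Outbound DNS. Without this the MTA cannot look up MX records and delivery
# fails in a way that looks like pf "blocking smtp".
pass out quick on $EXT_NIC proto udp from $EXT_IP to any port 53
```

Check the file with `pfctl -nf /etc/pf.conf` (parse only) before loading it with `pfctl -f /etc/pf.conf`. `pfctl -ss` lists the state entries the pass rules create, which is a quick way to confirm that both the DNS query and the outbound SMTP connection actually went through.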



## J65nko (Apr 19, 2013)

If you want to allow outgoing mail this should do it:


```
pass out log quick on $EXT_NIC proto TCP from any to any port 25
```

You can delete those rules for allowing loopback lo0 traffic by using:

```
set skip on lo0
```

at the beginning of your rule set.

You can view the blocked traffic if you use:


```
block log all
```

and run tcpdump on the pflog0 device:


```
# tcpdump -tttt -eni pflog0
2013-04-19 21:16:48.767552 rule 16..16777216/0(match): block in on re0:
 74.9.218.18.11727 > myserverip.1080: Flags [S], seq 3193498077, 
 win 65535, options [mss 1380,nop,nop,sackOK], length 0

2013-04-19 21:16:48.908457 rule 16..16777216/0(match): block in on re0:
  74.9.218.18.11728 > myserverip.1080: Flags [S], seq 3435152698,
   win 65535, options [mss 1380,nop,nop,sackOK], length 0

2013-04-19 21:20:50.465815 rule 16..16777216/0(match): block in on re0:
   81.94.201.44.53145 > myserverip.445: Flags [S], seq 1722286079,
   win 512, length 0
```

These blocked connection attempts are probes for:

```
$ egrep '1080|445' /etc/services

microsoft-ds    445/tcp                         # Microsoft-DS
microsoft-ds    445/udp                         # Microsoft-DS
socks           1080/tcp                        # Socks
```

You can also run tcpdump on the /var/log/pflog file:

`# tcpdump -tttt -enr /var/log/pflog`
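Reading the pflog output by eye works for three lines; for a day of `block log all` it does not. The script below is an added example, not code from the thread, from pf or from tcpdump. It parses the record layout that `tcpdump -tttt -eni pflog0` prints (a header line with timestamp, rule numbers, action, direction and interface, followed by continuation lines with the endpoints and TCP flags), counts blocked inbound packets per destination port, names the port the way the `/etc/services` lookup above does, and lists which source hosts sent bare SYNs. The sample input is constructed from the thread's lines, and the small `SERVICES` table stands in for the real `/etc/services` so the example runs offline.

```python
"""Summarise blocked connection attempts from tcpdump's pflog output.

Added example for this thread, not code from the thread, from pf or from
tcpdump. It parses the record layout that `tcpdump -tttt -eni pflog0` prints
on FreeBSD: a header line (timestamp, rule numbers, action, direction,
interface) followed by continuation lines with the endpoints and TCP flags.
"""
import re
from collections import Counter

# Constructed sample modelled on the thread's output; the addresses and the
# "myserverip" placeholder are illustrative, not observed traffic.
SAMPLE_PFLOG = """\
2013-04-19 21:16:48.767552 rule 16..16777216/0(match): block in on re0:
 74.9.218.18.11727 > myserverip.1080: Flags [S], seq 3193498077,
 win 65535, options [mss 1380,nop,nop,sackOK], length 0

2013-04-19 21:16:48.908457 rule 16..16777216/0(match): block in on re0:
  74.9.218.18.11728 > myserverip.1080: Flags [S], seq 3435152698,
   win 65535, options [mss 1380,nop,nop,sackOK], length 0

2013-04-19 21:20:50.465815 rule 16..16777216/0(match): block in on re0:
   81.94.201.44.53145 > myserverip.445: Flags [S], seq 1722286079,
   win 512, length 0
"""

# Stand-in for the /etc/services lookup in the thread, so the example runs
# without the real file (an assumed subset, not the full table).
SERVICES = {22: "ssh", 25: "smtp", 53: "domain", 445: "microsoft-ds", 1080: "socks"}

HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) rule (?P<rule>\S+): "
    r"(?P<action>pass|block|match) (?P<dir>in|out) on (?P<ifname>\S+):"
)
ENDPOINTS_RE = re.compile(
    r"^\s*(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):"
    r"(?: Flags \[(?P<flags>[^\]]*)\])?"
)


def parse_pflog(text):
    """Return one dict per logged packet: header fields plus endpoints/flags."""
    records = []
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.groupdict()
            records.append(current)
            continue
        if current is None or "dport" in current:
            continue  # nothing started yet, or endpoints already captured
        endpoints = ENDPOINTS_RE.match(line)
        if endpoints:
            current["src"] = endpoints.group("src")
            current["sport"] = int(endpoints.group("sport"))
            current["dst"] = endpoints.group("dst")
            current["dport"] = int(endpoints.group("dport"))
            current["flags"] = endpoints.group("flags") or ""
    return records


def blocked_by_port(records):
    """Count blocked inbound packets per destination port, most frequent first."""
    counts = Counter(
        r["dport"] for r in records
        if r["action"] == "block" and r["dir"] == "in" and "dport" in r
    )
    return [
        (port, SERVICES.get(port, "unknown"), n)
        for port, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    ]


def probe_sources(records):
    """Map each source host to the sorted blocked ports it sent bare SYNs to."""
    hosts = {}
    for r in records:
        if r["action"] == "block" and r.get("flags") == "S":
            hosts.setdefault(r["src"], set()).add(r["dport"])
    return {host: sorted(ports) for host, ports in hosts.items()}


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    for port, name, n in blocked_by_port(recs):
        print(f"port {port:>5} ({name}): {n} blocked packet(s)")
    for host, ports in probe_sources(recs).items():
        print(f"{host} probed {ports}")
```

To run it over live data, feed the output of `tcpdump -tttt -eni pflog0` (or `tcpdump -tttt -enr /var/log/pflog`) into `parse_pflog` instead of the constructed sample. Hosts that appear in `probe_sources` with several ports are the usual port-scan pattern; a single bare SYN to 445 or 1080, as in the thread, is background scanning that the default deny is already handling.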


----------

