# ipfw can't send mail



## graudeejs (Mar 25, 2010)

I started switching from pf to ipfw, so far so good, but here's my problem: I can't send mail to outside my server.


```
# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
EFDFC9213       710 Thu Mar 25 20:43:21  aldis@bsdroot.lv
                    (connect to 127.0.0.1[127.0.0.1]:10025: Permission denied)
                                         killasmurf86@gmail.com

-- 1 Kbytes in 1 Request.
```
In this message you can see that Postfix wants to connect to the ClamAV antivirus; it should then send the mail.

Here's (what I think is) the relevant part of the ipfw rules:

```
#!/bin/sh
cmd="/sbin/ipfw -q"

# $root_ip and $e_if are set earlier in the full script (not shown here)

$cmd flush

# setup loopback
$cmd add 00010 allow ip from 127.0.0.0/8 to 127.0.0.0/8 via lo0
$cmd add 00020 deny ip from any to 127.0.0.0/8
$cmd add 00030 deny ip from 127.0.0.0/8 to any

$cmd add 00060 check-state

$cmd add 00500 allow tcp from $root_ip to any smtp,submission out via $e_if keep-state
```


I tried many different combos related to loopback, but I fail to figure this out; any ideas?
If you need more info, let me know.


Should I mention that it works if ipfw is off?


----------



## jailed (Mar 25, 2010)

$root_ip and $e_if are not defined in your script, so your rule #500 won't work.

Why do you use local loopback ip for smtp use instead of lan or wan ip?

You can remark all rules and add allow all from any to any so that you can test variations before this rule. Is your ipfw set to open or close?


----------



## graudeejs (Mar 25, 2010)

They are defined; I simply showed the relevant part, the whole script is about 50 lines.
I think it's set to closed...
I will try your suggestion about allowing any to any [heck, why didn't I think of this] tomorrow. Tonight it is late.


----------



## graudeejs (Mar 26, 2010)

When I remove this:

```
# setup loopback
$cmd add 00010 allow ip from 127.0.0.0/8 to 127.0.0.0/8 via lo0
$cmd add 00020 deny ip from any to 127.0.0.0/8
$cmd add 00030 deny ip from 127.0.0.0/8 to any
```

and add:

```
$cmd add 00010 allow ip from me to me
```
Postfix can send mail.


----------



## phoenix (Mar 26, 2010)

Change rule 10 to be just:

```
allow ip from any to any via lo0
```

You want to allow everything over the loopback device, otherwise a lot of things will fail.


----------



## smoofy (Jul 23, 2013)

Hi, 

I'm currently having a similar problem. Please see my `ipfw list` below:


```
00010 allow ip from any to any via lo0
00015 check-state
00100 allow tcp from x.y.z.254 to x.y.z.164 dst-port 22 via vtnet0 setup keep-state
00101 allow tcp from x.y.z.164 22 to any via vtnet0 setup keep-state
00110 allow udp from any to any dst-port 53 via vtnet0
00120 allow { udp or tcp } from any to any dst-port 25,113,465 out keep-state
00130 allow log tcp from any to any dst-port 25,465 in
65535 deny ip from any to any
```

Yet I'm unable to send mail either to localhost or to the outside network. When I turn off the firewall, email can be sent to localhost. Any advice?

Thx


----------



## Savagedlight (Jul 23, 2013)

smoofy said:

> Hi,
> I'm currently having a similar problem. Please see my ipfw list below:
> 
> 
> ...


You forgot keep-state on rule 130. Currently, it will allow packets in on port 25 and 465, but it won't allow any communication going out from those ports.


----------



## smoofy (Jul 23, 2013)

Thanks for the reply, great point. But still, that would make sense for outgoing connections only, right? The rule has nothing to do with communication on localhost, by which locally sent email is handled, or am I wrong?
I thought that this line:


```
00010 allow ip from any to any via lo0
```

means that all communication on loopback is allowed and therefore even locally sent mail. And as I said before, when IPFW is stopped, mail arrives normally.


----------



## Savagedlight (Jul 23, 2013)

SYN packets are allowed to pass in through your firewall to port 25. ACK (or SYN/ACK) from port 25 to whatever port the connection was initialized from, is blocked by the catch-all deny rule. This makes the connection fail to establish.

Therefore, you either need keep-state, or add some other rule which allows traffic from port 25 on your host to anyone, on any interface.


----------
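Both problems in this thread come down to ipfw's first-match evaluation: the original loopback rules 10/20/30 can deny a local connection before anything allows it, and rule 130 without keep-state lets the remote SYN in while the SYN/ACK that port 25 sends back falls through to the default deny, as Savagedlight describes. The Python model below is an added example, not code from any poster or from FreeBSD; it implements just enough of ipfw's rule matching (numbered rules, first match wins, keep-state creating a dynamic entry that a later check-state consults) to replay both cases against the rulesets posted above. All addresses, the interface name em0 (standing in for $e_if), the ephemeral ports, and the case where the local connection originates from the host's external address rather than 127.0.0.1 are constructed assumptions.

```python
"""Toy model of ipfw first-match evaluation with keep-state / check-state.
Added example for this thread, not the posters' code; it touches no real
firewall and models only the syntax the thread's rules use. All addresses,
interface names and packets are constructed sample data."""
import ipaddress

EXT_IP = "203.0.113.164"       # constructed stand-in for $root_ip / x.y.z.164
ADMIN_IP = "203.0.113.254"     # constructed stand-in for x.y.z.254
REMOTE = "198.51.100.7"        # constructed remote MTA
HOST_ADDRS = {EXT_IP, "127.0.0.1"}  # what the 'me' keyword expands to here

def rule(num, action, proto="ip", src="any", dst="any", sports=None, dports=None,
         direction=None, via=None, setup=False, keep_state=False):
    """One static rule; proto is a name or a tuple such as ("udp", "tcp")."""
    proto = (proto,) if isinstance(proto, str) else tuple(proto)
    return dict(num=num, action=action, proto=proto, src=src, dst=dst, sports=sports,
                dports=dports, direction=direction, via=via, setup=setup,
                keep_state=keep_state)

def pkt(proto, src, sport, dst, dport, direction, iface, flags=("SYN",)):
    """A packet as ipfw sees it: on one interface, going in or out."""
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                direction=direction, iface=iface, flags=set(flags))

def _addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in HOST_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r["num"])  # lowest number first; first match wins
        self.state = set()  # dynamic entries made by keep-state: (proto, src, sport, dst, dport)

    def _dynamic_match(self, p):
        fwd = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        return fwd in self.state or rev in self.state

    def _static_match(self, r, p):
        return (("ip" in r["proto"] or p["proto"] in r["proto"])
                and _addr_match(r["src"], p["src"]) and _addr_match(r["dst"], p["dst"])
                and (r["sports"] is None or p["sport"] in r["sports"])
                and (r["dports"] is None or p["dport"] in r["dports"])
                and (r["direction"] is None or r["direction"] == p["direction"])
                and (r["via"] is None or r["via"] == p["iface"])
                and (not r["setup"] or ("SYN" in p["flags"] and "ACK" not in p["flags"])))

    def check(self, p):
        """Return (verdict, rule number); 65535 is the implicit default deny."""
        for r in self.rules:
            if r["action"] == "check-state":
                if self._dynamic_match(p):
                    return "allow", r["num"]
                continue
            if self._static_match(r, p):
                if r["action"] == "allow" and r["keep_state"]:
                    self.state.add((p["proto"], p["src"], p["sport"], p["dst"], p["dport"]))
                return r["action"], r["num"]
        return "deny", 65535

# graudeejs' original loopback rules plus rule 500 (em0 stands in for $e_if),
# then the two replacements for rule 10 that the thread tried.
ORIGINAL = [
    rule(10, "allow", src="127.0.0.0/8", dst="127.0.0.0/8", via="lo0"),
    rule(20, "deny", dst="127.0.0.0/8"),
    rule(30, "deny", src="127.0.0.0/8"),
    rule(60, "check-state"),
    rule(500, "allow", "tcp", EXT_IP, "any", dports={25, 587}, direction="out",
         via="em0", keep_state=True),
]
ME_TO_ME = [rule(10, "allow", src="me", dst="me")] + ORIGINAL[3:]
ANY_VIA_LO0 = [rule(10, "allow", via="lo0")] + ORIGINAL[3:]

def smoofy_rules(keep_state_on_130):
    """smoofy's ruleset, with rule 130 as posted or with keep-state added."""
    return [
        rule(10, "allow", via="lo0"),
        rule(15, "check-state"),
        rule(100, "allow", "tcp", ADMIN_IP, EXT_IP, dports={22}, via="vtnet0", setup=True, keep_state=True),
        rule(101, "allow", "tcp", EXT_IP, "any", sports={22}, via="vtnet0", setup=True, keep_state=True),
        rule(110, "allow", "udp", dports={53}, via="vtnet0"),
        rule(120, "allow", ("udp", "tcp"), dports={25, 113, 465}, direction="out", keep_state=True),
        rule(130, "allow", "tcp", dports={25, 465}, direction="in", keep_state=keep_state_on_130),
    ]

def local_connect_verdicts(src):
    """Postfix's SYN from src to 127.0.0.1:10025 on lo0 under each loopback variant."""
    p = pkt("tcp", src, 54321, "127.0.0.1", 10025, "out", "lo0")
    return {name: Firewall(rs).check(p)
            for name, rs in (("original", ORIGINAL), ("me_to_me", ME_TO_ME), ("any_via_lo0", ANY_VIA_LO0))}

def inbound_smtp_handshake(keep_state_on_130):
    """Remote MTA's SYN to port 25, then our SYN/ACK back: returns both verdicts."""
    fw = Firewall(smoofy_rules(keep_state_on_130))
    syn = pkt("tcp", REMOTE, 40000, EXT_IP, 25, "in", "vtnet0", flags=("SYN",))
    synack = pkt("tcp", EXT_IP, 25, REMOTE, 40000, "out", "vtnet0", flags=("SYN", "ACK"))
    return fw.check(syn), fw.check(synack)
```

`local_connect_verdicts("127.0.0.1")` is allowed at rule 10 under all three loopback variants; `local_connect_verdicts(EXT_IP)`, the constructed case of a local connection sourced from the host's own external address, is denied at rule 20 by the original three rules while both `allow ip from me to me` and `allow ip from any to any via lo0` admit it at rule 10. `inbound_smtp_handshake(False)` returns the SYN allowed at rule 130 and the SYN/ACK denied at 65535; with `True`, rule 130 creates a dynamic entry and the SYN/ACK is admitted at rule 15 by check-state. The model leaves out what real ipfw also tracks (TCP state transitions, idle timeouts, per-rule dynamic limits), so use it to reason about rule order, not as a substitute for inspecting the live dynamic table with `ipfw -d list`.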

