Jeff A. Earickson wrote:
Darren,
If I change my port 25 rule from:
pass in quick proto tcp from any to 137.146.28.72 port = 25 flags S
keep state keep frags
pass out quick proto tcp from 137.146.28.72 to any port = 25 flags S
keep state keep frags
to:
pass in quick proto tcp from any to 137.146.28.72 port = 25
pass out quick proto tcp from 137.146.28.72 to any port = 25
Then all/most of my email traffic halts. I am using Sun multipathing,
If you want stateless rules, then you need to allow reply packets, which
you haven't done. Try the following (syntax from memory, so...):
pass out quick proto tcp from 137.146.28.72 to any port = 25
pass in quick proto tcp from any port = 25 to 137.146.28.72 port >
32767 flags A/A
pass in quick proto tcp from any to 137.146.28.72 port = 25
pass out quick proto tcp from 137.146.28.72 port = 25 to any port > 1023
flags A/A
You'll note that the inbound rule is more restrictive with ports. You've
said you're running Solaris, so the anonymous port range is
32768-65535 (unless you've changed it). The Internet has a much broader
range of anonymous ports (but always >= 1024, in my experience).
Personally, I'd get rid of the outbound ACK rule port restriction
entirely, unless you have naughty users running things on your mail
server...
--
Carson
|