Netgate Discussion Forum
    Firewall Blocking SMTP

    Firewalling
pdpugliese

      Hello all,

      I have been battling an issue for over a week now and was hoping someone here could be of help. We recently replaced our office router with a pfSense box and are having issues with email leaving our SMTP server if "disable packet filtering" is not checked off.

      • allow all rules have been configured for all interfaces

      • default "deny all" rules have been commented out in the /etc/inc/filter.inc

      • "Bypass firewall rules for traffic on the same interface" has been enabled

      We do require the firewall to be enabled though as I have set up traffic shaping on it.

      When the firewall is enabled emails will not leave the queue folder on our Windows Server 2008 SMTP server. As soon as I "disable packet filtering" the emails start to flow fine again.

      There are NO errors showing in my SMTP logs on the server, and the firewall logs on the pfSense box DO NOT show anything being blocked.

      Any suggestions are appreciated.

      Thanks in advance.

doktornotor

        @pdpugliese:

        • default "deny all" rules have been commented out in the /etc/inc/filter.inc

        Kindly do a reinstall.

        After you have done that, undo this nonsense:

        @pdpugliese:

        • allow all rules have been configured for all interfaces
        • "Bypass firewall rules for traffic on the same interface" has been enabled

        After that:

        • post a screenshot of your WAN/LAN/whatever rules where you see SMTP blocked.
• post the screenshot of relevant firewall log entries showing the blocked traffic.

pdpugliese

          Reinstall not an easy option at this point as the router is live. I could possibly configure a second box and swap out during some downtime hours.

In regards to your second request, nowhere is it "showing SMTP being blocked". That's the problem.

          Emails just sit in the queue until the firewall is completely disabled.

johnpoz (LAYER 8 Global Moderator)

            "default "deny all" rules have been commented out in the /etc/inc/filter.inc "

This has got to be one of the dumbest things I have heard anyone ever do on a "firewall".

So are you using a proxy, do you have any other stuff installed on pfsense? I would undo that nonsense, then post up your rules. If your smtp server is on your lan segment with the default any any there should be no issues. Did you modify the default rules? Did you install any other packages?

            Did you put some rules in your floating tab?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

pdpugliese

              This appliance is internal. No need for the firewall to block anything.

              It's only needed as a router.

              Only reason I need to have the firewall enabled is for traffic shaping.

doktornotor

                People can only debug something in known sane state.

                Other than that, there's literally no info to debug anything.

• You won't of course get anything logged when you allow everything everywhere.
                • You also won't get any FW logs when you disable the packet filter altogether.
                • There are packet captures under Diagnostics menu.

                Also, information about your traffic shaping is nonexistent. What kind of traffic shaping are you doing with packet filter disabled?  ::)

pdpugliese

                  Obviously I am not doing any traffic shaping currently till I get this resolved.

doktornotor

                    Yeah. So, the box is sitting there, completely screwed by mad misconfiguration and messing with the code, and cannot work even for the limited purpose you have contemplated it for… Hmmm. No idea how you expect anyone to debug a dead box.

johnpoz

If you want it to just be a router with traffic shaping, then turn off NAT and create any any rules.

                      I am fairly sure the traffic shaping requires the filtering to be running..

Neostim

                        @johnpoz:

                        "default "deny all" rules have been commented out in the /etc/inc/filter.inc "

This has got to be one of the dumbest things I have heard anyone ever do on a "firewall".

So are you using a proxy, do you have any other stuff installed on pfsense? I would undo that nonsense, then post up your rules. If your smtp server is on your lan segment with the default any any there should be no issues. Did you modify the default rules? Did you install any other packages?

                        Did you put some rules in your floating tab?

                        I work with pdpugliese, wanted to add in some input as well.

As far as the firewall goes, we would leave it completely disabled if not for the need of traffic shaping. So as far as commenting out the default "deny all" in the filter.inc, we did that as it seemed to be the only option we could find online to disable the functionality of the firewall while still leaving it enabled for traffic shaping purposes (at least in the short term, until we figure out why our "allow all" rules weren't working; perhaps they were being implemented AFTER some block rules).

                        We haven't installed any other packages.

                        There are rules in the floating tab in regards to the traffic shaping (none of which deal with SMTP).

                        Only some emails get blocked from our internal SMTP server when going through pfsense with the firewall enabled (with the default block rules being commented out). It almost seems like anything with an attachment or HTML gets blocked, but plain-text emails go through fine.

                        I can post the output of pfctl -sa if that would help at all.

Derelict (LAYER 8 Netgate)

                          @johnpoz:

                          If you want it to just be a router with traffic shaping.  Then turn off nat and create any any rules.

+1 - This is all you needed to do. Instead, you did who knows what.

                          Chattanooga, Tennessee, USA
                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

Neostim

                            @Derelict:

                            @johnpoz:

If you want it to just be a router with traffic shaping, then turn off NAT and create any any rules.

+1 - This is all you needed to do. Instead, you did who knows what.

We did that; the firewall was still blocking services, even with ANY ANY rules on WAN and LAN. Obviously something was done wrong or something isn't working, but the focus seems to be on how we improperly disabled the firewall. That isn't our issue; our issue is that our SMTP server's emails are intermittently being blocked/dropped by pfSense.

johnpoz

How do you know they are being blocked or dropped by pfsense? You have nothing in the logs showing that. Why would it block emails with html content vs plain text emails?? Pfsense doesn't care what is in the email. It's just packets to pfsense; they either are allowed or blocked based upon your rules, which are protocol (tcp/udp for example), source IP, dest IP, dest port, etc., and the state of the connection.

Pfsense wouldn't give 2 shits if your email had html in it or plain text, etc. I would have to assume you have something else going on and you're thinking it's pfsense without any real evidence of that.

I would get a clean, normal pfsense setup, no traffic shaping as of yet. Disable the nat and create any any rules. If you're still seeing the same sort of issue then sniff and see what is actually going on, if your email server is not telling you what is going wrong with those emails.

Derelict

@Neostim:

We did that, the firewall was still blocking services, even with ANY ANY rules on WAN and LAN

No, it wasn't. You might have thought it was, or botched up the rules, or botched up disabling NAT, or didn't disable block private addresses on WAN or something, but the firewall wasn't blocking the traffic if everything was done correctly.

                                Reset to factory and start over.

doktornotor

Unless you sanitize your box, that is:

                                  • undo the code "improvements", preferably by reinstall
                                  • reset this to default config
                                  • create a sane configuration

                                  there's really no point in continuing here. In current state, the box is unusable for any purpose, you cannot provide any information and in general you could just replace the box with a switch.

phil.davis

                                    If little things get through but not big things, then perhaps there is an MTU/MSS issue.
Is there some bigger MTU set on the mail server and on the router that is on the upstream WAN side of pfSense?

                                    I would start with a clean and simple pfSense install (like others have instructed) then do some packet capture to see what comes and how big it is. Even some ping from the mail server to somewhere across the other side of pfSense might show what can go missing.

                                    As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                                    If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

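Taking up phil.davis's MTU/MSS hypothesis, here is an added example (my own code, not from the thread or from pfSense) that performs the Don't-Fragment ping test he describes and turns the result into the MSS value one would clamp to; `df_ping_probe`, `find_path_mtu`, the simulated link and the `192.0.2.10` placeholder host are all my assumptions.

```python
# Path-MTU probe: ping with DF set at growing sizes and binary-search the largest
# packet that still gets a reply. Small packets (plain-text mail) pass while large
# ones (attachments, HTML) stall when oversized DF packets are silently dropped.
import subprocess
import sys
from typing import Callable

IP_HDR = 20    # IPv4 header without options
ICMP_HDR = 8   # ICMP echo header
TCP_HDR = 20   # TCP header without options

def df_ping_probe(host: str, payload: int, timeout_s: int = 1) -> bool:
    """Send one ICMP echo with DF set and `payload` data bytes via the system
    ping (Linux iputils syntax; on Windows use `ping -n 1 -f -l <payload> <host>`).
    Returns True if a reply came back."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
           "-s", str(payload), host]
    res = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0

def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Largest total IPv4 packet size (headers + payload) that passes `probe`.
    `probe` takes an ICMP payload length and returns True on a reply.
    Returns 0 if even `lo` (the size almost every path honours) fails."""
    overhead = IP_HDR + ICMP_HDR
    if not probe(lo - overhead):
        return 0
    while lo < hi:
        mid = (lo + hi + 1) // 2            # round up so the search terminates
        if probe(mid - overhead):
            lo = mid                        # mid fits: try larger
        else:
            hi = mid - 1                    # mid dropped: try smaller
    return lo

def mss_for_mtu(mtu: int) -> int:
    """TCP MSS that fits a given MTU (the value to clamp to if the path is smaller)."""
    return mtu - IP_HDR - TCP_HDR

def make_simulated_link(link_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real path: drops DF packets larger than link_mtu."""
    return lambda payload: payload + IP_HDR + ICMP_HDR <= link_mtu

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder host
    mtu = find_path_mtu(lambda n: df_ping_probe(target, n))
    print(f"path MTU to {target}: {mtu}, MSS to clamp to: {mss_for_mtu(mtu)}")
```

Run it from the mail server against a host on the far side of pfSense; a result below 1500 with an MSS that matches the size at which mail stalls points at the MTU/MSS mismatch phil.davis suspects rather than at a firewall rule.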
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.