Firewall Blocking SMTP
-
Obviously I am not doing any traffic shaping currently till I get this resolved.
-
Yeah. So, the box is sitting there, completely screwed by mad misconfiguration and messing with the code, and cannot work even for the limited purpose you have contemplated it for… Hmmm. No idea how you expect anyone to debug a dead box.
-
If you want it to just be a router with traffic shaping, then turn off NAT and create any-any rules.
I am fairly sure the traffic shaping requires the filtering to be running.
-
"default 'deny all' rules have been commented out in /etc/inc/filter.inc"
This has got to be one of the dumbest things I have heard of anyone ever doing on a "firewall".
So, are you using a proxy? Do you have any other stuff installed on pfSense? I would undo that nonsense, then post up your rules. If your SMTP server is on your LAN segment with the default any-any rule, there should be no issues. Did you modify the default rules? Did you install any other packages?
Did you put some rules in your floating tab?
I work with pdpugliese, wanted to add in some input as well.
As far as the firewall goes, we would leave it completely disabled if not for the need for traffic shaping. As for commenting out the default "deny all" rules in filter.inc, we did that as it seemed to be the only option we could find online to disable the functionality of the firewall while still leaving it enabled for traffic shaping purposes (at least in the short term, until we figure out why our "allow all" rules weren't working; perhaps they were being implemented AFTER some block rules).
We haven't installed any other packages.
There are rules in the floating tab in regards to the traffic shaping (none of which deal with SMTP).
Only some emails get blocked from our internal SMTP server when going through pfSense with the firewall enabled (with the default block rules being commented out). It almost seems like anything with an attachment or HTML gets blocked, but plain-text emails go through fine.
I can post the output of pfctl -sa if that would help at all.
-
If you want it to just be a router with traffic shaping, then turn off NAT and create any-any rules.
+1 - This is all you needed to do. Instead, you did who knows what.
-
If you want it to just be a router with traffic shaping, then turn off NAT and create any-any rules.
+1 - This is all you needed to do. Instead, you did who knows what.
We did that; the firewall was still blocking services, even with ANY ANY rules on WAN and LAN. Obviously something was done wrong or something isn't working, but the focus seems to be on how we improperly disabled the firewall. That isn't our issue; our issue is that our SMTP server's emails are intermittently being blocked/dropped by pfSense.
-
How do you know they are being blocked or dropped by pfSense? You have nothing in the logs showing that. Why would it block emails with HTML content vs. plain text emails?? pfSense doesn't care what is in the email. It's just packets to pfSense; they are either allowed or blocked based upon your rules, which are protocol (TCP/UDP, for example), source IP, dest IP, dest port, etc., and the state of the connection.
pfSense wouldn't give 2 shits if your email had HTML in it or plain text, etc. I would have to assume you have something else going on and you're thinking it's pfSense without any real evidence of that.
I would get a clean, normal pfSense setup, no traffic shaping as of yet. Disable the NAT and create any-any rules. If you're still seeing the same sort of issue, then sniff and see what is actually going on, if your email server is not telling you what is going wrong with those emails.
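To make the rule-ordering point in this reply concrete (and the earlier worry that the allow-all rules were being "implemented AFTER some block rules"), here is an added Python example, not from the thread, that parses a constructed ruleset written in the style `pfctl -sr` prints and emulates pf's match order: the last matching rule wins, unless a matching rule is marked `quick`, which ends evaluation immediately. The interface name, addresses and labels are made up.

```python
import ipaddress
import re

# Minimal parser for rule lines in the style "pfctl -sr" prints. Only the fields
# that decide match order are kept; log, flags, keep state, etc. are ignored.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?: drop| return)?(?: (?P<dir>in|out))?(?: log)?"
    r"(?: (?P<quick>quick))?(?: on (?P<iface>\S+))?(?: inet6?)?(?: proto (?P<proto>\S+))?"
    r" (?:all|from (?P<src>\S+)(?: port = \S+)? to (?P<dst>\S+)(?: port = (?P<dport>\S+))?)")

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            lbl = re.search(r'label "([^"]*)"', line)
            rule["label"] = lbl.group(1) if lbl else ""
            rules.append(rule)
    return rules

def _in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def decide(rules, direction, iface, proto, src, dst, dport=None):
    # pf semantics: the LAST matching rule wins unless a matching rule is 'quick', which
    # ends evaluation at once (pfSense interface rules are quick; floating rules only if ticked).
    winner = None
    for r in rules:
        if (r["dir"] and r["dir"] != direction) or (r["iface"] and r["iface"] != iface):
            continue
        if (r["proto"] and r["proto"] != proto) or (r["dport"] and r["dport"] != str(dport)):
            continue
        if (r["src"] and not _in_net(r["src"], src)) or (r["dst"] and not _in_net(r["dst"], dst)):
            continue
        winner = r
        if r["quick"]:
            break
    return (winner["action"], winner["label"]) if winner else ("pass", "no match: pf default")

# Constructed ruleset (hypothetical interface, addresses, labels): default deny, then a
# floating block on SMTP WITHOUT quick, then the LAN any-any rule, which is quick.
RULES_FLOATING_NOT_QUICK = '''block drop in log inet all label "Default deny rule IPv4"
block drop in on em1 inet proto tcp from any to any port = 25 label "USER_RULE: floating block"
pass in quick on em1 inet from 10.0.0.0/24 to any keep state label "USER_RULE: LAN any any"'''
# Same ruleset with quick on the floating block: it now wins before the LAN rule is reached.
RULES_FLOATING_QUICK = RULES_FLOATING_NOT_QUICK.replace("block drop in on", "block drop in quick on")

def smtp_verdict(ruleset):  # outbound SMTP from a constructed LAN host entering on em1
    return decide(parse_rules(ruleset), "in", "em1", "tcp", "10.0.0.5", "203.0.113.10", 25)
```

Running `smtp_verdict` on both rulesets shows the same SMTP packet passing under the first and being blocked under the second, while an ICMP ping from the same host passes under both, which is why a pass/fail pattern that depends on port or size is worth checking against the actual rule order before blaming the firewall for content inspection it does not do.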
-
We did that, the firewall was still blocking services, even with ANY ANY rules on WAN and LAN
No, it wasn't. You might have thought it was, or botched up the rules, or botched up disabling NAT, or didn't disable block private addresses on WAN or something, but the firewall wasn't blocking the traffic if everything was done correctly.
Reset to factory and start over.
-
Unless you sanitize your box, that is:
- undo the code "improvements", preferably by reinstalling
- reset this to the default config
- create a sane configuration
there's really no point in continuing here. In its current state, the box is unusable for any purpose, you cannot provide any information, and in general you could just replace the box with a switch.
-
If little things get through but not big things, then perhaps there is an MTU/MSS issue.
Is there some bigger MTU set on the mail server and on the router that is on the upstream WAN side of pfSense? I would start with a clean and simple pfSense install (like others have instructed), then do some packet capture to see what comes through and how big it is. Even some pings from the mail server to somewhere across the other side of pfSense might show what can go missing.