This is a discussion on Re: Odd ipfilter/postfix interaction within the IPFilter forums, part of the System Security and Security Related category.
Victor Duchovni wrote:
>
> The issue is not the specific MTU value, but rather blocking of the ICMP
> messages that signal the need to reduce the MTU.
>

That thought occurred to me, too. So, I tried these statements at the top of my ruleset, and that didn't make any difference:

pass in quick on tun0 proto icmp from any to any
pass out quick on tun0 proto icmp from any to any

My next thought was that perhaps the ICMP message announcing a MUST FRAGMENT segment was being blocked upstream. But, if that was the case, then the messages shouldn't have gone through when I dropped ipfilter either, since the upstream network conditions wouldn't have changed.

> If you want to lower the MTU, reduce it on the Postfix server, not the
> firewall (that merely compounds the problem). It is also possible that

In this case, the firewall and the postfix server are one and the same.

For those interested in the ruleset I use:

tun0 - DSL tunnel
xl0 and dc0 - internal interfaces

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
ipf.conf
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
block in quick all with short
block in quick all with ipopts
block return-rst in quick proto tcp from any to 0/32 port = 113 flags S/SA
pass in quick on tun0 proto icmp from any to any
pass out quick on tun0 proto icmp from any to any
pass in quick on tun0 proto tcp from any to any port = 17325 flags S/SA keep state keep frags
pass in quick on tun0 proto udp from any to any port = 22717
pass out quick on tun0 proto udp from any port = 22717 to any
block out on tun0 all head 16
block out quick on tun0 proto tcp from any to any port = 137 group 16
block out quick on tun0 proto tcp from any to any port = 138 group 16
block out quick on tun0 proto tcp from any to any port = 139 group 16
block out quick on tun0 proto udp from any to any port = 137 group 16
block out quick on tun0 proto udp from any to any port = 138 group 16
block out quick on tun0 proto udp from any to any port = 139 group 16
block out quick on tun0 proto tcp from any to any port = 201 group 16
block out quick on tun0 proto tcp from any to any port = 202 group 16
block out quick on tun0 proto tcp from any to any port = 204 group 16
block out quick on tun0 proto tcp from any to any port = 206 group 16
block out quick on tun0 proto udp from any to any port = 201 group 16
block out quick on tun0 proto udp from any to any port = 202 group 16
block out quick on tun0 proto udp from any to any port = 204 group 16
block out quick on tun0 proto udp from any to any port = 206 group 16
block in log on tun0
block in quick on tun0 proto tcp/udp from any to any port = 137
block in quick on tun0 proto tcp/udp from any to any port = 138
block in quick on tun0 proto tcp/udp from any to any port = 139
pass out quick on tun0 proto icmp from 0/32 to any keep state keep frags
pass out on tun0 proto tcp/udp from any to any keep state keep frags
pass in quick on xl0 proto tcp/udp from xxx.xxx.xxx.0/24 to any keep state keep frags
pass in quick on xl0 proto icmp from xxx.xxx.xxx.0/24 to any keep state keep frags
block out on xl0 all head 55
pass out quick on xl0 proto tcp/udp from xxx.xxx.xxx.1/32 to xxx.xxx.xxx.0/24 keep state group 55
pass out quick on xl0 proto icmp from xxx.xxx.xxx.1/32 to xxx.xxx.xxx.0/24 keep state group 55
pass in quick on dc0 proto tcp from any to yyy.yyy.yyy.1/32 port = 1776 flags S/SA keep state keep frags
block in on dc0 all head 117
pass in quick on dc0 proto udp from any port = 68 to any port = 67 group 117
pass in quick on dc0 proto udp from any port = 500 to any port = 500 group 117
pass in quick on dc0 proto esp from any to any group 117
pass in quick on dc0 proto udp from yyy.yyy.yyy.2/32 to yyy.yyy.yyy.1/32 port = 53 group 117
block in log on dc0
block out on dc0 all head 118
pass out quick on dc0 proto udp from any port = 67 to any port = 68 group 118
pass out quick on dc0 proto udp from any port = 500 to any port = 500 group 118
pass out quick on dc0 proto esp from any to any group 118
pass out quick on dc0 proto udp from yyy.yyy.yyy.1/32 port = 53 to yyy.yyy.yyy.2/32 group 118
pass out quick on dc0 proto tcp/udp from yyy.yyy.yyy.1/32 to any keep state keep frags
pass out quick on dc0 proto icmp from yyy.yyy.yyy.1/32 to any keep state keep frags
block out log on dc0
pass in quick on lo0
pass out quick on lo0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
ipnat.conf
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
rdr xl0 from 0.0.0.0/0 to xxx.xxx.xxx.1/32 port = 80 -> 127.0.0.1 port 80
rdr xl0 0.0.0.0/0 port 80 -> xxx.xxx.xxx.1 port 3128
map dc0 xxx.xxx.xxx.0/24 -> yyy.yyy.yyy.1/32
map tun0 xxx.xxx.xxx.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 0/0 -> 0/32 proxy port ftp ftp/tcp
map tun0 xxx.xxx.xxx.0/24 -> 0/32 portmap tcp/udp 10000:20000
map tun0 xxx.xxx.xxx.0/24 -> 0/32
map tun0 yyy.yyy.yyy.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 yyy.yyy.yyy.0/24 -> 0/32 portmap tcp/udp 10000:20000
map tun0 yyy.yyy.yyy.0/24 -> 0/32
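The exchange the thread is arguing about, as an added example that is not code from the original post or from either participant: a router that cannot forward a DF-flagged packet drops it and answers with ICMP type 3 code 4 ("fragmentation needed"), carrying the next-hop MTU in the message header (RFC 1191). The sender only shrinks its packets if that message reaches it; a firewall that drops it turns the link into a PMTU black hole, which is exactly why the MTU number on the firewall is not the fix. The block builds and parses the real wire format with the RFC 1071 checksum and then simulates both outcomes. The 1492-byte link MTU (typical for a PPPoE DSL tunnel, but an assumption here since the post does not state it) and the RFC 5737 placeholder addresses are constructed for the example.

```python
"""ICMP "fragmentation needed" (type 3, code 4) and Path MTU Discovery.

Added example, not from the original post. All packets, the 1492-byte
link MTU and the host addresses below are constructed for illustration.
"""
import socket
import struct

ICMP_DEST_UNREACH = 3   # ICMP type: destination unreachable
ICMP_FRAG_NEEDED = 4    # code: fragmentation needed but DF set
IPV4_HDR_LEN = 20       # IPv4 header without options
TCP_HDR_LEN = 20        # TCP header without options


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, total_len: int, df: bool, proto: int = 6) -> bytes:
    """Minimal IPv4 header; DF is the high bit of the flags/fragment field."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_len, 0, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(next_hop_mtu: int, offending_packet: bytes) -> bytes:
    """ICMP type 3 code 4: unused(16) | next-hop MTU(16), then the offending
    IP header plus the first 8 bytes of its payload (RFC 1191 section 4)."""
    quoted = offending_packet[:IPV4_HDR_LEN + 8]
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_frag_needed(msg: bytes):
    """Return (next_hop_mtu, quoted_ip_header) for a valid fragmentation-needed
    message, or None if the checksum or type/code does not match."""
    if len(msg) < 8 + IPV4_HDR_LEN:
        return None
    if inet_checksum(msg) != 0:          # a correct checksum sums to all ones
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    return mtu, msg[8:8 + IPV4_HDR_LEN]


def tcp_mss_for(mtu: int) -> int:
    """Largest TCP segment that fits a link MTU without fragmentation (no options)."""
    return mtu - IPV4_HDR_LEN - TCP_HDR_LEN


def simulate_pmtud(link_mtu: int, initial_size: int, firewall_passes_icmp: bool, max_tries: int = 4):
    """A sender emits DF packets of initial_size across a hop with link_mtu.
    Returns (delivered, final_packet_size, events)."""
    size, events = initial_size, []
    for _ in range(max_tries):
        pkt = build_ipv4_header("192.0.2.10", "198.51.100.20", size, df=True)
        pkt += b"\x00" * (size - IPV4_HDR_LEN)          # constructed payload
        if size <= link_mtu:
            events.append("sent %d bytes: delivered" % size)
            return True, size, events
        # The router must drop a DF packet larger than the next hop and signal it.
        icmp = build_frag_needed(link_mtu, pkt)
        if not firewall_passes_icmp:
            events.append("sent %d bytes: dropped, ICMP frag-needed blocked by firewall" % size)
            continue                                    # sender learns nothing, retries same size
        mtu, _quoted = parse_frag_needed(icmp)
        events.append("sent %d bytes: ICMP reports next-hop MTU %d" % (size, mtu))
        size = mtu                                      # PMTU cache updated, resend smaller
    return False, size, events


if __name__ == "__main__":
    for passes in (True, False):
        ok, final, log = simulate_pmtud(1492, 1500, passes)
        print("ICMP passed" if passes else "ICMP blocked", "->", "ok" if ok else "BLACK HOLE")
        for line in log:
            print("  " + line)
    print("TCP MSS for a 1492-byte link:", tcp_mss_for(1492))
```

Two things follow from the simulation for the ruleset above. First, `pass in quick on tun0 proto icmp from any to any` does let this message through, so if PMTUD still stalls, the message is being lost or never generated somewhere the rule cannot see (the quoted header in the ICMP also has to match a connection the state table, or ipnat, still knows about). Second, opening all ICMP is more than PMTUD needs: ipfilter can match on the ICMP type and code (`icmp-type 3 code 4` in the ipf.conf(5) syntax; confirm the exact spelling against the installed version), which keeps the black-hole fix without exposing the rest of ICMP.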