
pfsense rule does not apply for IMAP.


Kay Martinen

Oct 25, 2020, 9:50:02 AM
Hello

I have a virtual pfsense community version here (2.4.5-RELEASE-p1
(amd64, current)) that sits between my LAN and the WAN router. There
I have entered the IPs of the mail hosts in the LAN as aliases and, for
the LAN interface, one allow rule each that permits traffic from these
aliases to IMAP, IMAPS, SMTP and SMTPS. Then I deactivated the default
allow any IPv4 rule. Web traffic that is not specifically covered by a
rule still passes after a filter reload, but my Thunderbird can no
longer reach the external mail servers. The allow rules in question are
at the very top of the ruleset, the default allow rule at the very bottom.

When I reactivate this default allow rule, mail access works. According
to filterlog there seems to be a default-deny IPv4 rule still active
that is not shown in the ruleset. That is why I couldn't move it either,
but it apparently blocks everything that isn't allowed. Only, the allow
rules apparently still don't take effect then.

Unfortunately I couldn't find anywhere to output the rules directly as a
text list, so here is the output of filter-reload

> Initializing
> Creating aliases
> Creating gateway group item...
> Generating Limiter rules
> Generating NAT rules
> Creating 1:1 rules...
> Creating advanced outbound rule Auto created rule - localhost to WAN
> Creating advanced outbound rule Auto created rule - localhost to WAN
> Creating advanced outbound rule Auto created rule - LAN to WAN
> Setting up TFTP helper
> Checking for nat PF hooks in package /usr/local/pkg/squid.inc
> Processing early nat rules for package /usr/local/pkg/squid.inc
> Generating filter rules
> Creating default rules
> Checking for pfearly PF hooks in package /usr/local/pkg/squid.inc
> Processing early pfearly rules for package /usr/local/pkg/squid.inc
> Pre-caching block IPv6...
> Creating filter rule block IPv6 ...
> Creating filter rules block IPv6 ...
> Setting up pass/block rules
> Setting up pass/block rules block IPv6
> Creating rule block IPv6
> Pre-caching Allow Access to external IMAP-S from LAN...
> Creating filter rule Allow Access to external IMAP-S from LAN ...
> Creating filter rules Allow Access to external IMAP-S from LAN ...
> Setting up pass/block rules
> Setting up pass/block rules Allow Access to external IMAP-S from LAN
> Creating rule Allow Access to external IMAP-S from LAN
> Pre-caching Allow Access to external IMAP from LAN...
> Creating filter rule Allow Access to external IMAP from LAN ...
> Creating filter rules Allow Access to external IMAP from LAN ...
> Setting up pass/block rules
> Setting up pass/block rules Allow Access to external IMAP from LAN
> Creating rule Allow Access to external IMAP from LAN
> Pre-caching Allow Access to external SMTP from LAN...
> Creating filter rule Allow Access to external SMTP from LAN ...
> Creating filter rules Allow Access to external SMTP from LAN ...
> Setting up pass/block rules
> Setting up pass/block rules Allow Access to external SMTP from LAN
> Creating rule Allow Access to external SMTP from LAN
> Pre-caching Allow Access to external SMTP-S from LAN...
> Creating filter rule Allow Access to external SMTP-S from LAN ...
> Creating filter rules Allow Access to external SMTP-S from LAN ...
> Setting up pass/block rules
> Setting up pass/block rules Allow Access to external SMTP-S from LAN
> Creating rule Allow Access to external SMTP-S from LAN
> Pre-caching Allow Access to SPH from Internal Device...
> Creating filter rule Allow Access to SPH from Internal Device ...
> Creating filter rules Allow Access to SPH from Internal Device ...
> Setting up pass/block rules
> Setting up pass/block rules Allow Access to SPH from Internal Device
> Creating rule Allow Access to SPH from Internal Device
> Pre-caching Pass DNS to the Firewall...
> Creating filter rule Pass DNS to the Firewall ...
> Creating filter rules Pass DNS to the Firewall ...
> Setting up pass/block rules
> Setting up pass/block rules Pass DNS to the Firewall
> Creating rule Pass DNS to the Firewall
> Pre-caching Block DNS to Everything Else...
> Creating filter rule Block DNS to Everything Else ...
> Creating filter rules Block DNS to Everything Else ...
> Setting up pass/block rules
> Setting up pass/block rules Block DNS to Everything Else
> Creating rule Block DNS to Everything Else
> Pre-caching Block https to 1.1.1.1 (DoT)...
> Creating filter rule Block https to 1.1.1.1 (DoT) ...
> Creating filter rules Block https to 1.1.1.1 (DoT) ...
> Setting up pass/block rules
> Setting up pass/block rules Block https to 1.1.1.1 (DoT)
> Creating rule Block https to 1.1.1.1 (DoT)
> Pre-caching Block https to 8.8.8.8 (DoT)...
> Creating filter rule Block https to 8.8.8.8 (DoT) ...
> Creating filter rules Block https to 8.8.8.8 (DoT) ...
> Setting up pass/block rules
> Setting up pass/block rules Block https to 8.8.8.8 (DoT)
> Creating rule Block https to 8.8.8.8 (DoT)
> Pre-caching Default allow LAN to any rule...
> Creating filter rule Default allow LAN to any rule ...
> Creating filter rules Default allow LAN to any rule ...
> Setting up pass/block rules
> Setting up pass/block rules Default allow LAN to any rule
> Creating rule Default allow LAN to any rule
> Creating IPsec rules...
> Creating uPNP rules...
> Generating ALTQ queues
> Loading filter rules
> Setting up logging information
> Setting up SCRUB information
> Checking for filter PF hooks in package /usr/local/pkg/squid.inc
> Processing early filter rules for package /usr/local/pkg/squid.inc
> Processing down interface states
> Running plugins
> Done

Does anyone notice something that I don't?
NAT is done towards the WAN, SPH is my WAN router, and the anti-lockout
and block bogon rule are IMHO not mentioned either. I'm not finished
with it yet, and the last rules at the bottom are meant to block DNS
over TLS according to the pfsense docs.

I also can't find anywhere a definition of the firewall's default
behaviour for In, Out or Forward, which here apparently happens with
hidden rules that I couldn't make visible. Or is that possible
somewhere? Unfortunately I'm also more at home on linux/ipfire than on
BSD/pfsense.

Kay

--
Posted via leafnode
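An added example, not part of the post and not pfSense's own code: a small Python parser for pfSense filterlog lines that shows which rule number and tracker ID a block came from, so a blocked IMAP connection can be traced to the rule responsible rather than guessed at from the GUI. The rule number corresponds to the rule's position in the loaded pf ruleset (`pfctl -vvsr`, or `pfctl -sr` for a plain text listing); the sample log lines, addresses and tracker IDs below are constructed.

```python
# Added example: parse pfSense filterlog CSV lines (2.4.x field layout) and
# summarise blocked connections per rule number / tracker ID / destination port.
from collections import Counter

COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "length", "src", "dst"]
IPV6 = ["class", "flowlabel", "hoplimit", "proto", "proto_id", "length",
        "src", "dst"]


def parse_filterlog(line):
    """Return a dict of the CSV fields after 'filterlog:' (IPv4/IPv6, TCP/UDP ports)."""
    payload = line.split("filterlog:", 1)[1].strip()
    fields = payload.split(",")
    rec = dict(zip(COMMON, fields[:len(COMMON)]))
    rest = fields[len(COMMON):]
    layout = IPV4 if rec["ipver"] == "4" else IPV6
    rec.update(zip(layout, rest[:len(layout)]))
    l4 = rest[len(layout):]                     # transport-layer fields
    if rec.get("proto") in ("tcp", "udp") and len(l4) >= 2:
        rec["sport"], rec["dport"] = int(l4[0]), int(l4[1])
        if rec["proto"] == "tcp" and len(l4) >= 4:
            rec["tcpflags"] = l4[3]             # e.g. "S" for a new connection
    return rec


def blocked_summary(lines):
    """Count blocked flows per (rule number, tracker ID, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec["action"] == "block" and "dport" in rec:
            counts[(rec["rulenr"], rec["tracker"], rec["dport"])] += 1
    return counts


# Constructed sample lines: two IMAPS (993) attempts hit a block rule, one HTTPS flow passes.
SAMPLE = [
    "Oct 25 09:40:01 pfsense filterlog: 9,,,1000000103,vtnet0,match,block,in,4,0x0,,64,2020,0,DF,6,tcp,60,192.0.2.50,203.0.113.10,51234,993,0,S,1,,65535,,mss",
    "Oct 25 09:40:02 pfsense filterlog: 9,,,1000000103,vtnet0,match,block,in,4,0x0,,64,2021,0,DF,6,tcp,60,192.0.2.50,203.0.113.10,51235,993,0,S,2,,65535,,mss",
    "Oct 25 09:40:03 pfsense filterlog: 15,,,1603600000,vtnet0,match,pass,in,4,0x0,,64,2022,0,DF,6,tcp,60,192.0.2.50,203.0.113.10,51236,443,0,S,3,,65535,,mss",
]

if __name__ == "__main__":
    for key, n in blocked_summary(SAMPLE).items():
        print("rule %s (tracker %s) blocked %d flow(s) to port %d" % (key + (n,)))
```

The rule number printed for a block is what to look up in `pfctl -vvsr` to see the pf rule text that actually matched, including rules pfSense adds without listing them on the Rules page.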