
Problems with PF



Hi,

I am having a strange problem with pf on OpenBSD 3.6-stable GENERIC. I have this box as the egress unit on our network. It runs pf with ALTQ. The system manages a few queues and also blocks some traffic (mainly MS stuff). The problem is that it will (seemingly) randomly stop allowing syn/ack packets back into our network, where such packets are destined for (seemingly) random internal IPs.

Here are the outputs of tcpdump of each interface on the PF box. Interface rl0 is internal and fxp0 is external, captured from 2 terminals over the same period. The problem is pretty random, but it's always possible to see it in action once a client reports it. Other symptoms include:-

1. no trouble accessing services local to our network
2. traceroute works to local and external destinations
3. had reports from mainly Win XP, but one FreeBSD as well

Any help will be appreciated,

Abdul

16:27:50 - 16:28:37 is the initial problem
16:29:52 - 16:30:31 is after I issued a pfctl -f /etc/pf.conf
16:31:23 - 16:31:53 is after I disabled then enabled pf (pfctl -d followed by pfctl -e)
16:32:24 is after I disabled pf (pfctl -d) and left it turned off


# tcpdump -ni rl0 host 196.35.86.108
tcpdump: listening on rl0
16:27:50.551608 70.20.40.111.28573 > 196.35.86.108.51710: udp 98 [tos 0x28]
16:27:52.554728 70.20.40.111.28573 > 196.35.86.108.51710: udp 98 [tos 0x28]
16:28:07.109826 196.35.86.108.3158 > 66.102.11.104.80: S 1886978942:1886978942(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:28:10.020236 196.35.86.108.3158 > 66.102.11.104.80: S 1886978942:1886978942(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:28:16.033175 196.35.86.108.3158 > 66.102.11.104.80: S 1886978942:1886978942(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:28:27.991228 196.35.86.108.3159 > 66.102.11.99.80: S 1891819288:1891819288(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:28:31.017272 196.35.86.108.3159 > 66.102.11.99.80: S 1891819288:1891819288(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:28:37.034239 196.35.86.108.3159 > 66.102.11.99.80: S 1891819288:1891819288(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:29:52.028883 196.35.86.108.3164 > 66.102.11.104.80: S 1911278228:1911278228(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:29:54.919236 196.35.86.108.3164 > 66.102.11.104.80: S 1911278228:1911278228(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:30:00.933837 196.35.86.108.3164 > 66.102.11.104.80: S 1911278228:1911278228(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:30:12.871176 196.35.86.108.3165 > 66.102.11.99.80: S 1916126514:1916126514(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:30:15.918492 196.35.86.108.3165 > 66.102.11.99.80: S 1916126514:1916126514(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:30:21.933758 196.35.86.108.3165 > 66.102.11.99.80: S 1916126514:1916126514(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:30:51.002421 70.20.40.111.28573 > 196.35.86.108.51710: udp 98 [tos 0x28]
16:30:52.963438 70.20.40.111.28573 > 196.35.86.108.51710: udp 98 [tos 0x28]
16:31:23.935530 196.35.86.108.3170 > 66.102.11.104.80: S 1932582854:1932582854(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:31:26.796544 196.35.86.108.3170 > 66.102.11.104.80: S 1932582854:1932582854(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:31:32.810367 196.35.86.108.3170 > 66.102.11.104.80: S 1932582854:1932582854(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:31:44.857556 196.35.86.108.3171 > 66.102.11.99.80: S 1937431129:1937431129(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:31:47.794688 196.35.86.108.3171 > 66.102.11.99.80: S 1937431129:1937431129(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:31:53.812990 196.35.86.108.3171 > 66.102.11.99.80: S 1937431129:1937431129(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:32:24.596353 196.35.86.108.3176 > 66.102.11.104.80: S 1946754719:1946754719(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:32:24.778532 66.102.11.104.80 > 196.35.86.108.3176: S 103432278:103432278(0) ack 1946754720 win 8190 <mss 1460> [tos 0x28]
16:32:24.987941 196.35.86.108.3176 > 66.102.11.104.80: . ack 1 win 8760 (DF)
16:32:25.014060 196.35.86.108.3176 > 66.102.11.104.80: P 1:332(331) ack 1 win 8760 (DF)
16:32:25.198996 66.102.11.104.80 > 196.35.86.108.3176: . ack 332 win 7859 [tos 0x28]
16:32:25.200619 66.102.11.104.80 > 196.35.86.108.3176: . ack 332 win 6432 [tos 0x28]
16:32:25.240307 66.102.11.104.80 > 196.35.86.108.3176: . 1:1431(1430) ack 332 win 6432 [tos 0x28]
16:32:25.241294 66.102.11.104.80 > 196.35.86.108.3176: P 1431:2498(1067) ack 332 win 6432 [tos 0x28]
16:32:25.737245 66.102.11.104.80 > 196.35.86.108.3176: . 1:1431(1430) ack 332 win 6432 [tos 0x28]
16:32:25.742563 196.35.86.108.3176 > 66.102.11.104.80: . ack 1431 win 7330 (DF)
16:32:25.926478 66.102.11.104.80 > 196.35.86.108.3176: P 1431:2498(1067) ack 332 win 6432 [tos 0x28]
16:32:26.239827 196.35.86.108.3176 > 66.102.11.104.80: P 332:1034(702) ack 2498 win 8760 (DF)
16:32:26.427359 66.102.11.104.80 > 196.35.86.108.3176: . ack 1034 win 8030 [tos 0x28]
16:32:26.439777 196.35.86.108.3176 > 66.102.11.104.80: . ack 2498 win 8760 (DF)
16:32:26.604651 66.102.11.104.80 > 196.35.86.108.3176: . 2498:3928(1430) ack 1034 win 8030 [tos 0x28]
16:32:26.605296 66.102.11.104.80 > 196.35.86.108.3176: P 3928:4717(789) ack 1034 win 8030 [tos 0x28]
16:32:26.703523 196.35.86.108.3176 > 66.102.11.104.80: . ack 2498 win 8760 (DF)
16:32:27.274358 196.35.86.108.3176 > 66.102.11.104.80: . ack 3928 win 7330 (DF)
16:32:27.491520 196.35.86.108.3176 > 66.102.11.104.80: . ack 4717 win 8760 (DF)
16:33:32.336056 196.35.86.108.3176 > 66.102.11.104.80: R 1946755753:1946755753(0) win 0 (DF)
^C
393576 packets received by filter
0 packets dropped by kernel



# tcpdump -ni fxp0 host 196.35.86.108
tcpdump: listening on fxp0
16:27:27.641074 64.236.16.84.80 > 196.35.86.108.3155: R 0:0(0) win 0 [tos 0x28]
16:27:50.541695 70.20.40.111.28573 > 196.35.86.108.51710: udp 98 [tos 0x28]
16:27:52.547207 70.20.40.111.28573 > 196.35.86.108.51710: udp 98 [tos 0x28]
16:28:07.109865 196.35.86.108.3158 > 66.102.11.104.80: S 1886978942:1886978942(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:28:07.308516 66.102.11.104.80 > 196.35.86.108.3158: S 1104655753:1104655753(0) ack 1886978943 win 8190 <mss 1460> [tos 0x28]
16:28:10.020272 196.35.86.108.3158 > 66.102.11.104.80: S 1886978942:1886978942(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:28:10.220938 66.102.11.104.80 > 196.35.86.108.3158: S 1104655753:1104655753(0) ack 1886978943 win 8190 <mss 1460> [tos 0x28]
16:28:16.033209 196.35.86.108.3158 > 66.102.11.104.80: S 1886978942:1886978942(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:28:16.238870 66.102.11.104.80 > 196.35.86.108.3158: S 1104655753:1104655753(0) ack 1886978943 win 8190 <mss 1460> [tos 0x28]
16:28:27.991267 196.35.86.108.3159 > 66.102.11.99.80: S 1891819288:1891819288(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:28:28.281081 66.102.11.99.80 > 196.35.86.108.3159: S 2031984562:2031984562(0) ack 1891819289 win 8190 <mss 1460> [tos 0x28]
16:28:31.017306 196.35.86.108.3159 > 66.102.11.99.80: S 1891819288:1891819288(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:28:31.314207 66.102.11.99.80 > 196.35.86.108.3159: S 2031984562:2031984562(0) ack 1891819289 win 8190 <mss 1460> [tos 0x28]
16:28:37.034277 196.35.86.108.3159 > 66.102.11.99.80: S 1891819288:1891819288(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:28:37.334538 66.102.11.99.80 > 196.35.86.108.3159: S 2031984562:2031984562(0) ack 1891819289 win 8190 <mss 1460> [tos 0x28]
16:29:52.028927 196.35.86.108.3164 > 66.102.11.104.80: S 1911278228:1911278228(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:29:52.219690 66.102.11.104.80 > 196.35.86.108.3164: S 1548754717:1548754717(0) ack 1911278229 win 8190 <mss 1460> [tos 0x28]
16:29:54.919282 196.35.86.108.3164 > 66.102.11.104.80: S 1911278228:1911278228(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:29:55.100973 66.102.11.104.80 > 196.35.86.108.3164: S 1548754717:1548754717(0) ack 1911278229 win 8190 <mss 1460> [tos 0x28]
16:30:00.933882 196.35.86.108.3164 > 66.102.11.104.80: S 1911278228:1911278228(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:30:01.115249 66.102.11.104.80 > 196.35.86.108.3164: S 1290370110:1290370110(0) ack 1911278229 win 8190 <mss 1460> [tos 0x28]
16:30:12.871220 196.35.86.108.3165 > 66.102.11.99.80: S 1916126514:1916126514(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:30:13.156568 66.102.11.99.80 > 196.35.86.108.3165: S 3095985941:3095985941(0) ack 1916126515 win 8190 <mss 1460> [tos 0x28]
16:30:15.918537 196.35.86.108.3165 > 66.102.11.99.80: S 1916126514:1916126514(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:30:16.212821 66.102.11.99.80 > 196.35.86.108.3165: S 3095985941:3095985941(0) ack 1916126515 win 8190 <mss 1460> [tos 0x28]
16:30:21.933806 196.35.86.108.3165 > 66.102.11.99.80: S 1916126514:1916126514(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:30:22.219768 66.102.11.99.80 > 196.35.86.108.3165: S 3095985941:3095985941(0) ack 1916126515 win 8190 <mss 1460> [tos 0x28]
16:30:50.961268 70.20.40.111.28573 > 196.35.86.108.51710: udp 98 [tos 0x28]
16:30:52.963374 70.20.40.111.28573 > 196.35.86.108.51710: udp 98 [tos 0x28]
16:31:23.935579 196.35.86.108.3170 > 66.102.11.104.80: S 1932582854:1932582854(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:31:24.120114 66.102.11.104.80 > 196.35.86.108.3170: S 900119944:900119944(0) ack 1932582855 win 8190 <mss 1460> [tos 0x28]
16:31:26.796581 196.35.86.108.3170 > 66.102.11.104.80: S 1932582854:1932582854(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:31:26.983403 66.102.11.104.80 > 196.35.86.108.3170: S 900119944:900119944(0) ack 1932582855 win 8190 <mss 1460> [tos 0x28]
16:31:32.810418 196.35.86.108.3170 > 66.102.11.104.80: S 1932582854:1932582854(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:31:32.992606 66.102.11.104.80 > 196.35.86.108.3170: S 900119944:900119944(0) ack 1932582855 win 8190 <mss 1460> [tos 0x28]
16:31:44.857605 196.35.86.108.3171 > 66.102.11.99.80: S 1937431129:1937431129(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:31:47.794733 196.35.86.108.3171 > 66.102.11.99.80: S 1937431129:1937431129(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:31:48.068529 66.102.11.99.80 > 196.35.86.108.3171: S 3558646129:3558646129(0) ack 1937431130 win 8190 <mss 1460> [tos 0x28]
16:31:53.813037 196.35.86.108.3171 > 66.102.11.99.80: S 1937431129:1937431129(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:31:54.086589 66.102.11.99.80 > 196.35.86.108.3171: S 3558646129:3558646129(0) ack 1937431130 win 8190 <mss 1460> [tos 0x28]
16:32:24.596366 196.35.86.108.3176 > 66.102.11.104.80: S 1946754719:1946754719(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:32:24.778481 66.102.11.104.80 > 196.35.86.108.3176: S 103432278:103432278(0) ack 1946754720 win 8190 <mss 1460> [tos 0x28]
16:32:24.987952 196.35.86.108.3176 > 66.102.11.104.80: . ack 1 win 8760 (DF)
16:32:25.014070 196.35.86.108.3176 > 66.102.11.104.80: P 1:332(331) ack 1 win 8760 (DF)
16:32:25.198982 66.102.11.104.80 > 196.35.86.108.3176: . ack 332 win 7859 [tos 0x28]
16:32:25.200596 66.102.11.104.80 > 196.35.86.108.3176: . ack 332 win 6432 [tos 0x28]
16:32:25.240291 66.102.11.104.80 > 196.35.86.108.3176: . 1:1431(1430) ack 332 win 6432 [tos 0x28]
16:32:25.241279 66.102.11.104.80 > 196.35.86.108.3176: P 1431:2498(1067) ack 332 win 6432 [tos 0x28]
16:32:25.737228 66.102.11.104.80 > 196.35.86.108.3176: . 1:1431(1430) ack 332 win 6432 [tos 0x28]
16:32:25.742574 196.35.86.108.3176 > 66.102.11.104.80: . ack 1431 win 7330 (DF)
16:32:25.926463 66.102.11.104.80 > 196.35.86.108.3176: P 1431:2498(1067) ack 332 win 6432 [tos 0x28]
16:32:26.239839 196.35.86.108.3176 > 66.102.11.104.80: P 332:1034(702) ack 2498 win 8760 (DF)
16:32:26.427343 66.102.11.104.80 > 196.35.86.108.3176: . ack 1034 win 8030 [tos 0x28]
16:32:26.439789 196.35.86.108.3176 > 66.102.11.104.80: . ack 2498 win 8760 (DF)
16:32:26.604632 66.102.11.104.80 > 196.35.86.108.3176: . 2498:3928(1430) ack 1034 win 8030 [tos 0x28]
16:32:26.605283 66.102.11.104.80 > 196.35.86.108.3176: P 3928:4717(789) ack 1034 win 8030 [tos 0x28]
16:32:26.703535 196.35.86.108.3176 > 66.102.11.104.80: . ack 2498 win 8760 (DF)
16:32:27.274370 196.35.86.108.3176 > 66.102.11.104.80: . ack 3928 win 7330 (DF)
16:32:27.491531 196.35.86.108.3176 > 66.102.11.104.80: . ack 4717 win 8760 (DF)
16:33:32.336069 196.35.86.108.3176 > 66.102.11.104.80: R 1946755753:1946755753(0) win 0 (DF)
^C
333327 packets received by filter
0 packets dropped by kernel


System info:-

# uname -a
OpenBSD rubberband.eastcoast.co.za 3.6 RUBBERBAND#0 i386
# cd /usr/src/sys/arch/i386/conf/
# diff RUBBERBAND GENERIC
# dmesg
OpenBSD 3.6-stable (RUBBERBAND) #0: Sat Apr 2 12:48:16 SAST 2005
[email protected]:/usr/src/sys/arch/i386/compile/ RUBBERBAND
cpu0: Intel(R) Celeron(R) CPU 1.70GHz ("GenuineIntel" 686-class) 1.72 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36, CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM
real mem = 502837248 (491052K)
avail mem = 451833856 (441244K)
using 4278 buffers containing 25243648 bytes (24652K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(f5) BIOS, date 10/28/02, BIOS32 rev. 0 @ 0xfad40
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xd754
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfd6d0/128 (6 entries)
pcibios0: PCI Exclusive IRQs: 5 9 11 12
pcibios0: PCI Interrupt Router at 000:02:0 ("SIS 85C503 System" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "SIS 650 PCI" rev 0x01
ppb0 at pci0 dev 1 function 0 "SIS 86C201 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "SIS 650 VGA" rev 0x00: aperture at 0xe0000000, size 0x400000
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 2 function 0 "SIS 85C503 System" rev 0x10
pciide0 at pci0 dev 2 function 5 "SIS 5513 EIDE" rev 0xd0: 650: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <ST380011A>
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <E-IDE, CD-ROM 52X/AKH, A63> SCSI0 5/cdrom removable
cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
fxp0 at pci0 dev 9 function 0 "Intel 82557" rev 0x0c: irq 11, address 00:02:b3:a3:7c:ce
inphy0 at fxp0 phy 1: i82555 10/100 media interface, rev. 4
rl0 at pci0 dev 16 function 0 "Realtek 8139" rev 0x10: irq 11 address 00:20:ed:50:7a:b6
rlphy0 at rl0 phy 0: RTL internal phy
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
lm0 at isa0 port 0x290/8: W83697HF
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask f765 netmask ff65 ttymask ffe7
pctr: user-level cycle counter enabled
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302


# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.


# Macros: define common values, so they can be referenced and changed easily.
ext_if="fxp0" # replace with actual external interface name i.e., dc0
int_if="rl0" # replace with actual internal interface name i.e., dc1


# Tables: similar to macros, but more flexible for many addresses.
table <dial> { 196.35.86.0/24, 196.33.34.64/26 }
table <routers> { 196.33.34.237/32, 196.33.34.246/32, 196.33.34.247/32, 196.33.34.248/32, 196.33.34.249/32, 196.33.34.250/32, 196.33.34.251/32, 196.33.34.252/32, 196.33.34.253/32 }
table <rfc1918> { 10/8, 172.16/12, 192.168/16 }
table <scribe> { 196.33.34.233/32 }
table <jamiat> { 196.33.34.217/32 }
table <afriprod> { 196.33.34.221/32 }


# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all


# Queueing: rule-based bandwidth control.
altq on $int_if bandwidth 3072Kb cbq (red, ecn) queue { dflt_i, mail_i, jamiat_i }
queue dflt_i bandwidth 2528Kb cbq (default, red, ecn)
queue mail_i bandwidth 512Kb cbq (borrow, red, ecn)
queue jamiat_i bandwidth 32Kb cbq (red, ecn)


altq on $ext_if bandwidth 3072Kb cbq (red, ecn) queue { dflt_o, mail_o, jamiat_o }
queue dflt_o bandwidth 2528Kb cbq (default, red, ecn)
queue mail_o bandwidth 512Kb cbq (borrow, red, ecn)
queue jamiat_o bandwidth 32Kb cbq (red, ecn)


# Filtering: the implicit first two rules are
pass in all
pass out all

# restrict access to our routers
block in quick on $ext_if from any to <routers>

# block rfc 1918 addresses in or out
block in quick from any to <rfc1918>
block in quick from <rfc1918> to any

# block smtp connects from our dial pool
block in quick log on $int_if proto tcp from <dial> to any port smtp

# block ms networking shit and mydoom
block in quick log proto { tcp, udp } from any to any port { 135, 137, 139, 3126><3199, 445, 1433 }


# assign traffic to queues
pass out quick on $int_if proto tcp from any to <scribe> port { smtp, pop3, imap } keep state queue mail_i
pass out quick on $int_if from any to <jamiat> keep state queue jamiat_i


pass out quick on $ext_if proto tcp from <scribe> to any port { smtp } keep state queue mail_o
pass out quick on $ext_if from <jamiat> to any keep state queue jamiat_o
#
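
An added example, not part of the original post: it pairs the SYN/ACKs in the two captures above and tests the destination port of each one that reached fxp0 but never appeared on rl0 against the port list of the posted `block in quick log proto { tcp, udp }` rule, reading `3126><3199` per pf.conf(5) as the exclusive range 3127-3198. The function names are hypothetical, and the sample lines are excerpts of the poster's own captures.

```python
import re

# Port list copied from the "block in quick log proto { tcp, udp }" rule in the post.
BLOCK_PORTS = "135, 137, 139, 3126><3199, 445, 1433"

def pf_port_matcher(spec):
    """Build a predicate for a pf port list; 'a><b' is the exclusive range a < p < b."""
    singles, ranges = set(), []
    for item in (s.strip() for s in spec.split(",")):
        if "><" in item:
            lo, hi = (int(x) for x in item.split("><"))
            ranges.append((lo, hi))
        else:
            singles.add(int(item))
    return lambda port: port in singles or any(lo < port < hi for lo, hi in ranges)

# tcpdump text line: time src.sport > dst.dport: flags rest
LINE = re.compile(r"^\S+ ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): (\S+) (.*)$")

def syn_acks(capture):
    """Return {(src, sport, dst, dport)} for each SYN/ACK in a tcpdump text capture."""
    found = set()
    for line in capture.strip().splitlines():
        m = LINE.match(line.strip())
        if m and m.group(5) == "S" and " ack " in m.group(6):
            found.add((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return found

def lost_between(ext_capture, int_capture, spec=BLOCK_PORTS):
    """SYN/ACKs seen on the external interface but never on the internal one,
    each paired with whether its destination port matches the block rule."""
    blocked = pf_port_matcher(spec)
    lost = syn_acks(ext_capture) - syn_acks(int_capture)
    return sorted((dport, blocked(dport)) for _, _, _, dport in lost)

# Excerpts of the fxp0 (external) capture from the post.
EXT_FXP0 = """
16:28:07.308516 66.102.11.104.80 > 196.35.86.108.3158: S 1104655753:1104655753(0) ack 1886978943 win 8190 <mss 1460> [tos 0x28]
16:28:28.281081 66.102.11.99.80 > 196.35.86.108.3159: S 2031984562:2031984562(0) ack 1891819289 win 8190 <mss 1460> [tos 0x28]
16:32:24.778481 66.102.11.104.80 > 196.35.86.108.3176: S 103432278:103432278(0) ack 1946754720 win 8190 <mss 1460> [tos 0x28]
"""
# Excerpts of the rl0 (internal) capture from the post.
INT_RL0 = """
16:28:07.109826 196.35.86.108.3158 > 66.102.11.104.80: S 1886978942:1886978942(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:28:27.991228 196.35.86.108.3159 > 66.102.11.99.80: S 1891819288:1891819288(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
16:32:24.778532 66.102.11.104.80 > 196.35.86.108.3176: S 103432278:103432278(0) ack 1946754720 win 8190 <mss 1460> [tos 0x28]
"""

if __name__ == "__main__":
    for dport, blocked in lost_between(EXT_FXP0, INT_RL0):
        print(f"SYN/ACK to port {dport} lost between fxp0 and rl0; "
              f"matches block rule port list: {blocked}")
```

The port-3176 handshake also targets a port in that range but completed, consistent with the post's note that pf was disabled at 16:32:24. The posted `pass in all` / `pass out all` rules carry no `keep state`, so while pf is enabled each returning packet is evaluated against the block rules on its own.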