From owner-freebsd-pf@FreeBSD.ORG Sun Mar 11 09:45:13 2012
From: Remko Lodder
Date: Sun, 11 Mar 2012 10:45:04 +0100
To: just man man
Cc: freebsd-pf@freebsd.org
Subject: Re: Shaping bandwith vlan

Hello,

I am not sure whether bandwidth shaping on VLANs actually works. Besides that, you are questioning a FreeBSD mailing list on how OpenBSD should be configured? In that case I have to disappoint you and tell you that we cannot actually help you. In the above case you could contact misc@OpenBSD.org to get support. Though it is expected that you try to search for the information yourself prior to getting into contact with the mailing list (e.g. search on the internet and try to solve the problem yourself first).

Good luck :)

Remko

On Mar 11, 2012, at 12:15 AM, just man man wrote:

> We have OpenBSD connected with switch Catalyst Cisco 2950, in Catalyst
> configure vlan 10, vlan 20, vlan 30.
> Do you know how to make shaping bandwidth management if we have many vlan?
>
> thank you

-- 
/"\ With kind regards, | remko@elvandar.org
\ / Remko Lodder       | remko@FreeBSD.org
 X  FreeBSD            | http://www.evilcoder.org
/ \ The Power to Serve | Quis custodiet ipsos custodes

From owner-freebsd-pf@FreeBSD.ORG Sun Mar 11 17:41:27 2012
From: Doug Hardie
Date: Sun, 11 Mar 2012 10:31:09 -0700
To: Doug Sampson
Cc: freebsd-pf@freebsd.org
Subject: Re: Differences in PF between FBSD 8.2 & 9.0?

On 10 March 2012, at 13:34, Doug Sampson wrote:

>> On 2/15/12 2:22 AM, Doug Sampson wrote:
>>> I got bitten by PF when upgrading from 8.2 to 9.0. It refused to allow
>>> any incoming mail. I'm using spamd in conjunction with pf. I use a
>>> combination of natting along with redirections in conjunction with the
>>> normal pass/block rules.
>>
>> Toggle logging on both your default drop rule and your allow mail ones.
>>
>> Then tcpdump -nei pflog0 ip and port 465 (or 25, whichever)
>> See what rule number matches your packets, then find out what rule that
>> is with pfctl -vvvsr
>
> I'm now getting back to this issue after being diverted to other projects. Spam has been noticed by our staff and they're not happy. :)
>
> Here's what the tcpdump shows:
>
> mailfilter-root@~# tcpdump -nei pflog0 port 8025
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
> 13:12:14.948935 rule 0..16777216/0(match): block in on fxp0: 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, options [mss 1460,nop,nop,TS val 1845169225 ecr 0,nop,wscale 0,nop,nop,sackOK], length 0
> 13:12:18.324854 rule 0..16777216/0(match): block in on fxp0: 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, options [mss 1460,nop,nop,TS val 1845169563 ecr 0,nop,wscale 0,nop,nop,sackOK], length 0
> ...
>
> The pflog0 shows that all incoming packets are blocked by rule #0 which is:
>
> @0 scrub in all fragment reassemble
> @0 block drop in log all
>
> And
>
> mailfilter-root@~# spamdb | g GREY
> mailfilter-root@~#
>
> No greytrapping is occurring. Is the 'scrub' rule screwing up our packets? Our pf.conf worked fine in version 8.2 prior to the upgrade to 9.0.
>
> Also, why am I being warned that there isn't an IPv4 address assigned to pflog0?
>
> Pertinent pf.conf section related to spamd:
>
> # spamd-setup puts addresses to be redirected into table .
> table persist
> table persist
> table persist file "/usr/local/etc/spamd/spamd-mywhite"
> table persist file "/usr/local/etc/spamd/spamd-spf.txt"
> #no rdr on { lo0, lo1 } from any to any
> # redirect to spamd
> rdr inet proto tcp from to $external_addr port smtp -> 127.0.0.1 port smtp
> rdr inet proto tcp from to $external_addr port smtp -> 127.0.0.1 port smtp
> rdr inet proto tcp from to $external_addr port smtp -> 127.0.0.1 port smtp
> rdr inet proto tcp from to $external_addr port smtp -> 127.0.0.1 port spamd
> rdr inet proto tcp from ! to $external_addr port smtp -> 127.0.0.1 port spamd
>
> # block all incoming packets but allow ssh, pass all outgoing tcp and udp
> # connections and keep state, logging blocked packets.
> block in log all
>
> # allow inbound/outbound mail! also to log to pflog
> pass in log inet proto tcp from any to $external_addr port smtp flags S/SA synproxy state
> pass out log inet proto tcp from $external_addr to any port smtp flags S/SA synproxy state
> pass in log inet proto tcp from $internal_net to $int_if port smtp flags S/SA synproxy state
> pass in log inet proto tcp from $dmz_net to $int_if port smtp flags S/SA synproxy state

I wouldn't claim to be an expert on pf, but no one else has replied. Here is my understanding: the redirect rules (rdr) change the destination first to 127.0.0.1 port spamd (which appears to be 8025 from the dump). Then pf applies the filter rules (block/pass) to the new addresses. The only filter rule which references port 8025 is the first one: block in log all. I believe you need a rule to permit mail in on the 8025 port.

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 12 11:07:18 2012
From: FreeBSD bugmaster
Date: Mon, 12 Mar 2012 11:07:17 GMT
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).
The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/165315  pf    [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf    [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf    [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf    [pf] PF state key linking mismatch
o kern/160370  pf    [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf    [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to successfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

48 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Mar 12 23:44:12 2012
From: Doug Sampson
Date: Mon, 12 Mar 2012 23:43:53 +0000
To: freebsd-pf@freebsd.org
Subject: RE: Differences in PF between FBSD 8.2 & 9.0?

> I wouldn't claim to be an expert on pf, but no one else has replied. Here
> is my understanding - The redirect rules (rdr) change the destination
> first to 127.0.0.1 port spamd (which appears to be 8025 from the dump).
> Then pf applies the filter rules (block pass) to the new addresses. The
> only filter rule which references port 8025 is the first one: block in log
> all. I believe you need a rule to permit mail in on the 8025 port.

I modified the following rules:

# allow inbound/outbound mail! also to log to pflog
pass in log inet proto tcp from any to $external_addr port smtp flags S/SA synproxy state
pass in log inet proto tcp from any to 127.0.0.1 port smtp flags S/SA synproxy state
pass in log inet proto tcp from any to 127.0.0.1 port spamd flags S/SA synproxy state
pass out log inet proto tcp from $external_addr to any port smtp flags S/SA synproxy state
pass in log inet proto tcp from $internal_net to $int_if port smtp flags S/SA synproxy state
pass in log inet proto tcp from $dmz_net to $int_if port smtp flags S/SA synproxy state

I now am seeing packets to port 25 on the external interface being passed to lo0 port 25. Packets destined for port 8025 on the lo0 interface are being passed. So far so good. The trouble is I am not seeing GREYTRAP entries in the spamdb like I used to see previously. Netstat -an reports connections between various smtp servers and our smtp server.

I am at a loss. Should I rebuild the spamd port considering that our greytrapping mechanism broke down when I upgraded from 8.3 to 9.0?

~Doug

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 13 22:52:41 2012
From: Doug Hardie
Date: Tue, 13 Mar 2012 15:52:28 -0700
To: Doug Sampson
Cc: freebsd-pf@freebsd.org
Subject: Re: Differences in PF between FBSD 8.2 & 9.0?

On 12 March 2012, at 16:43, Doug Sampson wrote:

> I now am seeing packets to port 25 on the external interface being passed to lo0 port 25. Packets destined for port 8025 on the lo0 interface are being passed. So far so good. The trouble is I am not seeing GREYTRAP entries in the spamdb like I used to see previously. Netstat -an reports connections between various smtp servers and our smtp server.
>
> I am at a loss. Should I rebuild the spamd port considering that our greytrapping mechanism broke down when I upgraded from 8.3 to 9.0?

I am in the process of converting my development machine to 9.0 and ran tests on pf. Here is the pf.conf file that works with 9.0 for spam:

ext_if="bge0"

# Tables: similar to macros, but more flexible for many addresses.
# spamd-setup puts addresses to be redirected into table .
table persist
table persist
table persist file "/etc/mail/whitelist"

rdr pass on $ext_if inet proto tcp from to any port smtp -> 127.0.0.1 port smtp
rdr pass on $ext_if inet proto tcp from to any port smtp -> 127.0.0.1 port smtp
rdr pass on $ext_if inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd

I am not using any separate pass rules, which means there is no way to log any of this. You could add some pass rules for logging purposes though and remove the pass flags from the rdr's.
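Doug Hardie's point earlier in the thread, that the rdr rules rewrite the destination to 127.0.0.1 port spamd before the filter rules are evaluated, and the `rdr pass` form in his message above, as an added Python model of pf's evaluation order (not code from the list or from pf; the table names, the $external_addr value and the interface name are assumptions, since the page's table names did not survive extraction):

```python
"""Model of pf's evaluation order for the spamd redirect discussed in the
thread. Translation (rdr) rules are tried first and the first match
rewrites the destination; the filter rules then see the rewritten packet,
last match wins (no 'quick'); 'rdr pass' skips the filter rules entirely.
Constructed example: rules are plain dicts, 'any' matches everything and
'<name>' looks up a table (table names are assumed, not the page's)."""

PORTS = {"smtp": 25, "spamd": 8025}   # 8025 is the spamd port seen in the pflog dump
EXT_ADDR = "192.0.2.10"               # constructed stand-in for $external_addr

def pnum(p):
    """Service name or number -> port number."""
    return PORTS.get(p, p)

def addr_match(spec, addr, tables):
    """'any', a literal address, '<table>', or either of those negated with '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = addr in tables[spec[1:-1]] if spec.startswith("<") else addr == spec
    return hit != negate

def rule_match(rule, pkt, tables):
    """Direction, interface, port and address selectors; an absent key means 'any'."""
    for key in ("dir", "iface"):
        if rule.get(key, "any") not in ("any", pkt[key]):
            return False
    if rule.get("dport", "any") != "any" and pnum(rule["dport"]) != pkt["dport"]:
        return False
    return (addr_match(rule.get("src", "any"), pkt["src"], tables)
            and addr_match(rule.get("dst", "any"), pkt["dst"], tables))

def evaluate(rdr_rules, filter_rules, tables, pkt):
    """Return (verdict, deciding rule, packet as the filter rules saw it)."""
    pkt = dict(pkt)
    for r in rdr_rules:                        # translation: first match wins
        if rule_match(r, pkt, tables):
            pkt["dst"], pkt["dport"] = r["to"], pnum(r["to_port"])
            if r.get("pass"):                  # 'rdr pass': no filter evaluation at all
                return "pass", r, pkt
            break
    verdict, decider = "pass", None            # pf passes when no filter rule matches
    for r in filter_rules:                     # filtering: last match wins
        if rule_match(r, pkt, tables):
            verdict, decider = r["action"], r
            if r.get("quick"):
                break
    return verdict, decider, pkt

TABLES = {"spamd": set(), "spamd-white": set(), "spamd-mywhite": set()}  # assumed names

# Doug Sampson's redirects, simplified: senders in no table end up on port spamd.
RDR = [{"src": s, "dst": EXT_ADDR, "dport": "smtp", "to": "127.0.0.1", "to_port": t}
       for s, t in (("<spamd-mywhite>", "smtp"), ("<spamd-white>", "smtp"),
                    ("<spamd>", "spamd"), ("!<spamd-white>", "spamd"))]
BLOCK_ALL = {"action": "block", "dir": "in"}
PASS_EXT_SMTP = {"action": "pass", "dir": "in", "dst": EXT_ADDR, "dport": "smtp"}
PASS_SPAMD = {"action": "pass", "dir": "in", "dst": "127.0.0.1", "dport": "spamd"}
# Doug Hardie's form: rdr pass on $ext_if ... from any to any port smtp -> 127.0.0.1 port spamd
RDR_PASS = {"iface": "fxp0", "dport": "smtp", "to": "127.0.0.1", "to_port": "spamd", "pass": True}

# The SYN from the quoted pflog line, as it arrived on fxp0 before translation.
GREY_SYN = {"dir": "in", "iface": "fxp0", "src": "75.180.132.120", "dst": EXT_ADDR, "dport": 25}

def before_fix():
    """Original ruleset: the pass rule names $external_addr:25, never 127.0.0.1:8025."""
    return evaluate(RDR, [BLOCK_ALL, PASS_EXT_SMTP], TABLES, GREY_SYN)

def after_fix():
    """With the added 'pass in ... to 127.0.0.1 port spamd' rule."""
    return evaluate(RDR, [BLOCK_ALL, PASS_EXT_SMTP, PASS_SPAMD], TABLES, GREY_SYN)

def rdr_pass_form():
    """'rdr pass' passes the redirected packet with no filter rule for 8025 at all."""
    return evaluate([RDR_PASS], [BLOCK_ALL], TABLES, GREY_SYN)

if __name__ == "__main__":
    for name, fn in (("before", before_fix), ("after", after_fix), ("rdr pass", rdr_pass_form)):
        verdict, _, seen = fn()
        print(f"{name:8}: {verdict} (filter rules saw {seen['dst']}:{seen['dport']})")
```

The "before" case reproduces the dump: the SYN reaches the filter rules already rewritten to 127.0.0.1:8025, so only `block in log all` matches it.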
From owner-freebsd-pf@FreeBSD.ORG Thu Mar 15 09:06:55 2012
From: Lauren Mirfin
Date: Thu, 15 Mar 2012 11:06:54 +0200
To: freebsd-pf@freebsd.org
Subject: Drive A New Car from R499 P/M

Hi there

I need more information about this please. Please contact me on the details listed below.

Thank you.

Kind regards
Lauren Mirfin
Office Manager
Genome Cosmetics
021 551 4483
082 585 5986
lauren@obeyyourbody.com