From: xSAPPYx
To: Doug Hardie
Cc: freebsd-questions@freebsd.org
Date: Fri, 11 Dec 2009 23:31:10 -0800
Message-ID: <8206ae960912112331p447a4057s8387c15e391dd9ef@mail.gmail.com>
Subject: Re: I am not understanding something about pf
On Fri, Dec 11, 2009 at 7:30 PM, Doug Hardie wrote:

> I am running 7.2-Stable with pf. I have the following pf.conf:
>
> no rdr inet proto tcp from to any port smtp
> no rdr inet proto tcp from to any port smtp
> rdr pass inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
>
> This is the basic spamd configuration with an extra table which lists
> hosts to go directly to the mail server. Everything works properly. Hosts
> not in either spamd table go to spamd and those in either spamd table go
> directly to the mail server. However, the pf statistics don't seem to
> make sense to me. I always see the following:
>
> no rdr inet proto tcp from to any port = smtp
>   [ Evaluations: 1193433   Packets: 0    Bytes: 0      States: 0 ]
>   [ Inserted: uid 0 pid 73310 ]
> no rdr inet proto tcp from to any port = smtp
>   [ Evaluations: 110124    Packets: 0    Bytes: 0      States: 0 ]
>   [ Inserted: uid 0 pid 73310 ]
> rdr pass inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025
>   [ Evaluations: 110124    Packets: 63   Bytes: 3516   States: 1 ]
>   [ Inserted: uid 0 pid 73310 ]
>
> Where the first two entries never show any Packets and the third shows
> everything. Does "no rdr" work differently than "rdr" with the statistics?
> I understood from the Book of PF that the rules were evaluated such that
> the last matching rule is used. Hence I think that with the above conf
> file the spamd-white-local table would never get used as the connection
> will match one of the 2 following rules.
>
> So I ran another test by putting the first rule last:
>
> no rdr inet proto tcp from to any port smtp
> rdr pass inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
> no rdr inet proto tcp from to any port smtp
>
> Now entries in are ignored, and the statistics are quite different:
>
> no rdr inet proto tcp from to any port = smtp
>   [ Evaluations: 79   Packets: 0    Bytes: 0      States: 0 ]
>   [ Inserted: uid 0 pid 86983 ]
> rdr pass inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025
>   [ Evaluations: 52   Packets: 25   Bytes: 1395   States: 1 ]
>   [ Inserted: uid 0 pid 86983 ]
> no rdr inet proto tcp from to any port = smtp
>   [ Evaluations: 0    Packets: 0    Bytes: 0      States: 0 ]
>   [ Inserted: uid 0 pid 86983 ]
>
> Now the last rule says it's never evaluated. This indicates that it's the
> first rule that matches that is used rather than the last. However, why
> are there never any packets counted in the "no rdr" rules?

Do you have a "pass in proto tcp to port smtp" or some such rule that is
capturing the rest of the packets/accounting stats?

I believe the "pass" in the second test (rdr pass inet proto tcp from any
to any port = smtp -> 127.0.0.1 port 8025) is short-circuiting your assumed
"last match wins".

The full pf.conf would be helpful.
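To make the evaluation order in the two tests concrete, here is an added Python simulation of how pf walks translation rules; it is not code from either poster. pf.conf(5) states that translation (nat/rdr) rules are evaluated first to last and the first matching rule decides, unlike filter rules, where the last match wins unless `quick` is set. The table names and addresses below are constructed stand-ins (the real table names did not survive in the quoted pf.conf), and the counter model, in which a `no rdr` match increments Evaluations but is never credited with Packets or Bytes because it performs no translation, is an assumption chosen to reproduce the shape of the quoted pfctl output, not something the thread confirms.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-ins for the pf tables the thread refers to (assumed names,
# made-up documentation-range addresses).
SPAMD_WHITE_LOCAL = {"192.0.2.10", "192.0.2.11"}   # assumed: hosts that bypass spamd
SPAMD_WHITE = {"198.51.100.7"}                      # assumed: spamd's own whitelist
SPAMD_TARGET = ("127.0.0.1", 8025)                  # spamd listener from the quoted output
SMTP = 25


@dataclass
class TransRule:
    """One translation rule with the per-rule counters pfctl reports."""
    action: str                               # "no rdr" or "rdr pass"
    src_table: Optional[frozenset]            # None means "from any"
    dport: int
    target: Optional[Tuple[str, int]] = None  # redirect destination for "rdr"
    evaluations: int = 0
    packets: int = 0
    bytes: int = 0

    def matches(self, src: str, dport: int) -> bool:
        return dport == self.dport and (self.src_table is None or src in self.src_table)


def translate(rules, src, dport, nbytes):
    """Walk translation rules first to last; the first match decides (pf.conf(5)).

    Returns the redirect target, or None when nothing matched or a 'no rdr'
    rule matched. Accounting assumption: only a rule that performs a
    translation is credited with Packets/Bytes, so a 'no rdr' match counts
    an evaluation but never a packet.
    """
    for rule in rules:
        rule.evaluations += 1
        if not rule.matches(src, dport):
            continue
        if rule.action == "no rdr":
            return None               # excluded from redirection, no translation
        rule.packets += 1
        rule.bytes += nbytes
        return rule.target
    return None


def ruleset(order):
    """Build the thread's three rules in the given order of 'local', 'white', 'rdr'."""
    catalog = {
        "local": lambda: TransRule("no rdr", frozenset(SPAMD_WHITE_LOCAL), SMTP),
        "white": lambda: TransRule("no rdr", frozenset(SPAMD_WHITE), SMTP),
        "rdr": lambda: TransRule("rdr pass", None, SMTP, SPAMD_TARGET),
    }
    return [catalog[name]() for name in order]


# Constructed SMTP connection attempts: (source address, bytes in first packet).
TRAFFIC = [
    ("192.0.2.10", 1200),    # listed in the local table
    ("198.51.100.7", 900),   # listed in spamd's whitelist
    ("203.0.113.5", 1416),   # unknown sender
]


def run(order):
    """Feed TRAFFIC through a ruleset; return per-source outcome and per-rule counters."""
    rules = ruleset(order)
    outcomes = {src: translate(rules, src, SMTP, n) for src, n in TRAFFIC}
    counters = [(r.action, r.evaluations, r.packets, r.bytes) for r in rules]
    return outcomes, counters


if __name__ == "__main__":
    for order in (("local", "white", "rdr"), ("white", "rdr", "local")):
        outcomes, counters = run(order)
        print(order)
        for src, tgt in outcomes.items():
            label = "direct to MTA" if tgt is None else "%s:%d" % tgt
            print("  %-14s -> %s" % (src, label))
        for c in counters:
            print("  %-8s Evaluations: %d Packets: %d Bytes: %d" % c)
```

With the first ordering every SMTP connection is examined by the first `no rdr` rule, only non-excluded ones reach the `rdr pass` rule, and only that rule ever accumulates Packets and Bytes. With the second ordering the `rdr pass` rule catches everything the first `no rdr` rule did not exclude, so the trailing `no rdr` rule is never reached and reports `Evaluations: 0`, exactly the pattern in the quoted output, and hosts in the local table end up redirected to spamd. The per-rule counters quoted in the thread are what `pfctl -v -s nat` prints.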