From: Doug Sampson <dougs@dawnsign.com>
To: freebsd-pf@freebsd.org
Date: Mon, 12 Mar 2012 23:43:53 +0000
Subject: RE: Differences in PF between FBSD 8.2 & 9.0?
In-Reply-To: <183ABE4C-9BBB-4B2E-A9B9-CA9F139C827A@lafn.org>
References: <4F3B76DB.1040301@my.gd> <183ABE4C-9BBB-4B2E-A9B9-CA9F139C827A@lafn.org>
> > I'm now getting back to this issue after being diverted to other
> > projects. Spam has been noticed by our staff and they're not happy. :)
> >
> > Here's what the tcpdump shows:
> >
> > mailfilter-root@~# tcpdump -nei pflog0 port 8025
> > tcpdump: WARNING: pflog0: no IPv4 address assigned
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
> > 13:12:14.948935 rule 0..16777216/0(match): block in on fxp0: 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, options [mss 1460,nop,nop,TS val 1845169225 ecr 0,nop,wscale 0,nop,nop,sackOK], length 0
> > 13:12:18.324854 rule 0..16777216/0(match): block in on fxp0: 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, options [mss 1460,nop,nop,TS val 1845169563 ecr 0,nop,wscale 0,nop,nop,sackOK], length 0
> > ...
> >
> > The pflog0 shows that all incoming packets are blocked by rule #0, which is:
> >
> > @0 scrub in all fragment reassemble
> > @0 block drop in log all
> >
> > And
> >
> > mailfilter-root@~# spamdb | g GREY
> > mailfilter-root@~#
> >
> > No greytrapping is occurring. Is the 'scrub' rule screwing up our packets? Our pf.conf worked fine in version 8.2 prior to the upgrade to 9.0.
> >
> > Also, why am I being warned that there isn't an IPv4 address assigned to pflog0?
> >
> > Pertinent pf.conf section related to spamd:
> >
> > # spamd-setup puts addresses to be redirected into table .
> > table persist
> > table persist
> > table persist file "/usr/local/etc/spamd/spamd-mywhite"
> > table persist file "/usr/local/etc/spamd/spamd-spf.txt"
> > #no rdr on { lo0, lo1 } from any to any
> > # redirect to spamd
> > rdr inet proto tcp from to $external_addr port smtp -> 127.0.0.1 port smtp
> > rdr inet proto tcp from to $external_addr port smtp -> 127.0.0.1 port smtp
> > rdr inet proto tcp from to $external_addr port smtp -> 127.0.0.1 port smtp
> > rdr inet proto tcp from to $external_addr port smtp -> 127.0.0.1 port spamd
> > rdr inet proto tcp from ! to $external_addr port smtp -> 127.0.0.1 port spamd
> >
> > # block all incoming packets but allow ssh, pass all outgoing tcp and udp
> > # connections and keep state, logging blocked packets.
> > block in log all
> >
> > # allow inbound/outbound mail! also to log to pflog
> > pass in log inet proto tcp from any to $external_addr port smtp flags S/SA synproxy state
> > pass out log inet proto tcp from $external_addr to any port smtp flags S/SA synproxy state
> > pass in log inet proto tcp from $internal_net to $int_if port smtp flags S/SA synproxy state
> > pass in log inet proto tcp from $dmz_net to $int_if port smtp flags S/SA synproxy state
>
> I wouldn't claim to be an expert on pf, but no one else has replied. Here is my understanding - The redirect rules (rdr) change the destination first to 127.0.0.1 port spamd (which appears to be 8025 from the dump). Then pf applies the filter rules (block, pass) to the new addresses. The only filter rule which references port 8025 is the first one: block in log all. I believe you need a rule to permit mail in on the 8025 port.
>

I modified the following rules:

# allow inbound/outbound mail! also to log to pflog
pass in log inet proto tcp from any to $external_addr port smtp flags S/SA synproxy state
pass in log inet proto tcp from any to 127.0.0.1 port smtp flags S/SA synproxy state
pass in log inet proto tcp from any to 127.0.0.1 port spamd flags S/SA synproxy state
pass out log inet proto tcp from $external_addr to any port smtp flags S/SA synproxy state
pass in log inet proto tcp from $internal_net to $int_if port smtp flags S/SA synproxy state
pass in log inet proto tcp from $dmz_net to $int_if port smtp flags S/SA synproxy state

I am now seeing packets to port 25 on the external interface being passed to lo0 port 25. Packets destined for port 8025 on the lo0 interface are being passed. So far so good. The trouble is I am not seeing GREYTRAP entries in the spamdb like I used to see previously. Netstat -an reports connections between various smtp servers and our smtp server.

I am at a loss. Should I rebuild the spamd port, considering that our greytrapping mechanism broke down when I upgraded from 8.3 to 9.0?

~Doug
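The evaluation order the reply describes (rdr rewrites the destination first, the filter rules are then matched against the translated packet, and the last matching rule wins) is modelled below in Python as an added example; it is not part of this thread and not pf's code. It replays the SYN from the pflog dump against the original filter section and against the modified one. The value of $external_addr, the table names (the archive extraction dropped the <...> names, so <spamd> and <spamd-white> are assumed from the spamd sample config), the table contents, and the collapsing of the three whitelist tables into one are all assumptions; synproxy, state tracking and the quick keyword are not modelled.

```python
"""Model of pf's rdr-then-filter evaluation order on FreeBSD 9.0.

Added example, not code from the mailing-list thread. Addresses, table
names and table contents are constructed/assumed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

EXTERNAL_ADDR = "203.0.113.10"  # assumed placeholder for $external_addr (TEST-NET-3)
SMTP_PORT = 25
SPAMD_PORT = 8025               # "port spamd" resolves to 8025, as the pflog dump shows

# Constructed table contents; in production spamd-setup and spamdb fill these.
TABLES = {
    "spamd-white": ["198.51.100.0/24"],  # assumed name of the whitelist table
    "spamd": ["192.0.2.0/24"],           # assumed name of the blacklist table
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str = "in"


@dataclass(frozen=True)
class RdrRule:
    """rdr inet proto tcp from [!]<table> to dst port dport -> new_dst port new_dport"""
    table: str
    negate: bool
    dst: str
    dport: int
    new_dst: str
    new_dport: int

    def matches(self, p: Packet) -> bool:
        in_table = any(ip_address(p.src) in ip_network(n) for n in TABLES[self.table])
        src_ok = (not in_table) if self.negate else in_table
        return src_ok and p.dst == self.dst and p.dport == self.dport


@dataclass(frozen=True)
class FilterRule:
    """block/pass <direction> [proto tcp from any to dst port dport]; None matches anything."""
    action: str
    direction: str
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and (self.dst is None or p.dst == self.dst)
                and (self.dport is None or p.dport == self.dport))


def translate(p: Packet, rdr_rules):
    """Translation rules: the first matching rdr wins and rewrites the destination."""
    for r in rdr_rules:
        if r.matches(p):
            return replace(p, dst=r.new_dst, dport=r.new_dport)
    return p


def filter_decision(p: Packet, filter_rules):
    """Filter rules see the translated packet; last match wins (no 'quick').
    Returns (action, index of winning rule); pf passes by default when nothing matches."""
    winner = ("pass", None)
    for idx, r in enumerate(filter_rules):
        if r.matches(p):
            winner = (r.action, idx)
    return winner


def evaluate(p: Packet, rdr_rules, filter_rules):
    """Return (action, winning rule index, translated dst, translated dport)."""
    translated = translate(p, rdr_rules)
    action, idx = filter_decision(translated, filter_rules)
    return action, idx, translated.dst, translated.dport


# rdr section in the order of the post, whitelist tables collapsed into one.
RDR = [
    RdrRule("spamd-white", False, EXTERNAL_ADDR, SMTP_PORT, "127.0.0.1", SMTP_PORT),
    RdrRule("spamd", False, EXTERNAL_ADDR, SMTP_PORT, "127.0.0.1", SPAMD_PORT),
    RdrRule("spamd-white", True, EXTERNAL_ADDR, SMTP_PORT, "127.0.0.1", SPAMD_PORT),
]

# Original filter section: rule 0 is "block in log all", the rule pflog reported.
FILTER_ORIGINAL = [
    FilterRule("block", "in"),
    FilterRule("pass", "in", EXTERNAL_ADDR, SMTP_PORT),
]

# Modified section: pass rules for the destinations the rdr rules produce.
FILTER_FIXED = FILTER_ORIGINAL + [
    FilterRule("pass", "in", "127.0.0.1", SMTP_PORT),
    FilterRule("pass", "in", "127.0.0.1", SPAMD_PORT),
]


if __name__ == "__main__":
    # The SYN from the pflog dump in the post, as it arrives on fxp0.
    syn = Packet("75.180.132.120", 33308, EXTERNAL_ADDR, SMTP_PORT)
    print("original:", evaluate(syn, RDR, FILTER_ORIGINAL))  # blocked by rule 0 at 127.0.0.1:8025
    print("fixed:   ", evaluate(syn, RDR, FILTER_FIXED))     # passed by the port spamd rule
```

Running it shows why pflog reported rule 0 with a destination of 127.0.0.1.8025: the block rule is the only one that matches the already-translated packet. The model also confirms that the added pass rules only cover the two loopback destinations the rdr rules produce; a non-SMTP packet to the external address still hits rule 0, so the fix does not widen exposure beyond the spamd and smtp redirect paths.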