Date:      Mon, 12 Mar 2012 23:43:53 +0000
From:      Doug Sampson <dougs@dawnsign.com>
To:        "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   RE: Differences in PF between FBSD 8.2 & 9.0?
Message-ID:  <E6B2517F8D6DBF4CABB8F38ACA367E78071AE8@Draco.dawnsign.com>
In-Reply-To: <183ABE4C-9BBB-4B2E-A9B9-CA9F139C827A@lafn.org>
References:  <D358EEF1F9124D44B25B0ED225C8FDE6356CF7@hydra.dawnsign.com> <4F3B76DB.1040301@my.gd> <E6B2517F8D6DBF4CABB8F38ACA367E780708CB@Draco.dawnsign.com> <183ABE4C-9BBB-4B2E-A9B9-CA9F139C827A@lafn.org>

> > I'm now getting back to this issue after being diverted to other
> projects. Spam has been noticed by our staff and they're not happy. :)
> >
> > Here's what the tcp dump show:
> >
> > mailfilter-root@~# tcpdump -nei pflog0 port 8025
> > tcpdump: WARNING: pflog0: no IPv4 address assigned
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> > listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size
> 65535 bytes
> > 13:12:14.948935 rule 0..16777216/0(match): block in on fxp0:
> 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win
> 5840, options [mss 1460,nop,nop,TS val 1845169225 ecr 0,nop,wscale
> 0,nop,nop,sackOK], length 0
> > 13:12:18.324854 rule 0..16777216/0(match): block in on fxp0:
> 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win
> 5840, options [mss 1460,nop,nop,TS val 1845169563 ecr 0,nop,wscale
> 0,nop,nop,sackOK], length 0
> > ...
> >
> >
> > The pflog0 shows that all incoming packets are blocked by rule #0 which
> is:
> >
> > @0 scrub in all fragment reassemble
> > @0 block drop in log all
> >
> >
> > And
> >
> > mailfilter-root@~# spamdb | g GREY
> > mailfilter-root@~#
> >
> > No greytrapping is occurring. Is the 'scrub' rule screwing up our
> packets? Our pf.conf worked fine in version 8.2 prior to the upgrade to
> 9.0.
> >
> > Also why am I being warned that there isn't an IPv4 address assigned to
> pflog0?
> >
> > Pertinent pf.conf section related to spamd:
> >
> > # spamd-setup puts addresses to be redirected into table <spamd>.
> > table <spamd> persist
> > table <spamd-white> persist
> > table <spamd-mywhite> persist file "/usr/local/etc/spamd/spamd-mywhite"
> > table <spamd-spf> persist file "/usr/local/etc/spamd/spamd-spf.txt"
> > #no rdr on { lo0, lo1 } from any to any
> > # redirect to spamd
> > rdr inet proto tcp from <spamd-mywhite> to $external_addr port smtp ->
> 127.0.0.1 port smtp
> > rdr inet proto tcp from <spamd-spf> to $external_addr port smtp ->
> 127.0.0.1 port smtp
> > rdr inet proto tcp from <spamd-white> to $external_addr port smtp ->
> 127.0.0.1 port smtp
> > rdr inet proto tcp from <spamd> to $external_addr port smtp -> 127.0.0.1
> port spamd
> > rdr inet proto tcp from !<spamd-mywhite> to $external_addr port smtp ->
> 127.0.0.1 port spamd
> >
> > # block all incoming packets but allow ssh, pass all outgoing tcp and
> udp
> > # connections and keep state, logging blocked packets.
> > block in log all
> >
> > # allow inbound/outbound mail! also to log to pflog
> > pass in log inet proto tcp from any to $external_addr port smtp flags
> S/SA synproxy state
> > pass out log inet proto tcp from $external_addr to any port smtp flags
> S/SA synproxy state
> > pass in log inet proto tcp from $internal_net to $int_if port smtp flags
> S/SA synproxy state
> > pass in log inet proto tcp from $dmz_net to $int_if port smtp flags S/SA
> synproxy state
>
> I wouldn't claim to be an expert on pf, but no one else has replied.  Here
> is my understanding - The redirect rules (rdr) change the destination
> first to 127.0.0.1 port spamd (which appears to be 8025 from the dump).
> Then pf applies the filter rules (block pass) to the new addresses.  The
> only filter rule which references port 8025 is the first one: block in log
> all.  I believe you need a rule to permit mail in on the 8025 port.
>

I modified the following rules:
# allow inbound/outbound mail! also to log to pflog
pass in log inet proto tcp from any to $external_addr port smtp flags S/SA synproxy state
pass in log inet proto tcp from any to 127.0.0.1 port smtp flags S/SA synproxy state
pass in log inet proto tcp from any to 127.0.0.1 port spamd flags S/SA synproxy state
pass out log inet proto tcp from $external_addr to any port smtp flags S/SA synproxy state
pass in log inet proto tcp from $internal_net to $int_if port smtp flags S/SA synproxy state
pass in log inet proto tcp from $dmz_net to $int_if port smtp flags S/SA synproxy state

I now am seeing packets to port 25 on the external interface being passed to lo0 port 25. Packets destined for port 8025 on the lo0 interface are being passed. So far so good. The trouble is I am not seeing GREYTRAP entries in the spamdb like I used to see previously. Netstat -an reports connections between various smtp servers and our smtp server.

I am at a loss. Should I rebuild the spamd port considering that our greytrapping mechanism broke down when I upgraded from 8.3 to 9.0?

~Doug
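The evaluation order explained in the quoted reply (rdr rewrites the destination first, then the block/pass rules are matched against the rewritten packet) is the whole reason the original ruleset dropped spamd traffic. The following toy model, added here as an illustration and not code from the thread or from pf itself, replays that order over a reduced version of the posted rules: translation rules use first-match-wins, filter rules use last-match-wins (no `quick` rules), and `flags`/`synproxy state` clauses are ignored. `$external_addr`, the `<spamd-mywhite>` table contents and the sender addresses are constructed placeholders; port 8025 for `spamd` comes from the posted tcpdump output.

```python
"""Toy model of pf's evaluation order as described in the thread:
rdr (translation) rules run first and the first matching one wins;
the filter rules are then evaluated against the *translated* packet
and the last matching rule wins.  Ruleset and addresses are constructed
for this example; they are not the poster's full pf.conf."""
from dataclasses import dataclass, replace
from typing import Callable, Optional, Tuple

SMTP, SPAMD = 25, 8025            # spamd listens on 8025 per the tcpdump output
EXTERNAL_ADDR = "192.0.2.10"      # constructed stand-in for $external_addr
SPAMD_MYWHITE = {"198.51.100.7"}  # constructed stand-in for table <spamd-mywhite>


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class RdrRule:
    """rdr ... from <src> to <dst> port <dport> -> <to_dst> port <to_port>"""
    src_match: Callable[[str], bool]
    dst: str
    dport: int
    to_dst: str
    to_port: int


@dataclass(frozen=True)
class FilterRule:
    """pass/block in ... to <dst> port <dport>; None means 'any'."""
    action: str
    dst: Optional[str] = None
    dport: Optional[int] = None


def apply_rdr(pkt: Packet, rdr_rules) -> Packet:
    """First matching translation rule rewrites the destination."""
    for rule in rdr_rules:
        if rule.src_match(pkt.src) and pkt.dst == rule.dst and pkt.dport == rule.dport:
            return replace(pkt, dst=rule.to_dst, dport=rule.to_port)
    return pkt


def filter_verdict(pkt: Packet, filter_rules) -> Tuple[str, Optional[int]]:
    """Last matching filter rule decides; returns (action, rule index)."""
    verdict: Tuple[str, Optional[int]] = ("pass", None)  # pf default with no match
    for idx, rule in enumerate(filter_rules):
        if rule.dst not in (None, pkt.dst):
            continue
        if rule.dport not in (None, pkt.dport):
            continue
        verdict = (rule.action, idx)
    return verdict


def evaluate(pkt: Packet, rdr_rules, filter_rules):
    """Full path: translate, then filter the translated packet."""
    translated = apply_rdr(pkt, rdr_rules)
    action, idx = filter_verdict(translated, filter_rules)
    return translated, action, idx


# Reduced form of the posted rdr rules: whitelisted senders go to the real
# MTA on 127.0.0.1:25, everyone else to spamd on 127.0.0.1:8025.
RDR_RULES = [
    RdrRule(lambda s: s in SPAMD_MYWHITE, EXTERNAL_ADDR, SMTP, "127.0.0.1", SMTP),
    RdrRule(lambda s: s not in SPAMD_MYWHITE, EXTERNAL_ADDR, SMTP, "127.0.0.1", SPAMD),
]

# Filter rules as originally posted: the pass rule only names $external_addr,
# which no longer matches once rdr has rewritten the destination.
ORIGINAL_FILTER = [
    FilterRule("block"),                      # block in log all
    FilterRule("pass", EXTERNAL_ADDR, SMTP),  # pass in ... to $external_addr port smtp
]

# Filter rules after the change in the reply: explicit passes for the
# translated destinations.
FIXED_FILTER = ORIGINAL_FILTER + [
    FilterRule("pass", "127.0.0.1", SMTP),    # pass in ... to 127.0.0.1 port smtp
    FilterRule("pass", "127.0.0.1", SPAMD),   # pass in ... to 127.0.0.1 port spamd
]

if __name__ == "__main__":
    unknown_sender = Packet("fxp0", "203.0.113.5", EXTERNAL_ADDR, SMTP)  # constructed
    for name, rules in (("original", ORIGINAL_FILTER), ("fixed", FIXED_FILTER)):
        translated, action, idx = evaluate(unknown_sender, RDR_RULES, rules)
        print(f"{name}: {translated.dst}:{translated.dport} -> {action} (rule {idx})")
```

With the original filter list every redirected SYN ends up matching only rule 0 (`block in log all`), which is exactly the `rule 0..16777216/0(match): block in on fxp0` line in the pflog capture; the check to make when debugging this class of problem is therefore to compare the destination in the pflog line against the destinations named in the pass rules, not against the address the sender originally connected to.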



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E6B2517F8D6DBF4CABB8F38ACA367E78071AE8>