Date: Thu, 16 Sep 2004 04:12:51 -0000
From: Jett Tayer <jett@sycorax.ath.cx>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] pf and spamd
Message-ID: <3ABA53F8-F323-11D8-A696-00039311ED22@sycorax.ath.cx>

Hello,

I'm using FreeBSD 5.2.1 and I'm having problems making pf work with spamd
(mail/spamd). When I try to load one of my IP addresses in the <spamd> table
and try to telnet to it at port 25 from another server whose IP is added in
the spamd table, I can't see the usual:

Escape character is '^]'.
220 mybox.myhostname.mydomain ESMTP spamd IP-based SPAM blocker; Sat Aug 21 11:27:57 2004

It just says

Trying mybox.myhostname.mydomain...

and that's it.

Below is my pf.conf:

# pf.conf

# Macros
# ext_if -- the interface to the outside world
ext_if="em0"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
icmp_types= "echoreq"

# Tables:
table <spamd> persist

# Options
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set require-order yes
set block-policy drop
set optimization normal
set loginterface none
set fingerprints "/usr/local/etc/pf.os"

# Normalize packets
scrub in all
scrub out all

no rdr on { lo0 } from any to any
rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
pass in quick inet proto tcp from <spamd> to 127.0.0.1 port 8025 keep state

# Filter packets
# block all incoming connections sent from the outside
# log all blocked packets
block in log all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# block all inbound connections to port 113 (auth)
# and return ICMP destination-unreachable
block return-rst in quick on $ext_if proto tcp \
    from any to $ext_if port auth

pass out keep state
pass in quick on lo0 all

# pass all connections originating from external hosts to
# port 22 (SSH) on the bastion host
pass in quick on $ext_if proto tcp \
    from any to $ext_if port 22 \
    flags S/SA keep state

# pass all connections originating from external hosts to
# port 25 (SMTP) on the bastion host
pass in quick on $ext_if inet proto tcp \
    from any to $ext_if port 25 \
    flags S/SA keep state

# pass all connections originating from external hosts to
# port 53 (DNS) on the bastion host
pass in quick on $ext_if inet proto tcp \
    from any to $ext_if port 53 \
    flags S/SA keep state

# pass all connections originating from external hosts to
# port 53 (DNS) on the bastion host
pass in quick on $ext_if inet proto udp \
    from any to $ext_if port 53 \
    keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass out quick on $ext_if proto { tcp,udp } \
    from $ext_if to any keep state

# antispoof rule on the external interface
antispoof for $ext_if