Date: Wed, 16 Dec 2009 19:50:36 -0800
From: Doug Hardie <bc979@lafn.org>
To: freebsd-questions - <freebsd-questions@freebsd.org>
Subject: Re: I am not understanding something about pf
Message-ID: <59459CE1-CC01-40A2-88C0-7098F7D2ADE8@lafn.org>
In-Reply-To: <F382ED5D-85A1-4365-9395-4D391405ACBE@lafn.org>
References: <F382ED5D-85A1-4365-9395-4D391405ACBE@lafn.org>
On 11 December 2009, at 19:30, Doug Hardie wrote:

> I am running 7.2-Stable with pf. I have the following pf.conf:
>
> no rdr inet proto tcp from <spamd-white-local> to any port smtp
> no rdr inet proto tcp from <spamd-white> to any port smtp
> rdr pass inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
>
> This is the basic spamd configuration with an extra table <spamd-white-local> which lists hosts to go directly to the mail server. Everything works properly. Hosts not in either spamd table go to spamd and those in either spamd table go directly to the mail server. However, the pf statistics don't seem to make sense to me. I always see the following:
>
> no rdr inet proto tcp from <spamd-white-local> to any port = smtp
>   [ Evaluations: 1193433   Packets: 0         Bytes: 0           States: 0     ]
>   [ Inserted: uid 0 pid 73310 ]
> no rdr inet proto tcp from <spamd-white> to any port = smtp
>   [ Evaluations: 110124    Packets: 0         Bytes: 0           States: 0     ]
>   [ Inserted: uid 0 pid 73310 ]
> rdr pass inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025
>   [ Evaluations: 110124    Packets: 63        Bytes: 3516        States: 1     ]
>   [ Inserted: uid 0 pid 73310 ]
>
> Where the first two entries never show any Packets and the third shows everything. Does "no rdr" work differently than "rdr" with the statistics? I understood from the Book of PF that the rules were evaluated such that the last matching rule is used. Hence I think that with the above conf file the spamd-white-local table would never get used as the connection will match one of the 2 following rules.
>
> So I ran another test by putting the first rule last:
>
> no rdr inet proto tcp from <spamd-white> to any port smtp
> rdr pass inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
> no rdr inet proto tcp from <spamd-white-local> to any port smtp
>
> Now entries in <spamd-white-local> are ignored, and the statistics are quite different:
>
> no rdr inet proto tcp from <spamd-white> to any port = smtp
>   [ Evaluations: 79        Packets: 0         Bytes: 0           States: 0     ]
>   [ Inserted: uid 0 pid 86983 ]
> rdr pass inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025
>   [ Evaluations: 52        Packets: 25        Bytes: 1395        States: 1     ]
>   [ Inserted: uid 0 pid 86983 ]
> no rdr inet proto tcp from <spamd-white-local> to any port = smtp
>   [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
>   [ Inserted: uid 0 pid 86983 ]
>
>
> Now the last rule says it's never evaluated. This indicates that it's the first rule that matches that is used rather than the last. However, why are there never any packets counted in the "no rdr" rules?
>

It appears that my reply with the full pf.conf didn't make the list. Am trying again.

MAILHOSTS = "{zoon.lafn.org}"

table <spamd> persist
table <spamd-white> persist
table <spamd-white-local> persist file "/etc/mail/whitelist"

no rdr on { lo0, lo1 } from any to any
no rdr inet proto tcp from <spamd-white-local> to any port smtp
no rdr inet proto tcp from <spamd-white> to any port smtp
rdr pass inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd

pass in log inet proto tcp to $MAILHOSTS port smtp keep state
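The second test above shows the ordering problem directly: pf applies the first matching translation rule, so a "no rdr" placed after the catch-all "rdr pass" is never evaluated. The following script is an added example, not part of the thread or of pf itself; it parses the per-rule counters in the format "pfctl -vsn" prints (here a constructed sample modelled on the numbers in the mail) and lists rules that are unreachable, plus rules that were evaluated but never counted a packet.

```sh
#!/bin/sh
# Audit the per-rule counters printed by 'pfctl -vsn' (translation rules).
# Translation rules are first-match, so a rule that is never evaluated is
# unreachable given the rules above it; that is the ordering problem the
# mail describes with <spamd-white-local> placed last.

# Constructed sample modelled on the second test in the mail; not real output.
SAMPLE_STATS='no rdr inet proto tcp from <spamd-white> to any port = smtp
  [ Evaluations: 79        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 86983 ]
rdr pass inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025
  [ Evaluations: 52        Packets: 25        Bytes: 1395        States: 1     ]
  [ Inserted: uid 0 pid 86983 ]
no rdr inet proto tcp from <spamd-white-local> to any port = smtp
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 86983 ]'

# Read pfctl -vsn output on stdin; print "<evaluations> <packets> <rule>" per rule.
# Rule text does not start with "["; the counter lines below each rule do.
rule_counters() {
    awk '
        NF == 0   { next }
        $1 != "[" { rule = $0; next }
        /Evaluations:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "Evaluations:") ev = $(i + 1)
                if ($i == "Packets:")     pk = $(i + 1)
            }
            print ev, pk, rule
        }'
}

# Rules with zero evaluations: shadowed by an earlier first-match rule.
never_evaluated() {
    rule_counters | awk '$1 == 0 { $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

# Rules that were evaluated but never counted a packet: worth a second look.
evaluated_unmatched() {
    rule_counters | awk '$1 > 0 && $2 == 0 { $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

# Counts over the constructed sample, so the result can be checked.
shadowed_count()  { printf '%s\n' "$SAMPLE_STATS" | never_evaluated     | wc -l | tr -d ' '; }
unmatched_count() { printf '%s\n' "$SAMPLE_STATS" | evaluated_unmatched | wc -l | tr -d ' '; }

# Usage on a live system:  pfctl -vsn | never_evaluated
printf '%s\n' "$SAMPLE_STATS" | never_evaluated
```

On the sample this reports the trailing "no rdr ... <spamd-white-local>" rule as shadowed, matching the "Evaluations: 0" in the mail.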