From: Gavin Cooper
To: freebsd-pf@freebsd.org
Date: Thu, 06 Sep 2007 13:58:11 +1000
Subject: ports/mail/spamd not greylisting correctly

Hi all,

I've been playing with this for a while to get it working and below is my status.

First, my setup (NB, all servers mentioned are running 6-STABLE). I have a FreeBSD tri-homed gateway/router, which is where I'm trying to run spamd. On one NIC of the router I have my modem, the second has my private network, the third has my DMZ. The private network doesn't come into this story much at all. The DMZ has my FreeBSD/Qmail mailserver. My intention is to run spamd on the gateway to reduce the amount of processing the mailserver has to do for spam filtering.
My strategy is this: spamd on the gateway using a moderate to gentle selection of block lists via spamd-setup. I also (more so) want to configure greylisting. My understanding is that with this setup, pf and spamd work together to send all unknown servers a 455 temp failure error, asking them politely to come back later. If they come back after 30 mins (default) they're added to the pf table via spamd. When they come back a third time they're rdr'd to my real mailserver, which to this point has no knowledge of the SMTP attempt. Failing to retry the SMTP session in the allotted time essentially means nothing other than that the sending server failed to send me mail - presumably spam if they're too busy / poorly configured to come back. Additionally, I can modify a table via a txt file of servers which need not proceed through the greylisting treatment. All servers added via spamd-setup are entered into the table and are immediately tarpitted/stuttered on connection.

Assuming my understanding is correct thus far, I've configured as follows.

spamd is started via rc.conf thus:

# options for pf and spamd
pf_enable="YES"
pfspamd_enable="YES"
pfspamd_flags="-g -v -p 8025"
pfspamlogd_enable="YES"

my spamd.conf is this (I'll more carefully select lists when I know the config is working):

all:\
	:spews1:china:korea:

# Mirrored from http://www.spews.org/spews_list_level1.txt
spews1:\
	:black:\
	:msg=/usr/local/etc/spamdMsg.txt:\
	:method=file:\
	:file=/usr/local/etc/spamd/spews_list_level1.txt:

# Mirrored from http://www.spews.org/spews_list_level2.txt
spews2:\
	:black:\
	:msg=/usr/local/etc/spamdMsg.txt:\
	:method=file:\
	:file=www.openbsd.org/spamd/spews_list_level2.txt.gz:

# Mirrored from http://www.okean.com/chinacidr.txt
china:\
	:black:\
	:msg=/usr/local/etc/spamdMsg.txt:\
	:method=file:\
	:file=/usr/local/etc/spamd/chinacidr.txt:

# Mirrored from http://www.okean.com/koreacidr.txt
korea:\
	:black:\
	:msg=/usr/local/etc/spamdMsg.txt:\
	:method=file:\
	:file=/usr/local/etc/spamd/koreacidr.txt:

I've mounted fdescfs on /dev/fd (fdescfs) manually and added the appropriate line to my fstab file.

I've checked that spamd is running and have proven to myself it's working by telnetting to port 8025 on the localhost and am tarpitted. (On that, I'm not sure that I *should* be tarpitted, but more on that later.)

In my pf.conf I have commented out my default rdr of tcp/25 to my mailserver and added these six lines (I've also included a full copy of my pf.conf at the end of this message):

table persist
table persist
table persist file "/usr/local/etc/spamd-mywhite"
rdr pass on $ext_if inet proto tcp from to any port smtp -> 127.0.0.1 port 8025
rdr pass on $ext_if inet proto tcp from ! to any port smtp -> 127.0.0.1 port 8025
rdr pass on $ext_if inet proto tcp from to any port smtp -> $mail port smtp

Those rules make the most sense to me for what I'm trying to do - my understanding is the first hands the table generated by the lists in spamd-setup straight through to spamd for tarpitting. The second rule sends anything that's NOT in my spamd-mywhite table to spamd to be given a 445 temp failure until they finally prove themselves as sane and are added to spamd-white, which is covered by the third rule and sent straight through to my mailserver.

So what's happening? When the above rules are applied to pf (pfctl -f /etc/pf.conf) I tested and received the following:

telnet port 25 from an external, unknown server and I am tarpitted. Try again after 30 minutes and I'm still tarpitted. /var/log/spamd.log reports xxx.xxx.xxx.xxx Connection 1/10 - or something to that effect. After either typing 'quit' or finishing the SMTP telnet session the log reports xxx.xxx.xxx.xxx disconnected after 383 seconds.

This is my biggest problem. It seems no matter what, grey servers are never submitted into the table. Servers in the spamd-mywhite table are allowed through, no questions asked, and servers in are tarpitted (that's fine by me).
I tested with first an unknown server, and was tarpitted indefinitely. I then added the same server to my table and was allowed through. This was done by issuing the command 'pfctl -t spamd-white -T add xxx.xxx.xxx.xxx'. I then removed this (-T delete xxx.xxx.xxx.xxx) and added the server to the table and was tarpitted.

So basically, can anyone see where I'm going wrong with my configuration? My apologies this message is quite lengthy, but I'm hoping that I've provided all information necessary. I eagerly await any assistance provided. Check below for my full pf.conf.

Kind Regards,
Sh4d03

----- /etc/pf.conf ------ (comments about remainder of ruleset are welcome)

# Macros
#
# User-defined variables may be defined and used later, simplifying the
# configuration file. Macros must be defined before they are referenced.
#
# available interfaces
ext_if= "tun0"
int_if= "vr0"
dmz_if= "sis0"

# list of networks
ext_ip= "2xx.xxx.xxx.xxx"
int_net= "192.168.1.0/24"
dmz_net= "10.10.1.0/24"

# list of hosts
mail= "10.10.1.10"
mail2= "10.10.1.11"
ns= "10.10.1.12"
ns2= "10.10.1.13"
fserv= "10.10.1.14"
desktop= "192.168.1.150"

# list of ports
webports= "{ 80 }"
mailports= "{ 43, 110, 143, 789 }"
dnsports= "{ 53 }"
fservSSH= "{ 7878 }"
fservNFS= "{ 111, 2049, 9875 }"
samba= "{ 137, 128, 445 }"
mailSSH= "{ 3232 }"
mail2SSH= "{ 3333 }"
ntp= "{ 123 }"
cvsupd= "{ 5999 }"
dataweb= "{ 9980 }"
torrentflux= "{ 49160:49300 }"
rdp= "{ 3389 }"

###############################################################################
# Tables
#
# Tables provide a mechanism for increasing the performance and flexibility
# of rules with large numbers of source or destination addresses.
#
table const { 10/8, 172.16/12 }
table persist
table persist
table persist file "/usr/local/etc/spamd-mywhite"

###############################################################################
# Options
#
# Options tune the behaviour of the packet filtering engine.
#
set optimization normal
set block-policy drop
set skip on lo0

###############################################################################
# Traffic Normalization
#
# Traffic normalization protects internal machines against inconsistencies in
# Internet protocols and implementations.
#
scrub in all no-df random-id
scrub out all

###############################################################################
# Translation
#
# Translation rules specify how addresses are to be mapped or redirected to
# other addresses.
#
nat on $ext_if inet from $int_if:network to any -> $ext_ip
nat on $ext_if inet from $dmz_if:network to any -> $ext_ip

###############################################################################
# Redirection
#
# Traffic Redirection (or Port Forwarding) enables traffic to be routed to
# different interfaces, ports and addresses.
#
# Redirect via FTP proxy
rdr on $int_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $dmz_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# Redirect for mail and web traffic
rdr on $ext_if inet proto tcp from any to any port $mailports -> $mail
rdr on $ext_if inet proto tcp from any to any port $webports -> $mail
rdr on $ext_if inet proto tcp from any to any port $mailSSH -> $mail
rdr on $ext_if inet proto tcp from any to any port $mail2SSH -> $mail2
#rdr on $ext_if inet proto tcp from any to any port smtp -> $mail port smtp

# Redirect for DNS
rdr on $ext_if inet proto { tcp, udp } from any to any port 53 -> $ns

# Redirect for dataserver
rdr on $ext_if inet proto tcp from any to any port $fservSSH -> $fserv
rdr on $ext_if inet proto { tcp, udp } from any to any port $torrentflux -> $fserv
rdr on $ext_if inet proto { tcp, udp } from any to any port $dataweb -> $fserv
rdr on $ext_if inet proto { tcp } from any to any port $rdp -> $desktop

# Redirect for spamd
rdr pass on $ext_if inet proto tcp from to any port smtp -> 127.0.0.1 port 8025
rdr pass on $ext_if inet proto tcp from ! to any port smtp -> 127.0.0.1 port 8025
rdr pass on $ext_if inet proto tcp from to any port smtp -> $mail port smtp

###############################################################################
# Packet Filtering
#
# Stateful and stateless packet filtering provides rule-based blocking or
# passing of packets.
#
# DO NOT ENABLE THE FOLLOWING WITHOUT CAREFUL CONSIDERATION!!!
#pass quick all

# Uncomment the following to allow pings
#pass quick inet proto icmp keep state

# default policy
block in log all
block out log all
block quick from

# trusted interfaces
pass in quick on $int_if all keep state
pass out quick on $int_if all keep state

# dmz interface
pass in quick on $dmz_if inet from $dmz_net to !$int_net keep state
pass out log quick on $dmz_if inet all flags S/SA modulate state

# Cvsup from Lan to DMZ (dataserver)
pass in quick on $int_if inet proto tcp from $int_if:network to $fserv port $cvsupd keep state

# Samba from Lan to DMZ (dataserver)
pass in quick on $int_if inet proto tcp from $int_if:network to $fserv port $samba keep state
pass in quick on $int_if inet proto tcp from $int_if:network to $mail port $mailSSH keep state

# anti-spoofing
block drop in quick on $ext_if inet from to any
block drop out quick on $ext_if inet from any to

# anti-ping
block drop quick inet proto icmp

# outbound traffic (icmp, udp, tcp)
pass out on $ext_if inet proto { tcp } all flags S/SA modulate state
pass out on $ext_if inet proto { udp } all keep state
pass out on $ext_if inet proto { icmp } all keep state

# inbound traffic (firewall)
pass in on $dmz_if inet proto { tcp, udp } from any to $dmz_if port 53 keep state
pass in on $int_if inet proto { tcp, udp } from any to $int_if port 53 keep state
pass in on $int_if inet proto udp from $int_if:network to $int_if port $ntp keep state
pass in on $dmz_if inet proto udp from $dmz_if:network to $dmz_if port $ntp keep state

# inbound traffic (web/mail)
pass in on $ext_if inet proto tcp from any to $mail port $webports keep state \
	(max-src-conn-rate 9/10, overload flush global)
pass in on $ext_if inet proto tcp from any to $mail port $mailports flags S/SA modulate state \
	(max-src-conn-rate 9/10, overload flush global)
pass in log on $ext_if inet proto tcp from any to $mail port smtp flags S/SA modulate state \
	(max-src-conn-rate 9/10, overload flush global)
pass in on $ext_if inet proto tcp from any to $mail port $mailSSH flags S/SA modulate state \
	(max-src-conn-rate 5/10, overload flush global)
pass in on $ext_if inet proto tcp from any to $mail2 port $mail2SSH flags S/SA modulate state \
	(max-src-conn-rate 5/10, overload flush global)

# inbound traffic (dns)
pass in on $ext_if inet proto { tcp, udp } from any to $ns port 53 keep state
pass out on $dmz_if inet proto { tcp, udp } from any to $ns port 53 keep state

# inbound traffic (fileserver)
pass in on $ext_if inet proto tcp from any to any port $fservSSH keep state
pass in on $ext_if inet proto tcp from any to any port $torrentflux keep state
pass in on $ext_if inet proto tcp from any to any port $dataweb keep state
pass in on $int_if inet proto { tcp, udp } from any to any port $fservNFS keep state
pass out on $dmz_if inet proto { tcp, udp } from any to any port $fservNFS keep state

# inbound traffic (desktop)
pass in on $ext_if inet proto tcp from any to any port $rdp keep state
pass out on $int_if inet proto tcp from any to any port $rdp keep state
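A quick way to sanity-check a spamd.conf like the one in the message is to parse its termcap-style records and list which entries the `all` record actually activates and which `method=file` entries point at something that is not a local path. The following is an added example, not spamd's own code; `SPAMD_CONF` is a constructed, trimmed copy of the poster's file (the korea record is left out on purpose so the dangling-reference check has something to report).

```python
"""Parse the termcap-style spamd.conf format and lint what spamd-setup will use.
Added example, not spamd code. SPAMD_CONF is a constructed, trimmed copy of the
config in the message above (korea deliberately omitted to exercise the lint)."""

SPAMD_CONF = r"""all:\
	:spews1:china:korea:
# Mirrored from http://www.spews.org/spews_list_level1.txt
spews1:\
	:black:\
	:method=file:\
	:file=/usr/local/etc/spamd/spews_list_level1.txt:
spews2:\
	:black:\
	:method=file:\
	:file=www.openbsd.org/spamd/spews_list_level2.txt.gz:
china:\
	:black:\
	:method=file:\
	:file=/usr/local/etc/spamd/chinacidr.txt:
"""

def parse_spamd_conf(text):
    """Return {name: {"flags": [...], "fields": {...}}}; records are backslash-continued."""
    entries, record = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        record.append(line.rstrip("\\"))
        if line.endswith("\\"):
            continue                                  # record continues on the next line
        name, _, body = "".join(record).partition(":")
        caps = [c.partition("=") for c in body.split(":") if c]   # skip empty '::' caps
        entries[name] = {"flags": [k for k, eq, _ in caps if not eq],
                         "fields": {k: v for k, eq, v in caps if eq}}
        record = []
    return entries

def lint(entries):
    """Return (record, problem) pairs: dangling names in all, unused records, bad file= values."""
    active = entries.get("all", {"flags": []})["flags"]
    problems = [(n, "listed in all but not defined") for n in active if n not in entries]
    for name, rec in entries.items():
        if name == "all":
            continue
        if name not in active:
            problems.append((name, "defined but not listed in all, so spamd-setup ignores it"))
        if rec["fields"].get("method") == "file" and not rec["fields"].get("file", "").startswith("/"):
            problems.append((name, "method=file expects an absolute local path, not a URL"))
    return problems
```

Run against the full file from the message, the same checks would show that the spews2 record is inert (not in `all`) and that its `file=` value is a host name rather than a local mirror path.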