From: Jay Hall
To: freebsd-questions@freebsd.org
Date: Mon, 27 Jul 2009 16:27:21 -0500
Subject: ipf rules question
Message-Id: <0E15E941-3CC2-4C9B-BAF2-C8910F7592ED@socket.net>

Ladies and Gentlemen,

I think I am missing something. I am running a FreeBSD 6. server with ipf compiled into the kernel.

Following are the headers from an email.

From: oeajqs@brantbenun.com
Subject: ****SUSPECTED SPAM**** REAL Doctors, REAL Science, REAL Results!
Date: July 27, 2009 2:33:25 PM CDT
To: xxxxxxxxx@mnea.org
Reply-To: oeajqs@brantbenun.com
Received: from mail.mnea.org ([10.129.10.45]) by mo-hq-s1.mo.loc with Microsoft SMTPSVC(6.0.3790.1830); Mon, 27 Jul 2009 14:33:29 -0500
Received: by mail.mnea.org (Postfix, from userid 10071) id 572563F661; Mon, 27 Jul 2009 14:33:29 -0500 (CDT)
Received: from speedtouch.lan (213-84-78-162.adsl.xs4all.nl [82.95.130.154]) by mail.mnea.org (Postfix) with ESMTP id DD9233F659 for ; Mon, 27 Jul 2009 14:33:24 -0500 (CDT)
Received: from 82.95.130.154 by smtp.secureserver.net; Mon, 27 Jul 2009 20:33:25 +0100

Following are the relevant entries from /var/log/maillog

Jul 27 14:33:22 mail postfix/smtpd[8557]: connect from 213-84-78-162.adsl.xs4all.nl[82.95.130.154]
Jul 27 14:33:24 mail postfix/smtpd[8557]: DD9233F659: client=213-84-78-162.adsl.xs4all.nl[82.95.130.154]
Jul 27 14:33:26 mail postfix/cleanup[7974]: DD9233F659: message-id=<824460019.99376997845866@brantbenun.com >
Jul 27 14:33:26 mail postfix/qmgr[52904]: DD9233F659: from=, size=1245, nrcpt=1 (queue active)

And, following is the output from ipfstat showing the relevant rule(s).

@140 block in quick proto tcp from 82.0.0.0/8 to any port = smtp

If I am looking at everything correctly all traffic coming into the system from the 82.0.0.0/8 network to port 25 on the mail server should be blocked.

What am I missing?

Thanks for your help.

Jay
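
An added example, not part of the original post: a short Python check that parses the ipfstat rule and the maillog entries quoted above and flags any smtpd connection whose client address falls inside a network the ruleset blocks on SMTP. The third log line (mx.example.net, 192.0.2.10) is constructed as a non-matching control, and the function names are this example's own.

```python
import ipaddress
import re

# Rule text as printed by ipfstat in the post.
IPFSTAT_OUTPUT = """\
@140 block in quick proto tcp from 82.0.0.0/8 to any port = smtp
"""

# First two lines are from the post; the third is constructed as a control.
MAILLOG = """\
Jul 27 14:33:22 mail postfix/smtpd[8557]: connect from 213-84-78-162.adsl.xs4all.nl[82.95.130.154]
Jul 27 14:33:24 mail postfix/smtpd[8557]: DD9233F659: client=213-84-78-162.adsl.xs4all.nl[82.95.130.154]
Jul 27 14:35:02 mail postfix/smtpd[8560]: connect from mx.example.net[192.0.2.10]
"""

# Matches inbound TCP block rules with a numeric source network and a destination port.
RULE_RE = re.compile(
    r"^@(?P<num>\d+)\s+block in\b.*?\bproto tcp "
    r"from (?P<src>[0-9./]+) to any port = (?P<port>\S+)")
# Matches the Postfix smtpd "connect from host[ip]" line.
CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from [^\[\s]+\[(?P<ip>[0-9a-fA-F.:]+)\]")


def parse_smtp_block_rules(text):
    """Return [(rule_number, source_network)] for inbound block rules on SMTP."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group("port") in ("smtp", "25"):
            net = ipaddress.ip_network(m.group("src"), strict=False)
            rules.append((int(m.group("num")), net))
    return rules


def connections_that_should_be_blocked(maillog, rules):
    """Return [(client_ip, rule_number, log_line)] for accepted connections
    whose client address lies inside a blocked source network."""
    findings = []
    for line in maillog.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        for num, net in rules:
            if ip.version == net.version and ip in net:
                findings.append((m.group("ip"), num, line))
                break
    return findings


if __name__ == "__main__":
    rules = parse_smtp_block_rules(IPFSTAT_OUTPUT)
    for ip, num, line in connections_that_should_be_blocked(MAILLOG, rules):
        print(f"rule @{num} covers {ip} but smtpd accepted: {line}")
```

Any flagged line is a connection that reached smtpd despite a matching block rule, which is the discrepancy the post describes; per-rule hit counts from `ipfstat -hin` show whether the rule ever matched a packet.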