From: Doug Hardie <bc979@lafn.org>
Date: Sun, 11 Mar 2012 10:31:09 -0700
To: Doug Sampson
Cc: freebsd-pf@freebsd.org
Subject: Re: Differences in PF between FBSD 8.2 & 9.0?
Message-Id: <183ABE4C-9BBB-4B2E-A9B9-CA9F139C827A@lafn.org>
References: <4F3B76DB.1040301@my.gd>

On 10 March 2012, at 13:34, Doug Sampson wrote:

>> On 2/15/12 2:22 AM, Doug Sampson wrote:
>>> I got bitten by PF when upgrading from 8.2 to 9.0. It refused to allow
>>> any incoming mail. I'm using spamd in conjunction with pf. I use a
>>> combination of natting along with redirections in conjunction with the
>>> normal pass/block rules.
>>>
>>
>> Toggle logging on both your default drop rule and your allow mail ones.
>>
>> Then tcpdump -nei pflog0 ip and port 465 (or 25, whichever)
>> See what rule number matches your packets, then find out what rule that
>> is with pfctl -vvvsr
>>
>>
>
> I'm now getting back to this issue after being diverted to other projects. Spam has been noticed by our staff and they're not happy. :)
>
> Here's what the tcpdump shows:
>
> mailfilter-root@~# tcpdump -nei pflog0 port 8025
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
> 13:12:14.948935 rule 0..16777216/0(match): block in on fxp0: 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, options [mss 1460,nop,nop,TS val 1845169225 ecr 0,nop,wscale 0,nop,nop,sackOK], length 0
> 13:12:18.324854 rule 0..16777216/0(match): block in on fxp0: 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, options [mss 1460,nop,nop,TS val 1845169563 ecr 0,nop,wscale 0,nop,nop,sackOK], length 0
> ...
>
>
> The pflog0 shows that all incoming packets are blocked by rule #0, which is:
>
> @0 scrub in all fragment reassemble
> @0 block drop in log all
>
>
> And
>
> mailfilter-root@~# spamdb | g GREY
> mailfilter-root@~#
>
> No greytrapping is occurring. Is the 'scrub' rule screwing up our packets? Our pf.conf worked fine in version 8.2 prior to the upgrade to 9.0.
>
> Also, why am I being warned that there isn't an IPv4 address assigned to pflog0?
>
> Pertinent pf.conf section related to spamd:
>
> # spamd-setup puts addresses to be redirected into table .
> table persist
> table persist
> table persist file "/usr/local/etc/spamd/spamd-mywhite"
> table persist file "/usr/local/etc/spamd/spamd-spf.txt"
> #no rdr on { lo0, lo1 } from any to any
> # redirect to spamd
> rdr inet proto tcp from to $external_addr port smtp -> 127.0.0.1 port smtp
> rdr inet proto tcp from to $external_addr port smtp -> 127.0.0.1 port smtp
> rdr inet proto tcp from to $external_addr port smtp -> 127.0.0.1 port smtp
> rdr inet proto tcp from to $external_addr port smtp -> 127.0.0.1 port spamd
> rdr inet proto tcp from ! to $external_addr port smtp -> 127.0.0.1 port spamd
>
> # block all incoming packets but allow ssh, pass all outgoing tcp and udp
> # connections and keep state, logging blocked packets.
> block in log all
>
> # allow inbound/outbound mail! also to log to pflog
> pass in log inet proto tcp from any to $external_addr port smtp flags S/SA synproxy state
> pass out log inet proto tcp from $external_addr to any port smtp flags S/SA synproxy state
> pass in log inet proto tcp from $internal_net to $int_if port smtp flags S/SA synproxy state
> pass in log inet proto tcp from $dmz_net to $int_if port smtp flags S/SA synproxy state

I wouldn't claim to be an expert on pf, but no one else has replied. Here is my understanding - the redirect rules (rdr) change the destination first to 127.0.0.1 port spamd (which appears to be 8025 from the dump). Then pf applies the filter rules (block/pass) to the new addresses. The only filter rule which references port 8025 is the first one: block in log all. I believe you need a rule to permit mail in on the 8025 port.
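The following pf.conf fragment is an added illustration of the point made in the reply above; it is not from either poster's configuration. It uses the FreeBSD 9.0 (pre-OpenBSD-4.7 style) rule order, where rdr translation is applied before the filter rules are evaluated, so a pass rule has to match the packet as it looks after translation. The interface name fxp0 and port 8025 are taken from the quoted pflog output; the macro names, the 192.0.2.10 placeholder address and the table names <spamd> and <spamd-white> are assumptions (the original post's table names did not survive in the archive). It also generalises the reply slightly: because every rdr rule in the quoted config rewrites the destination to 127.0.0.1, the whitelisted path to port smtp needs the same treatment as the greylisting path to port spamd.

```pf
# Added example, not the thread's own pf.conf.
ext_if        = "fxp0"          # interface named in the pflog output
external_addr = "192.0.2.10"    # placeholder (TEST-NET-1), not a real address
table <spamd>       persist     # name assumed; populated by spamd-setup
table <spamd-white> persist     # name assumed; populated by spamd as hosts pass greylisting

# Translation runs first. An SMTP SYN from an unknown host to
# $external_addr:25 leaves here with destination 127.0.0.1:8025
# ("spamd" in /etc/services, as the dump shows); whitelisted hosts
# leave with destination 127.0.0.1:25.
rdr on $ext_if inet proto tcp from <spamd-white> to $external_addr port smtp -> 127.0.0.1 port smtp
rdr on $ext_if inet proto tcp from !<spamd-white> to $external_addr port smtp -> 127.0.0.1 port spamd

block in log all

# BEFORE: this rule only matches the pre-translation destination, so the
# redirected packet (now 127.0.0.1:8025 or 127.0.0.1:25) never matches it
# and falls through to "block in log all" -- which is exactly what the
# "rule 0 ... block in on fxp0: ... > 127.0.0.1.8025" pflog lines report.
# pass in log on $ext_if inet proto tcp from any to $external_addr port smtp flags S/SA synproxy state

# AFTER: match what the packet looks like after rdr. It still arrives
# "in on fxp0", only its destination has changed.
pass in log on $ext_if inet proto tcp from any to 127.0.0.1 port spamd flags S/SA keep state
pass in log on $ext_if inet proto tcp from any to 127.0.0.1 port smtp  flags S/SA keep state
```

After loading the ruleset (`pfctl -f /etc/pf.conf`), the same `tcpdump -nei pflog0 port 8025` should show the SYNs matching the numbered pass rule instead of rule 0, and `pfctl -vvsr` will show which rule number that is. pf.conf(5) also documents `rdr pass ...`, which passes matching packets without consulting the filter rules at all; that removes the need for a separate pass rule but also removes the chance to apply the flags and logging options shown here.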