From owner-svn-doc-head@FreeBSD.ORG Wed Feb 19 17:51:01 2014 Return-Path: Delivered-To: svn-doc-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 89E52844; Wed, 19 Feb 2014 17:51:01 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 75A0E11B5; Wed, 19 Feb 2014 17:51:01 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s1JHp1WZ086752; Wed, 19 Feb 2014 17:51:01 GMT (envelope-from dru@svn.freebsd.org) Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s1JHp1xn086751; Wed, 19 Feb 2014 17:51:01 GMT (envelope-from dru@svn.freebsd.org) Message-Id: <201402191751.s1JHp1xn086751@svn.freebsd.org> From: Dru Lavigne Date: Wed, 19 Feb 2014 17:51:01 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r43992 - head/en_US.ISO8859-1/books/handbook/firewalls X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Feb 2014 17:51:01 -0000 Author: dru Date: Wed Feb 19 17:51:00 2014 New Revision: 43992 URL: http://svnweb.freebsd.org/changeset/doc/43992 Log: Editorial pass through greylisting section. At some point, expanding on how to use spamdb would be useful. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 19 17:45:12 2014 (r43991) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 19 17:51:00 2014 (r43992) @@ -1336,117 +1336,60 @@ rdr pass on $ext_if inet proto tcp from hosts will soon start getting trapped within a few seconds to several minutes. - - Adding Greylisting to the Setup - - spamd also supports - greylisting, which works by - rejecting messages from unknown hosts temporarily with - 45n codes, letting messages - from hosts which try again within a reasonable time - through. Traffic from well behaved hosts, that is, + PF also supports + greylisting, which temporarily + rejects messages from unknown hosts with + 45n codes. Messages + from greylisted hosts which try again within a reasonable time + are let through. Traffic from senders which are set up to behave within the limits set - up in the relevant RFCs - The relevant RFCs are mainly RFC1123 - and RFC2821., will be let + by RFC 1123 + and RFC 2821 are immediately let through. - Greylisting as a technique was presented in a 2003 - paper by Evan Harris - The original - Harris paper and a number of other useful articles - and resources can be found at the More information about greylisting as a technique + can be found at the greylisting.org - web site., and a number of - implementations followed over the next few months. - OpenBSD's spamd acquired its - ability to greylist in OpenBSD 3.5, which was released - in May 2004. - - The most amazing thing about greylisting, apart + web site. The most amazing thing about greylisting, apart from its simplicity, is that it still works. Spammers - and malware writers have been very slow to adapt. + and malware writers have been very slow to adapt in order + to bypass this technique. - The basic procedure for adding greylisting to your - setup follows below. + The basic procedure for configuring greylisting is as + follows: + Configuring Greylisting - If not done already, make sure the - file descriptor file system (see &man.fdescfs.5;) is - mounted at /dev/fd/. Do this - by adding the following line to - /etc/fstab: - - fdescfs /dev/fd fdescfs rw 0 0 - - and make sure the &man.fdescfs.5; code is in the - kernel, either compiled in or by loading the module - with &man.kldload.8;. + Make sure that &man.fdescfs.5; is + mounted as described in Step 1 of the previous Procedure. To run spamd in - greylisting mode, /etc/rc.conf - must be changed slightly by adding + greylisting mode, add this line to /etc/rc.conf: spamd_grey="YES" # use spamd greylisting if YES - Several greylisting related parameters can be - fine-tuned with spamd's command - line parameters and the corresponding - /etc/rc.conf settings. Check - the spamd man page to see - what the parameters mean. + Refer to the spamd man page + for descriptions of additional related parameters. - To complete the greylisting setup, restart - spamd using the - /usr/local/etc/rc.d/obspamd - script. + To complete the greylisting setup: + + &prompt.root; service restart obspamd +&prompt.root; service start spamlogd - Behind the scenes, rarely mentioned and barely - documented are two of spamd's - helpers, the spamdb database + Behind the scenes, the spamdb database tool and the spamlogd - whitelist updater, which both perform essential - functions for the greylisting feature. Of the two - spamlogd works quietly in the - background, while spamdb has - been developed to offer some interesting - features. - - - Restart <application>spamd</application> to - Enable Greylisting - - After following all steps in the tutorial - exactly up to this point, - spamlogd has been started - automatically already. However, if the initial - spamd configuration did not - include greylisting, - spamlogd may not have been - started, and there may be strange symptoms, such as - greylists and whitelists not getting updated - properly. - - Under normal circumstances, it should not be - necessary to start spamlogd - by hand. Restarting spamd - after enabling greylisting ensures - spamlogd is loaded and - available too. - - - spamdb is the + whitelist updater perform essential + functions for the greylisting feature. spamdb is the administrator's main interface to managing the black, - grey and white lists via the contents of the + grey, and white lists via the contents of the /var/db/spamdb database. -