Date: Wed, 19 Feb 2014 17:51:01 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r43992 - head/en_US.ISO8859-1/books/handbook/firewalls
Message-ID: <201402191751.s1JHp1xn086751@svn.freebsd.org>
Author: dru Date: Wed Feb 19 17:51:00 2014 New Revision: 43992 URL: http://svnweb.freebsd.org/changeset/doc/43992 Log: Editorial pass through greylisting section. At some point, expanding on how to use spamdb would be useful. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 19 17:45:12 2014 (r43991) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 19 17:51:00 2014 (r43992) 
@@ -1336,117 +1336,60 @@ rdr pass on $ext_if inet proto tcp from hosts will soon start getting trapped within a few seconds to several minutes.</para> - <sect4 xml:id="pftut-spamd-greylist"> - <title>Adding Greylisting to the Setup</title> - - <para><application>spamd</application> also supports - <firstterm>greylisting</firstterm>, which works by - rejecting messages from unknown hosts temporarily with - <replaceable>45n</replaceable> codes, letting messages - from hosts which try again within a reasonable time - through. Traffic from well behaved hosts, that is, + <para><application>PF</application> also supports + <firstterm>greylisting</firstterm>, which temporarily + rejects messages from unknown hosts with + <replaceable>45n</replaceable> codes. Messages + from greylisted hosts which try again within a reasonable time + are let through. Traffic from senders which are set up to behave within the limits set - up in the relevant RFCs - <footnote><para>The relevant RFCs are mainly RFC1123 - and RFC2821.</para></footnote>, will be let + by RFC 1123 + and RFC 2821 are immediately let through.</para> - <para>Greylisting as a technique was presented in a 2003 - paper by Evan Harris - <footnote><para>The original - Harris paper and a number of other useful articles - and resources can be found at the <link + <para>More information about greylisting as a technique + can be found at the <link xlink:href="http://www.greylisting.org/">greylisting.org</link> - web site.</para></footnote>, and a number of - implementations followed over the next few months. - OpenBSD's <application>spamd</application> acquired its - ability to greylist in OpenBSD 3.5, which was released - in May 2004.</para> - - <para>The most amazing thing about greylisting, apart + web site. The most amazing thing about greylisting, apart from its simplicity, is that it still works. 
Spammers - and malware writers have been very slow to adapt.</para> + and malware writers have been very slow to adapt in order + to bypass this technique.</para> - <para>The basic procedure for adding greylisting to your - setup follows below.</para> + <para>The basic procedure for configuring greylisting is as + follows:</para> <procedure> + <title>Configuring Greylisting</title> <step> - <para>If not done already, make sure the - file descriptor file system (see &man.fdescfs.5;) is - mounted at <filename>/dev/fd/</filename>. Do this - by adding the following line to - <filename>/etc/fstab</filename>:</para> - - <programlisting>fdescfs /dev/fd fdescfs rw 0 0</programlisting> - - <para>and make sure the &man.fdescfs.5; code is in the - kernel, either compiled in or by loading the module - with &man.kldload.8;.</para> + <para>Make sure that &man.fdescfs.5; is + mounted as described in Step 1 of the previous Procedure.</para> </step> <step> <para>To run <application>spamd</application> in - greylisting mode, <filename>/etc/rc.conf</filename> - must be changed slightly by adding</para> + greylisting mode, add this line to <filename>/etc/rc.conf</filename>:</para> <programlisting>spamd_grey="YES" # use spamd greylisting if YES</programlisting> - <para>Several greylisting related parameters can be - fine-tuned with <command>spamd</command>'s command - line parameters and the corresponding - <filename>/etc/rc.conf</filename> settings. 
Check - the <application>spamd</application> man page to see - what the parameters mean.</para> + <para>Refer to the <application>spamd</application> man page + for descriptions of additional related parameters.</para> </step> <step> - <para>To complete the greylisting setup, restart - <application>spamd</application> using the - <filename>/usr/local/etc/rc.d/obspamd</filename> - script.</para> + <para>To complete the greylisting setup:</para> + + <programlisting>&prompt.root; <command>service restart obspamd</command> +&prompt.root; <command>service start spamlogd</command></programlisting> </step> </procedure> - <para>Behind the scenes, rarely mentioned and barely - documented are two of <application>spamd</application>'s - helpers, the <application>spamdb</application> database + <para>Behind the scenes, the <application>spamdb</application> database tool and the <application>spamlogd</application> - whitelist updater, which both perform essential - functions for the greylisting feature. Of the two - <application>spamlogd</application> works quietly in the - background, while <application>spamdb</application> has - been developed to offer some interesting - features.</para> - - <note> - <title>Restart <application>spamd</application> to - Enable Greylisting</title> - - <para>After following all steps in the tutorial - exactly up to this point, - <application>spamlogd</application> has been started - automatically already. However, if the initial - <application>spamd</application> configuration did not - include greylisting, - <application>spamlogd</application> may not have been - started, and there may be strange symptoms, such as - greylists and whitelists not getting updated - properly.</para> - - <para>Under normal circumstances, it should not be - necessary to start <application>spamlogd</application> - by hand. 
Restarting <application>spamd</application> - after enabling greylisting ensures - <application>spamlogd</application> is loaded and - available too.</para> - </note> - - <para><application>spamdb</application> is the + whitelist updater perform essential + functions for the greylisting feature. <application>spamdb</application> is the administrator's main interface to managing the black, - grey and white lists via the contents of the + grey, and white lists via the contents of the <filename>/var/db/spamdb</filename> database.</para> - </sect4> </sect3> <sect3 xml:id="pftut-hygiene">
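Review bot: In the last step of the new procedure, the two added commands have the service(8) arguments reversed: "service restart obspamd" and "service start spamlogd" put the action where the script name belongs, so neither will run as written. service(8) takes the script name first, so these should read "service obspamd restart" and "service spamlogd start". Separately, the rewritten opening paragraph now says <application>PF</application> supports greylisting, while the removed text and step 2 of this same procedure ("To run spamd in greylisting mode") both treat it as a spamd feature; suggest keeping <application>spamd</application> as the subject of that sentence.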