From owner-freebsd-pf@FreeBSD.ORG Thu Sep 6 23:54:56 2007
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DB2AB16A417 for ; Thu, 6 Sep 2007 23:54:55 +0000 (UTC) (envelope-from dougs@dawnsign.com)
Received: from mailfilter.dawnsign.com (216-70-250-4.static-ip.telepacific.net [216.70.250.4]) by mx1.freebsd.org (Postfix) with ESMTP id 8C25413C48D for ; Thu, 6 Sep 2007 23:54:55 +0000 (UTC) (envelope-from dougs@dawnsign.com)
Received: from cetus.dawnsign.com (cetus.dawnsign.com [192.168.1.5]) by mailfilter.dawnsign.com (Postfix) with ESMTP id 4DF4895824 for ; Thu, 6 Sep 2007 16:29:04 -0700 (PDT)
Received: by cetus.dawnsign.com with Internet Mail Service (5.5.2657.72) id ; Thu, 6 Sep 2007 16:29:04 -0700
Message-ID: <9DE6EC5B5CF8C84281AE3D7454376A0D6D0099@cetus.dawnsign.com>
From: Doug Sampson
To: "'freebsd-pf@freebsd.org'"
Date: Thu, 6 Sep 2007 16:29:03 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-Type: text/plain; charset="iso-8859-1"
Subject: spamd-mywhite
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Thu, 06 Sep 2007 23:54:56 -0000

Hi all,

I've been running pf+obspamd on FBSD 6.2-RELEASE. I appear to be blocking some addresses that appear in my spamd-mywhite file, and I don't understand why that would be the case here. I'm guessing I've screwed up my pf.conf file.

Here's my config file:

    # pfctl -vvnf /etc/pf.conf
    ext_if = "rl0"
    int_if = "xl0"
    internal_net = "192.168.1.1/24"
    external_addr = "216.70.250.4"
    vpn_net = "10.8.0.0/24"
    NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
    webserver1 = "192.168.1.4"
    set skip on { lo0 }
    set skip on { gif0 }
    @0 scrub in all fragment reassemble
    @1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
    @2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
    @3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http -> 192.168.1.4 port 80
    table persist
    table persist
    table persist file "/usr/local/etc/spamd/spamd-mywhite"
    table persist file "/usr/local/etc/spamd/spamd.alloweddomains"
    @4 rdr pass inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
    @5 rdr pass inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
    @6 rdr pass inet proto tcp from ! to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
    @7 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
    @8 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
    @9 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
    @10 block drop in log all
    @11 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
    @12 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
    @13 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
    @14 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
    @15 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
    @16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
    @17 block drop out log quick on rl0 inet from any to 192.168.0.0/16
    @18 block drop out log quick on rl0 inet from any to 172.16.0.0/12
    @19 block drop out log quick on rl0 inet from any to 10.0.0.0/8
    @20 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
    @21 block drop in log quick inet from 192.168.1.25 to any
    @22 pass in on xl0 inet from 192.168.1.0/24 to any
    @23 pass out log on xl0 inet from any to 192.168.1.0/24
    @24 pass out log quick on xl0 inet from any to 10.8.0.0/24
    @25 pass out on rl0 proto tcp all flags S/SA modulate state
    @26 pass out on rl0 proto udp all keep state
    @27 pass out on rl0 proto icmp all keep state
    @28 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
    @29 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state

/var/log/pflog0 shows the following:

    141748 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768
    2. 049208 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768
    3. 068169 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768
    5. 594277 rule 3/0(match): block in on rl0: 205.188.139.137.61419 > 216.70.250.4.25: S 2510359871:2510359871(0) win 24820
    525916 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768

    # pfctl -t spamd-mywhite -T show | grep 205.188.
    No ALTQ support in kernel
    ALTQ related functions disabled
    205.188.139.0/24
    205.188.144.0/24
    205.188.156.0/23
    205.188.157.0/24
    205.188.159.0/24

Thus 205.188.159.7 shouldn't be blocked.

    # spamdb | grep 205\.188\.
    WHITE|205.188.249.132|||1187218293|1187220082|1190330485|13|0
    WHITE|205.188.249.67|||1187823652|1187824708|1190935126|12|0
    WHITE|66.179.205.188|||1186759482|1186761981|1189872409|9|0

spamdb doesn't show any entries for 205.188.159.7. These entries are for AOL mail. I've received complaints from AOL users of mail bouncing back to them.

What am I doing wrong? Are CIDR records accepted by pf+obspamd? I can't trace the block back to the proper rules, i.e. which rule in pf.conf does rule 3/0 as shown in pflog0 match up with?

Any suggestions are appreciated!

~Doug
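An added worked example, not part of Doug's post or of pf itself, for the last question in it: pf keeps scrub, nat/binat/rdr and filter rules in separate rulesets, and the "rule N/M" that pflog records indexes the loaded filter ruleset (the numbering `pfctl -vvsr` prints, where M is the rule number inside an anchor and 0 for the main ruleset), whereas `pfctl -vvnf` numbers every parsed rule in one sequence across all sections. The script below recounts only the filter rules of a `-vvnf`-style dump and maps a pflog entry onto one of them. The dump and the pflog line are copied from the post (the table names inside the `rdr pass` rules were lost in the archive, which does not affect the count, as those rules start with `rdr`); it assumes the dump matches the ruleset that was loaded when the packet was logged.

```python
"""Map the rule number in a pflog entry back to the filter rule it refers to.

pflog's "rule N/M" indexes the kernel's filter ruleset (pass/block/match/
anchor rules only, as listed by `pfctl -vvsr`).  `pfctl -vvnf` numbers
scrub, nat, rdr and filter rules in one sequence, so its @N labels do not
line up with pflog.  This helper recounts the filter rules of such a dump.
"""
import re

# Rule dump as posted (`pfctl -vvnf /etc/pf.conf`); table names inside the
# rdr pass rules were stripped by the list archive and are not needed here.
PFCTL_DUMP = """\
@0 scrub in all fragment reassemble
@1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
@2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
@3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http -> 192.168.1.4 port 80
@4 rdr pass inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
@5 rdr pass inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
@6 rdr pass inet proto tcp from ! to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
@7 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
@8 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
@9 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
@10 block drop in log all
@11 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
@12 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
@13 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
@14 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
@15 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
@16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
@17 block drop out log quick on rl0 inet from any to 192.168.0.0/16
@18 block drop out log quick on rl0 inet from any to 172.16.0.0/12
@19 block drop out log quick on rl0 inet from any to 10.0.0.0/8
@20 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
@21 block drop in log quick inet from 192.168.1.25 to any
@22 pass in on xl0 inet from 192.168.1.0/24 to any
@23 pass out log on xl0 inet from any to 192.168.1.0/24
@24 pass out log quick on xl0 inet from any to 10.8.0.0/24
@25 pass out on rl0 proto tcp all flags S/SA modulate state
@26 pass out on rl0 proto udp all keep state
@27 pass out on rl0 proto icmp all keep state
@28 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
@29 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
"""

# One pflog entry from the post (tcpdump format; the hh:mm:ss part of the
# timestamp was lost in the archive, which does not matter for the mapping).
PFLOG_LINE = ("141748 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > "
              "216.70.250.4.25: S 1250664467:1250664467(0) win 32768")

# Keywords that open a rule living in the filter ruleset.  scrub, nat, binat
# and rdr rules (including "rdr pass") are separate rulesets and not counted.
FILTER_KEYWORDS = ("pass", "block", "match", "anchor")

DUMP_RE = re.compile(r"^@(\d+)\s+(.*)$")
PFLOG_RE = re.compile(r"rule (\d+)/(\d+)\((\w+)\): (pass|block) (in|out) on (\S+):")


def filter_rules(dump):
    """Return [(dump_number, rule_text), ...] for the filter rules only, in
    order.  The index into this list is the number pflog reports."""
    rules = []
    for line in dump.splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            continue  # macros, "set" lines, table definitions, blank lines
        text = m.group(2)
        if text.split()[0] in FILTER_KEYWORDS:
            rules.append((int(m.group(1)), text))
    return rules


def parse_pflog(line):
    """Return (rule_nr, sub_rule_nr, reason, action, direction, ifname)."""
    m = PFLOG_RE.search(line)
    if not m:
        raise ValueError("not a pflog entry: %r" % line)
    nr, sub, reason, action, direction, ifname = m.groups()
    return int(nr), int(sub), reason, action, direction, ifname


def resolve_pflog_rule(dump, line):
    """Map a pflog entry onto the filter rule it names.
    Returns (filter_nr, dump_nr, rule_text)."""
    nr, sub, _reason, action, _direction, _ifname = parse_pflog(line)
    rules = filter_rules(dump)
    if nr >= len(rules):
        raise IndexError("pflog names rule %d but the dump has only %d filter rules"
                         % (nr, len(rules)))
    dump_nr, text = rules[nr]
    # Sanity check: pflog's action must be the rule's own first keyword.  A
    # mismatch means the dump is not the ruleset that was loaded at the time
    # (or, with sub != 0, the decision came from a rule inside an anchor).
    if sub == 0 and text.split()[0] != action:
        raise ValueError("pflog says %s but filter rule %d is %r" % (action, nr, text))
    return nr, dump_nr, text


if __name__ == "__main__":
    nr, dump_nr, text = resolve_pflog_rule(PFCTL_DUMP, PFLOG_LINE)
    print("pflog rule %d is dump rule @%d: %s" % (nr, dump_nr, text))
```

On a live box the same mapping is available without the script: `pfctl -vvsr` prints the loaded filter rules with the @N numbers pflog uses, and `tcpdump -n -e -ttt -r /var/log/pflog` (or `-i pflog0`) shows the rule number next to each logged packet; the script only exists to apply that counting to a `-vvnf` dump pasted into mail.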