From owner-freebsd-pf@FreeBSD.ORG  Fri Apr 27 18:05:02 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id DD0FB16A409
	for <freebsd-pf@freebsd.org>; Fri, 27 Apr 2007 18:05:02 +0000 (UTC)
	(envelope-from schneecrash@gmail.com)
Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.172])
	by mx1.freebsd.org (Postfix) with ESMTP id 7604E13C46A
	for <freebsd-pf@freebsd.org>; Fri, 27 Apr 2007 18:05:02 +0000 (UTC)
	(envelope-from schneecrash@gmail.com)
Received: by ug-out-1314.google.com with SMTP id 71so748377ugh
	for <freebsd-pf@freebsd.org>; Fri, 27 Apr 2007 11:05:01 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta;
	h=domainkey-signature:received:received:message-id:date:from:reply-to:sender:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition:x-google-sender-auth;
	b=JkeibjOLK+IesrEugCHk0LpmO5Irb75V2X51BXdQyO6fbDn4izqnxHgPSUOj5Btw+6I5kQKwON4eNnm5eGvN6pyURXktnjqFKAwLrbNhBgxAmWA1eO7fkeUB66ICjgFhDJANYBH73sHyOn5O2xeh+qjDaD1ppfA44SCOY3ZSUeg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta;
	h=received:message-id:date:from:reply-to:sender:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition:x-google-sender-auth;
	b=eHEcy/klvjuVH6L7pindaiMvCjWfAAFG6vHFQP/xniSxr/SqCuHGzOn8xGu/liBRC+80rrxCcJ8H17fYuctoKduBTZi7B7yLvAPNZtua2T0S0rT9NLOmHnVg55HscLRzIpqES3JUm1QtCtpTDdGbRe1DKHTI0MJ6Zek4xMNXpG8=
Received: by 10.82.100.1 with SMTP id x1mr6253465bub.1177697101151;
	Fri, 27 Apr 2007 11:05:01 -0700 (PDT)
Received: by 10.82.162.19 with HTTP; Fri, 27 Apr 2007 11:05:01 -0700 (PDT)
Message-ID: <70f41ba20704271105m11fa5315kc7c3d715f2d63f61@mail.gmail.com>
Date: Fri, 27 Apr 2007 11:05:01 -0700
From: snowcrash <schneecrash+pf@gmail.com>
Sender: schneecrash@gmail.com
To: freebsd-pf@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Google-Sender-Auth: 7b4ade0791f39b01
Subject: why are pf-blocked ips 'leaking' thru to spamd?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: freebsd-pf@freebsd.org
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Apr 2007 18:05:02 -0000

hi,

i've set up pf+spamd on FreeBSD 6.2-RELEASE.

IPs that i've blocked seem to be sneaking through to spamd ... not
always, apparently :-/

i'm guessing i've borked config, or there's an overflow of something
... dunno, yet.

i've config'd pf as follows,

  pf.conf
  --------------------------
  ...
  # OPTIONS
  set block-policy drop
  set optimization aggressive
  set state-policy if-bound
  ...
  # NORMALIZE
  scrub in all
  ...
  # TRANSLATE/REDIRECT
  nat       on $ext_if           from $int_if:network  to any
      -> ($ext_if)
  ...
  rdr       on $ext_if proto tcp from <mail-white>     to $SMTP_WAN
port 25 -> $SMTP_LAN port 25
  rdr pass  on $ext_if proto tcp from { <spamd>, !<ip-black> } \
                                                       to ($ext_if)
port 25 -> 127.0.0.1 port 8025
  rdr pass  on $ext_if proto tcp from { !<spamd-white>, !<ip-black> } \
                                                       to ($ext_if)
port 25 -> 127.0.0.1 port 8025
  rdr       on $ext_if proto tcp from <spamd-white>    to $SMTP_WAN
port 25 -> $SMTP_LAN port 25
  ...
  # FILTER
  block    log quick                      from { <ip-black> } to any
  block    log       all
  pass in  log quick on $ext_if proto tcp from { <mail-white>, <spamd-white> } \
                                                              to
$SMTP_LAN port 25 flags S/SFRA keep state
  pass out log quick on $ext_if proto tcp from any            to
    port 25 flags S/SFRA keep state
  ...
  --------------------------


so, iiuc, anything in <ip-black> should NEVER be redirected to spamd,
AND would be blocked anyway by the subsequent default filter ...

but, in my spamd log i'm seeing,

  Apr 27 10:40:47 router spamd[984]: (GREY) 86.105.76.208:
<euguntersville@mit.midco.net> -> <snowcrash@mydomain.com>
  Apr 27 10:40:47 router spamd[984]: 86.105.76.208: disconnected after
1 seconds.


checking,

	% pfctl -t ip-black -T show | grep 86.104.0.0/14
		86.104.0.0/14

where,

	% whatmask 86.104.0.0/14 | grep "t Usable"
		First Usable IP Address = .....: 86.104.0.1
		Last Usable IP Address = ......: 86.107.255.254

so, why is the addr in question, 86.105.76.208, even getting to spamd?

any suggestions are appreciated!

thanks.