From: "Jon Simola"
To: freebsd-pf@freebsd.org
Date: Fri, 27 Apr 2007 11:27:07 -0700
Subject: Re: why are pf-blocked ips 'leaking' thru to spamd?
Message-ID: <8eea04080704271127g70d910bfg82ec652a0c6889bf@mail.gmail.com>
In-Reply-To: <70f41ba20704271105m11fa5315kc7c3d715f2d63f61@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 4/27/07, snowcrash wrote:

> rdr pass on $ext_if proto tcp from { , ! } \
>     to ($ext_if) port 25 -> 127.0.0.1 port 8025
> rdr pass on $ext_if proto tcp from { !, ! } \
>     to ($ext_if) port 25 -> 127.0.0.1 port 8025
>
> so, iiuc, anything in should NEVER be redirected to spamd,
> AND would be blocked anyway by the subsequent default filter ...

Look at what the rules are being evaluated as with pfctl -vvnf :

@0 rdr pass on em2 inet proto tcp from to x.x.x.x port = smtp -> 127.0.0.1 port 8025
@1 rdr pass on em2 inet proto tcp from ! to x.x.x.x port = smtp -> 127.0.0.1 port 8025
@2 rdr pass on em2 inet proto tcp from ! to x.x.x.x port = smtp -> 127.0.0.1 port 8025
@3 rdr pass on em2 inet proto tcp from ! to x.x.x.x port = smtp -> 127.0.0.1 port 8025

> but, in my spamd log i'm seeing,
>
> Apr 27 10:40:47 router spamd[984]: (GREY) 86.105.76.208: ->
> Apr 27 10:40:47 router spamd[984]: 86.105.76.208: disconnected after 1 seconds.
>
> checking,
>
> % pfctl -t ip-black -T show | grep 86.104.0.0/14
> 86.104.0.0/14
>
> where,
>
> % whatmask 86.104.0.0/14 | grep "t Usable"
> First Usable IP Address = .....: 86.104.0.1
> Last Usable IP Address = ......: 86.107.255.254
>
> so, why is the addr in question, 86.105.76.208, even getting to spamd?

Because that block probably isn't in the spamd-white table, hence will be
redirected and passed by rule @2 in the verbose output above.

Multiple tables in rules are tricky because they are not treated as "sets"
that can be arbitrarily compared (i.e., IPs in table A that are not in
table B).

-- 
Jon
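As an added illustration (not part of the thread), the following Python models the two behaviours Jon's reply rests on: pf expands a brace list such as `from { A, !B }` into one rule per element, and rdr rules are first-match. The table contents and the order of the table names inside the braces are reconstructed assumptions; only the /14 block, the address 86.105.76.208 and the table names ip-black and spamd-white come from the thread.

```python
"""Model of pf brace-list expansion for the rdr rules quoted above.

pf turns `from { A, !B }` into separate rules (alternatives, never an
intersection), and rdr rules are first-match.  Table contents are
constructed; the brace order is reconstructed from the pfctl -vvnf output.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Clause = Tuple[str, bool]            # (table name, negated with `!`?)

TABLES: Dict[str, List[ipaddress.IPv4Network]] = {
    # The /14 the poster found with `pfctl -t ip-black -T show`.
    "ip-black": [ipaddress.ip_network("86.104.0.0/14")],
    # Constructed whitelist entry (RFC 5737 documentation range).
    "spamd-white": [ipaddress.ip_network("203.0.113.0/24")],
}

def expand_rdr(rules: List[List[Clause]]) -> List[Clause]:
    """Flatten `{ a, b }` lists the way pf does: every element becomes its
    own rule, numbered @0, @1, ... in order.  No set arithmetic happens."""
    return [clause for rule in rules for clause in rule]

def in_table(addr: str, table: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TABLES[table])

def first_match(addr: str, expanded: List[Clause]) -> Optional[int]:
    """rdr rules are first-match: return the @n of the first expanded rule
    whose source clause accepts the address, or None if nothing redirects."""
    for n, (table, negated) in enumerate(expanded):
        hit = in_table(addr, table)
        if hit != negated:           # plain clause needs a hit, `!` a miss
            return n
    return None

def intended_redirect(addr: str) -> bool:
    """What the poster meant: never redirect anything listed in ip-black."""
    return not in_table(addr, "ip-black")

# Assumed reading of the two posted rules:
#   from { <spamd-white>, !<ip-black> }  and  from { !<spamd-white>, !<ip-black> }
POSTED = [
    [("spamd-white", False), ("ip-black", True)],
    [("spamd-white", True), ("ip-black", True)],
]
EXPANDED = expand_rdr(POSTED)        # @0 white, @1 !black, @2 !white, @3 !black

if __name__ == "__main__":
    for a in ("86.105.76.208", "203.0.113.5", "198.51.100.7"):
        print(a, "-> matches @%s" % first_match(a, EXPANDED),
              "| intended redirect:", intended_redirect(a))
```

For 86.105.76.208 the blacklisted address misses @0 and @1 but matches @2 (`!<spamd-white>`), so it is redirected to spamd even though the intended set logic would have excluded it.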