Date:      Sun, 11 Mar 2012 10:31:09 -0700
From:      Doug Hardie <bc979@lafn.org>
To:        Doug Sampson <dougs@dawnsign.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Differences in PF between FBSD 8.2 & 9.0?
Message-ID:  <183ABE4C-9BBB-4B2E-A9B9-CA9F139C827A@lafn.org>
In-Reply-To: <E6B2517F8D6DBF4CABB8F38ACA367E780708CB@Draco.dawnsign.com>
References:  <D358EEF1F9124D44B25B0ED225C8FDE6356CF7@hydra.dawnsign.com> <4F3B76DB.1040301@my.gd> <E6B2517F8D6DBF4CABB8F38ACA367E780708CB@Draco.dawnsign.com>


On 10 March 2012, at 13:34, Doug Sampson wrote:

>> On 2/15/12 2:22 AM, Doug Sampson wrote:
>>> I got bitten by PF when upgrading from 8.2 to 9.0. It refused to allow
>>> any incoming mail. I'm using spamd in conjunction with pf. I use a
>>> combination of natting along with redirections in conjunction with the
>>> normal pass/block rules.
>>>
>>
>> Toggle logging on both your default drop rule and your allow mail ones.
>>
>> Then tcpdump -nei pflog0 ip and port 465 (or 25, whichever)
>> See what rule number matches your packets, then find out what rule that
>> is with pfctl -vvvsr
>>
>>
>
> I'm now getting back to this issue after being diverted to other projects. Spam has been noticed by our staff and they're not happy. :)
>
> Here's what the tcpdump shows:
>
> mailfilter-root@~# tcpdump -nei pflog0 port 8025
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
> 13:12:14.948935 rule 0..16777216/0(match): block in on fxp0: 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, options [mss 1460,nop,nop,TS val 1845169225 ecr 0,nop,wscale 0,nop,nop,sackOK], length 0
> 13:12:18.324854 rule 0..16777216/0(match): block in on fxp0: 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, options [mss 1460,nop,nop,TS val 1845169563 ecr 0,nop,wscale 0,nop,nop,sackOK], length 0
> ...
>
>
> The pflog0 shows that all incoming packets are blocked by rule #0 which is:
>
> @0 scrub in all fragment reassemble
> @0 block drop in log all
>
>
> And
>
> mailfilter-root@~# spamdb | g GREY
> mailfilter-root@~#
>
> No greytrapping is occurring. Is the 'scrub' rule screwing up our packets? Our pf.conf worked fine in version 8.2 prior to the upgrade to 9.0.
>
> Also why am I being warned that there isn't an IPv4 address assigned to pflog0?
>
> Pertinent pf.conf section related to spamd:
>
> # spamd-setup puts addresses to be redirected into table <spamd>.
> table <spamd> persist
> table <spamd-white> persist
> table <spamd-mywhite> persist file "/usr/local/etc/spamd/spamd-mywhite"
> table <spamd-spf> persist file "/usr/local/etc/spamd/spamd-spf.txt"
> #no rdr on { lo0, lo1 } from any to any
> # redirect to spamd
> rdr inet proto tcp from <spamd-mywhite> to $external_addr port smtp -> 127.0.0.1 port smtp
> rdr inet proto tcp from <spamd-spf> to $external_addr port smtp -> 127.0.0.1 port smtp
> rdr inet proto tcp from <spamd-white> to $external_addr port smtp -> 127.0.0.1 port smtp
> rdr inet proto tcp from <spamd> to $external_addr port smtp -> 127.0.0.1 port spamd
> rdr inet proto tcp from !<spamd-mywhite> to $external_addr port smtp -> 127.0.0.1 port spamd
>
> # block all incoming packets but allow ssh, pass all outgoing tcp and udp
> # connections and keep state, logging blocked packets.
> block in log all
>
> # allow inbound/outbound mail! also to log to pflog
> pass in log inet proto tcp from any to $external_addr port smtp flags S/SA synproxy state
> pass out log inet proto tcp from $external_addr to any port smtp flags S/SA synproxy state
> pass in log inet proto tcp from $internal_net to $int_if port smtp flags S/SA synproxy state
> pass in log inet proto tcp from $dmz_net to $int_if port smtp flags S/SA synproxy state

I wouldn't claim to be an expert on pf, but no one else has replied.  Here is my understanding: the redirect rules (rdr) change the destination first to 127.0.0.1 port spamd (which appears to be 8025 from the dump).  Then pf applies the filter rules (block/pass) to the new addresses.  The only filter rule which references port 8025 is the first one: block in log all.  I believe you need a rule to permit mail in on the 8025 port.
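For reference, the shape of a pf.conf that accounts for the ordering described in the reply, as an added example rather than the poster's configuration or anything else from the thread. It uses FreeBSD 9.0 pf syntax, where rdr is a separate translation rule evaluated before the filter rules, so the pass rule has to match the packet as it looks after translation (destination 127.0.0.1, port 25 or 8025) and not the original external address. The macro names, the interface fxp0 (taken from the pflog output), the address 203.0.113.10 and the table file path are assumptions; the port name spamd resolves through /etc/services on the poster's host to 8025, as the dump shows.

```pf
# Added example, not the poster's pf.conf. FreeBSD 9.0 pf syntax: rdr rules
# translate first, filter rules are evaluated against the translated packet.
# Assumptions: interface name, external address and the table file path.
ext_if   = "fxp0"
ext_addr = "203.0.113.10"

table <spamd>         persist
table <spamd-white>   persist
table <spamd-mywhite> persist file "/usr/local/etc/spamd/spamd-mywhite"

# Translation. Whitelisted senders go straight to the MTA on 127.0.0.1:25,
# everyone else to spamd on 127.0.0.1:8025 ("spamd" in /etc/services).
# From this point on the packet's destination address is 127.0.0.1.
rdr on $ext_if inet proto tcp from <spamd-mywhite>  to $ext_addr port smtp -> 127.0.0.1 port smtp
rdr on $ext_if inet proto tcp from <spamd-white>    to $ext_addr port smtp -> 127.0.0.1 port smtp
rdr on $ext_if inet proto tcp from !<spamd-mywhite> to $ext_addr port smtp -> 127.0.0.1 port spamd

# Default deny, logged, so anything that falls through shows up on pflog0
# as a match of filter rule 0 (the "@0 block drop in log all" of pfctl -vvsr).
block in log all

# The filter sees the translated destination. A rule written
# "to $ext_addr port smtp" never matches redirected SMTP and the packet is
# caught by the block above instead; match 127.0.0.1 and both ports.
pass in log on $ext_if inet proto tcp from any to 127.0.0.1 port { smtp, spamd } \
    flags S/SA keep state

# Outbound mail from the MTA is not redirected, so the original address is right here.
pass out log on $ext_if inet proto tcp from $ext_addr to any port smtp \
    flags S/SA keep state
```

To check the result after `pfctl -f /etc/pf.conf`: `pfctl -vvsn` lists the translation rules with their counters, `pfctl -vvsr` lists the filter rules with the @N numbers that pflog reports, and `tcpdump -nei pflog0 port 8025` should now show matches of the pass rule rather than of rule 0. The same effect can be had with the `pass` modifier on the translation rule (`rdr pass ...`), which passes matching packets as if a `pass ... flags S/SA keep state` rule had matched and skips the filter rules for them. The tcpdump warning that pflog0 has no IPv4 address is harmless: pflog0 is a logging pseudo-interface that never carries an address, and tcpdump only needs one for filter expressions that refer to the local network.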




