Date:      Fri, 27 Apr 2007 11:05:01 -0700
From:      snowcrash <schneecrash+pf@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   why are pf-blocked ips 'leaking' thru to spamd?
Message-ID:  <70f41ba20704271105m11fa5315kc7c3d715f2d63f61@mail.gmail.com>

hi,

i've set up pf+spamd on FreeBSD 6.2-RELEASE.

IPs that i've blocked seem to be sneaking through to spamd ... not
always, apparently :-/

i'm guessing i've borked config, or there's an overflow of something
... dunno, yet.

i've config'd pf as follows,

  pf.conf
  --------------------------
  ...
  # OPTIONS
  set block-policy drop
  set optimization aggressive
  set state-policy if-bound
  ...
  # NORMALIZE
  scrub in all
  ...
  # TRANSLATE/REDIRECT
  nat       on $ext_if           from $int_if:network  to any -> ($ext_if)
  ...
  rdr       on $ext_if proto tcp from <mail-white>                    to $SMTP_WAN port 25 -> $SMTP_LAN port 25
  rdr pass  on $ext_if proto tcp from { <spamd>, !<ip-black> }        to ($ext_if) port 25 -> 127.0.0.1 port 8025
  rdr pass  on $ext_if proto tcp from { !<spamd-white>, !<ip-black> } to ($ext_if) port 25 -> 127.0.0.1 port 8025
  rdr       on $ext_if proto tcp from <spamd-white>                   to $SMTP_WAN port 25 -> $SMTP_LAN port 25
  ...
  # FILTER
  block    log quick                      from { <ip-black> } to any
  block    log       all
  pass in  log quick on $ext_if proto tcp from { <mail-white>, <spamd-white> } to $SMTP_LAN port 25 flags S/SFRA keep state
  pass out log quick on $ext_if proto tcp from any to port 25 flags S/SFRA keep state
  ...
  --------------------------


so, iiuc, anything in <ip-black> should NEVER be redirected to spamd,
AND would be blocked anyway by the subsequent default filter ...

but, in my spamd log i'm seeing,

  Apr 27 10:40:47 router spamd[984]: (GREY) 86.105.76.208: <euguntersville@mit.midco.net> -> <snowcrash@mydomain.com>
  Apr 27 10:40:47 router spamd[984]: 86.105.76.208: disconnected after 1 seconds.


checking,

	% pfctl -t ip-black -T show | grep 86.104.0.0/14
		86.104.0.0/14

where,

	% whatmask 86.104.0.0/14 | grep "t Usable"
		First Usable IP Address = .....: 86.104.0.1
		Last Usable IP Address = ......: 86.107.255.254

so, why is the addr in question, 86.105.76.208, even getting to spamd?

any suggestions are appreciated!

thanks.
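As an added illustration (not part of the post), the following Python model applies pf's documented semantics, where a brace list `{ a, b }` expands into one rule per element evaluated in order, translation rules are first-match, and `rdr pass` hands the packet on without consulting the filter rules, to the two `rdr pass` rules above for the logged address. The contents of the `spamd` and `spamd-white` tables are constructed samples; only `86.104.0.0/14` comes from the post.

```python
import ipaddress

# Table contents: ip-black from the post, the other two constructed samples.
TABLES = {
    "ip-black": ["86.104.0.0/14"],
    "spamd": ["10.99.0.0/24"],
    "spamd-white": ["203.0.113.0/24"],
}

# Source lists of the two "rdr pass" rules, in the order they appear in pf.conf.
RDR_PASS_SOURCES = [
    "{ <spamd>, !<ip-black> }",
    "{ !<spamd-white>, !<ip-black> }",
]


def in_table(name, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in TABLES[name])


def expand(src_list):
    """pf expands 'from { a, b }' into one separate rule per element."""
    return [e.strip() for e in src_list.strip("{} ").split(",")]


def element_matches(elem, addr):
    """Evaluate one expanded element such as '<spamd>' or '!<ip-black>'."""
    negated = elem.startswith("!")
    hit = in_table(elem.lstrip("!").strip("<>"), addr)
    return (not hit) if negated else hit


def first_rdr_match(rules, addr):
    """Translation rules are first-match: return (rule index, element) or None."""
    for i, src in enumerate(rules):
        for elem in expand(src):
            if element_matches(elem, addr):
                return i, elem
    return None


def conjunction_matches(src_list, addr):
    """What the list was presumably meant to express: every element must hold."""
    return all(element_matches(e, addr) for e in expand(src_list))


if __name__ == "__main__":
    addr = "86.105.76.208"  # address from the spamd log in the post
    print("blacklisted:", in_table("ip-black", addr))
    print("first rdr match:", first_rdr_match(RDR_PASS_SOURCES, addr))
    print("AND of second list:", conjunction_matches(RDR_PASS_SOURCES[1], addr))
```

For the logged address the model reports that the second `rdr pass` rule matches on its expanded `!<spamd-white>` element, so the packet is redirected to spamd and, because of `pass`, never reaches the `block ... from <ip-black>` filter rule; a table check (`pfctl -t ip-black -T test 86.105.76.208`) confirms membership but does not reveal this ordering effect.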
