Date: Mon, 12 Mar 2012 23:43:53 +0000
From: Doug Sampson <dougs@dawnsign.com>
To: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: RE: Differences in PF between FBSD 8.2 & 9.0?
Message-ID: <E6B2517F8D6DBF4CABB8F38ACA367E78071AE8@Draco.dawnsign.com>
In-Reply-To: <183ABE4C-9BBB-4B2E-A9B9-CA9F139C827A@lafn.org>
References: <D358EEF1F9124D44B25B0ED225C8FDE6356CF7@hydra.dawnsign.com> <4F3B76DB.1040301@my.gd> <E6B2517F8D6DBF4CABB8F38ACA367E780708CB@Draco.dawnsign.com> <183ABE4C-9BBB-4B2E-A9B9-CA9F139C827A@lafn.org>
> > I'm now getting back to this issue after being diverted to other projects. Spam has been noticed by our staff and they're not happy. :)
> >
> > Here's what the tcpdump shows:
> >
> > mailfilter-root@~# tcpdump -nei pflog0 port 8025
> > tcpdump: WARNING: pflog0: no IPv4 address assigned
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
> > 13:12:14.948935 rule 0..16777216/0(match): block in on fxp0: 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, options [mss 1460,nop,nop,TS val 1845169225 ecr 0,nop,wscale 0,nop,nop,sackOK], length 0
> > 13:12:18.324854 rule 0..16777216/0(match): block in on fxp0: 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, options [mss 1460,nop,nop,TS val 1845169563 ecr 0,nop,wscale 0,nop,nop,sackOK], length 0
> > ...
> >
> > The pflog0 shows that all incoming packets are blocked by rule #0 which is:
> >
> > @0 scrub in all fragment reassemble
> > @0 block drop in log all
> >
> > And
> >
> > mailfilter-root@~# spamdb | g GREY
> > mailfilter-root@~#
> >
> > No greytrapping is occurring. Is the 'scrub' rule screwing up our packets? Our pf.conf worked fine in version 8.2 prior to the upgrade to 9.0.
> >
> > Also why am I being warned that there isn't an IPv4 address assigned to pflog0?
> >
> > Pertinent pf.conf section related to spamd:
> >
> > # spamd-setup puts addresses to be redirected into table <spamd>.
> > table <spamd> persist
> > table <spamd-white> persist
> > table <spamd-mywhite> persist file "/usr/local/etc/spamd/spamd-mywhite"
> > table <spamd-spf> persist file "/usr/local/etc/spamd/spamd-spf.txt"
> > #no rdr on { lo0, lo1 } from any to any
> > # redirect to spamd
> > rdr inet proto tcp from <spamd-mywhite> to $external_addr port smtp -> 127.0.0.1 port smtp
> > rdr inet proto tcp from <spamd-spf> to $external_addr port smtp -> 127.0.0.1 port smtp
> > rdr inet proto tcp from <spamd-white> to $external_addr port smtp -> 127.0.0.1 port smtp
> > rdr inet proto tcp from <spamd> to $external_addr port smtp -> 127.0.0.1 port spamd
> > rdr inet proto tcp from !<spamd-mywhite> to $external_addr port smtp -> 127.0.0.1 port spamd
> >
> > # block all incoming packets but allow ssh, pass all outgoing tcp and udp
> > # connections and keep state, logging blocked packets.
> > block in log all
> >
> > # allow inbound/outbound mail! also to log to pflog
> > pass in log inet proto tcp from any to $external_addr port smtp flags S/SA synproxy state
> > pass out log inet proto tcp from $external_addr to any port smtp flags S/SA synproxy state
> > pass in log inet proto tcp from $internal_net to $int_if port smtp flags S/SA synproxy state
> > pass in log inet proto tcp from $dmz_net to $int_if port smtp flags S/SA synproxy state
>
> I wouldn't claim to be an expert on pf, but no one else has replied. Here is my understanding: the redirect rules (rdr) change the destination first to 127.0.0.1 port spamd (which appears to be 8025 from the dump). Then pf applies the filter rules (block, pass) to the new addresses. The only filter rule which references port 8025 is the first one: block in log all. I believe you need a rule to permit mail in on the 8025 port.
>

I modified the following rules:

# allow inbound/outbound mail! also to log to pflog
pass in log inet proto tcp from any to $external_addr port smtp flags S/SA synproxy state
pass in log inet proto tcp from any to 127.0.0.1 port smtp flags S/SA synproxy state
pass in log inet proto tcp from any to 127.0.0.1 port spamd flags S/SA synproxy state
pass out log inet proto tcp from $external_addr to any port smtp flags S/SA synproxy state
pass in log inet proto tcp from $internal_net to $int_if port smtp flags S/SA synproxy state
pass in log inet proto tcp from $dmz_net to $int_if port smtp flags S/SA synproxy state

I now am seeing packets to port 25 on the external interface being passed to lo0 port 25. Packets destined for port 8025 on the lo0 interface are being passed. So far so good. The trouble is I am not seeing GREYTRAP entries in the spamdb like I used to see previously. Netstat -an reports connections between various smtp servers and our smtp server.

I am at a loss. Should I rebuild the spamd port considering that our greytrapping mechanism broke down when I upgraded from 8.3 to 9.0?

~Doug
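Added example, not code from this thread or from pf itself: a small Python model of the order of operations the reply above describes, where pf rewrites the destination with rdr first and only then evaluates the filter rules over the rewritten packet, with the last matching rule winning when no rule says quick. The $external_addr value and the table contents are constructed; the rdr and filter rule order follows the pf.conf quoted in the thread, and the model shows the original ruleset blocking the translated spamd connection and the modified one passing it.

```python
EXTERNAL_ADDR = "203.0.113.10"   # constructed stand-in for $external_addr
SMTP, SPAMD = 25, 8025           # spamd listens on 8025, as the pflog dump shows
TABLES = {                       # table contents are constructed sample data
    "spamd-mywhite": {"192.0.2.25"},
    "spamd": {"75.180.132.120"},  # the source address seen in the pflog dump
}

# rdr rules in pf.conf order: (source table, negated?, new dst, new port)
RDR_RULES = [
    ("spamd-mywhite", False, "127.0.0.1", SMTP),
    ("spamd", False, "127.0.0.1", SPAMD),
    ("spamd-mywhite", True, "127.0.0.1", SPAMD),   # from !<spamd-mywhite>
]

# filter rules in pf.conf order: (action, dst, dport); "any"/None match all
ORIGINAL_FILTER = [
    ("block", "any", None),           # block in log all
    ("pass", EXTERNAL_ADDR, SMTP),    # pass in ... to $external_addr port smtp
]
MODIFIED_FILTER = ORIGINAL_FILTER + [
    ("pass", "127.0.0.1", SMTP),      # pass in ... to 127.0.0.1 port smtp
    ("pass", "127.0.0.1", SPAMD),     # pass in ... to 127.0.0.1 port spamd
]

def apply_rdr(src, dst, dport):
    """rdr runs before filtering; the first matching rdr rule rewrites dst."""
    if dst != EXTERNAL_ADDR or dport != SMTP:
        return dst, dport
    for table, negated, new_dst, new_port in RDR_RULES:
        if (src in TABLES.get(table, set())) != negated:
            return new_dst, new_port
    return dst, dport

def filter_verdict(dst, dport, rules):
    """Filter rules see the translated packet; the last matching rule wins."""
    verdict = "pass"   # pf's default when no rule matches
    for action, rule_dst, rule_port in rules:
        if rule_dst != "any" and rule_dst != dst:
            continue
        if rule_port is not None and rule_port != dport:
            continue
        verdict = action
    return verdict

def inbound_smtp_verdict(src, rules):
    """(dst, dport, verdict) for an inbound SYN from src to $external_addr:25."""
    dst, dport = apply_rdr(src, EXTERNAL_ADDR, SMTP)
    return dst, dport, filter_verdict(dst, dport, rules)
```

The first tuple element shows why the pflog line reports a block to 127.0.0.1.8025 although the packet arrived for $external_addr port 25: the filter never saw the original destination.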