Thread: RE: spamd-mywhite

RE: spamd-mywhite
United States
2007-09-10 15:07:46
> Hi all,
> 
> I've been running pf+obspamd on FBSD 6.2-RELEASE.
> 
> I appear to be blocking some addresses that appear in my spamd-mywhite file
> and I don't understand why that would be the case here. I'm guessing I've
> screwed up my pf.conf file.
> 
> Here's my config file:
> 
> # pfctl -vvnf /etc/pf.conf
> ext_if = "rl0"
> int_if = "xl0"
> internal_net = "192.168.1.1/24"
> external_addr = "216.70.250.4"
> vpn_net = "10.8.0.0/24"
> NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
> webserver1 = "192.168.1.4"
> set skip on 
> set skip on 
> 0 scrub in all fragment reassemble
> 1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
> 2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
> 3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http -> 192.168.1.4 port 80
> table <spamd> persist
> table <spamd-white> persist
> table <spamd-mywhite> persist file "/usr/local/etc/spamd/spamd-mywhite"
> table <spamd-alloweddomains> persist file "/usr/local/etc/spamd/spamd.alloweddomains"
> 4 rdr pass inet proto tcp from <spamd-white:0> to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
> 5 rdr pass inet proto tcp from <spamd:0> to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
> 6 rdr pass inet proto tcp from ! <spamd-mywhite:0> to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
> 7 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
> 8 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
> 9 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
> 10 block drop in log all
> 11 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
> 12 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
> 13 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
> 14 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
> 15 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
> 16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
> 17 block drop out log quick on rl0 inet from any to 192.168.0.0/16
> 18 block drop out log quick on rl0 inet from any to 172.16.0.0/12
> 19 block drop out log quick on rl0 inet from any to 10.0.0.0/8
> 20 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
> 21 block drop in log quick inet from 192.168.1.25 to any
> 22 pass in on xl0 inet from 192.168.1.0/24 to any
> 23 pass out log on xl0 inet from any to 192.168.1.0/24
> 24 pass out log quick on xl0 inet from any to 10.8.0.0/24
> 25 pass out on rl0 proto tcp all flags S/SA modulate state
> 26 pass out on rl0 proto udp all keep state
> 27 pass out on rl0 proto icmp all keep state
> 28 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
> 29 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
> 
> /var/log/pflog0 shows the following:
> 
> 141748 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768 <mss 1460,wscale 0,nop>
> 2. 049208 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768 <mss 1460,wscale 0,nop>
> 3. 068169 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768 <mss 1460,wscale 0,nop>
> 5. 594277 rule 3/0(match): block in on rl0: 205.188.139.137.61419 > 216.70.250.4.25: S 2510359871:2510359871(0) win 24820 <nop,nop,sackOK,mss 1460>
> 525916 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768 <mss 1460,wscale 0,nop>
> 
> # pfctl -t spamd-mywhite -T show | grep 205.188.
> No ALTQ support in kernel
> ALTQ related functions disabled
>    205.188.139.0/24
>    205.188.144.0/24
>    205.188.156.0/23
>    205.188.157.0/24
>    205.188.159.0/24
> 
> Thus 205.188.159.7 shouldn't be blocked.
> 
> # spamdb | grep 205.188.
> WHITE|205.188.249.132|||1187218293|1187220082|1190330485|13|0
> WHITE|205.188.249.67|||1187823652|1187824708|1190935126|12|0
> WHITE|66.179.205.188|||1186759482|1186761981|1189872409|9|0
> #
> 
> spamdb doesn't show any entries for 205.188.159.7.
> 
> These entries are for AOL mail. I've received complaints from AOL users of
> mail bouncing back to them.
> 
> What am I doing wrong? Are CIDR records accepted by pf+obspamd? I can't
> trace the block back to the proper rules, i.e. rule 3/0 as shown in pflog0
> matches up with which rule in pf.conf?
> 
> Any suggestions are appreciated!
> 
> ~Doug

Hi,

I'm resending this as I have not received any replies. Can
someone help me
out here?

Oh, and I'm running obspamd 4.1.1.

~Doug
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

RE: spamd-mywhite
Germany
2007-09-11 15:02:43
On Mon, 2007-09-10 at 13:07 -0700, Doug Sampson wrote:
> > Hi all,
> > 
> > I've been running pf+obspamd on FBSD 6.2-RELEASE.
> > 
> > I appear to be blocking some addresses that appear in my spamd-mywhite file
> > and I don't understand why that would be the case here. I'm guessing I've
> > screwed up my pf.conf file.
> > 
> > Here's my config file:
> > 
> > # pfctl -vvnf /etc/pf.conf
> > ext_if = "rl0"
> > int_if = "xl0"
> > internal_net = "192.168.1.1/24"
> > external_addr = "216.70.250.4"
> > vpn_net = "10.8.0.0/24"
> > NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
> > webserver1 = "192.168.1.4"
> > set skip on 
> > set skip on 
> > 0 scrub in all fragment reassemble
> > 1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
> > 2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
> > 3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http -> 192.168.1.4 port 80
> > table <spamd> persist
> > table <spamd-white> persist


I will try to comment on the changes to get your setup working.
(I removed the trailing >> for the corrected rules)

# -- OK, your own whitelist to pass spamd
table <spamd-mywhite> persist file "/usr/local/etc/spamd/spamd-mywhite"

# -- silly, don't do this!
# -- !! This file is no table, it is not even for use in a pf ruleset !!
# remove this! table <spamd-alloweddomains> persist file "/usr/local/etc/spamd/spamd.alloweddomains"

From man(8) spamd:

The file /usr/local/etc/spamd/spamd.alloweddomains can be used to
specify a list of domainname suffixes, one per line, one of which must
match each destination email address in the greylist. Any destination
address which does not match one of the suffixes listed in
spamd.alloweddomains will be trapped, exactly as if it were sent to a
spamtrap address.

Comment lines beginning with # are ignored.

This is only a FreeBSD thing, do not use # or whitespaces in OpenBSD!

Maybe this example is better to understand the spamd.alloweddomains:

# all mail to example.org is good
example.org
# all mail to example.com even foo.bar@sub.example.com is OK
example.com
# mail to this RFC only is OK all others will be blacklisted
abuse@example.net
postmaster@example.net
hostmaster@example.net



OK, back to the ruleset.

# -- Let all smtp traffic from the <spamd-mywhite> table pass before
# -- any other rules since we trust them (if you like to log this
# -- traffic with spamlogd remove the pass keyword)
rdr (pass) inet proto tcp from <spamd-mywhite> to 216.70.250.4 port = smtp -> 127.0.0.1 port 25

# -- remove also the *pass* keyword if you use spamlogd so the entry
# -- can be refreshed with every mail during passtime
rdr (pass) inet proto tcp from <spamd-white:0> to 216.70.250.4 port = smtp -> 127.0.0.1 port 25

# -- OK, this rule *with pass*
rdr pass inet proto tcp from <spamd:0> to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025

# -- change this table from <spamd-mywhite> to <spamd-white>,
# -- since <spamd-mywhite> processed two rules before
rdr pass inet proto tcp from ! <spamd-white:0> to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025

# -- Now traffic from the tables <spamd-mywhite> and <spamd-white>
# -- flows in with logging (good with spamlogd)
pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state


> > 8 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
> > 9 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
> > 10 block drop in log all
> > 11 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
> > 12 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
> > 13 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
> > 14 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
> > 15 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
> > 16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
> > 17 block drop out log quick on rl0 inet from any to 192.168.0.0/16
> > 18 block drop out log quick on rl0 inet from any to 172.16.0.0/12
> > 19 block drop out log quick on rl0 inet from any to 10.0.0.0/8
> > 20 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
> > 21 block drop in log quick inet from 192.168.1.25 to any
> > 22 pass in on xl0 inet from 192.168.1.0/24 to any
> > 23 pass out log on xl0 inet from any to 192.168.1.0/24
> > 24 pass out log quick on xl0 inet from any to 10.8.0.0/24
> > 25 pass out on rl0 proto tcp all flags S/SA modulate state
> > 26 pass out on rl0 proto udp all keep state
> > 27 pass out on rl0 proto icmp all keep state
> > 28 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
> > 29 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
> > 
> > /var/log/pflog0 shows the following:
> > 
> > 141748 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768 <mss 1460,wscale 0,nop>
> > 2. 049208 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768 <mss 1460,wscale 0,nop>
> > 3. 068169 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768 <mss 1460,wscale 0,nop>
> > 5. 594277 rule 3/0(match): block in on rl0: 205.188.139.137.61419 > 216.70.250.4.25: S 2510359871:2510359871(0) win 24820 <nop,nop,sackOK,mss 1460>
> > 525916 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768 <mss 1460,wscale 0,nop>

If my count is the same as pfctl -sr then this was the dropping rule
(count only arguments from pfctl -sr not the 'rdr pass' rules):
> > 10 block drop in log all


> > # pfctl -t spamd-mywhite -T show | grep 205.188.
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> >    205.188.139.0/24
> >    205.188.144.0/24
> >    205.188.156.0/23
> >    205.188.157.0/24
> >    205.188.159.0/24

This list is fine, with the changed rules it will work.


> > Thus 205.188.159.7 shouldn't be blocked.

It was possible to block this IP with the old ruleset.

 
> > # spamdb | grep 205.188.
> > WHITE|205.188.249.132|||1187218293|1187220082|1190330485|13|0
> > WHITE|205.188.249.67|||1187823652|1187824708|1190935126|12|0
> > WHITE|66.179.205.188|||1186759482|1186761981|1189872409|9|0
> > #
> > 
> > spamdb doesn't show any entries for 205.188.159.7.

Since the traffic was blocked before, spamd can't see it.

If my count is the same as pfctl -sr then this was the dropping rule
(count only arguments from pfctl -sr not the 'rdr pass' rules):

10 block drop in log all

> > These entries are for AOL mail. I've received complaints from AOL users of
> > mail bouncing back to them.
> > 
> > What am I doing wrong? Are CIDR records accepted by pf+obspamd?

CIDR is OK and supported with pf.
(Ranges like spamd-setup were just committed by Daniel Hartmeier to
OpenBSD 4.2 two weeks ago and I don't know if they will find their way into
FreeBSD 7.0)


> > I can't trace the block back to the proper rules, i.e. rule 3/0 as
> > shown in pflog0 matches up with which rule in pf.conf?

10 block drop in log all


> I'm resending this as I have not received any replies. Can someone help me
> out here?
> 
> Oh, and I'm running obspamd 4.1.1.
> 
> ~Doug


olli
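Added illustration, not code from the thread or from pf/spamd themselves: a small Python model of the three pf behaviours olli's answer rests on (the first matching rdr rule wins and "rdr pass" skips the filter; the last matching filter rule wins unless it is quick; pfctl -sr numbers only filter rules, not scrub/nat/rdr). Fed Doug's <spamd-mywhite> table and the SMTP-relevant rules from the thread, it reproduces the "rule 3 ... block" seen in pflog0 for 205.188.159.7 and shows olli's reordered rdr rules passing the same host; 198.51.100.9 is a constructed sender that is in no table.

```python
import ipaddress

# Constructed from the thread: Doug's <spamd-mywhite> table; <spamd> and
# <spamd-white> hold nothing for the AOL hosts in question.
TABLES = {
    "spamd-mywhite": [ipaddress.ip_network(n) for n in (
        "205.188.139.0/24", "205.188.144.0/24", "205.188.156.0/23",
        "205.188.157.0/24", "205.188.159.0/24")],
    "spamd-white": [],
    "spamd": [],
}

def in_table(name, src):
    return any(ipaddress.ip_address(src) in net for net in TABLES[name])

# rdr rules for inbound TCP to 216.70.250.4 port 25, written as
# (source table, negated with "!", has "pass", target port).  pf takes the
# FIRST matching rdr rule, and "rdr pass" skips the filter rules entirely.
OLD_RDR = [("spamd-white", False, True, 25),     # Doug's rule 4
           ("spamd", False, True, 8025),          # Doug's rule 5
           ("spamd-mywhite", True, True, 8025)]   # Doug's rule 6: from ! <spamd-mywhite>
NEW_RDR = [("spamd-mywhite", False, True, 25),   # olli: trusted list first, to port 25
           ("spamd-white", False, True, 25),
           ("spamd", False, True, 8025),
           ("spamd-white", True, True, 8025)]    # olli: negate <spamd-white> instead

# Filter rules numbered as pfctl -sr numbers them (scrub/nat/rdr not counted),
# as (action, direction, matches SMTP to 216.70.250.4?, quick).  Without
# quick the LAST matching filter rule wins, so rule 3 beats rule 0.
FILTER = [("pass", "in", True, False),    # 0: pass in ... to 216.70.250.4 port smtp
          ("pass", "out", False, False),  # 1: pass out ... from 216.70.250.4
          ("pass", "in", False, False),   # 2: pass in ... 192.168.1.0/24 -> 192.168.1.25
          ("block", "in", True, False)]   # 3: block drop in log all

def evaluate(src, rdr_rules):
    """Fate of one SYN from src to 216.70.250.4:25: (action, port, filter rule no or None)."""
    dport = 25
    for table, negated, passes, port in rdr_rules:
        if in_table(table, src) != negated:    # "from ! <table>" inverts the match
            if passes:
                return ("pass", port, None)    # settled before any filter rule
            dport = port                       # rdr without pass: filter rules decide
            break
    winner = None
    for n, (action, direction, matches, quick) in enumerate(FILTER):
        if direction == "in" and matches:
            winner = (action, n)
            if quick:
                break
    return (winner[0], dport, winner[1])
```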
