On 10 March 2012, at 13:34, Doug Sampson wrote:

>> On 2/15/12 2:22 AM, Doug Sampson wrote:
>>> I got bitten by PF when upgrading from 8.2 to 9.0. It refused to allow
>>> any incoming mail. I'm using spamd in conjunction with pf. I use a
>>> combination of natting along with redirections in conjunction with the
>>> normal pass/block rules.
>>> 
>> 
>> Toggle logging on both your default drop rule and your allow mail ones.
>> 
>> Then tcpdump -nei pflog0 ip and port 465 (or 25, whichever)
>> See what rule number matches your packets, then find out what rule that
>> is with pfctl -vvvsr
>> 
>> 
> 
> I'm now getting back to this issue after being diverted to other projects. 
> Spam has been noticed by our staff and they're not happy. :)
> 
> Here's what the tcp dump show:
> 
> mailfilter-root@~# tcpdump -nei pflog0 port 8025
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 
> bytes
> 13:12:14.948935 rule 0..16777216/0(match): block in on fxp0: 
> 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, 
> options [mss 1460,nop,nop,TS val 1845169225 ecr 0,nop,wscale 
> 0,nop,nop,sackOK], length 0
> 13:12:18.324854 rule 0..16777216/0(match): block in on fxp0: 
> 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, 
> options [mss 1460,nop,nop,TS val 1845169563 ecr 0,nop,wscale 
> 0,nop,nop,sackOK], length 0
> ...
> 
> 
> The pflog0 shows that all incoming packets are blocked by rule #0 which is:
> 
> @0 scrub in all fragment reassemble
> @0 block drop in log all
> 
> 
> And
> 
> mailfilter-root@~# spamdb | g GREY
> mailfilter-root@~#
> 
> No greytrapping is occurring. Is the 'scrub' rule screwing up our packets? 
> Our pf.conf worked fine in version 8.2 prior to the upgrade to 9.0.
> 
> Also why am I being warned that there isn't an IPv4 address assigned to 
> pflog0?
> 
> Pertinent pf.conf section related to spamd:
> 
> # spamd-setup puts addresses to be redirected into table <spamd>.
> table <spamd> persist
> table <spamd-white> persist
> table <spamd-mywhite> persist file "/usr/local/etc/spamd/spamd-mywhite"
> table <spamd-spf> persist file "/usr/local/etc/spamd/spamd-spf.txt"
> #no rdr on { lo0, lo1 } from any to any
> # redirect to spamd
> rdr inet proto tcp from <spamd-mywhite> to $external_addr port smtp -> 127.0.0.1 port smtp
> rdr inet proto tcp from <spamd-spf> to $external_addr port smtp -> 127.0.0.1 port smtp
> rdr inet proto tcp from <spamd-white> to $external_addr port smtp -> 127.0.0.1 port smtp
> rdr inet proto tcp from <spamd> to $external_addr port smtp -> 127.0.0.1 port spamd
> rdr inet proto tcp from !<spamd-mywhite> to $external_addr port smtp -> 127.0.0.1 port spamd
> 
> # block all incoming packets but allow ssh, pass all outgoing tcp and udp
> # connections and keep state, logging blocked packets.
> block in log all
> 
> # allow inbound/outbound mail! also to log to pflog
> pass in log inet proto tcp from any to $external_addr port smtp flags S/SA synproxy state
> pass out log inet proto tcp from $external_addr to any port smtp flags S/SA synproxy state
> pass in log inet proto tcp from $internal_net to $int_if port smtp flags S/SA synproxy state
> pass in log inet proto tcp from $dmz_net to $int_if port smtp flags S/SA synproxy state

I wouldn't claim to be an expert on pf, but no one else has replied.  Here is
my understanding: the redirect rules (rdr) change the destination first to
127.0.0.1 port spamd (which appears to be 8025 from the dump).  Then pf applies
the filter rules (block/pass) to the new addresses.  The only filter rule which
references port 8025 is the first one: block in log all.  I believe you need a
rule to permit mail in on the 8025 port.
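The ordering the reply describes, as an added pf.conf fragment that is not part of the thread or the poster's own config. It uses the rdr syntax of the quoted rules and assumes the same `$external_addr`, `$int_if` and `<spamd*>` tables plus an `$ext_if` macro for the external interface, and that `spamd` resolves to 8025/tcp in /etc/services (the port seen in the pflog capture).

```pf
# Added example, not the poster's pf.conf. Assumes $ext_if, $external_addr
# and the <spamd-white>/<spamd-mywhite>/<spamd> tables from the quoted config.

# 1. Translation runs first. Every inbound SMTP connection to $external_addr
#    is rewritten to 127.0.0.1 before any filter rule is consulted:
#    whitelisted senders go to the real MTA, everyone else to spamd.
rdr on $ext_if inet proto tcp from <spamd-mywhite> to $external_addr port smtp -> 127.0.0.1 port smtp
rdr on $ext_if inet proto tcp from <spamd-white>   to $external_addr port smtp -> 127.0.0.1 port smtp
rdr on $ext_if inet proto tcp from !<spamd-mywhite> to $external_addr port smtp -> 127.0.0.1 port spamd

# 2. Default deny, logged, so pflog0 shows what is dropped and by which rule.
block in log all

# 3. Filter rules are evaluated against the *translated* destination.
#    A rule written "to $external_addr port smtp" therefore never matches
#    the redirected packets; they arrive at the filter as 127.0.0.1:25 or
#    127.0.0.1:8025 and fall through to the block rule above (rule 0 in
#    the capture). Pass the rewritten destinations explicitly instead:
pass in log on $ext_if inet proto tcp from any to 127.0.0.1 port { smtp, spamd } keep state

# Outbound mail and the internal/DMZ paths are not translated, so these
# match the original addresses as before.
pass out log inet proto tcp from $external_addr to any port smtp flags S/SA keep state
pass in log inet proto tcp from $internal_net to $int_if port smtp flags S/SA keep state
```

After `pfctl -f /etc/pf.conf`, `pfctl -sn` should list the rdr rules and `pfctl -vvsr` the numbered pass rule for `127.0.0.1 port = 8025`; repeating the `tcpdump -nei pflog0 port 8025` capture from the thread should then show `pass in` with that rule number instead of `rule 0 ... block in`. If the capture still shows rule 0, check that `spamd` resolves to 8025 in /etc/services and that the rdr rules name the interface the packets actually arrive on (`fxp0` in the capture).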


_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"