On 25.05.2016 15:01, Jeff Ross wrote:
> Hi all,
> 
> I am incrementally bringing my server up to date.  I was on 5.5-current so
> following the instructions I upgraded to 5.6 stable.
> 
> I re-wrote my pf.conf to remove the oldqueue rules and to simplify the
> rule set.
> 
> Checks okay for syntax but it doesn't seem to be redirecting mail to
> spamd.  If I telnet to my server on port 25 I do not see the stutter of the
> banner at all.
> 
> Here's my current pf.conf for other eyes--maybe I've made a thinko in these
> new rules:
> 
> # $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
> #
> # See pf.conf(5) for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
> ext_if="re0"  # External Public Interface
> tcp_services = "{ 22,53,113,25,993,465,80,443 }"
> udp_services = "{ domain, ntp, 1194 }"
> icmp_types = "{ echoreq, unreach }"
> table <spamd> persist
> table <zombies> persist
> set block-policy return
> set loginterface $ext_if
> set skip on { lo, tun }
> match on $ext_if inet all scrub (no-df max-mss 1398)
> 
> # filter rules and anchor for ftp-proxy(8)
> anchor "ftp-proxy/*"
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> 
> # anchor for relayd(8)
> block log all
> block in log quick proto tcp from <zombies> to any
> # rules for spamd(8)
> table <spamd-white> persist
> table <nospamd> persist file "/etc/mail/nospamd"
> pass in log on egress proto tcp from any to any port smtp \
>     rdr-to 127.0.0.1 port spamd
> pass in log on egress proto tcp from <nospamd> to any port smtp
> pass in log on egress proto tcp from <spamd-white> to any port smtp
> pass out log on egress proto tcp to any port smtp
> 
> pass in log quick on egress proto tcp to port $tcp_services
> pass in log quick on egress proto udp to port $udp_services
> pass out log quick on egress from any to any
> 
> Thanks!
> 
> Jeff Ross
> 

Hi

Your tcp_services variable includes port 25, which is smtp, and you have
a rule to pass in quick all tcp_services.

That one will precede your spamd rules if I got that right.

So, by removing port 25 from tcp_services, your setup should work.

-- 
Unix _IS_ user friendly - it's just
selective about who its friends are!
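
An added example, not part of either message above: a simplified Python model of how pf evaluates the inbound TCP rules from the posted pf.conf, showing which rule decides a connection to port 25 with and without 25 in tcp_services. It relies on pf.conf(5) semantics: the last matching rule wins, a matching "quick" rule stops evaluation, and options on a pass rule such as rdr-to take effect only when that rule is the deciding one. The names Rule, ruleset and decide are hypothetical, and the ftp and <zombies> rules are left out.

```python
# Simplified model of pf evaluation (added example, hypothetical names):
# last matching rule wins; a matching "quick" rule ends evaluation at once.
from dataclasses import dataclass

@dataclass
class Rule:
    label: str
    ports: frozenset          # destination ports matched (empty = any port)
    quick: bool = False
    src_table: str = ""       # match only sources in this table ("" = any)
    rdr_to: str = ""          # applied only if this rule decides the packet
    action: str = "pass"

POSTED = [22, 53, 113, 25, 993, 465, 80, 443]   # tcp_services as posted
FIXED = [p for p in POSTED if p != 25]          # port 25 removed

def ruleset(tcp_services):
    """Inbound TCP rules from the posted pf.conf, in file order."""
    smtp = frozenset({25})
    return [
        Rule("block log all", frozenset(), action="block"),
        Rule("spamd rdr-to", smtp, rdr_to="127.0.0.1 port spamd"),
        Rule("pass <nospamd>", smtp, src_table="nospamd"),
        Rule("pass <spamd-white>", smtp, src_table="spamd-white"),
        Rule("pass quick $tcp_services", frozenset(tcp_services), quick=True),
    ]

def decide(rules, dport, src_tables=()):
    """Return the rule that decides an inbound TCP connection."""
    winner = None
    for r in rules:
        if r.ports and dport not in r.ports:
            continue
        if r.src_table and r.src_table not in src_tables:
            continue
        winner = r            # later matches override earlier ones
        if r.quick:           # quick: stop here, this rule decides
            break
    return winner

if __name__ == "__main__":
    for name, svc in (("as posted", POSTED), ("port 25 removed", FIXED)):
        r = decide(ruleset(svc), 25)
        print(f"{name}: decided by '{r.label}', rdr-to={r.rdr_to or 'none'}")
```

On the real system, pfctl -sr shows the loaded rules in evaluation order.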
