I solved the problem by copying the entire rule block right after
the old one and commenting out the old one.
New:
pass in on egress inet proto tcp to (egress) port $mail_ports \
keep state (max-src-conn 20, \
max-src-conn-rate 35/300, overload <bad_ips> \
flush global) \
rdr-to $mail_server
Old:
pass in on egress inet proto tcp to (egress) \
port $mail_ports \
keep state (max-src-conn 20, \
max-src-conn-rate 35/300, overload <bad_ips> \
flush global) rdr-to $mail_server
I only split one line and merged two other lines into one, but I think
I did it correctly and I do not see any logical changes in the block.
I still cannot understand what happened because there were no
uncommented excess lines within the old block.
Before copying the entire rule block I even occasionally made
a typo in the old rule and checked it with pfctl -nf /etc/pf.conf.
PF still behaved as if there were no block with the typo at all:
pass in on egress inet proto tcp to (egress) \
pppport $mail_ports \
keep state (max-src-conn 20, \
max-src-conn-rate 35/300, overload <bad_ips> \
flush global) rdr-to $mail_server
On Mon May 20 11:43:21 2024, Maksim Rodin wrote:
> Hello,
> I use OpenBSD 7.5 stable amd64.
> I uncommented an old rule and the corresponding macro in pf.conf
> which definitely worked when the machine was on version 7.3 and
> possibly 7.4.
>
> After that:
> pfctl -nf /etc/pf.conf shows nothing
> pfctl -f /etc/pf.conf shows nothing
> So Packet Filter seems to be happy with the config as a whole.
>
> pfctl -vvsr shows the old rules WITHOUT the uncommented one.
> pfctl -vvnf /etc/pf.conf warns that the uncommented macro
> used in the uncommented rule is NOT used.
>
> The output of pfctl -vvnf /etc/pf.conf is appended as the
> pfctl_vvnf file.
> The output of pfctl -vvsr is appended as the
> pfctl_vvsr file.
>
>
> Did I miss something when changing the configuration?
>
> The uncommented section 1 is:
> mail_ports = "{ submission imaps }"
>
> The uncommented section 2 is:
> pass in on egress inet proto tcp to (egress) \
> port $mail_ports \
> keep state (max-src-conn 20, \
> max-src-conn-rate 35/300, overload <bad_ips> \
> flush global) rdr-to $mail_server
>
>
> My whole pf.conf (all uncommented lines):
> int_if = "{ vether1 em1 em2 em3 }"
> table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 \
> 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 \
> 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
> }
> table <spamd-white> persist
> table <nospamd> persist file "/etc/mail/nospamd"
> table <bad_ips> persist file "/etc/pf/bad_ips"
>
> transmission_server = "192.168.1.65"
> mail_server = "192.168.1.171"
>
> mail_ports = "{ submission imaps }"
>
> block log all
> set limit table-entries 1000000
> set block-policy drop
> set syncookies adaptive (start 29%, end 15%)
> set skip on lo
>
> match in all scrub (no-df random-id max-mss 1440)
> match out on egress inet from (vether1:network) \
> to any nat-to (egress:0)
>
> block in quick on egress from <martians> to any
> block return out quick on egress from any to <martians>
> block quick from <bad_ips>
>
> pass out quick inet
> pass in on $int_if inet
>
> pass in on egress inet proto tcp \
> to (egress) port 22 keep state \
> (max-src-conn 2, max-src-conn-rate 2/300, \
> overload <bad_ips> flush global)
>
> pass in on egress inet proto { tcp udp } \
> to (egress) port domain keep state \
> (max-src-states 10) \
> rdr-to 127.0.0.1 port 8053
>
> pass in on $int_if inet proto { tcp udp } from \
> (vether1:network) to (egress) port domain
>
> pass in on egress inet proto { tcp udp } \
> to (egress) port 50000 \
> rdr-to $transmission_server
>
> pass in on egress inet proto tcp to (egress) \
> port $mail_ports \
> keep state (max-src-conn 20, \
> max-src-conn-rate 35/300, overload <bad_ips> \
> flush global) rdr-to $mail_server
>
> pass in on egress proto tcp to (egress) \
> port smtp divert-to 127.0.0.1 port spamd
> pass in on egress proto tcp from <nospamd> to (egress) \
> port smtp rdr-to $mail_server
> pass in log on egress proto tcp from <spamd-white> \
> to (egress) port smtp \
> rdr-to $mail_server
> pass out on egress proto tcp to (egress) port smtp
>
>
> --
> Best regards
> Maksim Rodin
> warning: macro 'mail_ports' not used
> Loaded 714 passive OS fingerprints
> int_if = "{ vether1 em1 em2 em3 }"
> table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16
> 172.16.0.0/12 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 }
> table <spamd-white> persist
> table <nospamd> persist file "/etc/mail/nospamd"
> table <bad_ips> persist file "/etc/pf/bad_ips"
> transmission_server = "192.168.1.65"
> mail_server = "192.168.1.171"
> mail_ports = "{ submission imaps }"
> set limit table-entries 1000000
> set block-policy drop
> set syncookies adaptive (start 29%, end 15%)
> set skip on { lo }
> @0 block drop log all
> @1 match in all scrub (no-df random-id max-mss 1440)
> @2 match out on egress inet from (vether1:network:*) to any nat-to
> (egress:0:*) round-robin
> @3 block drop in quick on egress from <martians:0> to any
> @4 block return out quick on egress from any to <martians:0>
> @5 block drop quick from <bad_ips:0> to any
> @6 pass out quick inet all flags S/SA
> @7 pass in on vether1 inet all flags S/SA
> @8 pass in on em1 inet all flags S/SA
> @9 pass in on em2 inet all flags S/SA
> @10 pass in on em3 inet all flags S/SA
> @11 pass in on egress inet proto tcp from any to (egress:*) port = 22 flags
> S/SA keep state (source-track rule, max-src-conn 2, max-src-conn-rate 2/300,
> overload <bad_ips> flush global, src.track 300)
> @12 pass in on egress inet proto tcp from any to (egress:*) port = 53 flags
> S/SA keep state (source-track global, max-src-states 10) rdr-to 127.0.0.1
> port 8053
> @13 pass in on egress inet proto udp from any to (egress:*) port = 53 keep
> state (source-track global, max-src-states 10) rdr-to 127.0.0.1 port 8053
> @14 pass in on vether1 inet proto tcp from (vether1:network:*) to (egress:*)
> port = 53 flags S/SA
> @15 pass in on em1 inet proto tcp from (vether1:network:*) to (egress:*) port
> = 53 flags S/SA
> @16 pass in on em2 inet proto tcp from (vether1:network:*) to (egress:*) port
> = 53 flags S/SA
> @17 pass in on em3 inet proto tcp from (vether1:network:*) to (egress:*) port
> = 53 flags S/SA
> @18 pass in on vether1 inet proto udp from (vether1:network:*) to (egress:*)
> port = 53
> @19 pass in on em1 inet proto udp from (vether1:network:*) to (egress:*) port
> = 53
> @20 pass in on em2 inet proto udp from (vether1:network:*) to (egress:*) port
> = 53
> @21 pass in on em3 inet proto udp from (vether1:network:*) to (egress:*) port
> = 53
> @22 pass in on egress inet proto tcp from any to (egress:*) port = 50000
> flags S/SA rdr-to 192.168.1.65
> @23 pass in on egress inet proto udp from any to (egress:*) port = 50000
> rdr-to 192.168.1.65
> @24 pass in on egress inet proto tcp from any to (egress:*) port = 25 flags
> S/SA divert-to 127.0.0.1 port 8025
> @25 pass in on egress inet proto tcp from <nospamd:0> to (egress:*) port = 25
> flags S/SA rdr-to 192.168.1.171
> @26 pass in log on egress inet proto tcp from <spamd-white:0> to (egress:*)
> port = 25 flags S/SA rdr-to 192.168.1.171
> @27 pass out on egress proto tcp from any to (egress:*) port = 25 flags S/SA
> @0 block drop log all
> [ Evaluations: 1331 Packets: 746 Bytes: 35871 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> @1 match in all scrub (no-df random-id max-mss 1440)
> [ Evaluations: 1331 Packets: 21182 Bytes: 12745032 States: 19
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> @2 match out on egress inet from (vether1:network:1) to any nat-to
> (egress:0:1) round-robin
> [ Evaluations: 1331 Packets: 20878 Bytes: 12693160 States: 14
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> @3 block drop in quick on egress from <martians:9> to any
> [ Evaluations: 973 Packets: 0 Bytes: 0 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> @4 block return out quick on egress from any to <martians:9>
> [ Evaluations: 973 Packets: 0 Bytes: 0 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> @5 block drop quick from <bad_ips:8018> to any
> [ Evaluations: 1331 Packets: 157 Bytes: 9756 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> @6 pass out quick inet all flags S/SA
> [ Evaluations: 1174 Packets: 21152 Bytes: 12742195 States: 19
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 215 ]
> @7 pass in on vether1 inet all flags S/SA
> [ Evaluations: 959 Packets: 21031 Bytes: 12722634 States: 17
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 170 ]
> @8 pass in on em1 inet all flags S/SA
> [ Evaluations: 959 Packets: 0 Bytes: 0 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> @9 pass in on em2 inet all flags S/SA
> [ Evaluations: 959 Packets: 54 Bytes: 8100 States: 1
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 18 ]
> @10 pass in on em3 inet all flags S/SA
> [ Evaluations: 959 Packets: 54 Bytes: 8910 States: 1
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 18 ]
> @11 pass in on egress inet proto tcp from any to (egress:1) port = 22 flags
> S/SA keep state (source-track rule, max-src-conn 2, max-src-conn-rate 2/300,
> overload <bad_ips> flush global, src.track 300)
> [ Evaluations: 959 Packets: 19 Bytes: 3983 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 1 ]
> @12 pass in on egress inet proto tcp from any to (egress:1) port = 53 flags
> S/SA keep state (source-track global, max-src-states 10) rdr-to 127.0.0.1
> port 8053
> [ Evaluations: 599 Packets: 15 Bytes: 862 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 2 ]
> @13 pass in on egress inet proto udp from any to (egress:1) port = 53 keep
> state (source-track global, max-src-states 10) rdr-to 127.0.0.1 port 8053
> [ Evaluations: 22 Packets: 3 Bytes: 194 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 1 ]
> @14 pass in on vether1 inet proto tcp from (vether1:network:1) to (egress:1)
> port = 53 flags S/SA
> [ Evaluations: 325 Packets: 0 Bytes: 0 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> @15 pass in on em1 inet proto tcp from (vether1:network:1) to (egress:1) port
> = 53 flags S/SA
> [ Evaluations: 149 Packets: 0 Bytes: 0 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> @16 pass in on em2 inet proto tcp from (vether1:network:1) to (egress:1) port
> = 53 flags S/SA
> [ Evaluations: 149 Packets: 0 Bytes: 0 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> @17 pass in on em3 inet proto tcp from (vether1:network:1) to (egress:1) port
> = 53 flags S/SA
> [ Evaluations: 131 Packets: 0 Bytes: 0 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> @18 pass in on vether1 inet proto udp from (vether1:network:1) to (egress:1)
> port = 53
> [ Evaluations: 240 Packets: 0 Bytes: 0 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> @19 pass in on em1 inet proto udp from (vether1:network:1) to (egress:1) port
> = 53
> [ Evaluations: 149 Packets: 0 Bytes: 0 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> @20 pass in on em2 inet proto udp from (vether1:network:1) to (egress:1) port
> = 53
> [ Evaluations: 149 Packets: 0 Bytes: 0 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> @21 pass in on em3 inet proto udp from (vether1:network:1) to (egress:1) port
> = 53
> [ Evaluations: 131 Packets: 0 Bytes: 0 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> @22 pass in on egress inet proto tcp from any to (egress:1) port = 50000
> flags S/SA rdr-to 192.168.1.65
> [ Evaluations: 727 Packets: 0 Bytes: 0 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> @23 pass in on egress inet proto udp from any to (egress:1) port = 50000
> rdr-to 192.168.1.65
> [ Evaluations: 20 Packets: 2 Bytes: 185 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 2 ]
> @24 pass in on egress inet proto tcp from any to (egress:1) port = 25 flags
> S/SA divert-to 127.0.0.1 port 8025
> [ Evaluations: 619 Packets: 4 Bytes: 164 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 1 ]
> @25 pass in on egress inet proto tcp from <nospamd:20> to (egress:1) port =
> 25 flags S/SA rdr-to 192.168.1.171
> [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> @26 pass in log on egress inet proto tcp from <spamd-white:1> to (egress:1)
> port = 25 flags S/SA rdr-to 192.168.1.171
> [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> @27 pass out on egress proto tcp from any to (egress:1) port = 25 flags S/SA
> [ Evaluations: 21 Packets: 0 Bytes: 0 States: 0
> ]
> [ Inserted: uid 0 pid 13268 State Creations: 0 ]
--
Best regards
Maksim Rodin
Best regards,
Maksim Rodin
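Added example, not code from this thread: a small Python checker that emulates how pfctl's lexer (parse.y, lgetc()) joins a backslash-newline before it strips # comments, so a commented-out line that ends in a backslash silently swallows every following continued line up to the first line without one. That configuration state produces exactly the symptoms reported above (rule absent from pfctl -vvsr, a "macro not used" warning, typos inside the block not diagnosed), although the thread does not establish that it was the cause here; the pf.conf fragment below is constructed for the demonstration.

```python
"""Added example (not from the thread): pfctl's lexer (parse.y, lgetc())
joins backslash-newline BEFORE '#' comments are stripped, so a commented
line ending in '\\' also comments out every following continued line.
This checker reports such swallowed lines and macros left unused."""
import re

# Constructed pf.conf fragment modelled on the thread's rule block;
# line 3 is a comment whose trailing backslash swallows lines 4-8.
CONSTRUCTED_CONF = """\
mail_server = "192.168.1.171"
mail_ports = "{ submission imaps }"
# old mail rule, kept for reference: \\
pass in on egress inet proto tcp to (egress) \\
    pppport $mail_ports \\
    keep state (max-src-conn 20, \\
    max-src-conn-rate 35/300, overload <bad_ips> \\
    flush global) rdr-to $mail_server
pass in on egress proto tcp to (egress) port smtp rdr-to $mail_server
"""

def logical_lines(text):
    """Yield (first_lineno, last_lineno, joined) as pfctl sees them."""
    physical = text.split("\n")
    i = 0
    while i < len(physical):
        start, buf = i, physical[i]
        while buf.endswith("\\") and i + 1 < len(physical):
            i += 1
            buf = buf[:-1] + physical[i]   # continuation, comment or not
        yield start + 1, i + 1, buf
        i += 1

def swallowed_lines(text):
    """Physical lines that look like config but sit inside a comment."""
    physical, found = text.split("\n"), []
    for start, end, joined in logical_lines(text):
        if joined.lstrip().startswith("#"):
            for n in range(start + 1, end + 1):
                body = physical[n - 1].strip().rstrip("\\").strip()
                if body and not body.startswith("#"):
                    found.append((n, body))
    return found

def unused_macros(text):
    """Mirror pfctl's 'macro ... not used' warning on effective lines."""
    defined, used = set(), set()
    for _, _, joined in logical_lines(text):
        if joined.lstrip().startswith("#"):
            continue            # macros inside a comment are never expanded
        m = re.match(r"\s*([A-Za-z_]\w*)\s*=", joined)
        if m:
            defined.add(m.group(1))
        used.update(re.findall(r"\$([A-Za-z_]\w*)", joined))
    return sorted(defined - used)
```

Running swallowed_lines(CONSTRUCTED_CONF) reports lines 4 through 8 as living inside the comment, and unused_macros(CONSTRUCTED_CONF) returns ['mail_ports'], the same warning pfctl -vvnf printed in the thread.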