Darrin Chandler wrote:
> On Wed, Jun 06, 2007 at 09:44:30PM +0200, Christoph Schneeberger wrote:
>> I have found the article 
>> http://undeadly.org/cgi?action=article&sid=20061108134508 and tried to
>> setup such a bridge with OpenBSD 4.1.
> 
> I also used that article to do this setup, and it worked fine...
> 
>> case 1: src host is whitelisted, connection is allowed to 1.1.1.35,
>> everything works fine.
>> case 2: src host is grey-/blacklisted and therefore redirected to
>> 127.0.0.1; in this case I just get a timeout when I try to telnet to
>> port 25 of 1.1.1.35, which as I understand is caused by many reasons,
>> among them that the src host expects tcp packets only from 1.1.1.35 and
>> not from 1.1.1.5, which is the only IP the bridge's spamd could use to
>> talk to the src host (sender MTA).
> 
> I don't think case 2 is for the reason you point out. At least I never
> had that problem.
> 
> Do you have the absolutely essential "pass ... route-to ..." rule correct?

Thanks for following up.
Yes, I think so at least; that's what my pf.conf looks like:

ext_if="fxp0"
int_if="xl0"
table <spamd> persist
table <spamd-white> persist
table <whitelist> persist file "/etc/whitelist.txt"
rdr pass on $ext_if inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
rdr pass on $ext_if inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port 8025
pass in log on $ext_if route-to lo0 inet proto tcp from any to 127.0.0.1 port 8025 keep state


-- 
     ---------------------------------------------------+
    / Christoph Schneeberger    /  SCS TeleMedia AG     |
   / GIAC GSEC                 / Liestalerstrasse 47    |
  / [EMAIL PROTECTED]      / [EMAIL PROTECTED]       |
 / 4419 Lupsingen            / http://www.telemedia.ch  |
/ tel +41 61 915 9155       / fax +41 61 911 0714       |
--------------------------------------------------------+



          "Quis custodiet ipsos custodes?"
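Added example (not from this thread, the undeadly article, or OpenBSD itself): a small Python check for the misconfiguration Darrin asks about. It parses the OpenBSD 4.1-era rdr/pass rules quoted above (embedded as a constructed copy with the mail's line wrapping rejoined) and flags any rdr destination that has no matching "pass ... route-to lo0" rule, which is what delivers the redirected SMTP connection to spamd on the bridge. The regexes are a deliberate simplification of pf.conf grammar, assumed sufficient for rules of this shape; a second, constructed variant with the route-to rule removed shows the check catching the gap.

```python
import re

# Constructed copy of the pf.conf fragment quoted in the mail (OpenBSD 4.1-era
# "rdr" syntax), with the mail's line wrapping rejoined so each rule is one line.
PF_CONF_OK = """\
ext_if="fxp0"
int_if="xl0"
table <spamd> persist
table <spamd-white> persist
table <whitelist> persist file "/etc/whitelist.txt"
rdr pass on $ext_if inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
rdr pass on $ext_if inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port 8025
pass in log on $ext_if route-to lo0 inet proto tcp from any to 127.0.0.1 port 8025 keep state
"""

# Constructed variant of the same fragment with the route-to rule left out.
PF_CONF_NO_ROUTE_TO = "\n".join(
    line for line in PF_CONF_OK.splitlines() if "route-to" not in line
) + "\n"

# Simplified pf.conf matching (assumption: rules of the shape quoted in the mail).
# rdr ... -> <addr> port <port>
RDR_RE = re.compile(r"^rdr\b.*->\s*(\S+)\s+port\s+(\S+)")
# pass ... route-to lo0 ... to <addr> port <port>  ("\sto" keeps "route-to" from matching)
ROUTE_TO_RE = re.compile(r"^pass\b.*\broute-to\s+lo0\b.*\sto\s+(\S+)\s+port\s+(\S+)")


def rules(conf):
    """Yield pf.conf rules with comments, blank lines and backslash continuations removed."""
    joined = conf.replace("\\\n", " ")
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def rdr_targets(conf):
    """Set of (address, port) pairs that rdr rules redirect traffic to."""
    return {m.groups() for m in (RDR_RE.match(r) for r in rules(conf)) if m}


def route_to_targets(conf):
    """Set of (address, port) pairs covered by a 'pass ... route-to lo0' rule."""
    return {m.groups() for m in (ROUTE_TO_RE.match(r) for r in rules(conf)) if m}


def missing_route_to(conf):
    """rdr destinations on the bridge that no 'pass ... route-to lo0' rule delivers."""
    return sorted(rdr_targets(conf) - route_to_targets(conf))


if __name__ == "__main__":
    for name, conf in (("ok", PF_CONF_OK), ("no-route-to", PF_CONF_NO_ROUTE_TO)):
        gaps = missing_route_to(conf)
        print(f"{name}: " + ("every rdr target has a route-to lo0 pass rule"
                             if not gaps else f"missing route-to for {gaps}"))
```

Run it as a script to see both verdicts; on the real bridge the authoritative check remains loading the file with pfctl and watching the rdr and pass rule counters while a greylisted sender connects. The check only reasons about the rule text, so it says nothing about case 2 if the route-to rule is present but something else on the bridge is wrong.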
