I'm trying to set up spamd on my firewall system. The configuration is tricky because my upstream provider (Verizon) only gives me 5 IPs, all on the same subnet.
The firewall system is acting as a bridge and as a router. Two interfaces (sk0 and vr0) are in a bridge:

    bridge0: flags=3041<UP,RUNNING,LINK0,LINK1>
            priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
            sk0 flags=7<LEARNING,DISCOVER,BLOCKNONIP>
                    port 1 ifpriority 0 ifcost 0
            vr0 flags=3<LEARNING,DISCOVER>
                    port 3 ifpriority 0 ifcost 0
            Addresses (max cache: 100, timeout: 240):
                    00:1b:2f:b9:6c:c5 vr0 0 flags=0<>
                    00:90:1a:a2:0a:ba sk0 1 flags=0<>
                    6c:f0:49:0c:07:79 vr0 0 flags=0<>
                    00:30:18:a8:10:76 vr0 1 flags=0<>
                    00:24:1d:19:01:0d vr0 1 flags=0<>

sk0 connects to my fiber connection - it is in group wan.
vr0 connects to a switch - my local hub - it is in group lan.
They are not assigned any addresses.

re0 is the interface for this host's traffic. It is connected to the local hub and has multiple addresses in order to act as a router. It is in group int.

The system is configured this way in order to have separate sets of filter & nat rules on the bridge and the local interface, as well as letting the lan hosts with routable addresses talk directly to the upstream link.

I know that the documentation recommends assigning an address to one interface on the bridge. I tried to assign the routable address of the firewall machine to an interface on the bridge and the pf rules became a nightmare of complexity and never worked right. There is no way I can get an additional IP from the provider to talk to the upstream link (without paying many $$$). The system is sometimes multi-homed, talks via tunnels to other networks, supports routing to test networks, etc., etc., so keeping the rule sets simple and without unexpected interactions is essential.
Table locals contains my assigned subnet and 192.168.0.0/16.
Table mail_servers contains my mail servers' external addresses.

If I put a nat rule into pf:

    rdr pass in on wan proto tcp from !<locals> to <mail_servers> \
        port smtp -> 127.0.0.1 port spamd

and a filter rule

    pass quick in on wan from any to any port smtp flags any

then packets pass through the bridge to the switch with
1) the mail server link level address
2) IP 127.0.0.1

This doesn't work, of course, because the switch delivers the packet to the original destination.

I haven't found any way to alter the link level address or force pf to put the packets on either lo0 or re0's input queue. I've tried "fastroute" in the filter rule. I've tried a "route-to" and "reply-to" pair. I've tried "divert-to". In all cases the packets disappear - they aren't seen by tcpdump on any interface.

Is there anything I haven't tried? I've searched for any examples of something like this.

I am thinking of creating a virtual interface "virt" which is the lo code modified:
- delete the call to enqueue output packets on the input queue
- add an Ethernet header with a fabricated Ethernet address

and configuring an instance of this to the bridge. I -think- that would do what I want. Maybe. The bridge might still force the packets out the lan branch because of the ethernet address on the packet.

Any suggestions? I'd be willing to rearrange the bridge code to respect routing by pf, if there is no other way to make this work.

thanks
Geoff Steckel