All, I am confused on a point; hoping someone here can clear this up for me. The rules below are in use on my mail server & appear to be working OK. However, they did not work until I added the rule shown just below the comment line: "# Allow the spamd connections"
If I have a redirect as I do, why do I need a rule that allows the redirect to actually take place? Put another way: do I need the redirect with the pass rule for spamd? Thanks, Jay Moore

=============== begin pf.conf ===============
# These rules for a mail server
ExtIF="rl0"
LoopBk="lo0"
AllowTcpIn="{ 22, 25, 113 }"
AllowUdpIn="{ }"
AllowIcmpIn="echoreq"
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
table <spamd> persist

# options
set block-policy return
set loginterface $ExtIF

# scrub
scrub in all

# redirection rule for spamd; send scum to tarpit :)
# make sure spamd is started in rc & setup w/ spamd-setup
rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# filter rules - default deny everything
block all

# Allow loopback packets
pass quick on $LoopBk all

# Allow the spamd connections -->> ?? WHY ?? <<--
pass in on $ExtIF inet proto tcp from <spamd> to 127.0.0.1 port 8025 \
    flags S/SA keep state

# block RFC 1918 addresses from entering or exiting ext_if
# "block drop" -> don't respond w/ TCP RST or ICMP Unreachable packet
# block drop in quick on $ExtIF from $NoRouteIPs to any
# block drop out quick on $ExtIF from any to $NoRouteIPs

# open ports we want accessible from Internet
pass in on $ExtIF inet proto tcp from any to $ExtIF port $AllowTcpIn \
    flags S/SA keep state

# pass required ICMP traffic
pass in inet proto icmp all icmp-type $AllowIcmpIn keep state

# pass traffic out on the interface
pass out on $ExtIF proto tcp all modulate state flags S/SA
pass out on $ExtIF proto { udp, icmp } all keep state
================ end pf.conf ================
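The point the question turns on is the order in which pf processes a packet: with the rdr syntax used in this ruleset, translation rules run before the filter rules, so by the time the filter sees an SMTP connection from a host in <spamd> its destination has already been rewritten to 127.0.0.1 port 8025. The rule opening port 25 "to $ExtIF" therefore no longer matches it, the default "block all" applies, and spamd never gets the connection. The rdr rule and the pass rule do different jobs (rewrite, then permit), which is why both are needed unless the two are merged with "rdr pass". The fragment below is an added example to illustrate that, not part of the original post; it reuses the poster's interface name, table name and port, and the ordering comments are mine.

```pf
# Added example (not the poster's file): the minimum needed for the spamd tarpit.
# "rl0", <spamd> and port 8025 are taken from the post above.
ExtIF="rl0"
table <spamd> persist

# 1. Translation runs first. An SMTP connection from a listed host is rewritten
#    to 127.0.0.1:8025 before any filter rule is evaluated.
rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# 2. Default deny, as in the post.
block all

# 3. The filter sees the translated packet: destination 127.0.0.1 port 8025,
#    still arriving on $ExtIF. A rule written "to $ExtIF port 25" does not match
#    it any more, so without this rule "block all" wins and the tarpit is dead.
pass in on $ExtIF inet proto tcp from <spamd> to 127.0.0.1 port 8025 \
    flags S/SA keep state

# Alternative: "rdr pass" does the rewrite and passes the translated connection
# in one rule, bypassing the filter ruleset for those packets, so the separate
# pass rule above is not needed when this form is used instead of plain "rdr".
# rdr pass inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# 4. Hosts that are not in <spamd> are untouched by the rdr and still reach the
#    real MTA through the ordinary port-25 rule.
pass in on $ExtIF inet proto tcp from any to $ExtIF port 25 flags S/SA keep state
```

Two checks are worth running after loading the file: `pfctl -sn` lists the translation rules and `pfctl -sr` the filter rules in the order pf evaluates them, and `pfctl -t spamd -T show` confirms the table actually contains addresses (if spamd-setup has not populated it, the rdr never matches and every sender goes straight to port 25, which looks like "working OK" but is not tarpitting anyone). One caveat on syntax: OpenBSD releases from 4.7 onward dropped the separate rdr block, and the same thing is written as a single filter rule of the form `pass in on $ExtIF inet proto tcp from <spamd> to any port smtp rdr-to 127.0.0.1 port 8025`; FreeBSD and older OpenBSD keep the rdr/pass split shown here.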