--bryan
Jay Moore wrote:
All,
I am confused on a point; hoping someone here can clear this up for me. The rules below are in use on my mail server & appear to be working OK. However, they did not work until I added the rule shown just below the comment line: "# Allow the spamd connections"
If I have a redirect as I do, why do I need a rule that allows the redirect to actually take place?
Put another way: do I need the redirect with the pass rule for spamd?
Thanks, Jay Moore
=============== begin pf.conf ===============
# These rules for a mail server
ExtIF="rl0"
LoopBk="lo0"
AllowTcpIn="{ 22, 25, 113 }"
AllowUdpIn="{ }"
AllowIcmpIn="echoreq"
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
table <spamd> persist

# options
set block-policy return
set loginterface $ExtIF

# scrub
scrub in all

# redirection rule for spamd; send scum to tarpit :)
# make sure spamd is started in rc & setup w/ spamd-setup
rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# filter rules - default deny everything
block all

# Allow loopback packets
pass quick on $LoopBk all

# Allow the spamd connections -->> ?? WHY ?? <<--
pass in on $ExtIF inet proto tcp from <spamd> to 127.0.0.1 port 8025 \
    flags S/SA keep state

# block RFC 1918 addresses from entering or exiting ext_if
# "block drop" -> don't respond w/ TCP RST or ICMP Unreachable packet
# block drop in quick on $ExtIF from $NoRouteIPs to any
# block drop out quick on $ExtIF from any to $NoRouteIPs

# open ports we want accessible from Internet
pass in on $ExtIF inet proto tcp from any to $ExtIF port $AllowTcpIn \
    flags S/SA keep state

# pass required ICMP traffic
pass in inet proto icmp all icmp-type $AllowIcmpIn keep state

# pass traffic out on the interface
pass out on $ExtIF proto tcp all modulate state flags S/SA
pass out on $ExtIF proto { udp, icmp } all keep state
================ end pf.conf ================
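The following pf.conf fragment is an added illustration of the point the question turns on; it is not part of Jay's post or of OpenBSD's own configuration. In the pf of that era, translation and filtering are separate passes: an `rdr` rule only rewrites the destination address and port, and the filter rules are then evaluated against the already-translated packet. A connection from a host in `<spamd>` therefore reaches the filter stage addressed to 127.0.0.1 port 8025, and under a default `block all` it is dropped unless some pass rule matches that translated destination, which is exactly what the "WHY" rule does. The fragment reuses the macro and table names from the post (`ExtIF`, `<spamd>`) and assumes spamd's default listener of 127.0.0.1 port 8025; the commented alternatives show the `rdr pass` shortcut of the classic syntax and the unified `rdr-to` form introduced in OpenBSD 4.7, where the pass rule itself carries the redirection.

```pf
# Added example, not Jay's pf.conf. Macro/table names are assumed to match
# the original above; 127.0.0.1:8025 is spamd's default listener.
ExtIF="rl0"
table <spamd> persist

# ---- Classic split syntax (OpenBSD 4.6 and earlier; FreeBSD/NetBSD pf) ----
# Translation runs first: rdr only rewrites the destination of SMTP
# packets from hosts in <spamd> to the local spamd listener.
rdr on $ExtIF inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# Filtering runs afterwards and sees the packet as already translated,
# i.e. destined for 127.0.0.1 port 8025. With "block all" as the default
# policy the packet is dropped unless a pass rule matches that new
# destination, so the rdr rule alone is not enough.
block all
pass quick on lo0 all
pass in on $ExtIF inet proto tcp from <spamd> to 127.0.0.1 port 8025 \
    flags S/SA keep state

# Alternative in the classic syntax: "rdr pass" lets translated packets
# bypass the filter ruleset entirely, so no explicit pass rule is needed,
# but then the filter cannot apply flags or state options to them.
# rdr pass on $ExtIF inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# ---- Unified syntax (OpenBSD 4.7 and later) ----
# Translation became an option of the filter rule itself, so one pass rule
# both redirects and permits the connection; there is no separate rdr line.
# pass in on $ExtIF inet proto tcp from <spamd> to any port smtp \
#     rdr-to 127.0.0.1 port 8025
```

Parse a candidate ruleset without loading it with `pfctl -nf /etc/pf.conf`; after loading, `pfctl -s rules` lists the filter rules (and on pre-4.7 pf `pfctl -s nat` lists the translation rules separately), and `pfctl -t spamd -T show` prints the current contents of the table, which is useful when checking that a given source address should be hitting the redirect at all.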