Bryan Irvine said:

> Absolutely you need a pass.  The block/pass is part of the firewalling
> section of pf, the rdr is part of the NAT functionality.  So using rdr
> in conjunction with block all won't work unless you explicitly pass that
> traffic as well.  Clear as mud?  :-)

OK - I see that firewalling must support the NAT/rdr's. But why won't this rule work
without benefit of the redirect? It appears all the required info is there - the
spamd table tells the rule which IPs are affected, and where they go in event of a
match.

pass in on $ExtIF inet proto tcp from <spamd> to 127.0.0.1 port 8025 \
     flags S/SA keep state

Thanks,
Jay

> Jay Moore wrote:
>
>>All,
>>
>>I am confused on a point; hoping someone here can clear this up for me. The rules
>>below are in use on my mail server & appear to be working OK. However, they did not
>>work until I added the rule shown just below the comment line:
>>"# Allow the spamd connections"
>>
>>If I have a redirect as I do, why do I need a rule that allows the redirect to
>>actually take place?
>>
>>Put another way: do I need the redirect with the pass rule for spamd?
>>
>>Thanks,
>>Jay Moore
>>
>>=============== begin pf.conf ===============
>># These rules for a mail server
>>ExtIF="rl0"
>>LoopBk="lo0"
>>
>>AllowTcpIn="{ 22, 25, 113 }"
>>AllowUdpIn="{ }"
>>AllowIcmpIn="echoreq"
>>
>>NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>>
>>table <spamd> persist
>>
>># options
>>set block-policy return
>>set loginterface $ExtIF
>>
>># scrub
>>scrub in all
>>
>># redirection rule for spamd; send scum to tarpit :)
>># make sure spamd is started in rc & setup w/ spamd-setup
>>rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
>>
>># filter rules - default deny everything
>>block all
>>
>># Allow loopback packets
>>pass quick on $LoopBk all
>>
>># Allow the spamd connections -->> ?? WHY ?? <<--
>>pass in on $ExtIF inet proto tcp from <spamd> to 127.0.0.1 port 8025 \
>>     flags S/SA keep state
>>
>># block RFC 1918 addresses from entering or exiting ext_if
>># "block drop" -> don't respond w/ TCP RST or ICMP Unreachable packet
>># block drop in  quick on $ExtIF from $NoRouteIPs to any
>># block drop out quick on $ExtIF from any to $NoRouteIPs
>>
>># open ports we want accessible from Internet
>>pass in on $ExtIF inet proto tcp from any to $ExtIF port $AllowTcpIn \
>>     flags S/SA keep state
>>
>># pass required ICMP traffic
>>pass in inet proto icmp all icmp-type $AllowIcmpIn keep state
>>
>># pass traffic out on the interface
>>pass out on $ExtIF proto tcp all modulate state flags S/SA
>>pass out on $ExtIF proto { udp, icmp } all keep state
>>================ end pf.conf ================


-- 
mis·cel·la·ne·ous adjective
Abbr. misc.

1.Made up of a variety of parts or ingredients.
2.Having a variety of characteristics, abilities, or appearances.
3.Concerned with diverse subjects or aspects.

[From Latin miscellaneus, from miscellus, mixed, from miscere, to mix.]
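To make the ordering concrete, here is a small Python model of pf's packet path for the posted ruleset. It is an added example, not from the thread or from pf itself; it encodes two documented pf behaviours (rdr translation is applied before the filter rules see the packet, and the last matching filter rule wins unless it is marked quick) and uses constructed addresses (203.0.113.10 standing in for rl0, 198.51.100.7 as a <spamd> entry). Only inbound TCP on rl0 is modelled; flags and state are ignored.

```python
# Toy model of pf rule evaluation for the spamd ruleset in the thread.
# Assumptions: rdr runs before filtering; last match wins unless "quick".
EXT_IP = "203.0.113.10"          # constructed address for $ExtIF (rl0)
SPAMD_TABLE = {"198.51.100.7"}   # constructed entry in table <spamd>


def rdr(pkt):
    """rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025"""
    if pkt["proto"] == "tcp" and pkt["src"] in SPAMD_TABLE and pkt["dport"] == 25:
        return dict(pkt, dst="127.0.0.1", dport=8025)
    return dict(pkt)


# Inbound filter rules from the posted pf.conf: (name, match, action, quick).
FILTER = [
    ("block all", lambda p: True, "block", False),
    ("pass quick on $LoopBk all", lambda p: p["iface"] == "lo0", "pass", True),
    ("pass spamd", lambda p: p["iface"] == "rl0" and p["proto"] == "tcp"
     and p["src"] in SPAMD_TABLE
     and p["dst"] == "127.0.0.1" and p["dport"] == 8025, "pass", False),
    ("pass $AllowTcpIn", lambda p: p["iface"] == "rl0" and p["proto"] == "tcp"
     and p["dst"] == EXT_IP and p["dport"] in (22, 25, 113), "pass", False),
]


def filter_packet(pkt, rules=FILTER):
    # pf's default with no matching rule is pass; "block all" overrides it.
    action, winner = "pass", None
    for name, match, act, quick in rules:
        if match(pkt):
            action, winner = act, name
            if quick:
                break
    return action, winner


def pf_path(pkt, use_rdr=True, rules=FILTER):
    """Translate (if enabled) and then filter; report the verdict, the deciding rule,
    and the destination the filter rules actually saw."""
    seen = rdr(pkt) if use_rdr else dict(pkt)
    action, winner = filter_packet(seen, rules)
    return action, winner, seen["dst"], seen["dport"]


def spam_packet(src="198.51.100.7"):
    # Constructed inbound SMTP SYN arriving on rl0 for the server's own address.
    return {"iface": "rl0", "proto": "tcp", "src": src, "dst": EXT_IP, "dport": 25}
```

With rdr in place the <spamd> source is rewritten to 127.0.0.1:8025 before filtering, so the "pass spamd" rule is the only one that can match it; without rdr the filter sees the untranslated 203.0.113.10:25 and the ordinary $AllowTcpIn rule delivers it to the real MTA, and with rdr but no matching pass rule "block all" wins.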
