Bryan Irvine said:
> Absolutely you need a pass. the block/pass is part of the firewalling
> section of pf, the rdr is part of the nat functionality. So using rdr
> in conjunction with block all won't work unless you explicitly pass that
> traffic as well. Clear as mud? :-)

OK - I see that firewalling must support the NAT/rdr's. But why won't
this rule work without benefit of the redirect? It appears all the
required info is there - the spamd table tells the rule which IPs are
affected, and where they go in event of a match.

pass in on $ExtIF inet proto tcp from <spamd> to 127.0.0.1 port 8025 \
    flags S/SA keep state

Thanks,
Jay

> Jay Moore wrote:
>
>> All,
>>
>> I am confused on a point; hoping someone here can clear this up for me. The rules
>> below are in use on my mail server & appear to be working OK. However, they did not
>> work until I added the rule shown just below the comment line:
>> "# Allow the spamd connections"
>>
>> If I have a redirect as I do, why do I need a rule that allows the redirect to
>> actually take place?
>>
>> Put another way: do I need the redirect with the pass rule for spamd?
>>
>> Thanks,
>> Jay Moore
>>
>> =============== begin pf.conf ===============
>> # These rules for a mail server
>> ExtIF="rl0"
>> LoopBk="lo0"
>>
>> AllowTcpIn="{ 22, 25, 113 }"
>> AllowUdpIn="{ }"
>> AllowIcmpIn="echoreq"
>>
>> NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>>
>> table <spamd> persist
>>
>> # options
>> set block-policy return
>> set loginterface $ExtIF
>>
>> # scrub
>> scrub in all
>>
>> # redirection rule for spamd; send scum to tarpit :)
>> # make sure spamd is started in rc & setup w/ spamd-setup
>> rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
>>
>> # filter rules - default deny everything
>> block all
>>
>> # Allow loopback packets
>> pass quick on $LoopBk all
>>
>> # Allow the spamd connections -->> ?? WHY ?? <<--
>> pass in on $ExtIF inet proto tcp from <spamd> to 127.0.0.1 port 8025 \
>>     flags S/SA keep state
>>
>> # block RFC 1918 addresses from entering or exiting ext_if
>> # "block drop" -> don't respond w/ TCP RST or ICMP Unreachable packet
>> # block drop in quick on $ExtIF from $NoRouteIPs to any
>> # block drop out quick on $ExtIF from any to $NoRouteIPs
>>
>> # open ports we want accessible from Internet
>> pass in on $ExtIF inet proto tcp from any to $ExtIF port $AllowTcpIn \
>>     flags S/SA keep state
>>
>> # pass required ICMP traffic
>> pass in inet proto icmp all icmp-type $AllowIcmpIn keep state
>>
>> # pass traffic out on the interface
>> pass out on $ExtIF proto tcp all modulate state flags S/SA
>> pass out on $ExtIF proto { udp, icmp } all keep state
>> ================ end pf.conf ================

-- 
mis·cel·la·ne·ous adjective Abbr. misc.
1. Made up of a variety of parts or ingredients.
2. Having a variety of characteristics, abilities, or appearances.
3. Concerned with diverse subjects or aspects.
[From Latin miscellaneus, from miscellus, mixed, from miscere, to mix.]
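The point at issue in the thread is pf's order of operations: for an inbound packet, rdr translation is applied first, and the filter rules then see the translated packet (destination 127.0.0.1 port 8025, still arriving on rl0), with the last matching rule winning unless a rule says quick. The small model below is an added example written for this thread, not code from the original posts or from pf itself; it encodes Jay's ruleset as Python data and walks a SYN from a <spamd> source through it. The interface name, the <spamd> entry and the external address (198.51.100.10) are constructed placeholders, and the model only covers the inbound-TCP rules that matter here.

```python
"""Toy model of pf's evaluation order for an inbound TCP SYN:
rdr translation runs first, then the filter rules see the *translated*
packet; last matching filter rule wins unless it is marked 'quick'.
Added example, not pf code; addresses below are constructed."""
from dataclasses import dataclass, replace

EXT_IF = "rl0"
EXT_ADDR = "198.51.100.10"        # constructed: the address on $ExtIF
SPAMD_TABLE = {"203.0.113.7"}     # constructed: one entry in <spamd>


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on (unchanged by rdr)
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
RDR_RULES = [
    {"proto": "tcp", "from": SPAMD_TABLE, "dport": 25,
     "to": "127.0.0.1", "to_port": 8025},
]


def rdr_translate(pkt, rdr_rules):
    """First matching rdr rule rewrites the destination address/port.
    pf does this before any filter rule is consulted."""
    for r in rdr_rules:
        if (pkt.proto == r["proto"] and pkt.src in r["from"]
                and pkt.dport == r["dport"]):
            return replace(pkt, dst=r["to"], dport=r["to_port"])
    return pkt


def matches(rule, pkt):
    """A missing key means 'any' for that field."""
    if rule.get("iface") not in (None, pkt.iface):
        return False
    if rule.get("proto") not in (None, pkt.proto):
        return False
    if rule.get("from") is not None and pkt.src not in rule["from"]:
        return False
    if rule.get("dst") not in (None, pkt.dst):
        return False
    if rule.get("dport") is not None and pkt.dport not in rule["dport"]:
        return False
    return True


def filter_decision(pkt, filter_rules):
    """Last matching rule wins; a 'quick' match stops evaluation."""
    decision = "pass"          # pf's default if no rule matches at all
    for r in filter_rules:
        if matches(r, pkt):
            decision = r["action"]
            if r.get("quick"):
                break
    return decision


def evaluate(pkt, rdr_rules, filter_rules):
    """Full inbound path: translate, then filter the translated packet."""
    translated = rdr_translate(pkt, rdr_rules)
    return filter_decision(translated, filter_rules), translated


def jay_ruleset(spamd_pass="correct"):
    """Jay's inbound TCP rules, with three variants of the spamd pass rule:
    'correct'      = his rule matching 127.0.0.1 port 8025 (post-translation)
    'untranslated' = a rule written for the original port 25 (a common mistake)
    'none'         = no spamd pass rule at all"""
    rules = [
        {"action": "block"},                                 # block all
        {"action": "pass", "iface": "lo0", "quick": True},   # pass quick on $LoopBk all
    ]
    if spamd_pass == "correct":
        rules.append({"action": "pass", "iface": EXT_IF, "proto": "tcp",
                      "from": SPAMD_TABLE, "dst": "127.0.0.1", "dport": {8025}})
    elif spamd_pass == "untranslated":
        rules.append({"action": "pass", "iface": EXT_IF, "proto": "tcp",
                      "from": SPAMD_TABLE, "dst": EXT_ADDR, "dport": {25}})
    # pass in on $ExtIF inet proto tcp from any to $ExtIF port $AllowTcpIn
    rules.append({"action": "pass", "iface": EXT_IF, "proto": "tcp",
                  "dst": EXT_ADDR, "dport": {22, 25, 113}})
    return rules


if __name__ == "__main__":
    spam = Packet(EXT_IF, "203.0.113.7", EXT_ADDR, 25)
    for variant in ("none", "untranslated", "correct"):
        decision, seen = evaluate(spam, RDR_RULES, jay_ruleset(variant))
        print(f"spamd pass rule: {variant:12s} filter sees "
              f"{seen.dst}:{seen.dport} on {seen.iface} -> {decision}")
```

Running it shows why the pass rule is required and why it has to name 127.0.0.1 port 8025: after rdr, the only filter rule that can match the redirected SYN is one written for the translated destination, and `pass quick on $LoopBk all` does not help because the packet still arrived on rl0. Without the rdr there is nothing for that pass rule to match in the first place, since no packet to 127.0.0.1 port 8025 ever arrives on the external interface on its own.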