Hi list,
The spamd(8) man page has the following example:
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"
pass in on egress proto tcp from any to any port smtp \
rdr-to 127.0.0.1 port spamd
pass in on egress proto tcp from <nospamd> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp
pass out log on egress proto tcp to any port smtp
Here, spamd is listening on 127.0.0.1, and smtpd is (presumably) listening on
any interface. Is there a problem with only allowing smtpd to listen on
127.0.0.1 as well, and changing the pass in rule to:
pass in on egress proto tcp from <nospamd> to port smtp \
rdr-to 127.0.0.1 port smtp
This configuration is working, but I want to be sure I'm not doing something
stupid without realizing it.
pf.conf and smtpd.conf files below.
Thanks,
gabe.
==pf.conf==
# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
# cat pf.conf
cat: pf.conf: No such file or directory
# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
# macros
# Inbound services opened on egress. Note that smtp is not in this list;
# inbound smtp is handled separately by the spamd(8) rules further down.
tcp_services="{ 53, 80, 113, 143, 443, 465 }"
udp_services="{ 53 }"
icmp_types="echoreq"
# options
# Blocked packets get a TCP RST / ICMP unreachable reply instead of being dropped.
set block-policy return
set loginterface egress
# Loopback is never filtered. The rdr-to rules below hand connections to
# 127.0.0.1, so anything listening there is reachable once a rule redirects to it.
set skip on lo
#scrub incoming packets
match in all scrub (no-df)
#setup a default deny policy
# pf evaluates every rule and the last match wins (unless "quick"); every
# pass rule below is therefore an exception carved out of this block.
block all
#activate spoofing protection for all interfaces
block in quick from urpf-failed
#allow l2tp tunnels
pass quick proto { esp, ah } from any to any
pass in quick on egress proto udp from any to any \
port {500, 4500, 1701} keep state
pass on enc0 from any to any keep state (if-bound)
#allow tcp_services
pass in on egress proto tcp to port $tcp_services keep state
#allow udp_services
pass in on egress proto udp to port $udp_services keep state
# pass in icmp traffic
pass in inet proto icmp all icmp-type $icmp_types
#let this machine pass anything out
pass out quick
# rules for sshd(8)
# NOTE(review): <bad_hosts> is filled by the overload clause below, but unlike
# the spamd tables it has no "table <bad_hosts> persist" declaration in this
# file; confirm (pfctl -t bad_hosts -T show) that the table behaves as intended.
block quick from <bad_hosts>
pass in on egress proto tcp to port ssh keep state \
(max-src-conn-rate 5/30, overload <bad_hosts> flush global)
# rules for spamd(8)
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"
# Default path: any inbound smtp connection is redirected to spamd.
pass in on egress proto tcp to port smtp \
rdr-to 127.0.0.1 port spamd
# Exceptions: sources in <nospamd> or <spamd-white> are redirected to smtpd on
# loopback instead. None of these rules is "quick", so the two below override
# the default rule only because they are listed after it (last match wins).
# The 127.0.0.1 port smtp target matches the "listen on lo0 tls" line in
# smtpd.conf, so smtpd never needs to bind port 25 on egress.
pass in on egress proto tcp from <nospamd> to port smtp \
rdr-to 127.0.0.1 port smtp
pass in log on egress proto tcp from <spamd-white> to port smtp \
rdr-to 127.0.0.1 port smtp
pass out log on egress proto tcp to port smtp
# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
==smtpd.conf==
# $OpenBSD: smtpd.conf,v 1.6 2013/01/26 09:38:25 gilles Exp $
# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.
# Port 25 is bound on loopback only; external smtp traffic reaches it solely
# through the pf "rdr-to 127.0.0.1 port smtp" rules, i.e. after spamd or one
# of the whitelist tables has let it through.
listen on lo0 tls
# Submission from the outside is smtps only, and requires authentication.
listen on egress smtps auth
table aliases db:/etc/mail/aliases.db
accept for local alias <aliases> deliver to mbox
accept from any for domain dojocho.org deliver to mbox
accept from any for domain lifewaza.com deliver to mbox
# NOTE(review): no "from" clause here. In smtpd.conf(5) an omitted source is
# treated as "from local", which is what keeps this rule from being an open
# relay -- confirm against the man page of the installed version.
accept for any relay