On Wednesday, 13.06.2018, at 22:05 +0200, Hasse Hansson wrote:
> Hello and thank you for your answer.
> I've adjusted my settings according to your advice, but now it looks like
> it just directly whitelists every connection without greylisting.
>
> smtp$ sudo spamdb | sort
> WHITE|104.47.1.210|||1528919648|1528919648|1532030048|1|0
> WHITE|104.47.6.201|||1528919611|1528919611|1532030011|1|0
> WHITE|185.234.216.189|||1528917936|1528917936|1532029991|1|3
> WHITE|185.234.216.204|||1528919598|1528919598|1532029998|1|0
> WHITE|209.85.213.46|||1528918933|1528918933|1532029333|1|0
> WHITE|209.85.213.53|||1528918873|1528918873|1532029273|1|0
> WHITE|40.92.67.106|||1528918696|1528918696|1532029096|1|0
> WHITE|40.92.68.98|||1528918725|1528918725|1532029125|1|0
> WHITE|59.70.207.21|||1528918455|1528918455|1532028855|1|0
> WHITE|91.121.119.198|||1528919326|1528919326|1532029726|1|0
> WHITE|91.136.10.81|||1528919583|1528919583|1532029983|1|0
>
> This is how my files look now. spamd.conf is the original one.
>
> smtp$ sudo cat /etc/rc.conf.local
> httpd_flags=
> pkg_scripts=postfix dovecot saslauthd dbus_daemon avahi_daemon messagebus mysqld php70_fpm
> smtpd_flags=NO
> unbound_flags=
> spamd_flags="-v -G 2:4:864"
> spamd_grey=YES
> spamlogd_flags="-I"
> -----------------------------
> smtp$ sudo cat /etc/pf.conf
> ext_if = "em0"
> int_if = "fxp0"
> localnet = $int_if:network
> tcp_services = "{ domain, ntp, imap, imaps, pop3, pop3s }"
> mail_services = "{ smtp, smtps, submission }"
> udp_services = "{ domain, ntp }"
> icmp_types = "echoreq"
>
> table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
>                    172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
>                    192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
>                    203.0.113.0/24 }
>
> table <bruteforce> persist
> table <abusers> persist file "/etc/abusers"
> table <spamd-white> persist
> table <nospamd> persist file "/etc/mail/nospamd"
>
> set block-policy drop
> set loginterface egress
> set skip on lo0
>
> match in all scrub (no-df random-id max-mss 1440)
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>
> antispoof quick for { egress $ext_if int_if }
>
> block in quick on egress from <martians> to any
> block return out quick on egress from any to <martians>
>
> block in quick log on egress from <abusers> to any label "abusers"
>
> block all
> pass out quick inet
>
> pass in on egress inet proto tcp from any to any port smtp \
>     divert-to 127.0.0.1 port spamd
> pass in on egress proto tcp from <nospamd> to any port smtp
> pass in log on egress proto tcp from <spamd-white> to any port smtp
> pass out log on egress proto tcp to any port smtp
>
> pass in on { $ext_if } inet
>
> pass log quick proto tcp from any to (egress) port ssh flags S/SA keep state \
>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>
> pass log quick proto tcp from any to (egress) port $tcp_services flags S/SA keep state \
>     (max-src-conn 50, max-src-conn-rate 15/5, overload <bruteforce> flush global)
>
> pass log quick proto tcp from any to (egress) port $mail_services flags S/SA keep state \
>     (max-src-conn 50, max-src-conn-rate 25/5, overload <bruteforce> flush global)
>
> pass in on egress inet proto tcp from any to (egress) port { 80 443 }
>
> pass inet proto tcp from { self, $localnet }
>
> pass quick inet proto tcp to port $tcp_services keep state
> pass quick inet proto tcp to port $mail_services keep state
>
> pass quick inet proto udp to port $udp_services keep state
> pass out on $ext_if inet proto udp to port 33433 >< 33626
> pass inet proto icmp all icmp-type $icmp_types

As far as my knowledge goes, since you say 'pass out quick inet' early on in the ruleset, the other 'pass out' rules don't get a chance to be triggered. Also, quick only makes sense if you put them first, not somewhere at the end of your ruleset.
-- Tony GPG-FP: 913BBD25 8DA503C7 BAE0C0B6 8995E906 4FBAD580 Threema: DN8PJX4Z XMPP: tb@bsd.services
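Added example, not from this thread or from pf itself: a toy model of pf's matching order (last matching rule wins, unless a matching rule is "quick") run over a reduced copy of the quoted ruleset. It traces the outbound SMTP case the reply describes and, as a generalization, the inbound SMTP case from a sender in neither <nospamd> nor <spamd-white>; the Rule/Packet types and the rule texts are constructed for the trace.

```python
# Toy model of pf's matching order, constructed for this thread (not pf code):
# rules are tried top to bottom, the LAST match wins, except "quick" stops there.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Rule:
    text: str                                # the pf.conf line being modelled
    action: str                              # "pass" or "block"
    quick: bool = False
    direction: Optional[str] = None          # "in", "out", or None for both
    dports: Optional[FrozenSet[int]] = None  # destination ports, None = any
    log: bool = False                        # logged passes are what spamlogd sees
    divert: bool = False                     # divert-to spamd, the greylisting path

@dataclass(frozen=True)
class Packet:
    direction: str                           # "in" or "out"
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    return rule.dports is None or pkt.dport in rule.dports

def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:                   # quick: stop, this rule decides
                break
    return winner

# Reduced copy of the quoted ruleset in its original order. The <nospamd> and
# <spamd-white> rules are left out: the traced sender is in neither table.
MAIL = frozenset({25, 465, 587})             # { smtp, smtps, submission }
RULES = [
    Rule("block all", "block"),
    Rule("pass out quick inet", "pass", quick=True, direction="out"),
    Rule("pass in on egress inet proto tcp from any to any port smtp divert-to spamd",
         "pass", direction="in", dports=frozenset({25}), divert=True),
    Rule("pass out log on egress proto tcp to any port smtp",
         "pass", direction="out", dports=frozenset({25}), log=True),
    Rule("pass log quick proto tcp from any to (egress) port $mail_services",
         "pass", quick=True, dports=MAIL, log=True),
]

def decide(direction: str) -> Rule:          # which rule decides an SMTP SYN?
    return evaluate(RULES, Packet(direction, 25))
```

For "out" the early quick rule wins and the logged 'pass out' rule is never reached; for "in" the quick $mail_services rule placed after the divert rule wins, so the packet is passed and logged rather than diverted to spamd.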