Hi Can,

Thank you for your reply. I tried it for one whole day, but it did not work as expected, so right now this is how it is set up:

Internet --> PF --> Load Balancer --> Mail Servers

This PF box has 4 interfaces (ext_if (fxp0), int_if (fxp1), state_if (fxp2) and mgmt_if (fxp3)).

ext_if and int_if form a bridge; ext_if faces the internet, whereas int_if is connected to the internal VLAN.
state_if is connected to another PF box using a crossover cable.

mgmt_if is connected to a mgmt VLAN. The load balancer is also connected to that VLAN.

$mgmt_if has an IP address of 192.168.1.36, and its default gateway points to the load balancer's VLAN IP address, which is 192.168.1.1.

In order to route the traffic, I have to tell PF to RDR the "unknown" SMTP traffic to the load balancer VIP on port 8025. In the load balancer virtual server we have 2 members. These members are the mgmt_if IP addresses of the two PF boxes.

I guess now the limitation is that I can't have a single rule that says: if the requested destination is x, rdr to x.

The following are my PF rules:

#SPAMD config
spamvip = "192.168.1.254/32"
solmail = "103.81.46.73/32"
aromail174 = "103.81.46.74/32"
aromail180 = "103.81.46.80/32"

## Spamd Stuff
# Table that spamd updates

# grey host list
table <spamd> persist
# white host lists
table <spamd-white> persist
# This whitelist we are manually maintaining.
table <whitelist> persist file "/etc/whitelist.txt"

rdr pass on $ext_if proto tcp from <spamd-white> to $solmail port smtp -> $solmail port smtp
rdr pass on $ext_if proto tcp from <whitelist> to $solmail port smtp -> $solmail port smtp

rdr pass on $ext_if proto tcp from <spamd-white> to $aromail174 port smtp -> $aromail174 port smtp
rdr pass on $ext_if proto tcp from <whitelist> to $aromail174 port smtp -> $aromail174 port smtp

rdr pass on $ext_if proto tcp from <spamd-white> to $aromail180 port smtp -> $aromail180 port smtp
rdr pass on $ext_if proto tcp from <whitelist> to $aromail180 port smtp -> $aromail180 port smtp

rdr pass on $ext_if proto tcp from !<whitelist> to any port smtp -> $spamvip port 8025
rdr pass on $ext_if proto tcp from <spamd> to any port smtp -> $spamvip port 8025
rdr pass on $ext_if proto tcp from !<spamd-white> to any port smtp -> $spamvip port 8025

Thanks,
Edy

Can Erkin Acar wrote:
Edy <[EMAIL PROTECTED]> wrote:
Hi,

I am trying to configure spamd on the current bridge PF firewall, which is running on OpenBSD 4.0.

fxp0 and fxp1 are both set up as bridge interfaces.

the following is the rdr rule for spamd

## Spamd Stuff
# Table that spamd updates
table <spamd> persist
table <spamd-white> persist file "/etc/whitelist.txt"

# If not on whitelist, redirect to spamd
rdr pass on $ext_if inet proto tcp from !<spamd-white> to any \
       port smtp -> 127.0.0.1 port spamd
# Because this is a bridge, explicit route to this machine
pass out route-to lo0 proto tcp from any to 127.0.0.1 port spamd

Try this fragment instead; note that there is no pass in the rdr rule,
and the route-to is applied to an incoming packet. Using
tags to match nat/rdr rules to filter rules is much easier.

  # If not on whitelist, redirect to spamd
  rdr on $ext_if inet proto tcp from !<spamd-white> to any \
       port smtp tag SPAMD -> 127.0.0.1 port spamd
  pass in route-to lo0 tagged SPAMD keep state

Can
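The following pf.conf fragment is an added example, not configuration posted by Edy or Can. It applies Can's tag/route-to approach to the topology Edy describes (bridge on fxp0/fxp1, management interface fxp3, load balancer VIP 192.168.1.254 port 8025, three MX hosts). Everything else is an assumption for illustration: the <mailservers> table, the SPAMD tag name, and that the VIP is on-link from $mgmt_if so it can be given directly as the route-to next hop. Instead of one rdr pair per MX, it uses pf's "no rdr" to exempt known-good senders from translation altogether, so their session is bridged through to whichever MX they asked for; first matching translation rule wins, so the exemptions must come before the catch-all.

```conf
# Added example, not from the thread. Names below marked (assumed) are
# illustrative; addresses and interfaces are the ones Edy posted.
ext_if  = "fxp0"
mgmt_if = "fxp3"
spamvip = "192.168.1.254"      # load balancer VIP fronting spamd

# Real MX hosts behind the bridge (assumed table name)
table <mailservers> const { 103.81.46.73, 103.81.46.74, 103.81.46.80 }

table <spamd> persist                                 # greylisted, written by spamd
table <spamd-white> persist                           # auto-whitelisted by spamd
table <whitelist> persist file "/etc/whitelist.txt"   # maintained by hand

# First matching translation rule wins. "no rdr" leaves the destination
# untouched, so whitelisted senders reach the MX they actually asked for.
# One rule per sender table replaces one rule per MX.
no rdr on $ext_if inet proto tcp from <whitelist>   to <mailservers> port smtp
no rdr on $ext_if inet proto tcp from <spamd-white> to <mailservers> port smtp

# Everyone else is sent to spamd behind the VIP; the tag (assumed name)
# links this translation to the filter rule that has to route it.
rdr on $ext_if inet proto tcp from any to any port smtp \
    tag SPAMD -> $spamvip port 8025

# On a bridge the translated packet would otherwise still be forwarded to
# the MX's MAC address; route-to pushes it out the management interface
# towards the VIP instead (assumes the VIP is on-link; otherwise use the
# load balancer's 192.168.1.1 as next hop). keep state is what lets pf
# reverse the translation on the replies.
pass in quick on $ext_if route-to ($mgmt_if $spamvip) tagged SPAMD keep state

# Untranslated (whitelisted) SMTP is bridged straight through to the MX.
pass in on $ext_if inet proto tcp from any to <mailservers> port smtp keep state
```

Two checks before relying on this: `pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -ss` after a test connection should show a state whose original destination is the MX and whose translated destination is 192.168.1.254:8025. The replies from the VIP must come back through this same PF box, or that state can never reverse the translation and the client sees a hung session.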
