Mark Pecaut wrote:
> On 6/6/07, Christoph Schneeberger <[EMAIL PROTECTED]> wrote:
>> >> case 1: src host is whitelisted, connection is allowed to 1.1.1.35,
>> >> everything works fine.
>> >> case 2: src host is grey-/blacklisted and therefore redirected to
>> >> 127.0.0.1, in this case I get just a timeout when I try to telnet to
>> >> port 25 of 1.1.1.35 which as I understand is caused by many reasons,
>> >> among them that the src host expects tcp packets only from 1.1.1.35 and
>> >> not from 1.1.1.5 which is the only ip from which the bridge's spamd could
>> >> use to talk to the src host (sender mta).
> 
> Try some tcpdump'ing to see where it is failing, for example on lo0 or
> $ext_if.  Add some 'log' to your rules.
> 
> can the bridge talk to other internet hosts?  Does it have a default
> gateway?  Is spamd actually running?  spamlogd?  Is that the complete
> pf.conf?  Give more complete information, including the obvious stuff.
> 
> -Mark

The setup is as follows (real, non-RFC1918 network is replaced by
1.1.1.X, the last octet is the one I actually use):

| Mailsrv  |     | Bridge  |     | src mta |
|          |-----|         |-----|         |
| 1.1.1.35 |     | 1.1.1.5 |     | 1.1.1.9 |

The bridge's IP is attached to the interface facing "src mta".

The complete pf.conf looks like:
--
ext_if="fxp0"
int_if="xl0"

table <spamd> persist
table <spamd-white> persist
table <whitelist> persist file "/etc/whitelist.txt"
rdr pass on $ext_if inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
rdr pass on $ext_if inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port 8025
pass in log on $ext_if route-to lo0 inet proto tcp from any to 127.0.0.1 port 8025 keep state
--

The bridge has a default gateway of 1.1.1.1 and is able to ping e.g.
www.openbsd.org. The bridge can also ping IPs on either side of it, and
the bridge can be pinged from both sides and ssh'd into from both sides.

When I telnet to 1.1.1.35 25 I get a timeout and nothing is captured
with "tcpdump -i lo0".

When I dump with "tcpdump -i fxp0 host 1.1.1.9" I only see the SYN
packet, repeated a handful of times (I stopped it after 5).

When I dump with "tcpdump -i xl0" I see the same SYN packet, but this
time from 1.1.1.9 to 127.0.0.1 port 8025.

I then checked on the bridge if spamd is listening with "telnet
127.0.0.1 8025" which gave me the stuttering 250 msg, so spamd seems to
be running.

The part I am still completely missing is that even if spamd talks to
1.1.1.9, it would have to talk to it from its IP 1.1.1.5, but 1.1.1.9
expects a Sack from 1.1.1.35 and I believe it would just discard a Sack
from 1.1.1.5. So is spamd/pf supposed to answer with the mailsrv's IP
when spamd talks back?

Sorry for my confusion and thanks for the helping hands offered.

Christoph


-- 

          "Quis custodiet ipsos custodes?"
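Added example, not from the thread or from the OpenBSD project: the posted rule set next to a corrected one, on the reading that the `pass` modifier on a `rdr` rule hands the translated packet through without consulting the filter rules, so the `route-to lo0` rule (the piece that delivers the redirected SYN to the local stack instead of letting the bridge forward it) is never reached, which matches the capture of a SYN to 127.0.0.1:8025 leaving on xl0 and nothing on lo0. Interface names and addresses are the ones used in the post.

```pf
ext_if="fxp0"
int_if="xl0"

table <spamd> persist
table <spamd-white> persist
table <whitelist> persist file "/etc/whitelist.txt"

# --- as posted: 'rdr pass' short-circuits the filter, so the route-to
# --- rule below never sees the redirected SYN and it is bridged out xl0.
# rdr pass on $ext_if inet proto tcp from <spamd> to any port smtp \
#     -> 127.0.0.1 port 8025
# rdr pass on $ext_if inet proto tcp from !<spamd-white> to any port smtp \
#     -> 127.0.0.1 port 8025

# --- corrected: translate only, then let the filter rule pass it and
# --- push it to lo0 so the local spamd on 127.0.0.1:8025 receives it.
rdr on $ext_if inet proto tcp from <spamd> to any port smtp \
    -> 127.0.0.1 port 8025
rdr on $ext_if inet proto tcp from !<spamd-white> to any port smtp \
    -> 127.0.0.1 port 8025

# Logged so 'tcpdump -n -e -ttt -i pflog0' shows whether this rule matches.
pass in log on $ext_if route-to lo0 inet proto tcp from any \
    to 127.0.0.1 port 8025 keep state

# Check syntax before loading: pfctl -nf /etc/pf.conf
# After a test connection, 'pfctl -ss | grep 8025' should show a state
# whose reply direction maps 127.0.0.1:8025 back to 1.1.1.35:25.
```

On the question about the reply address: pf rewrites replies through the state it keeps for the redirected connection, so the sending MTA sees the SYN/ACK come from 1.1.1.35:25, never from 1.1.1.5.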
