Jay Moore said:
> Bryan Irvine said:
>
> > Absolutely you need a pass. the block/pass is part of the firewalling
> > section of pf, the rdr is part of the nat functionality. So using rdr
> > in conjunction with block all won't work unless you explicitly pass that
> > traffic as well. Clear as mud? :-)
>
> OK - I see that firewalling must support the NAT/rdr's. But why won't
> this rule work without benefit of the redirect? It appears all the
> required info is there - the spamd table tells the rule which IPs are
> affected, and where they go in event of a match.
>
> pass in on $ExtIF inet proto tcp from <spamd> to 127.0.0.1 port 8025 \
> flags S/SA keep state
Remember that "rdr" rules do packet rewriting and run before "pass" or
"block" rules.
Now, let's see what happens when packets towards your mail server
arrive:
The packets are aimed at the IP address of the ExtIF interface, on port
25.
The "rdr" rule changes those packets, so that they are aimed at
127.0.0.1, port 8025.
The "pass" rule matches, and allows the packets to go through.
Now, if you remove the rdr rule, your "pass" rule will never match! The
target address specified in the rule ("to 127.0.0.1 port 8025") will be the
culprit: the packets will be aimed at the IP address of $ExtIF port 25, and
the pass rule will never execute.
I hope this helped,
-n
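The ordering described above (rdr rewriting the destination before any pass/block rule is consulted) is easy to see in a small model of the evaluation. The following Python is an added illustration, not code from the thread or from pf itself; the table contents, interface address and rule shapes are constructed stand-ins for the `<spamd>` table, `$ExtIF` and the two rules under discussion. It models only the subset of pf semantics the thread relies on: translation first, then a default-block filter pass.

```python
from dataclasses import dataclass, replace

# A minimal model of a TCP SYN heading for the mail server.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# Model of: rdr on $ExtIF proto tcp from <spamd> to $ExtIF port 25 -> 127.0.0.1 port 8025
@dataclass(frozen=True)
class RdrRule:
    from_set: frozenset   # addresses in the <spamd> table
    to_addr: str          # original destination ($ExtIF)
    to_port: int          # original destination port (25)
    new_addr: str         # rewritten destination (127.0.0.1)
    new_port: int         # rewritten destination port (8025)

# Model of: pass in on $ExtIF inet proto tcp from <spamd> to 127.0.0.1 port 8025
@dataclass(frozen=True)
class PassRule:
    from_set: frozenset
    to_addr: str
    to_port: int

# Constructed sample data (not real addresses from the thread).
SPAMD_TABLE = frozenset({"192.0.2.10", "192.0.2.11"})
EXT_IF_ADDR = "198.51.100.1"

RDR_RULES = [RdrRule(SPAMD_TABLE, EXT_IF_ADDR, 25, "127.0.0.1", 8025)]
PASS_RULES = [PassRule(SPAMD_TABLE, "127.0.0.1", 8025)]


def apply_rdr(rules, pkt):
    """Translation stage: the first matching rdr rule rewrites the destination."""
    for r in rules:
        if pkt.src in r.from_set and pkt.dst == r.to_addr and pkt.dport == r.to_port:
            return replace(pkt, dst=r.new_addr, dport=r.new_port)
    return pkt


def filter_packet(rules, pkt):
    """Filter stage with an implicit 'block all': pass only on an explicit match."""
    for r in rules:
        if pkt.src in r.from_set and pkt.dst == r.to_addr and pkt.dport == r.to_port:
            return "pass"
    return "block"


def evaluate(rdr_rules, pass_rules, pkt):
    """Run the packet through rdr first, then the filter, as pf does.

    Returns (verdict, packet_as_seen_by_the_filter).
    """
    rewritten = apply_rdr(rdr_rules, pkt)
    return filter_packet(pass_rules, rewritten), rewritten


if __name__ == "__main__":
    syn = Packet(src="192.0.2.10", dst=EXT_IF_ADDR, dport=25)
    # With the rdr rule in place the filter sees 127.0.0.1:8025 and the pass rule matches.
    print(evaluate(RDR_RULES, PASS_RULES, syn))
    # Without the rdr rule the filter still sees $ExtIF:25, so the pass rule never matches.
    print(evaluate([], PASS_RULES, syn))
```

Running the block prints a `pass` verdict for the first call and `block` for the second, which is exactly the failure mode the reply describes: the pass rule is written against the post-translation address, so removing the rdr leaves nothing for it to match. Note that this thread uses the pre-OpenBSD-4.7 syntax with separate `rdr` rules; in current pf the translation is written as a `rdr-to` option on the `pass` rule itself, which removes this particular pitfall.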