Perhaps I simply need some sleep, but I'm confused as to why my test isn't working as expected. I'm trying to test a connection from a <spamd> entry (my other box, 192.168.0.58) to my new mailserver (192.168.0.53). I have the requisite spamd table, rdr to localhost, and pass on loopback entries in pf.conf. I've rebooted to make _absolutely_ certain that everything is kosher. Nevertheless, the connection is simply being blocked/reset by my generic block rule, rather than being allowed to pass through to spamd on 127.0.0.1:8025.

The connection:

-bash-2.05b# telnet 192.168.0.53 25
Trying 192.168.0.53...
telnet: connect to address 192.168.0.53: Connection refused

The mailserver's pflogd output:

-bash-2.05b# tcpdump -nettti pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0
Mar 17 22:55:07.085464 rule 1/0(match): block in on fxp0: 192.168.0.58.9877 > 127.0.0.1.8025: S 1441947101:1441947101(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]> (DF) [tos 0x10]


The PF ruleset:

# OpenBSD: pf.rules 2004/03/16 dixon

# Variables
ext_if="fxp0"
dingle="192.168.0.53"
tcp_in="{ ssh, pop3s, imaps, smtp, http, https, hatchet }"
#udp_in="{ }"
tcp_out="{ ssh, smtp }"
udp_out="{ domain, ntp }"
table <spamd> persist

### Set Options ###
set limit { frags 32000, states 65000 }
set loginterface $ext_if
set optimization aggressive
set block-policy return

### Packet Normalization ###
scrub in all
scrub out all random-id no-df

### Translation ###
rdr on $ext_if inet proto tcp from <spamd> to ($ext_if) port smtp -> 127.0.0.1 port 8025


### Start Filter Rules

# basic block-all with return and logging
block log on $ext_if
block log on $ext_if proto tcp
block log on $ext_if proto udp
block log on $ext_if proto icmp

# block various noisy traffic without logging
block in quick on $ext_if proto igmp all
block in quick proto udp from any to any port snmp-trap
block in quick on $ext_if from 255.255.255.255/32 to any
block in quick on $ext_if from any to 255.255.255.255/32
block quick on $ext_if proto { tcp, udp } from any to any port { 135, 137, 138, 139, 445 }
block in quick on $ext_if from any to 224.0.0.1 # IGMP noise


# allow localhost
pass on lo0 all keep state
pass in log on lo0 inet proto tcp from <spamd> to 127.0.0.1 port 8025 # testing


# allow certain icmp connections
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

# allow certain udp connections
pass out on $ext_if inet proto udp from ($ext_if) to any port $udp_out keep state
#pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_in keep state


# allow certain tcp connections
pass out on $ext_if inet proto tcp from ($ext_if) to any port $tcp_out keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_in flags S/SA synproxy state


# END of pf.rules

Thanks,

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
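As an added illustration (example code, not part of Jason's post): a toy model of pf's last-matching-rule evaluation applied to the packet in the pflog line above. It assumes only what that log line shows, that the filter sees the rdr-translated destination 127.0.0.1:8025 while the packet is still "in on fxp0"; the final "fixed" rule is an assumption about general pf behaviour, not something the post contains.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str       # interface the packet is seen on, e.g. "fxp0"
    proto: str       # "tcp", "udp" or "icmp"
    dst: str         # destination address AFTER any rdr translation
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                      # "block" or "pass"
    direction: Optional[str] = None  # None means "any"
    iface: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        wanted = [(self.direction, p.direction), (self.iface, p.iface),
                  (self.proto, p.proto), (self.dst, p.dst), (self.dport, p.dport)]
        return all(w is None or w == got for w, got in wanted)
def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Last matching rule wins unless 'quick'; index is 0-based like pflog's 'rule 1/0'."""
    decision = ("pass", None)  # pf default when no rule matches
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            decision = (rule.action, i)
            if rule.quick:
                break
    return decision
# Constructed subset of the posted ruleset, in the original order (the quick
# rules after index 3 cannot match this packet and are left out).
EXT = "fxp0"
POSTED_RULES = [
    Rule("block", iface=EXT),                              # rule 0
    Rule("block", iface=EXT, proto="tcp"),                 # rule 1: the logged match
    Rule("block", iface=EXT, proto="udp"),
    Rule("block", iface=EXT, proto="icmp"),
    Rule("pass", iface="lo0"),                             # pass on lo0 all
    Rule("pass", "in", "lo0", "tcp", "127.0.0.1", 8025),   # the "testing" rule
    Rule("pass", "in", EXT, "tcp", "192.168.0.53", 25),    # smtp in $tcp_in
]
# As pflog showed it: in on fxp0, destination already rewritten by rdr.
LOGGED_PACKET = Packet("in", EXT, "tcp", "127.0.0.1", 8025)
# Assumption (general pf behaviour, not from the post): the pass rule must
# name the post-translation destination on $ext_if, not lo0.
FIXED_RULES = POSTED_RULES + [Rule("pass", "in", EXT, "tcp", "127.0.0.1", 8025)]
```

With the posted rules the model lands on index 1, the same "rule 1/0" the pflog line reports, because neither lo0 rule can ever see a packet arriving on fxp0.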