Forrest Aldrich wrote:
I've a few geoip orientated tables for which I want to block certain
traffic.
I'm able to match the addresses via pfctl, though the connections from
these IP spaces are still getting through, and I'm puzzled.
I rdr inbound connections to an RFC addressed server. All mail and
web are working fine, but these tables are not blocking. I confirm
this by watching the logs for rejected messages (I augment the filter
with an MTA access list).
[...]
tcp_services = "imap, imaps, smtp, smtps"
[...]
# REDIRECTION
rdr pass on $ext_if inet proto tcp from any to ($ext_if) \
port { $tcp_services } -> $server
Here, in the "nat step", by using "rdr PASS ..." you tell PF that there is no
need to evaluate the packet any further in the following "filter step". Packets
matching the rdr condition here will just PASS.
[...]
# HERE ARE THE TABLE/BLOCK RULES I MENTIONED
block in quick on $ext_if proto { tcp, udp } from { <geoip-apnic>,
<geoip-lacnic>, <geoip-afrinic>, <geoip-ripe> } \
to $ext_ad port 25
block in quick on $ext_if from <abuse>
block in quick on $ext_if proto { tcp, udp } from <spammers> to \
$ext_ad port 25
So these rules are never evaluated for packets matching the early RDR.
You should remove the "pass" on the RDR rule. This "pass" attribute is
very convenient for small rulesets or quick-n-dirty tests, but in more
complex rulesets like this one it is usually not used.
Cedric
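As an added illustration (not from either poster), here is one way the nat and filter steps could be arranged so that the table blocks are actually evaluated for the redirected mail traffic; it assumes the macros, tables and $server from the ruleset quoted above. One caveat the thread does not spell out: with this separate-nat-step syntax the filter rules see the packet after translation, so a block written "to $ext_ad port 25" would not match the redirected packet either, which is why the blocks below match on $server.

```pf
# Macros and tables from the original ruleset are assumed to be defined
# above this point (ext_if, server, the geoip-*, abuse and spammers tables).
tcp_services = "imap, imaps, smtp, smtps"

# NAT/RDR step: no "pass" keyword, so a redirected packet still has to
# traverse the filter rules below instead of being passed outright.
rdr on $ext_if inet proto tcp from any to ($ext_if) \
    port { $tcp_services } -> $server

# Filter step, evaluated after translation: the destination address the
# filter sees is $server (the internal host), not the external address.
block in quick on $ext_if from <abuse>
block in quick on $ext_if proto { tcp, udp } \
    from { <geoip-apnic>, <geoip-lacnic>, <geoip-afrinic>, <geoip-ripe> } \
    to $server port 25
block in quick on $ext_if proto { tcp, udp } from <spammers> \
    to $server port 25

# Only traffic that survived the blocks above is passed to the mail host.
pass in on $ext_if inet proto tcp from any to $server \
    port { $tcp_services } keep state
```

After loading, "pfctl -sr" should list the block rules before the pass rule, and "pfctl -vsr" hit counters on the table blocks confirm they are now being consulted.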