Hello,

I'm using the following redirection and filter rules in my pf.conf:

# redirection (first matching rdr rule wins, so the whitelists come first)
# presumably a manually maintained whitelist: straight to the real MTA
rdr pass on $wan_if inet proto tcp from <spamd-mywhite> \
        to ($wan_if) port smtp -> 127.0.0.1 port smtp
# hosts spamd is already tracking: to spamd
rdr pass on $wan_if inet proto tcp from <spamd> \
        to ($wan_if) port smtp -> 127.0.0.1 port spamd
# anything not yet whitelisted by spamd: to spamd as well
rdr pass on $wan_if inet proto tcp from !<spamd-white> \
        to ($wan_if) port smtp -> 127.0.0.1 port spamd

# filter rules (synproxy: pf completes the TCP handshake itself before
# handing the connection on)
pass in log on $wan_if inet proto tcp from any \
        to ($wan_if) port smtp flags S/SA synproxy state


In my understanding the use of a pass statement in a translation rule means that the redirected packets will pass statefully right through the filtering engine; ergo the filter rules won't be evaluated against these packets. As a true nihilist I presumed that I could remove the above filter rule because of the pass statements used in the translation rules. A simple port scan showed that the SMTP port was closed. After returning to my original setup (the rules above) the port scan showed that the SMTP port was open again.

Why is it necessary to use a filter rule in order to get a positive port scan? Am I missing something?

Kind regards,

Björn
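For readers comparing the two ways a redirected SMTP connection can be admitted in this (pre-OpenBSD 4.7) pf syntax, here is an added illustration; it is not part of the original post and not Björn's ruleset. The interface name, the assumed default block policy and the <spamd-mywhite> table are assumptions; the semantics shown are those documented in pf.conf(5) and the PF FAQ for that syntax generation: a translation rule with the "pass" modifier passes matching packets without the filter rules being consulted, whereas a plain rdr rule leaves the packet to the filter rules, which are evaluated after translation and therefore have to match the translated destination.

```pf
# Added illustration, not from the original post. Interface and table names
# other than spamd's own <spamd> / <spamd-white> are assumptions.
wan_if = "em0"                      # assumed interface name
table <spamd-white> persist         # hosts spamd has whitelisted
table <spamd> persist               # hosts spamd is tarpitting / greylisting
table <spamd-mywhite> persist       # assumed: manually whitelisted senders

block in on $wan_if                 # assumed default policy; without it the
                                    # difference between (a) and (b) is invisible

# (a) "rdr pass": the translation rule itself passes the packet statefully,
#     so no filter rule is consulted for it at all.
rdr pass on $wan_if inet proto tcp from !<spamd-white> \
        to ($wan_if) port smtp -> 127.0.0.1 port spamd

# (b) plain "rdr" plus an explicit filter rule. Filter rules run AFTER
#     translation, so the pass rule must match the translated destination
#     (127.0.0.1 port smtp here), not the pre-translation ($wan_if) port smtp.
rdr on $wan_if inet proto tcp from <spamd-mywhite> \
        to ($wan_if) port smtp -> 127.0.0.1 port smtp
pass in log on $wan_if inet proto tcp from <spamd-mywhite> \
        to 127.0.0.1 port smtp flags S/SA synproxy state
```

Two checks are worth running on a ruleset like this before trusting a port scan: pfctl -nf /etc/pf.conf to make sure the file actually parsed, and pfctl -sn together with pfctl -sr to confirm that both the translation rules and the filter rules you expect are loaded in the order you expect, since the first matching rdr rule wins.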
