I've installed pf/spamd on FreeBSD 6.0 with the idea of using it to check a
blacklist <spamd> table to send any IPs that match to spamd running on 8025 for
tarpit fun. Everything is installed and configured, but I don't get any traffic
from the blacklist directed to my fake spamd. I'm not sure if I'm not loading
the blacklist into the table right, if I don't have pf configured right, or
what. I've read online HOWTOs and tried to figure it all out, but after a week
have come up short. Does anyone see anything lacking in my config or
environment that I have setup incorrectly? Here are the specifics...
I have /etc/rc.conf setup like this:
[15:28:17] [EMAIL PROTECTED] /usr/local/www/data]# cat /etc/rc.conf | grep pf
pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_flags="" # additional flags for pfctl startup
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup
gateway_enable="YES" # Enable as LAN gateway for pf
I've confirmed it's all running/listening as they should:
[15:28:19] [EMAIL PROTECTED] /usr/local/www/data]# sockstat | grep spamd
nobody spamd 68820 3 dgram -> /var/run/logpriv
nobody spamd 68820 4 tcp4 *:8025 *:*
nobody spamd 68820 5 tcp4 127.0.0.1:8026 *:*
[15:31:41] [EMAIL PROTECTED] /usr/local/www/data]# sockstat | grep pf
_pflogd pflogd 262 5 stream -> ??
root pflogd 253 4 stream -> ??
I can:
telnet localhost 25
and connect to my mailserver normally
I can:
telnet localhost 8025
and connect with o-n-e--p-a-c-k-e-t--a-t--a--t-i-m-e as it should (nice and slow!)
I have /etc/pf.conf set up like this:
[15:34:49] [EMAIL PROTECTED] /usr/local/www/data]# cat /etc/pf.conf | grep -v "#"
scrub in all
table <spamd> persist file "/usr/local/etc/spamd.list"
rdr on $ext_if inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
pass in all
pass out all
pass out on $ext_if proto { tcp, udp } all keep state
My IPs are in a flat text file that looks like this (but has over 2000 lines in it):
[15:34:58] [EMAIL PROTECTED] /usr/local/www/data]# head /usr/local/etc/spamd.list
62.51.162.46
83.27.218.133
222.134.147.154
200.105.130.182
61.41.29.102
221.190.238.209
218.50.126.7
59.56.14.170
217.113.228.10
81.66.54.230
I load the rules like this:
pfctl -t spamd -T replace -f /usr/local/etc/spamd.list
(NOTE: I'm using policyd to maintain my blacklist in MySQL, but pf never has to
deal with this, as I have scripts that scrape the IPs from the DB and dump them
to that flat file. Also, when I edit the flatfile, and reload the file as
above, pf tells me that it's added/deleted records from the table -- so I know
it's reading it right.)
Enable pf with that list like this:
pfctl -e -f /etc/pf.conf
I'll watch the logs like this:
tcpdump -l -n -e -vv -i pflog0 -q -t port 25
Then I'll blacklist the IP address of my work email server, load it into pf
as above and send email from it -- but I don't see anything in the logs! No
match, no fail to match, nothing, just mail that comes through. I've left it
like this for hours, and watched emails come in and get denied by policyd (so
they are IPs that are on my blacklist) that never hit pf. policyd is inside of
pf, so pf should intercept these. Any help is greatly appreciated; I'm really
close, and want to use policyd to maintain the blacklist, since it does this
without any input from me, and I want pf to redirect the spammers to spamd.
Thanks
P
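An added example, not part of the original post: a small offline checker for a pf table file such as the spamd.list above, which validates each line the way `pfctl -T replace -f` would reject it and then emulates `pfctl -t spamd -T test <ip>` (pf picks the most specific matching entry, and a `!` prefix negates an entry). The table contents are constructed sample data, not the poster's list.

```python
"""Offline check of a pf table file (e.g. spamd.list) before loading it.

pf table files hold one address or CIDR per line, allow '#' comments and an
optional '!' prefix for a negated entry; a lookup picks the most specific
(longest-prefix) matching entry. SAMPLE_TABLE is constructed for this example.
"""
import ipaddress

SAMPLE_TABLE = """\
# constructed sample of /usr/local/etc/spamd.list
62.51.162.46
83.27.218.0/24
!83.27.218.133        # exempt one host inside the /24
222.134.147.154
bogus.line            # would make 'pfctl -T replace -f' reject the file
"""

def parse_table(text):
    """Return (entries, errors). entries: list of (network, negated)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        negated = line.startswith('!')
        addr = line[1:].strip() if negated else line
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            errors.append((lineno, raw.rstrip()))  # pfctl would refuse this line
            continue
        entries.append((net, negated))
    return entries, errors

def table_test(entries, ip):
    """Emulate 'pfctl -t <table> -T test <ip>': True if ip matches the table."""
    host = ipaddress.ip_address(ip)
    best = None
    for net, negated in entries:
        if host.version == net.version and host in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, negated)          # keep the most specific entry
    return best is not None and not best[1]

if __name__ == "__main__":
    entries, errors = parse_table(SAMPLE_TABLE)
    for lineno, line in errors:
        print(f"line {lineno}: not an address/CIDR: {line}")
    for ip in ("62.51.162.46", "83.27.218.5", "83.27.218.133", "10.0.0.1"):
        print(ip, "matches" if table_test(entries, ip) else "no match")
```

Run it against the real list to confirm the address you expect to be redirected actually matches before looking at the rdr rule itself.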