Re: PF Tables Issue

2005-11-15 Thread James Harless
You don't set a state-policy, so by default it's floating. You're setting up
a state with your 'pass in quick on $int_if' rule. So, with those 2 things,
you've implicitly created a 'pass out quick' rule on your $ext_if.

Read the section of the PF FAQ about 'state-policy'. It will make it far
more clear than my explanation above.

-James

On 11/15/05, Jon Hart [EMAIL PROTECTED] wrote:

 On Tue, Nov 15, 2005 at 02:39:59PM -0800, Christian Petro wrote:
  OpenBSD 3.6
 
  /etc/pf.conf
 
  When a table, and corresponding rule is defined using:
 
  table <LimitedAccess> persist { 192.168.1.16, 192.168.1.17 }
 
  block out quick on $ExtIf inet proto { tcp, udp } from <LimitedAccess>
  to any port $OutIm
 
  OR EVEN
 
  block out quick on $ExtIf inet proto { icmp, udp, tcp } from
  <LimitedAccess> to any
 
 
  The result is both IP addresses are allowed to pass through the firewall.
 
 
  Can anyone comment?

 Yes.

 There can be many reasons that either of your rules will result in those
 two hosts being allowed through the firewall.

 What is the rest of the pf.conf? Without that, I can only guess.

 -jon




--
What would Bilano do?
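An added pf.conf example, not from any message in this thread, showing why the posted block rule on $ExtIf was never reached and how to enforce the table on traffic coming from the LAN instead; the macro names $ExtIf and $IntIf, the interface names and the table contents are assumed.

```pf
# Assumed names; the original post used $ExtIf and a table named LimitedAccess.
ExtIf = "fxp1"
IntIf = "fxp0"
table <LimitedAccess> persist { 192.168.1.16, 192.168.1.17 }

# Options go before translation and filter rules. The default policy is
# "floating": a state created when a packet enters one interface also
# matches that connection on every other interface. With "if-bound" a
# state only matches on the interface it was created on, so a packet
# leaving on $ExtIf is evaluated against the $ExtIf rules again.
set state-policy if-bound

nat on $ExtIf from $IntIf:network to any -> ($ExtIf)

block all

# As posted. With the default floating policy this rule was never reached:
# the "pass in quick on $IntIf ... keep state" rule below had already
# created a state as the packet came in, and the same packet leaving on
# $ExtIf matched that state instead of the rule set.
# A second reason it cannot work here: the nat rule above is applied before
# filtering on $ExtIf, so outbound packets already carry the translated
# source address and never match the private addresses in the table.
block out quick on $ExtIf inet proto { tcp, udp } from <LimitedAccess> to any

# Fix: apply the restriction on the inbound internal interface, before any
# state exists and before translation. "quick" stops evaluation here, so
# the pass rule below never sees traffic from the listed hosts.
block in quick on $IntIf inet proto { tcp, udp } from <LimitedAccess> to any

# The rule that implicitly passed traffic out $ExtIf in the original setup;
# the hosts in <LimitedAccess> are now dropped before reaching it.
pass in quick on $IntIf inet from $IntIf:network to any keep state
pass out quick on $ExtIf inet from ($ExtIf) to any keep state
```

Load with `pfctl -nf` first to check syntax, then inspect the resulting states with `pfctl -ss`: with if-bound they are listed per interface rather than as "all".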



Re: spamd extension

2005-10-26 Thread James Harless
Chad,

I appreciate the insight.  I do realize it's a difficult problem, but
I think that there's a solution (albeit possibly from someone smarter
than I).

I do have variables that are known (the sender email address and the
recipient email address).  The problem is tying them to the IP Address
of the MTA when it's seen @ spamd.  It may be that there isn't a
solution without direct modification of spamd.  If that's the case,
then I hope the developer(s) will consider this suggestion.

I definitely won't be disabling spamd ;).  I would have a minor
revolution on my hands if my users suddenly had spam again...heh. 
OpenBSD greylisting has been very effective for us thus far.

--James



On 10/26/05, Chad M Stewart [EMAIL PROTECTED] wrote:
 James,

 The more I think about this one, the more I think there is no
 solution to your issue.  Well, okay, there are two choices: either use
 spamd or not. :)

 You would have to have ESP to know from which IP address a particular
 sender would be sending.  If I'm sitting in a hotel and using their
 WiFi then it is very probable that my message will be coming from
 their SMTP server, not that which I use normally.  Given only my mail
 address you have no way of determining for sure which server I use
 to send mail.  The server I submit a message to does not have to be
 the server that eventually connects to the recipient's server in DNS.

 You can't provide an email address to spamd as the redirection
 happens before spamd, rather with PF.  The default is to send the
 packets to spamd.  Once the connection gets rdr'd to spamd, I'm not
 aware of any way to say, redirect again to your real MTA.  That brings
 us back to knowing the connecting server's IP address.

 You could disable spamd protection and see how long it takes for your
 users to complain about the amount of spam they are getting.  :)


 -Chad


 On Oct 25, 2005, at 9:57 PM, James Harless wrote:

  I appreciate the suggestions, but, not quite what I'm looking for yet.
  Either of these would allow me to whitelist someone AFTER they had been
  greylisted. What I'm looking for is a way to whitelist them based on user
  input.. before their initial email has been sent. In this somewhat typical
  scenario, the user has contacted me and said I don't want mail from
  [EMAIL PROTECTED] to be delayed... whitelist them, please.
 
  --James
 



--
What would Bilano do?



Re: spamd extension

2005-10-26 Thread James Harless
On 10/26/05, Frank Bax [EMAIL PROTECTED] wrote:

 At 09:57 PM 10/25/05, James Harless wrote:

  I appreciate the suggestions, but, not quite what I'm looking for yet.
  Either of these would allow me to whitelist someone AFTER they had been
  greylisted. What I'm looking for is a way to whitelist them based on user
  input.. before their initial email has been sent. In this somewhat typical
  scenario, the user has contacted me and said I don't want mail from
  [EMAIL PROTECTED] to be delayed... whitelist them, please.


 spamd only delays the *first* message between the two parties. After that
 there is no delay - as long as the sender continues to use the same SMTP
 server.

My experience is that greylisting requires at least 2 failed attempts.
Maybe my pf.conf isn't set up properly. But, there's always 1 'extra' failure
that seems to me should pass through.

 Have you tried whitelisting these servers:
 http://greylisting.org/whitelisting.shtml

 Is there an underlying assumption in your question that spamd is the actual
 problem? During the initial weeks of using spamd on my server, half of the
 complaints about undelivered email were not the fault of spamd.


I do whitelist the servers on greylisting.org.
There's no real doubt that greylisting is part of my 'issue'. It's not
unmanageable, by any means, but, I'm just wondering if there isn't a way to
correct the problem.

Greylisting is 99% of the time not a problem. But, sometimes, the client is
on the phone with a customer or in some other situation where they need to
receive the email quickly. With my current greylisting setups, I can't
guarantee any time when they'll receive the first email from a contact other
than 'will take at least 5 mins and can take much longer depending on how
their mail server is configured'.

In any case, it's not unmanageable. I just set expectations with customers
and they're not wanting to move away from greylisting. But, it does *feel*
like a 'solvable problem'.

--James

--
What would Bilano do?



Re: spamd extension

2005-10-26 Thread James Harless
 How would you find an unknown ip of an unknown machine?  About the
 only *chance* you have is doing MX lookups and hoping that email
 comes from that same server.  If their organization uses various
 relays and proxies to send, you are out of luck.  There's no way to
 get that information without a previously harvested email and looking
 at the message headers.


Well, that's exactly the point... you don't find the ip.  You put in a
temporal entry that says 'whitelist the next ip address that connects
attempting to send mail from $sender to $rcpt'.  After that, the entry
expires.

It's been pointed out here that it just isn't possible, currently. 
I'm ok with that.  The issue is smaller than the problem that it
solves (removing most of the spam from my networks).

Thanks for all the input.

--James



spamd extension

2005-10-25 Thread James Harless
I would like some advice on extending spamd functionality.  I'm not
sure of the best approach to this problem.

Problem:

I administer several independent mail gateway / firewall devices that
greylist for their networks.  I've done a fair job of educating users
about how greylisting will affect their email but, inevitably a user
will contact me to request that an incoming email be whitelisted.  The
only information they have is 1) sending email address and 2)
receiving email address.  Of course, spamd only deals in IP addresses
and it may be difficult to find the ip address of the sending mail
server.  Additionally, I'd like to provide some method to the users
where they could whitelist someone themselves without requesting
directly from me.

What I envision:

A script or extension to spamd that would allow me to input a 'from'
and 'rcpt to' address.  Then, the next time that combo is seen, from
any IP address...it gets whitelisted automatically.  I envision this
only happening one time and then returning to greylisting as normal. 
I understand that there's a chance of someone sending spam through in
that window with the proper from/to combo .. but, it's small enough to
accept.


Thoughts?  Does this sound feasible?  Is this a reasonable solution? 
If so, what direction would you recommend for implementation?  (I'm no
programmer.. but, not afraid of diving in, nonetheless.)

--James



Re: Clamav problem

2005-09-26 Thread James Harless
One thing to check, make sure the timeout you have specified for the milter
is long enough for it to actually scan the attachment. What this magic
number is depends a lot on your hardware configuration but, I'd try setting
it unreasonably large at first to make sure that isn't the problem.

--James

On 9/23/05, Cristian Del Carlo [EMAIL PROTECTED] wrote:

 Hi list,
 I have an odd problem with clamav.

 I am following the openbsd 3.7 (release + fix) and I have clamav-0.86.2p0,
 smtp-vilter and sendmail.
 When a mail with a zip attachment arrives, sometimes I have the following
 message in /var/log/maillog :
 Milter: data, reject=451 4.3.2 Please try again later

 I have this problem ONLY with some zip attachments.

 Does anyone know how to solve this problem?
 I have tried to install clamav (and its dependencies) from packages but
 the problem isn't fixed.

 Thanks,

 Cristian Del Carlo




--
What would Bilano do?



Re: Load Balance net connections w/ redirect

2005-07-18 Thread James Harless
Well, my objective is to have fail-over on the outbound connections,
primarily.  The load-balancing comes about because of that. 
Load-balancing is definitely not a requirement for this site and I
probably should have worded my email a bit differently.  One
connection is a cable modem and the other ADSL.

I really want the connections to fail-over when the other isn't
available.  I achieved this through the current configuration but,
maybe not in an optimal fashion.  I don't need to balance the incoming
connections (and don't want to) but, I'm having issues getting the
gateway to reply w/o balancing issues.

I've attached my newest pf.conf in the hopes that you might be able to
see my error.  This is (obviously) the first time I've worked with
this type of setup so, I'm uncertain where the issue lies.  It seems
like I need to get rdr and reply-to to work together but, maybe there
is a different method.

Thanks,

James



--


## pf.conf ##
ext_if1="fxp1"
ext_gw1="2.2.2.2"
ext_if2="fxp2"
ext_gw2="3.3.3.3"
int_if="fxp0"
lan_net="192.168.1.1/24"
exch_svr="192.168.1.150"
exch_svc="{ 80, 443 }"

table <spamd> persist
table <spamd-white> persist
table <mywhite> persist file "/root/goodips"
table <myblack> persist file "/root/badips"

scrub in

# nat all outbound traffic on each interface
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

rdr pass on $int_if proto tcp from $exch_svr to port smtp \
   -> 127.0.0.1 port smtp

rdr pass on $ext_if1 proto tcp from <spamd> to port smtp \
   -> 127.0.0.1 port spamd
rdr pass on $ext_if2 proto tcp from <spamd> to port smtp \
   -> 127.0.0.1 port spamd

rdr pass on $ext_if1 proto tcp from <mywhite> to port smtp \
   -> 127.0.0.1 port smtp
rdr pass on $ext_if2 proto tcp from <mywhite> to port smtp \
   -> 127.0.0.1 port smtp

rdr pass on $ext_if1 proto tcp from !<spamd-white> to port smtp \
   -> 127.0.0.1 port spamd
rdr pass on $ext_if2 proto tcp from !<spamd-white> to port smtp \
   -> 127.0.0.1 port spamd

**rdr on $ext_if1 proto tcp from any to port $exch_svc -> 192.168.1.150
**rdr on $ext_if1 proto tcp from any to port 407 -> 192.168.1.21

# Default block all traffic incoming & outgoing
block all

# pass all outgoing packets on internal interface
pass out quick on $int_if from any to $int_if:network
# pass in quick any packets destined for the gateway itself from the lan
pass in quick on $int_if from $int_if:network to $int_if

# load balance outgoing tcp traffic from internal network
pass in quick on $int_if route-to \
   { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
   proto tcp from $lan_net to any flags S/SA modulate state
# load balance outgoing udp & icmp traffic from internal network
pass in quick on $int_if route-to \
   { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
   proto { udp, icmp } from $lan_net to any keep state


# pass out rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
#   ext_if2 & $ext_gw2

pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any \
   flags S/SA modulate state
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any \
   flags S/SA modulate state


pass quick on { lo }
antispoof quick for { lo }

pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to \
   $ext_if1 port ssh keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to \
   $ext_if2 port ssh keep state

#pass in on $ext_if proto tcp to $ext_gw1 port > 49151 user proxy keep state

pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to \
   $ext_if1 port smtp keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to \
   $ext_if2 port smtp keep state

**pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to \
**  $exch_svr port $exch_svc keep state
**pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to \
**  any port 407 keep state


On 7/18/05, Will H. Backman [EMAIL PROTECTED] wrote:
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
 Of
  James Harless
  Sent: Saturday, July 16, 2005 4:27 AM
  Cc: OpenBSD-misc list
  Subject: Re: Load Balance net connections w/ redirect
 
  I'm not sure I understand the suggestion.  Feel free to enlighten
  me... I'm completely open to ideas.
 
  James
 
  On 7/15/05, Will H. Backman [EMAIL PROTECTED] wrote:
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
 Behalf
   Of
James Harless
Sent: Friday, July

Re: Load Balance net connections w/ redirect

2005-07-16 Thread James Harless
I'm not sure I understand the suggestion.  Feel free to enlighten
me... I'm completely open to ideas.

James

On 7/15/05, Will H. Backman [EMAIL PROTECTED] wrote:
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
 Of
  James Harless
  Sent: Friday, July 15, 2005 2:33 PM
  To: misc@openbsd.org
  Subject: Load Balance net connections w/ redirect
 
  Hello all,
 
  I'm trying to redirect specific ports through a pf firewall that
  loadbalances 2 outgoing net connections and having some problems.
  This firewall connects to 2 different ISPs.  It also performs
  greylisting and pre-filtering of mail for viruses (virii?).  I know
  that I need to work in the 'reply-to' option somehow but, I can't seem
  to get it working.
 
 Why not use an exterior routing protocol, which is designed to do this?
 


-- 
What would Bilano do?



Load Balance net connections w/ redirect

2005-07-15 Thread James Harless
Hello all,

I'm trying to redirect specific ports through a pf firewall that
loadbalances 2 outgoing net connections and having some problems.
This firewall connects to 2 different ISPs.  It also performs
greylisting and pre-filtering of mail for viruses (virii?).  I know
that I need to work in the 'reply-to' option somehow but, I can't seem
to get it working.

I've put ** in front of the lines that I've added to try and redirect
the traffic, that don't seem to be working.  Any help you could lend
would be greatly appreciated.  If the problem is covered elsewhere, I
could just use a hint where to find it (have looked around quite a
bit).

--


## pf.conf ##
ext_if1="fxp1"
ext_gw1="2.2.2.2"
ext_if2="fxp2"
ext_gw2="3.3.3.3"
int_if="fxp0"
lan_net="192.168.1.1/24"
exch_svr="192.168.1.150"
exch_svc="{ 80, 443 }"

table <spamd> persist
table <spamd-white> persist
table <mywhite> persist file "/root/goodips"
table <myblack> persist file "/root/badips"

scrub in

# nat all outbound traffic on each interface
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

rdr pass on $int_if proto tcp from $exch_svr to port smtp \
   -> 127.0.0.1 port smtp

rdr pass on $ext_if1 proto tcp from <spamd> to port smtp \
   -> 127.0.0.1 port spamd
rdr pass on $ext_if2 proto tcp from <spamd> to port smtp \
   -> 127.0.0.1 port spamd

rdr pass on $ext_if1 proto tcp from <mywhite> to port smtp \
   -> 127.0.0.1 port smtp
rdr pass on $ext_if2 proto tcp from <mywhite> to port smtp \
   -> 127.0.0.1 port smtp

rdr pass on $ext_if1 proto tcp from !<spamd-white> to port smtp \
   -> 127.0.0.1 port spamd
rdr pass on $ext_if2 proto tcp from !<spamd-white> to port smtp \
   -> 127.0.0.1 port spamd

**rdr on $ext_if1 proto tcp from any to port $exch_svc -> 192.168.1.150
**rdr on $ext_if1 proto tcp from any to port 407 -> 192.168.1.21

# Default block all traffic incoming & outgoing
block all

# pass all outgoing packets on internal interface
pass out quick on $int_if from any to $int_if:network
# pass in quick any packets destined for the gateway itself from the lan
pass in quick on $int_if from $int_if:network to $int_if

# load balance outgoing tcp traffic from internal network
pass in quick on $int_if route-to \
   { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
   proto tcp from $lan_net to any flags S/SA modulate state
# load balance outgoing udp & icmp traffic from internal network
pass in quick on $int_if route-to \
   { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
   proto { udp, icmp } from $lan_net to any keep state


# pass out rules for external interfaces
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state

# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
#   ext_if2 & $ext_gw2

pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any \
   flags S/SA modulate state
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any \
   flags S/SA modulate state


pass quick on { lo }
antispoof quick for { lo }

pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to \
   $ext_if1 port ssh keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to \
   $ext_if2 port ssh keep state

#pass in on $ext_if proto tcp to $ext_gw1 port > 49151 user proxy keep state

pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to \
   $ext_if1 port smtp keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) proto tcp from any to \
   $ext_if2 port smtp keep state

**pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to \
**  $exch_svr port $exch_svc keep state
**pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp from any to \
**  any port 407 keep state


Thanks!


James Harless
-- 
What would Bilano do?



OpenBSD in commercial firewalls?

2005-06-14 Thread James Harless
I know that several firewall vendors use various flavors of Linux as
the basis for their devices.  Are there any that use OpenBSD
similarly?  If so, which?  Any comments on the devices?  Links would
be appreciated.


-James


-- 
What would Bilano do?