[pf4freebsd] pf and spamd

Jett Tayer jett at sycorax.ath.cx
Wed Sep 15 21:12:51 PDT 2004


hello,

I'm using FreeBSD 5.2.1 and I'm having problems making pf work with spamd
(mail/spamd).
When I load one of my IP addresses into the <spamd> table and try to
telnet to it on port 25 from another server whose IP is added to the
spamd table, I can't see the usual:

Escape character is '^]'.
220 mybox.myhostname.mydomain ESMTP spamd IP-based SPAM blocker; Sat 
Aug 21 11:27:57 2004

It just says "Trying mybox.myhostname.mydomain..." and that's it.

Below is my pf.conf:


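# pf.conf
#
# Ruleset for a single-homed bastion host; em0 is the only interface
# referenced. pf filtering is last-match, so "block in log all" below is
# the default for anything not matched by a later (mostly "quick") pass
# rule.

# Macros
# ext_if -- the interface to the outside world
ext_if="em0"

# RFC 1918 ranges plus loopback: never a valid source arriving on
# $ext_if, nor a valid destination leaving it (see the two drop rules).
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# Only echo requests are accepted inbound (see the icmp pass rule).
icmp_types= "echoreq"

# Tables:
# <spamd> -- sources whose SMTP connections are redirected to spamd.
# "persist" keeps the table alive even while no rule references it, so
# it can be populated independently of ruleset reloads.
table <spamd> persist

# Options
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set require-order yes
# drop: blocked packets are silently discarded unless a rule says
# otherwise (the port 113 rule below deliberately overrides this).
set block-policy drop
set optimization normal
set loginterface none
set fingerprints "/usr/local/etc/pf.os"

# Normalize packets
scrub in all
scrub out all

# spamd redirection
# Loopback is exempt, so a local client connecting to 127.0.0.1:25 is
# never handed to spamd.
no rdr on { lo0 } from any to any
# Not scoped to an interface: applies on every interface except lo0.
# NOTE(review): if only external senders should be redirected, scope
# this with "on $ext_if" -- confirm no other interface relies on it.
rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
# Filter rules see the *translated* destination, so this must match
# 127.0.0.1:8025 rather than port 25. Kept on a single line: pf only
# accepts a rule continued across lines with a trailing backslash, and a
# wrapped rule makes pfctl reject the whole file. flags S/SA matches the
# other inbound TCP rules: state is created from the initial SYN only.
pass in quick inet proto tcp from <spamd> to 127.0.0.1 port 8025 \
         flags S/SA keep state

# Filter packets
# block all incoming connections sent from the outside
# log all blocked packets
block in log all
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# block all inbound connections to port 113 (auth)
# and answer with a TCP RST (return-rst) so remote ident lookups fail
# fast instead of hanging under the global block-policy of "drop"
block return-rst in quick on $ext_if proto tcp \
         from any to $ext_if port auth

# Outbound traffic on every interface is allowed and tracked.
pass out keep state

pass in quick on lo0 all

# pass all connections originating from external hosts to
# port 22 (SSH) on the bastion host
pass in quick on $ext_if proto tcp \
         from any to $ext_if port 22 \
         flags S/SA keep state

# pass all connections originating from external hosts to
# port 25 (SMTP) on the bastion host
# (sources in <spamd> never reach this rule: their destination was
# already rewritten to 127.0.0.1:8025 by the rdr above)
pass in quick on $ext_if inet proto tcp \
         from any to $ext_if port 25 \
         flags S/SA keep state

# pass all connections originating from external hosts to
# port 53 (DNS over TCP) on the bastion host
pass in quick on $ext_if inet proto tcp \
         from any to $ext_if port 53 \
         flags S/SA keep state

# pass all datagrams originating from external hosts to
# port 53 (DNS over UDP) on the bastion host
pass in quick on $ext_if inet proto udp \
         from any to $ext_if port 53 \
         keep state

# Echo requests only (see $icmp_types); replies are matched by state.
pass in inet proto icmp all icmp-type $icmp_types keep state

pass out quick on $ext_if proto { tcp,udp } \
         from $ext_if to any keep state

# antispoof rule on the external interface
antispoof for $ext_if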




