[pf4freebsd] Re: pf and spamd

sam samwun at hgdbroadband.com
Wed Sep 15 21:12:56 PDT 2004


Jett Tayer wrote:

> hello,
>
> I'm using FreeBSD 5.2.1 and I'm having problems making pf work with 
> spamd (mail/spamd).
> When I try to load one of my IP addresses into the <spamd> table and try to telnet
> to it at port 25 from another server whose IP is added in the spamd table, 
> I can't see the usual:
>
> Escape character is '^]'.
> 220 mybox.myhostname.mydomain ESMTP spamd IP-based SPAM blocker; Sat Aug 21 11:27:57 2004
>
> It just says Trying mybox.myhostname.mydomain... and that's it.
>
I haven't tested it on FreeBSD, but when I tried it on OpenBSD it 
intentionally makes all black-listed email sent through the PF firewall 
with spamd enabled get redirected to 127.0.0.1 spamd port 25, which 
has spamd listening on it, and spamd replies to each of these spam emails 
very, very slowly; as a result the sender gets a time-out.

From the man page of spamd:
....

     pf(4) packet filter is configured to redirect port 25 (SMTP) to this daemon,
     it will attempt to waste the time and resources of the spam sender.
...

sam

> below is my pf.conf
>
>
> # pf.conf  o
>
> # Macros
> # ext_if -- the interface to the outside world
> ext_if="em0"
>
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>
> icmp_types= "echoreq"
>
> # Tables:
> table <spamd> persist
>
> # Options
> set timeout { interval 10, frag 30 }
> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> set timeout { icmp.first 20, icmp.error 10 }
> set timeout { other.first 60, other.single 30, other.multiple 60 }
> set timeout { adaptive.start 0, adaptive.end 0 }
> set limit { states 10000, frags 5000 }
> set require-order yes
> set block-policy drop
> set optimization normal
> set loginterface none
> set fingerprints "/usr/local/etc/pf.os"
>
> # Normalize packets
> scrub in all
> scrub out all
>
> no rdr on { lo0 } from any to any
> rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
> pass in quick inet proto tcp from <spamd> to 127.0.0.1 port 8025 keep state
>
> # Filter packets
> # block all incoming connections sent from the outside
> # log all blocked packets
> block in log all
> block drop in  quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
>
> # block all inbound connections to port 113 (auth)
> # and return ICMP destination-unreachable
> block return-rst in quick on $ext_if proto tcp \
>         from any to $ext_if port auth
>
> pass out keep state
>
> pass in quick on lo0 all
>
> # pass all connections originating from external hosts to
> # port 22 (SSH) on the bastion host
> pass in quick on $ext_if proto tcp \
>         from any to $ext_if port 22 \
>         flags S/SA keep state
>
> # pass all connections originating from external hosts to
> # port 25 (SMTP) on the bastion host
> pass in quick on $ext_if inet proto tcp \
>         from any to $ext_if port 25 \
>         flags S/SA keep state
>
> # pass all connections originating from external hosts to
> # port 53 (DNS) on the bastion host
> pass in quick on $ext_if inet proto tcp \
>         from any to $ext_if port 53 \
>         flags S/SA keep state
>
> # pass all connections originating from external hosts to
> # port 53 (DNS) on the bastion host
> pass in quick on $ext_if inet proto udp \
>         from any to $ext_if port 53 \
>         keep state
>
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
> pass out quick on $ext_if proto { tcp,udp } \
>         from $ext_if to any keep state
>
> # antispoof rule on the external interface
> antispoof for $ext_if
>
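Sam's description of spamd stretching out its SMTP replies until the sender gives up, reduced to a runnable simulation. This is an added example, not code from the thread or from spamd itself: the ephemeral localhost port, the per-byte delay and the banner text are constructed, and the delay is far shorter than spamd's real stutter so the whole thing finishes in a few seconds.

```python
import socket
import threading
import time

BANNER = b"220 mybox.myhostname.mydomain ESMTP spamd IP-based SPAM blocker\r\n"  # constructed

def stutter(conn, delay):
    # Send the greeting one byte at a time with a pause between bytes, as spamd does
    # to drag out the dialogue; a client that hangs up early just ends this thread.
    with conn:
        try:
            for i in range(len(BANNER)):
                conn.sendall(BANNER[i:i + 1])
                time.sleep(delay)
        except OSError:
            pass

def start_tarpit(delay):
    # Listen on an ephemeral 127.0.0.1 port and stutter the banner to every client.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed by demo()
                return
            threading.Thread(target=stutter, args=(conn, delay), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv

def read_banner(port, client_timeout):
    # Behave like a sending MTA: wait up to client_timeout for a complete greeting line.
    # Returns ("banner", text) or ("timeout", whatever partial text had arrived).
    got, deadline = b"", time.monotonic() + client_timeout
    with socket.create_connection(("127.0.0.1", port), timeout=client_timeout) as c:
        try:
            while not got.endswith(b"\r\n"):
                c.settimeout(max(deadline - time.monotonic(), 0.001))
                got += c.recv(1)
        except socket.timeout:
            return ("timeout", got.decode(errors="replace"))
    return ("banner", got.decode().strip())

def demo():
    # An impatient sender gives up on the 65-byte banner; a patient one reads it all.
    srv = start_tarpit(delay=0.05)  # real spamd stutters far more slowly than this
    port = srv.getsockname()[1]
    impatient = read_banner(port, client_timeout=0.5)
    patient = read_banner(port, client_timeout=10)
    srv.close()
    return impatient, patient
```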