spamd-mywhite

Doug Sampson dougs at dawnsign.com
Mon Sep 10 13:07:49 PDT 2007


> Hi all,
> 
> I've been running pf+obspamd on FBSD 6.2-RELEASE.
> 
> I appear to be blocking some addresses that appear in my 
> spamd-mywhite file
> and I don't understand why that would be the case here. I'm 
> guessing I've
> screwed up my pf.conf file.
> 
> Here's my config file:
> 
> # pfctl -vvnf /etc/pf.conf
> ext_if = "rl0"
> int_if = "xl0"
> internal_net = "192.168.1.1/24"
> external_addr = "216.70.250.4"
> vpn_net = "10.8.0.0/24"
> NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
> webserver1 = "192.168.1.4"
> set skip on { lo0 }
> set skip on { gif0 }
> @0 scrub in all fragment reassemble
> @1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
> @2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
> @3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http -> 192.168.1.4 port 80
> table <spamd> persist
> table <spamd-white> persist
> table <spamd-mywhite> persist file "/usr/local/etc/spamd/spamd-mywhite"
> table <spamd-alloweddomains> persist file "/usr/local/etc/spamd/spamd.alloweddomains"
> @4 rdr pass inet proto tcp from <spamd-white:0> to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
> @5 rdr pass inet proto tcp from <spamd:0> to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
> @6 rdr pass inet proto tcp from ! <spamd-mywhite:0> to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
> @7 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
> @8 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
> @9 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
> @10 block drop in log all
> @11 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
> @12 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
> @13 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
> @14 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
> @15 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
> @16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
> @17 block drop out log quick on rl0 inet from any to 192.168.0.0/16
> @18 block drop out log quick on rl0 inet from any to 172.16.0.0/12
> @19 block drop out log quick on rl0 inet from any to 10.0.0.0/8
> @20 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
> @21 block drop in log quick inet from 192.168.1.25 to any
> @22 pass in on xl0 inet from 192.168.1.0/24 to any
> @23 pass out log on xl0 inet from any to 192.168.1.0/24
> @24 pass out log quick on xl0 inet from any to 10.8.0.0/24
> @25 pass out on rl0 proto tcp all flags S/SA modulate state
> @26 pass out on rl0 proto udp all keep state
> @27 pass out on rl0 proto icmp all keep state
> @28 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
> @29 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
> 
> /var/log/pflog0 shows the following:
> 
> 141748 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768 <mss 1460,wscale 0,nop>
> 2. 049208 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768 <mss 1460,wscale 0,nop>
> 3. 068169 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768 <mss 1460,wscale 0,nop>
> 5. 594277 rule 3/0(match): block in on rl0: 205.188.139.137.61419 > 216.70.250.4.25: S 2510359871:2510359871(0) win 24820 <nop,nop,sackOK,mss 1460>
> 525916 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768 <mss 1460,wscale 0,nop>
> 
> # pfctl -t spamd-mywhite -T show | grep 205.188.
> No ALTQ support in kernel
> ALTQ related functions disabled
>    205.188.139.0/24
>    205.188.144.0/24
>    205.188.156.0/23
>    205.188.157.0/24
>    205.188.159.0/24
> 
> Thus 205.188.159.7 shouldn't be blocked.
> 
> # spamdb | grep 205\.188\.
> WHITE|205.188.249.132|||1187218293|1187220082|1190330485|13|0
> WHITE|205.188.249.67|||1187823652|1187824708|1190935126|12|0
> WHITE|66.179.205.188|||1186759482|1186761981|1189872409|9|0
> #
> 
> spamdb doesn't show any entries for 205.188.159.7.
> 
> These entries are for AOL mail. I've received complaints from 
> AOL users of
> mail bouncing back to them.
> 
> What am I doing wrong? Are CIDR records accepted by 
> pf+obspamd? I can't
> trace the block back to the proper rules, i.e. rule 3/0 as 
> shown in pflog0
> matches up with which rule in pf.conf?
> 
> Any suggestions are appreciated!
> 
> ~Doug

Hi,

I'm resending this as I have not received any replies. Can someone help me
out here?

Oh, and I'm running obspamd 4.1.1.

~Doug
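The "rule 3/0" question in the quoted mail comes down to how pf numbers rules: pflog records the rule's index within the filter ruleset (the numbering `pfctl -vvsr` prints, starting at 0 with the first pass/block rule), and scrub, nat and rdr rules live in their own rulesets, so the @N numbers that a single `pfctl -vvnf` run prints across all of them do not line up with it. The script below is an added example for this thread, not code from the list or from the pf/spamd projects; it re-joins the lines a mail client wrapped, extracts the pass/block rules in load order, and resolves a pflog line against them. The embedded dump is a constructed, trimmed copy of the `pfctl -vvnf` output above with its wrapping left in, and the pflog line is modeled on the ones quoted. On that input, rule 3 resolves to `@10 block drop in log all`.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed copy of the pfctl -vvnf dump from the thread,
# with the line wrapping the mail client introduced left in place so the
# re-join logic has something to do.
PFCTL_DUMP = """\
ext_if = "rl0"
set skip on { lo0 }
@0 scrub in all fragment reassemble
@1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
@2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
@3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http ->
192.168.1.4 port 80
table <spamd> persist
table <spamd-mywhite> persist file
"/usr/local/etc/spamd/spamd-mywhite"
@4 rdr pass inet proto tcp from <spamd-white:0> to
216.70.250.4 port = smtp
-> 127.0.0.1 port 25
@5 rdr pass inet proto tcp from <spamd:0> to 216.70.250.4
port = smtp ->
127.0.0.1 port 8025
@6 rdr pass inet proto tcp from ! <spamd-mywhite:0> to
216.70.250.4 port =
smtp -> 127.0.0.1 port 8025
@7 pass in log inet proto tcp from any to 216.70.250.4 port =
smtp flags
S/SA synproxy state
@8 pass out log inet proto tcp from 216.70.250.4 to any port
= smtp flags
S/SA synproxy state
@9 pass in log inet proto tcp from 192.168.1.0/24 to
192.168.1.25 port =
smtp flags S/SA synproxy state
@10 block drop in log all
@11 pass in log quick on xl0 inet proto tcp from any to
192.168.1.25 port =
ssh flags S/SA synproxy state
"""

# Constructed sample pflog line (tcpdump output), modeled on the thread.
PFLOG_LINE = ("141748 rule 3/0(match): block in on rl0: 205.188.159.7.50805 > "
              "216.70.250.4.25: S 1250664467:1250664467(0) win 32768")

# A statement begins with @N, a table/set keyword or a macro assignment
# (pfctl prints macro values quoted); anything else is a wrapped fragment.
STATEMENT_START = re.compile(r'^(@\d+ |table |set |\w+ = ")')
FILTER_ACTIONS = ("pass", "block")
PFLOG_RULE = re.compile(
    r'rule (\d+)/(\d+)\((\w+)\): (block|pass) (in|out) on (\w+): (\S+) > (\S+):')


def logical_lines(dump: str) -> List[str]:
    """Undo mail-client wrapping: glue each fragment onto the statement before it."""
    out: List[str] = []
    for raw in dump.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate '> ' quoting from a reply
        if not line:
            continue
        if STATEMENT_START.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out


def numbered_rules(dump: str) -> List[Tuple[int, str]]:
    """All @N rules in the dump, as (pfctl -vvnf number, rule text)."""
    rules = []
    for line in logical_lines(dump):
        m = re.match(r'^@(\d+) (.*)$', line)
        if m:
            rules.append((int(m.group(1)), m.group(2)))
    return rules


def filter_rules(dump: str) -> List[str]:
    """The filter ruleset in load order: pass/block rules only. scrub, nat and
    rdr rules (including 'rdr pass') live in separate rulesets, so they do not
    count toward the rule number pflog reports."""
    return [text for _, text in numbered_rules(dump)
            if text.split()[0] in FILTER_ACTIONS]


def resolve_pflog(dump: str, log_line: str) -> Optional[Dict[str, object]]:
    """Map 'rule N/0(match): block in on rl0: ...' to the N-th filter rule."""
    m = PFLOG_RULE.search(log_line)
    if not m:
        return None
    nr, subnr, reason, action, direction, ifname, src, dst = m.groups()
    frules = filter_rules(dump)
    if int(nr) >= len(frules):
        return None  # dump and log are out of sync (ruleset reloaded?)
    rule = frules[int(nr)]
    words = rule.split()
    return {
        "rule_nr": int(nr), "subrule": int(subnr), "reason": reason,
        "action": action, "direction": direction, "interface": ifname,
        "src": src, "dst": dst, "rule": rule,
        # sanity check: the logged action/direction must match the rule text
        "consistent": words[0] == action and direction in words[1:3],
    }


if __name__ == "__main__":
    for i, r in enumerate(filter_rules(PFCTL_DUMP)):
        print(f"filter rule {i}: {r}")
    hit = resolve_pflog(PFCTL_DUMP, PFLOG_LINE)
    print(f"\n{hit['src']} -> {hit['dst']} hit filter rule {hit['rule_nr']}: {hit['rule']}")
```

The `consistent` field is the cheap check worth keeping: if the logged action or direction disagrees with the rule text the number resolved to, the dump was taken from a different ruleset than the one that produced the log (for instance after a reload), and the mapping should not be trusted. For a live box, feeding `pfctl -vvsr` output in place of the saved dump gives the same numbering the kernel uses without any re-joining.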


More information about the freebsd-pf mailing list