Differences in PF between FBSD 8.2 & 9.0?

Doug Sampson dougs at dawnsign.com
Sat Mar 10 21:43:28 UTC 2012


> On 2/15/12 2:22 AM, Doug Sampson wrote:
> > I got bitten by PF when upgrading from 8.2 to 9.0. It refused to allow
> > any incoming mail. I'm using spamd in conjunction with pf. I use a
> > combination of natting along with redirections in conjunction with the
> > normal pass/block rules.
> >
> 
> Toggle logging on both your default drop rule and your allow mail ones.
> 
> Then tcpdump -nei pflog0 ip and port 465 (or 25, whichever)
> See what rule number matches your packets, then find out what rule that
> is with pfctl -vvvsr
> 
> 

I'm now getting back to this issue after being diverted to other projects. Spam has been noticed by our staff and they're not happy. :)

Here's what the tcpdump shows:

mailfilter-root@~# tcpdump -nei pflog0 port 8025
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
13:12:14.948935 rule 0..16777216/0(match): block in on fxp0: 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, options [mss 1460,nop,nop,TS val 1845169225 ecr 0,nop,wscale 0,nop,nop,sackOK], length 0
13:12:18.324854 rule 0..16777216/0(match): block in on fxp0: 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, options [mss 1460,nop,nop,TS val 1845169563 ecr 0,nop,wscale 0,nop,nop,sackOK], length 0
...


pflog0 shows that all incoming packets are blocked by rule #0, which is:

@0 scrub in all fragment reassemble
@0 block drop in log all


And

mailfilter-root@~# spamdb | g GREY
mailfilter-root@~#

No greytrapping is occurring. Is the 'scrub' rule screwing up our packets? Our pf.conf worked fine in version 8.2 prior to the upgrade to 9.0.

Also why am I being warned that there isn't an IPv4 address assigned to pflog0?

Pertinent pf.conf section related to spamd:

# spamd-setup puts addresses to be redirected into table <spamd>.
table <spamd> persist
table <spamd-white> persist
table <spamd-mywhite> persist file "/usr/local/etc/spamd/spamd-mywhite"
table <spamd-spf> persist file "/usr/local/etc/spamd/spamd-spf.txt"
#no rdr on { lo0, lo1 } from any to any
# redirect to spamd
rdr inet proto tcp from <spamd-mywhite> to $external_addr port smtp -> 127.0.0.1 port smtp
rdr inet proto tcp from <spamd-spf> to $external_addr port smtp -> 127.0.0.1 port smtp
rdr inet proto tcp from <spamd-white> to $external_addr port smtp -> 127.0.0.1 port smtp
rdr inet proto tcp from <spamd> to $external_addr port smtp -> 127.0.0.1 port spamd
rdr inet proto tcp from !<spamd-mywhite> to $external_addr port smtp -> 127.0.0.1 port spamd

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
block in log all

# allow inbound/outbound mail! also to log to pflog
pass in log inet proto tcp from any to $external_addr port smtp flags S/SA synproxy state
pass out log inet proto tcp from $external_addr to any port smtp flags S/SA synproxy state
pass in log inet proto tcp from $internal_net to $int_if port smtp flags S/SA synproxy state
pass in log inet proto tcp from $dmz_net to $int_if port smtp flags S/SA synproxy state


~Doug
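The debugging recipe quoted at the top of the thread (log on the block and pass rules, sniff pflog0, then map the logged rule number back to `pfctl -vvsr`) is easy to do by hand for two lines and tedious for a day's worth. The script below is an added example, not code from the original post or from the pf project: it parses `tcpdump -nei pflog0` lines of the form shown in the mail (both the FreeBSD 9.0 `rule 0..16777216/0(match)` and the plain `rule 0/0(match)` form), parses a `pfctl -vvsr` style listing, and reports per logged packet which filter rule fired and what that rule says. The two pflog lines are the ones from the post; the third pflog line, the pass rule and the address 203.0.113.10 standing in for $external_addr are constructed for the example. It also flags a detail worth checking in this thread: pf applies rdr translation before the filter rules are evaluated, so a packet logged on fxp0 with destination 127.0.0.1.8025 has already been redirected to spamd, and the filter rule that has to pass it must match that translated destination, not the pre-rdr one.

```python
"""Correlate pflog(4) lines captured with tcpdump against a pfctl rule listing.

Added example for the freebsd-pf thread above; not from the original post or
from pf itself.  Sample input is embedded so it runs offline.
"""
import re
import ipaddress
from collections import Counter

# First two lines copied from the post; third line constructed for contrast.
SAMPLE_PFLOG = """\
13:12:14.948935 rule 0..16777216/0(match): block in on fxp0: 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, options [mss 1460,nop,nop,TS val 1845169225 ecr 0,nop,wscale 0,nop,nop,sackOK], length 0
13:12:18.324854 rule 0..16777216/0(match): block in on fxp0: 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, options [mss 1460,nop,nop,TS val 1845169563 ecr 0,nop,wscale 0,nop,nop,sackOK], length 0
13:12:20.101010 rule 1/0(match): pass in on fxp0: 198.51.100.7.44001 > 203.0.113.10.25: Flags [S], seq 1, win 65535, length 0
"""

# Constructed pfctl -vvsr style listing.  Only the @0 block rule is from the
# post; 203.0.113.10 stands in for $external_addr.  The indented bracketed
# lines imitate the per-rule counters that -vv prints and are skipped.
SAMPLE_RULES = """\
@0 block drop in log all
  [ Evaluations: 1024      Packets: 2         Bytes: 120         States: 0     ]
@1 pass in log inet proto tcp from any to 203.0.113.10 port = smtp flags S/SA synproxy state
  [ Evaluations: 1         Packets: 1         Bytes: 60          States: 1     ]
"""

# "rule N/S(reason)" is the classic form; FreeBSD 9.0 prints "rule N..M/S(reason)".
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)(?:\.\.\d+)?/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+):(?: Flags \[(?P<flags>[^\]]*)\])?"
)


def split_endpoint(endpoint):
    """'75.180.132.120.33308' -> ('75.180.132.120', 33308); v6 uses the same suffix."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_pflog_line(line):
    """Return a dict for one tcpdump pflog line, or None if it does not parse."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {
        "ts": m["ts"], "rule": int(m["rule"]), "reason": m["reason"],
        "action": m["action"], "dir": m["dir"], "iface": m["iface"],
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "flags": m["flags"] or "",
    }


def parse_rules(text):
    """Map rule number -> rule text from a pfctl -vvsr listing (counters skipped)."""
    rules = {}
    for line in text.splitlines():
        m = re.match(r"^@(\d+) (.*)$", line)
        if m:
            rules[int(m[1])] = m[2]
    return rules


def already_translated(rec):
    """Heuristic: a packet logged on a non-loopback interface but addressed to a
    loopback address has already been rewritten by an rdr rule, because pf
    translates before it evaluates the filter rules."""
    return (not rec["iface"].startswith("lo")
            and ipaddress.ip_address(rec["dst"]).is_loopback)


def correlate(pflog_text, rules_text):
    """Attach rule text and the translation flag to every parsed pflog record,
    and count hits per (rule, action, direction, interface)."""
    rules = parse_rules(rules_text)
    records, counts = [], Counter()
    for line in pflog_text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        rec["rule_text"] = rules.get(rec["rule"], "<rule not in listing>")
        rec["translated"] = already_translated(rec)
        records.append(rec)
        counts[(rec["rule"], rec["action"], rec["dir"], rec["iface"])] += 1
    return records, counts


if __name__ == "__main__":
    recs, hits = correlate(SAMPLE_PFLOG, SAMPLE_RULES)
    for (rule, action, direction, iface), n in sorted(hits.items()):
        print(f"@{rule} {action} {direction} on {iface}: {n} packet(s)")
    for r in recs:
        note = "  (dst is post-rdr; pass rule must match it)" if r["translated"] else ""
        print(f"{r['ts']} @{r['rule']} {r['action']} {r['src']}:{r['sport']} -> "
              f"{r['dst']}:{r['dport']} [{r['flags']}]  {r['rule_text']}{note}")
```

Feed it real data with `tcpdump -nei pflog0 port 8025 > pflog.txt` and `pfctl -vvsr > rules.txt` and pass the file contents to `correlate()`; the rule numbers in pflog index the filter ruleset the same way `pfctl -vvsr` numbers it, which is what makes the lookup work.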




More information about the freebsd-pf mailing list