Differences in PF between FBSD 8.2 & 9.0?

Doug Sampson dougs at dawnsign.com
Mon Mar 12 23:44:12 UTC 2012


> > I'm now getting back to this issue after being diverted to other projects. Spam has been noticed by our staff and they're not happy. :)
> >
> > Here's what the tcpdump shows:
> >
> > mailfilter-root@~# tcpdump -nei pflog0 port 8025
> > tcpdump: WARNING: pflog0: no IPv4 address assigned
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
> > 13:12:14.948935 rule 0..16777216/0(match): block in on fxp0: 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, options [mss 1460,nop,nop,TS val 1845169225 ecr 0,nop,wscale 0,nop,nop,sackOK], length 0
> > 13:12:18.324854 rule 0..16777216/0(match): block in on fxp0: 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, options [mss 1460,nop,nop,TS val 1845169563 ecr 0,nop,wscale 0,nop,nop,sackOK], length 0
> > ...
> >
> >
> > The pflog0 shows that all incoming packets are blocked by rule #0 which is:
> >
> > @0 scrub in all fragment reassemble
> > @0 block drop in log all
> >
> >
> > And
> >
> > mailfilter-root@~# spamdb | g GREY
> > mailfilter-root@~#
> >
> > No greytrapping is occurring. Is the 'scrub' rule screwing up our packets? Our pf.conf worked fine in version 8.2 prior to the upgrade to 9.0.
> >
> > Also why am I being warned that there isn't an IPv4 address assigned to pflog0?
> >
> > Pertinent pf.conf section related to spamd:
> >
> > # spamd-setup puts addresses to be redirected into table <spamd>.
> > table <spamd> persist
> > table <spamd-white> persist
> > table <spamd-mywhite> persist file "/usr/local/etc/spamd/spamd-mywhite"
> > table <spamd-spf> persist file "/usr/local/etc/spamd/spamd-spf.txt"
> > #no rdr on { lo0, lo1 } from any to any
> > # redirect to spamd
> > rdr inet proto tcp from <spamd-mywhite> to $external_addr port smtp -> 127.0.0.1 port smtp
> > rdr inet proto tcp from <spamd-spf> to $external_addr port smtp -> 127.0.0.1 port smtp
> > rdr inet proto tcp from <spamd-white> to $external_addr port smtp -> 127.0.0.1 port smtp
> > rdr inet proto tcp from <spamd> to $external_addr port smtp -> 127.0.0.1 port spamd
> > rdr inet proto tcp from !<spamd-mywhite> to $external_addr port smtp -> 127.0.0.1 port spamd
> >
> > # block all incoming packets but allow ssh, pass all outgoing tcp and udp
> > # connections and keep state, logging blocked packets.
> > block in log all
> >
> > # allow inbound/outbound mail! also to log to pflog
> > pass in log inet proto tcp from any to $external_addr port smtp flags S/SA synproxy state
> > pass out log inet proto tcp from $external_addr to any port smtp flags S/SA synproxy state
> > pass in log inet proto tcp from $internal_net to $int_if port smtp flags S/SA synproxy state
> > pass in log inet proto tcp from $dmz_net to $int_if port smtp flags S/SA synproxy state
> 
> 
> I wouldn't claim to be an expert on pf, but no one else has replied.  Here
> is my understanding - The redirect rules (rdr) change the destination
> first to 127.0.0.1 port spamd (which appears to be 8025 from the dump).
> Then pf applies the filter rules (block pass) to the new addresses.  The
> only filter rule which references port 8025 is the first one: block in log
> all.  I believe you need a rule to permit mail in on the 8025 port.
> 

I modified the following rules:
# allow inbound/outbound mail! also to log to pflog
pass in log inet proto tcp from any to $external_addr port smtp flags S/SA synproxy state
pass in log inet proto tcp from any to 127.0.0.1 port smtp flags S/SA synproxy state
pass in log inet proto tcp from any to 127.0.0.1 port spamd flags S/SA synproxy state
pass out log inet proto tcp from $external_addr to any port smtp flags S/SA synproxy state
pass in log inet proto tcp from $internal_net to $int_if port smtp flags S/SA synproxy state
pass in log inet proto tcp from $dmz_net to $int_if port smtp flags S/SA synproxy state

I now am seeing packets to port 25 on the external interface being passed to lo0 port 25. Packets destined for port 8025 on the lo0 interface are being passed. So far so good. The trouble is I am not seeing GREYTRAP entries in the spamdb like I used to see previously. Netstat -an reports connections between various smtp servers and our smtp server.

I am at a loss. Should I rebuild the spamd port, considering that our greytrapping mechanism broke down when I upgraded from 8.3 to 9.0?

~Doug
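To make the rdr-then-filter ordering discussed in this thread concrete, here is an added Python model of how pf evaluates the quoted ruleset (example code, not from the thread or from pf itself). It assumes 203.0.113.10 as a stand-in for $external_addr, models only the rdr rule that sends unlisted senders to port spamd (8025, as seen in the tcpdump), and ignores tables, interfaces and state tracking.

```python
# Simplified model of pf evaluation: rdr rewrites the destination first,
# then the filter rules see the rewritten packet, last match wins.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

EXTERNAL_ADDR = "203.0.113.10"   # assumed value standing in for $external_addr
SPAMD_PORT = 8025                # "port spamd" as shown in the pflog0 tcpdump

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class FilterRule:
    action: str              # "pass" or "block"
    dst: Optional[str]       # None matches any destination address
    dport: Optional[int]     # None matches any destination port

# (match_dst, match_port, new_dst, new_port): first matching rdr rule wins
RdrRule = Tuple[str, int, str, int]

def apply_rdr(pkt: Packet, rdr_rules: List[RdrRule]) -> Packet:
    """Translation happens before filtering; returns the rewritten packet."""
    for match_dst, match_port, new_dst, new_port in rdr_rules:
        if pkt.dst == match_dst and pkt.dport == match_port:
            return replace(pkt, dst=new_dst, dport=new_port)
    return pkt

def filter_packet(pkt: Packet, rules: List[FilterRule]) -> str:
    """pf semantics without 'quick': the last matching rule decides."""
    decision = "pass"  # pf passes by default when no rule matches
    for r in rules:
        if (r.dst is None or r.dst == pkt.dst) and (r.dport is None or r.dport == pkt.dport):
            decision = r.action
    return decision

def verdict(pkt: Packet, rdr_rules: List[RdrRule], rules: List[FilterRule]) -> str:
    return filter_packet(apply_rdr(pkt, rdr_rules), rules)

# rdr ... from !<spamd-mywhite> to $external_addr port smtp -> 127.0.0.1 port spamd
RDR: List[RdrRule] = [(EXTERNAL_ADDR, 25, "127.0.0.1", SPAMD_PORT)]

# Original ruleset: "block in log all" then a pass only for $external_addr port smtp.
ORIGINAL = [FilterRule("block", None, None), FilterRule("pass", EXTERNAL_ADDR, 25)]
# Modified ruleset from the reply above: passes added for the rewritten destination.
MODIFIED = ORIGINAL + [FilterRule("pass", "127.0.0.1", 25), FilterRule("pass", "127.0.0.1", SPAMD_PORT)]

if __name__ == "__main__":
    pkt = Packet("75.180.132.120", EXTERNAL_ADDR, 25)   # constructed sample SYN
    print(apply_rdr(pkt, RDR))                            # dst becomes 127.0.0.1:8025
    print(verdict(pkt, RDR, ORIGINAL), verdict(pkt, RDR, MODIFIED))  # block pass
```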
