Differences in PF between FBSD 8.2 & 9.0?

Doug Hardie bc979 at lafn.org
Tue Mar 13 22:52:41 UTC 2012


On 12 March 2012, at 16:43, Doug Sampson wrote:

>>> I'm now getting back to this issue after being diverted to other
>>> projects. Spam has been noticed by our staff and they're not happy. :)
>>> 
>>> Here's what the tcpdump shows:
>>> 
>>> mailfilter-root@~# tcpdump -nei pflog0 port 8025
>>> tcpdump: WARNING: pflog0: no IPv4 address assigned
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
>>> 13:12:14.948935 rule 0..16777216/0(match): block in on fxp0: 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, options [mss 1460,nop,nop,TS val 1845169225 ecr 0,nop,wscale 0,nop,nop,sackOK], length 0
>>> 13:12:18.324854 rule 0..16777216/0(match): block in on fxp0: 75.180.132.120.33308 > 127.0.0.1.8025: Flags [S], seq 4117619766, win 5840, options [mss 1460,nop,nop,TS val 1845169563 ecr 0,nop,wscale 0,nop,nop,sackOK], length 0
>>> ...
>>> 
>>> 
>>> The pflog0 shows that all incoming packets are blocked by rule #0, which is:
>>> 
>>> @0 scrub in all fragment reassemble
>>> @0 block drop in log all
>>> 
>>> 
>>> And
>>> 
>>> mailfilter-root@~# spamdb | g GREY
>>> mailfilter-root@~#
>>> 
>>> No greytrapping is occurring. Is the 'scrub' rule screwing up our packets? Our pf.conf worked fine in version 8.2 prior to the upgrade to 9.0.
>>> 
>>> Also, why am I being warned that there isn't an IPv4 address assigned to pflog0?
>>> 
>>> Pertinent pf.conf section related to spamd:
>>> 
>>> # spamd-setup puts addresses to be redirected into table <spamd>.
>>> table <spamd> persist
>>> table <spamd-white> persist
>>> table <spamd-mywhite> persist file "/usr/local/etc/spamd/spamd-mywhite"
>>> table <spamd-spf> persist file "/usr/local/etc/spamd/spamd-spf.txt"
>>> #no rdr on { lo0, lo1 } from any to any
>>> # redirect to spamd
>>> rdr inet proto tcp from <spamd-mywhite> to $external_addr port smtp -> 127.0.0.1 port smtp
>>> rdr inet proto tcp from <spamd-spf> to $external_addr port smtp -> 127.0.0.1 port smtp
>>> rdr inet proto tcp from <spamd-white> to $external_addr port smtp -> 127.0.0.1 port smtp
>>> rdr inet proto tcp from <spamd> to $external_addr port smtp -> 127.0.0.1 port spamd
>>> rdr inet proto tcp from !<spamd-mywhite> to $external_addr port smtp -> 127.0.0.1 port spamd
>>> 
>>> # block all incoming packets but allow ssh, pass all outgoing tcp and udp
>>> # connections and keep state, logging blocked packets.
>>> block in log all
>>> 
>>> # allow inbound/outbound mail! also to log to pflog
>>> pass in log inet proto tcp from any to $external_addr port smtp flags S/SA synproxy state
>>> pass out log inet proto tcp from $external_addr to any port smtp flags S/SA synproxy state
>>> pass in log inet proto tcp from $internal_net to $int_if port smtp flags S/SA synproxy state
>>> pass in log inet proto tcp from $dmz_net to $int_if port smtp flags S/SA synproxy state
>> 
>> I wouldn't claim to be an expert on pf, but no one else has replied. Here is my understanding - The redirect rules (rdr) change the destination first to 127.0.0.1 port spamd (which appears to be 8025 from the dump). Then pf applies the filter rules (block pass) to the new addresses. The only filter rule which references port 8025 is the first one: block in log all. I believe you need a rule to permit mail in on the 8025 port.
>> 
> 
> I modified the following rules:
> # allow inbound/outbound mail! also to log to pflog
> pass in log inet proto tcp from any to $external_addr port smtp flags S/SA synproxy state
> pass in log inet proto tcp from any to 127.0.0.1 port smtp flags S/SA synproxy state
> pass in log inet proto tcp from any to 127.0.0.1 port spamd flags S/SA synproxy state
> pass out log inet proto tcp from $external_addr to any port smtp flags S/SA synproxy state 
> pass in log inet proto tcp from $internal_net to $int_if port smtp flags S/SA synproxy state
> pass in log inet proto tcp from $dmz_net to $int_if port smtp flags S/SA synproxy state
> 
> I now am seeing packets to port 25 on the external interface being passed to lo0 port 25. Packets destined for port 8025 on the lo0 interface are being passed. So far so good. The trouble is I am not seeing GREYTRAP entries in the spamdb like I used to see previously. Netstat -an reports connections between various smtp servers and our smtp server.
> 
> I am at a loss. Should I rebuild the spamd port considering that our greytrapping mechanism broke down when I upgraded from 8.3 to 9.0?

I am in the process of converting my development machine to 9.0 and ran tests on pf.  Here is the pf.conf file that works with 9.0 for spam:

ext_if="bge0"

# Tables: similar to macros, but more flexible for many addresses.

# spamd-setup puts addresses to be redirected into table <spamd>.
table <spamd> persist
table <spamd-white> persist
table <spamd-white-local> persist file "/etc/mail/whitelist"

rdr pass on $ext_if inet proto tcp from <spamd-white-local> to any port smtp -> 127.0.0.1 port smtp
rdr pass on $ext_if inet proto tcp from <spamd-white> to any port smtp -> 127.0.0.1 port smtp
rdr pass on $ext_if inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd


I am not using any separate pass rules, which means there is no way to log any of this.  You could add some pass rules for logging purposes, though, and remove the pass flags from the rdrs.
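The point the thread turns on is evaluation order in the pf that ships with FreeBSD 8.x/9.0: rdr rules rewrite the destination first, the block/pass rules are then matched against the rewritten packet (last match wins, default pass), and an "rdr pass" rule short-circuits the filter rules entirely. The following is a toy model of that order written for this page; it is not pf code, does not load into pfctl, and all addresses and table contents (the RFC 5737 ranges, the <spamd-white> entries, $external_addr) are constructed for illustration. It shows why the poster's original ruleset blocks everything to 127.0.0.1:8025, why adding pass rules for the translated destination fixes it, and why Doug Hardie's "rdr pass" variant needs no pass rules at all (and so never hits pflog).

```python
"""Toy model of rdr + filter evaluation in the pre-4.7-syntax pf (FreeBSD 8/9).

  1. rdr rules: first match wins and rewrites the destination.
  2. filter rules: matched against the *translated* packet, last match wins,
     implicit default is pass.
  3. 'rdr pass': the translated packet is passed without consulting filters.

Everything here (addresses, table contents, names) is constructed for
illustration; it is not pf code and does not load into pfctl.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

EXTERNAL_ADDR = "203.0.113.10"   # constructed stand-in for $external_addr
SMTP_PORT = 25
SPAMD_PORT = 8025                # "port spamd" resolves to 8025/tcp via /etc/services


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rdr:
    """rdr [pass] inet proto tcp from <table> to $external_addr port smtp -> to_addr port to_port"""
    src_table: Optional[FrozenSet[str]]   # None models "from any"
    negate: bool                          # True models "from !<table>"
    to_addr: str
    to_port: int
    pass_: bool = False                   # the "rdr pass" modifier

    def matches(self, p: Packet) -> bool:
        if p.dst != EXTERNAL_ADDR or p.dport != SMTP_PORT:
            return False
        if self.src_table is None:
            return True
        in_table = any(ip_address(p.src) in ip_network(n) for n in self.src_table)
        return in_table != self.negate


@dataclass(frozen=True)
class Filter:
    """block/pass in ... to dst port dport; a None field means 'any'."""
    action: str
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.dst is None or self.dst == p.dst) and (
            self.dport is None or self.dport == p.dport)


def evaluate(pkt: Packet, rdrs: Tuple[Rdr, ...], filters: Tuple[Filter, ...]):
    """Return (verdict, translated packet, reason) for one inbound packet."""
    # 1. Translation: the first matching rdr rewrites the destination.
    for r in rdrs:
        if r.matches(pkt):
            pkt = replace(pkt, dst=r.to_addr, dport=r.to_port)
            if r.pass_:
                # 'rdr pass': passed without ever reaching the filter rules.
                return "pass", pkt, "rdr pass"
            break
    # 2. Filtering on the translated packet: last matching rule wins.
    verdict, reason = "pass", "default pass (no filter rule matched)"
    for f in filters:
        if f.matches(pkt):
            verdict = f.action
            reason = f"{f.action} to {f.dst or 'any'} port {f.dport or 'any'}"
    return verdict, pkt, reason


SPAMD_WHITE = frozenset({"198.51.100.0/24"})   # constructed <spamd-white> contents

# Ruleset A, the poster's original shape: whitelisted senders to the real MTA,
# everyone else to spamd, but pass rules written only for $external_addr.
RDR_ORIGINAL = (
    Rdr(SPAMD_WHITE, False, "127.0.0.1", SMTP_PORT),
    Rdr(None, False, "127.0.0.1", SPAMD_PORT),
)
FILTER_ORIGINAL = (
    Filter("block"),                            # block in log all
    Filter("pass", EXTERNAL_ADDR, SMTP_PORT),   # pass in ... to $external_addr port smtp
)

# Ruleset B: same rdr rules plus pass rules for the *translated* destinations.
FILTER_FIXED = FILTER_ORIGINAL + (
    Filter("pass", "127.0.0.1", SMTP_PORT),
    Filter("pass", "127.0.0.1", SPAMD_PORT),
)

# Ruleset C: 'rdr pass' on every redirect and no filter rules at all.
RDR_PASS = tuple(replace(r, pass_=True) for r in RDR_ORIGINAL)
FILTER_NONE: Tuple[Filter, ...] = ()


if __name__ == "__main__":
    stranger = Packet("192.0.2.77", EXTERNAL_ADDR, SMTP_PORT)    # constructed, not whitelisted
    trusted = Packet("198.51.100.5", EXTERNAL_ADDR, SMTP_PORT)   # constructed, in <spamd-white>
    for label, rdrs, filters in (("original", RDR_ORIGINAL, FILTER_ORIGINAL),
                                 ("fixed", RDR_ORIGINAL, FILTER_FIXED),
                                 ("rdr pass", RDR_PASS, FILTER_NONE)):
        for p in (stranger, trusted):
            v, t, why = evaluate(p, rdrs, filters)
            print(f"{label:9} {p.src:>13} -> {t.dst}:{t.dport}  {v:5} ({why})")
```

With the original filter section the non-whitelisted sender is rewritten to 127.0.0.1:8025 and then hits only "block in log all", which is exactly the "rule 0 ... block in" line in the poster's pflog capture; the whitelisted sender fares no better, since 127.0.0.1:25 is not $external_addr either. Ruleset B passes both because the added rules name the post-translation address and port; ruleset C passes both without a filter lookup, which is also why "rdr pass" leaves nothing for a "pass ... log" rule to write to pflog0.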



