[Greylist-users] spamd config question

Graham Toal gtoal at gtoal.com
Fri Oct 7 17:17:25 PDT 2005


Hello again folks,
  you may remember much earlier in the year I struggled with and finally
succeeded in implementing spamd in the configuration where the greylist
box has a real IP.  I'm now re-building that server as a transparent
bridge, and things are mostly going well except that I'm unable to
forward connections to spamd when they come in.

After a lot of head-scratching, what I finally discovered was that
the destination address was correctly being rewritten along with
the destination port.  However the rewritten packet is being sent
out the $int_if interface rather than the loopback interface.

Here's my pf.conf.  Can anyone see an obvious problem with it?
Do I need some nat commands as well?

Note the transparent bridge is *not* a firewall.  All other packets in
and out should be allowed through untouched.


thanks

Graham



# pf.conf

ext_if="xl0"
int_if="fxp1"
in_mx="129.113.1.6"

table <spamd> persist file "/etc/spammers.txt"
table <spamd-white> persist
table <whitelist> persist file "/etc/whitelist.txt"

scrub in

# allow whitelisted sites to pass straight through (WORKS, DON'T TWEAK!)
rdr on $ext_if proto tcp from <whitelist> to port smtp -> $in_mx port smtp

# specifically redirect sites in spamd list to tarpit
rdr on $ext_if proto tcp from <spamd> to port smtp -> 127.0.0.1 port spamd
# - it is the redirection to 127.0.0.1 which is broken.  If we
# redirect -> $in_mx port smtp, that works OK.


# finally, anyone *not* in spamd-white also goes to tarpit.  (I'm a little
# surprised that the defaults are handled this way around.)

# (interesting to note that telnet localhost 25 works OK via this rule
# - definitely makes me suspect a NAT problem...)

# AHA!  Using tcpdump, it seems that the incoming call *is* converted to
# a request for port 'spamd' on server 'localhost', *HOWEVER* it is
# sending that request through $int_if rather than lo0!

# rdr - should this be rdr pass ?
rdr on $ext_if inet proto tcp from !<spamd-white> to any port smtp \
	-> 127.0.0.1 port spamd


# default rules should pass anyone else (i.e. people in spamd-white)
# through to the real server...  just to be safe, we'll make it explicit...
# This rule does work correctly when the caller is in the white list. (TESTED)
rdr on $ext_if inet proto tcp from any to any port smtp -> $in_mx

# all packets go through both interfaces, so we want to ignore one
# interface completely and do all our filtering on the other.  It's
# fairly arbitrary which interface you filter on but for the sake of
# clarity, we will always filter on the external interface and allow
# everything on the internal interface to pass untouched:
pass in quick on $int_if all
pass out quick on $int_if all


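As an added illustration (not part of Graham's post, and not pf itself), here is a small Python model of how pf evaluates a list of rdr rules: the first rule whose source matches decides the translation, which is why the "default" rule at the bottom of the config above only ever sees callers that are in <spamd-white>, and why a host listed in <spamd> is tarpitted even if spamd has also whitelisted it. The table contents are constructed for the example, and the tarpit port 8025 is the /etc/services entry for spamd.

```python
"""Model pf's first-match evaluation of the rdr rules in the pf.conf above.

Example code, not part of the original post.  Table contents are constructed.
"""
import ipaddress

IN_MX = "129.113.1.6"        # $in_mx from the pf.conf
TARPIT = "127.0.0.1"
SMTP_PORT = 25
SPAMD_PORT = 8025             # 'spamd' in /etc/services

# Constructed stand-ins for /etc/whitelist.txt, /etc/spammers.txt and the
# <spamd-white> table that spamd fills in as senders pass greylisting.
TABLES = {
    "whitelist": ["192.0.2.0/24"],
    "spamd": ["198.51.100.7", "203.0.113.0/24"],
    "spamd-white": ["203.0.113.9", "198.51.100.50"],
}


def in_table(name, addr):
    """True if addr falls inside any entry (host or CIDR) of the named table."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net, strict=False)
               for net in TABLES[name])


# The four rdr rules, in pf.conf order: (label, source predicate, target).
# Only traffic to port smtp is considered, as in the rules.
RDR_RULES = [
    ("rdr from <whitelist>",    lambda a: in_table("whitelist", a),        (IN_MX, SMTP_PORT)),
    ("rdr from <spamd>",        lambda a: in_table("spamd", a),            (TARPIT, SPAMD_PORT)),
    ("rdr from !<spamd-white>", lambda a: not in_table("spamd-white", a),  (TARPIT, SPAMD_PORT)),
    ("rdr from any (default)",  lambda a: True,                            (IN_MX, SMTP_PORT)),
]


def redirect(src, dport=SMTP_PORT):
    """Return (matching rule label, (dst_ip, dst_port)) for a TCP SYN from src.

    Non-SMTP traffic matches no rdr rule and passes through untranslated,
    which is reported as (None, None).
    """
    if dport != SMTP_PORT:
        return None, None
    for label, matches, target in RDR_RULES:
        if matches(src):          # first match wins; later rules are never consulted
            return label, target
    return None, None


def reaches_default_rule(addrs):
    """Which of the given sources fall through to the last rdr rule."""
    return [a for a in addrs if redirect(a)[0] == "rdr from any (default)"]


if __name__ == "__main__":
    for src in ["192.0.2.5", "198.51.100.7", "203.0.113.9",
                "198.51.100.50", "198.51.100.200"]:
        print(src, "->", redirect(src))
```

Running it shows that 203.0.113.9 goes to the tarpit even though it is in <spamd-white>, because the <spamd> rule is evaluated first; only 198.51.100.50, which is whitelisted by spamd and not in <spamd>, reaches the final "any -> $in_mx" rule.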