[Greylist-users] spamd config question
gtoal at gtoal.com
Fri Oct 7 17:17:25 PDT 2005
Hello again folks,
you may remember much earlier in the year I struggled with and finally
succeeded in implementing spamd in the configuration where the greylist
box has a real IP. I'm now re-building that server as a transparent
bridge, and things are mostly going well except that I'm unable to
forward connections to spamd when they come in.
After a lot of head-scratching, what I finally discovered was that
the destination address was correctly being rewritten along with
the destination port. However the rewritten packet is being sent
out the $int_if interface rather than the loopback interface.
Here's my pf.conf. Can anyone see an obvious problem with it?
Do I need some nat commands as well?
Note the transparent bridge is *not* a firewall. All other packets in
and out should be allowed through untouched.
table <spamd> persist file "/etc/spammers.txt"
table <spamd-white> persist
table <whitelist> persist file "/etc/whitelist.txt"
# allow whitelisted sites to pass straight through (WORKS, DON'T TWEAK!)
rdr on $ext_if proto tcp from <whitelist> to port smtp -> $in_mx port smtp
# specifically redirect sites in spamd list to tarpit
rdr on $ext_if proto tcp from <spamd> to port smtp -> 127.0.0.1 port spamd
# - it is the redirection to 127.0.0.1 which is broken. If we
# redirect -> $in_mx port smtp, that works OK.
# finally, anyone *not* in spamd-white also goes to tarpit. (I'm a little
# surprised that the defaults are handled this way around.)
# (interesting to note that telnet localhost 25 works OK via this rule
# - definitely makes me suspect a NAT problem...)
# AHA! Using tcpdump, it seems that the incoming call *is* converted to
# a request for port 'spamd' on server 'localhost', *HOWEVER* it is
# sending that request through $int_if rather than lo0!
# rdr - should this be rdr pass ?
rdr on $ext_if inet proto tcp from !<spamd-white> to any port smtp \
-> 127.0.0.1 port spamd
# default rules should pass anyone else (i.e. people in spamd-white)
# through to the real server... just to be safe, we'll make it explicit...
# This rule does work correctly when the caller is in the white list. (TESTED)
rdr on $ext_if inet proto tcp from any to any port smtp -> $in_mx
# all packets go through both interfaces, so we want to ignore one
# interface completely and do all our filtering on the other. It's
# fairly arbitrary which interface you filter on but for the sake of
# clarity, we will always filter on the external interface and allow
# everything on the internal interface to pass untouched:
pass in quick on $int_if all
pass out quick on $int_if all
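To make the ordering of the four rdr rules above concrete (pf applies the first matching translation rule, so the whitelist rule has to come before the "not in spamd-white" catch-all), here is an added Python simulation. It is not code from the original post, from pf or from spamd. The table contents, the value of $in_mx and the spamd port (8025, the /etc/services entry) are assumptions made for the example; pf itself does the real lookup.

```python
"""Simulate pf's first-match evaluation of the rdr rules in the pf.conf above.

Added example, not part of the original post. Table contents, the $in_mx
address and the spamd port are constructed/assumed for illustration.
"""
import ipaddress

# Constructed table contents. In the real setup <spamd> and <whitelist> are
# loaded from /etc/spammers.txt and /etc/whitelist.txt and <spamd-white> is
# filled in at runtime by spamd as hosts pass greylisting.
TABLES = {
    "whitelist": ["192.0.2.0/24"],                 # trusted relays
    "spamd": ["198.51.100.7", "203.0.113.0/24"],   # known spammers
    "spamd-white": ["198.51.100.20"],              # passed greylisting
}

# Assumed placeholder for the $in_mx macro, which the post does not define.
IN_MX = "10.0.0.25"
SPAMD_PORT = 8025   # 'spamd' in /etc/services (assumed)

# The four rdr rules in pf.conf order: (table, negated, (host, port)).
# table=None stands for "from any".
RDR_RULES = [
    ("whitelist", False, (IN_MX, 25)),             # rdr ... from <whitelist>
    ("spamd", False, ("127.0.0.1", SPAMD_PORT)),   # rdr ... from <spamd>
    ("spamd-white", True, ("127.0.0.1", SPAMD_PORT)),  # from !<spamd-white>
    (None, False, (IN_MX, 25)),                    # rdr ... from any
]

# Same rules with the catch-all tarpit rule moved to the front, to show
# what first-match evaluation does to the whitelist in that case.
MISORDERED = [RDR_RULES[2], RDR_RULES[0], RDR_RULES[1], RDR_RULES[3]]


def in_table(name, addr):
    """True if addr falls inside any entry (host or CIDR) of the named table."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(entry, strict=False)
               for entry in TABLES[name])


def rdr_target(src, rules=RDR_RULES):
    """Return (rule_index, (host, port)) of the first rdr rule matching src.

    Translation rules in classic pf are first-match: evaluation stops at
    the first rule whose 'from' clause matches, unlike filter rules.
    """
    for idx, (table, negated, target) in enumerate(rules):
        if table is None:
            return idx, target
        hit = in_table(table, src)
        # A negated clause (!<table>) matches exactly when the lookup misses.
        if hit != negated:
            return idx, target
    raise LookupError("no rdr rule matched %s" % src)


def classify(src, rules=RDR_RULES):
    """'tarpit' if the connection is redirected to spamd, else 'mx'."""
    _, (host, _) = rdr_target(src, rules)
    return "tarpit" if host == "127.0.0.1" else "mx"


if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.7", "198.51.100.20", "8.8.8.8"):
        idx, target = rdr_target(src)
        print("%-14s rule %d -> %s:%d (%s)" % (src, idx, target[0], target[1],
                                              classify(src)))
    # With the catch-all first, a whitelisted relay that has never passed
    # greylisting is tarpitted instead of reaching the MX.
    print("misordered: 192.0.2.10 ->", classify("192.0.2.10", MISORDERED))
```

On the live box the same question is answered by `pfctl -s nat`, which prints the loaded translation rules in evaluation order, and `pfctl -t spamd-white -T show`, which lists what spamd has whitelisted so far.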