spamd-mywhite
Olli Hauer
ohauer at gmx.de
Tue Sep 11 13:01:45 PDT 2007
On Mon, 2007-09-10 at 13:07 -0700, Doug Sampson wrote:
> > Hi all,
> >
> > I've been running pf+obspamd on FBSD 6.2-RELEASE.
> >
> > I appear to be blocking some addresses that appear in my
> > spamd-mywhite file
> > and I don't understand why that would be the case here. I'm
> > guessing I've
> > screwed up my pf.conf file.
> >
> > Here's my config file:
> >
> > # pfctl -vvnf /etc/pf.conf
> > ext_if = "rl0"
> > int_if = "xl0"
> > internal_net = "192.168.1.1/24"
> > external_addr = "216.70.250.4"
> > vpn_net = "10.8.0.0/24"
> > NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
> > webserver1 = "192.168.1.4"
> > set skip on { lo0 }
> > set skip on { gif0 }
> > @0 scrub in all fragment reassemble
> > @1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
> > @2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
> > @3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http ->
> > 192.168.1.4 port 80
> > table <spamd> persist
> > table <spamd-white> persist
I will try to comment the changes to get your setup working.
(I removed the trailing >> for the corrected rules)
# -- OK, your own whitelist to pass spamd
table <spamd-mywhite> persist file "/usr/local/etc/spamd/spamd-mywhite"
# -- silly, don't do this!
# -- !! This file is not a table, it is not even meant for use in a pf ruleset !!
# remove this! table <spamd-alloweddomains> persist \
# remove this! file "/usr/local/etc/spamd/spamd.alloweddomains"
From spamd(8):
The file /usr/local/etc/spamd/spamd.alloweddomains can be used to
specify a list of domainname suffixes, one per line, one of which must
match each destination email address in the greylist.
Any destination address which does not match one of the suffixes listed
in spamd.alloweddomains will be trapped, exactly as if it were sent to a
spamtrap address.
(The following is only a FreeBSD thing; do not use # or whitespace in OpenBSD!)
Comment lines beginning with # are ignored.
Maybe this example makes spamd.alloweddomains easier to understand:
# all mail to @example.org is good
@example.org
# all mail to example.com, even foo.bar@sub.example.com, is OK
example.com
# mail to these RFC addresses only is OK, all others will be blacklisted
abuse@example.net
postmaster@example.net
hostmaster@example.net
OK, back to the ruleset.
# -- write tables as <name> in pf.conf; the <name:0> form is only how
# -- pfctl -vv displays a table together with its entry count
# -- Let all smtp traffic from the <spamd-mywhite> table pass before
# -- any other rules since we trust them (if you like to log this
# -- traffic with spamlogd remove the pass keyword)
rdr pass inet proto tcp from <spamd-mywhite> to 216.70.250.4 \
port = smtp -> 127.0.0.1 port 25
# -- remove also the *pass* keyword if you use spamlogd so the entry
# -- can be refreshed with every mail during passtime
rdr pass inet proto tcp from <spamd-white> to 216.70.250.4 \
port = smtp -> 127.0.0.1 port 25
# -- OK, this rule *with pass*
rdr pass inet proto tcp from <spamd> to 216.70.250.4 \
port = smtp -> 127.0.0.1 port 8025
# -- change this table from <spamd-mywhite> to <spamd-white>,
# -- since <spamd-mywhite> was already handled two rules above
rdr pass inet proto tcp from ! <spamd-white> to 216.70.250.4 \
port = smtp -> 127.0.0.1 port 8025
# -- Now traffic from the tables <spamd-mywhite> and <spamd-white>
# -- flows in with logging (good with spamlogd). Filter rules see the
# -- packet *after* rdr, so match the translated destination
# -- 127.0.0.1 port 25, not 216.70.250.4; "quick" lets this rule win
# -- over the later "block drop in log all" (last match wins otherwise)
pass in log quick inet proto tcp from any to 127.0.0.1 \
port = smtp flags S/SA synproxy state
> > @8 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
> > @9 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
> > @10 block drop in log all
> > @11 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
> > @12 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
> > @13 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
> > @14 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
> > @15 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
> > @16 block drop out log quick on rl0 inet from any to 127.0.0.0/8
> > @17 block drop out log quick on rl0 inet from any to 192.168.0.0/16
> > @18 block drop out log quick on rl0 inet from any to 172.16.0.0/12
> > @19 block drop out log quick on rl0 inet from any to 10.0.0.0/8
> > @20 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
> > @21 block drop in log quick inet from 192.168.1.25 to any
> > @22 pass in on xl0 inet from 192.168.1.0/24 to any
> > @23 pass out log on xl0 inet from any to 192.168.1.0/24
> > @24 pass out log quick on xl0 inet from any to 10.8.0.0/24
> > @25 pass out on rl0 proto tcp all flags S/SA modulate state
> > @26 pass out on rl0 proto udp all keep state
> > @27 pass out on rl0 proto icmp all keep state
> > @28 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
> > @29 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
> >
> > /var/log/pflog0 shows the following:
> >
> > 141748 rule 3/0(match): block in on rl0: 205.188.159.7.50805 >
> > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768 <mss 1460,wscale
> > 0,nop>
> > 2. 049208 rule 3/0(match): block in on rl0: 205.188.159.7.50805 >
> > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768 <mss 1460,wscale
> > 0,nop>
> > 3. 068169 rule 3/0(match): block in on rl0: 205.188.159.7.50805 >
> > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768 <mss 1460,wscale
> > 0,nop>
> > 5. 594277 rule 3/0(match): block in on rl0: 205.188.139.137.61419 >
> > 216.70.250.4.25: S 2510359871:2510359871(0) win 24820
> > <nop,nop,sackOK,mss
> > 1460>
> > 525916 rule 3/0(match): block in on rl0: 205.188.159.7.50805 >
> > 216.70.250.4.25: S 1250664467:1250664467(0) win 32768 <mss 1460,wscale
> > 0,nop>
If my count matches pfctl -sr, then this was the dropping rule
(count only the filter rules listed by pfctl -sr, not the 'rdr pass' rules)
> > @10 block drop in log all
> > # pfctl -t spamd-mywhite -T show | grep 205.188.
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > 205.188.139.0/24
> > 205.188.144.0/24
> > 205.188.156.0/23
> > 205.188.157.0/24
> > 205.188.159.0/24
This list is fine; with the changed rules it will work.
> > Thus 205.188.159.7 shouldn't be blocked.
It was possible to block this IP with the old ruleset
> > # spamdb | grep 205\.188\.
> > WHITE|205.188.249.132|||1187218293|1187220082|1190330485|13|0
> > WHITE|205.188.249.67|||1187823652|1187824708|1190935126|12|0
> > WHITE|66.179.205.188|||1186759482|1186761981|1189872409|9|0
> > #
> >
> > spamdb doesn't show any entries for 205.188.159.7.
Since the traffic was blocked beforehand, spamd can't see it.
If my count matches pfctl -sr, then this was the dropping rule
(count only the filter rules listed by pfctl -sr, not the 'rdr pass' rules)
@10 block drop in log all
> > These entries are for AOL mail. I've received complaints from
> > AOL users of
> > mail bouncing back to them.
> >
> > What am I doing wrong? Are CIDR records accepted by
> > pf+obspamd?
CIDR is OK and supported with pf.
(Address ranges like spamd-setup produces were just committed by Daniel Hartmeier
to OpenBSD 4.2 two weeks ago, and I don't know whether they will find their way
into FreeBSD 7.0)
> > I can't trace the block back to the proper rules, i.e. rule 3/0 as
> > shown in pflog0 matches up with which rule in pf.conf?
@10 block drop in log all
> I'm resending this as I have not received any replies. Can someone help me
> out here?
> Oh, and I'm running obspamd 4.1.1.
>
> ~Doug
olli
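The spamd.alloweddomains behaviour described in the reply above, as an added example that is not part of the thread and not spamd's own code: a reader for the file that applies the suffix rule spamd(8) documents and marks every recipient that matches no suffix as trapped. The file format and the suffix rule come from the man page quoted above; the case-insensitive comparison, the `freebsd` flag modelling the "# and whitespace only work on FreeBSD" note, and the sample file are this example's own assumptions.

```python
"""Added example (not spamd's own code): a reader for spamd.alloweddomains
that applies the rule spamd(8) documents -- every recipient address must end
in one of the listed suffixes, or the delivery is trapped like a spamtrap hit.
Only the file format and the suffix rule come from the man page; the
case-insensitive comparison and the FreeBSD/OpenBSD line handling below are
this example's reading of the notes in the thread."""

# Constructed sample file, in the shape of the list given in the reply above.
SAMPLE_ALLOWEDDOMAINS = """\
# all mail to @example.org is good
@example.org
# all mail to example.com, even foo.bar@sub.example.com, is OK
example.com
# mail to these RFC 2142 addresses only is OK, all others are trapped
abuse@example.net
postmaster@example.net
hostmaster@example.net
"""


def load_allowed_suffixes(text, freebsd=True):
    """Return the suffix list.

    freebsd=True  : FreeBSD semantics per its man page -- '#' comment lines
                    are ignored; surrounding whitespace is dropped as well.
    freebsd=False : OpenBSD semantics as the thread describes them -- no
                    comment or whitespace handling, every line is taken
                    verbatim.  A '# ...' line then becomes a suffix that no
                    address can end with (harmless), but trailing whitespace
                    on a real entry turns it into a suffix that never
                    matches, and mail to that domain gets trapped.
    Blank lines are skipped in both modes: under a plain suffix match an
    empty suffix would match every address, i.e. allow everything.
    """
    suffixes = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if freebsd:
            line = raw.strip()
            if line.startswith("#"):
                continue
        else:
            line = raw
        suffixes.append(line)
    return suffixes


def recipient_allowed(rcpt, suffixes):
    """Plain, case-insensitive suffix match, as spamd(8) describes the file.

    Consequences worth knowing:
      * a bare 'example.com' also matches 'user@notexample.com'; list
        '@example.com' (the domain itself) plus '.example.com' (its
        subdomains) when that is not wanted;
      * 'abuse@example.net' also matches 'notabuse@example.net' -- there is
        no way to anchor at the start of the local part.
    """
    r = rcpt.lower()
    return any(r.endswith(s.lower()) for s in suffixes)


def classify(rcpts, suffixes):
    """Map each recipient to 'allowed' or 'trapped'."""
    return {r: ("allowed" if recipient_allowed(r, suffixes) else "trapped")
            for r in rcpts}


if __name__ == "__main__":
    suffixes = load_allowed_suffixes(SAMPLE_ALLOWEDDOMAINS)
    verdicts = classify(["alice@example.org", "foo.bar@sub.example.com",
                         "eve@notexample.com", "abuse@example.net",
                         "sales@example.net"], suffixes)
    for rcpt, verdict in verdicts.items():
        print(f"{rcpt:28} {verdict}")
    # Read with OpenBSD line handling the same file still works, because the
    # comment lines become suffixes that nothing ends with ...
    print(len(load_allowed_suffixes(SAMPLE_ALLOWEDDOMAINS, freebsd=False)))
    # ... but a single trailing space on a real entry traps that whole domain.
    broken = SAMPLE_ALLOWEDDOMAINS.replace("\nexample.com\n", "\nexample.com \n")
    print(classify(["bob@example.com"],
                   load_allowed_suffixes(broken, freebsd=False)))
```

The `eve@notexample.com` line is the check to run against a real file: any entry without a leading `@` or `.` is a bare suffix and admits every domain that happens to end in it.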
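The rdr ordering and table matching that the corrected ruleset above relies on, as an added example that is not part of the thread and not pf or spamd code: a small Python model of how pf of that era evaluates the four spamd rdr rules and the filter rule behind them. The table contents and addresses are the ones posted in the thread; the `<spamd>` entry, the rule and filter classes, and the function names are constructed for this example.

```python
"""Added example, not pf or spamd code: a model of how pf (FreeBSD 6.x /
OpenBSD 4.1 era) treats the four spamd rdr rules from the corrected ruleset.
It shows three things the thread turns on:
  1. a table lookup matches any entry that covers the address, so
     205.188.159.7 is in <spamd-mywhite> via its 205.188.159.0/24 entry;
  2. translation (rdr) rules are first-match, so their order decides whether
     a sender reaches the real MTA on :25 or spamd on :8025;
  3. 'rdr pass' bypasses the filter rules entirely, while an rdr without
     'pass' hands the *translated* packet (dst 127.0.0.1:25) to the filter,
     where the last matching rule wins unless one says 'quick'.
Table contents and addresses are the ones posted in the thread, except the
<spamd> entry, which is constructed."""

import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

EXTERNAL_ADDR = "216.70.250.4"

TABLES = {
    "spamd-mywhite": ["205.188.139.0/24", "205.188.144.0/24",
                      "205.188.156.0/23", "205.188.157.0/24",
                      "205.188.159.0/24"],
    "spamd-white": ["205.188.249.132", "205.188.249.67", "66.179.205.188"],
    "spamd": ["198.51.100.0/24"],        # constructed: a blacklisted netblock
}


def in_table(table, ip):
    """pf table semantics: the address is in the table if any entry covers it
    (a bare host entry is a /32)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in TABLES[table])


@dataclass(frozen=True)
class Rdr:
    table: str        # source table of 'from <table>' / 'from ! <table>'
    negate: bool      # True for 'from ! <table>'
    to_port: int      # redirect target on 127.0.0.1
    pas: bool         # 'rdr pass': translated packet skips the filter rules


# The corrected rdr block from the reply, in ruleset order.
RDR_RULES = [
    Rdr("spamd-mywhite", False, 25, True),
    Rdr("spamd-white", False, 25, True),
    Rdr("spamd", False, 8025, True),
    Rdr("spamd-white", True, 8025, True),
]

# The spamlogd variant the reply describes: whitelist rdrs without 'pass'.
SPAMLOGD_RDR_RULES = [replace(RDR_RULES[0], pas=False),
                      replace(RDR_RULES[1], pas=False)] + RDR_RULES[2:]


def translate(src, rules=RDR_RULES, dport=25):
    """First matching rdr wins.  Returns (rule index or None, dst ip,
    dst port, whether the packet goes on to the filter rules)."""
    for i, r in enumerate(rules):
        if in_table(r.table, src) != r.negate:      # XOR with the '!'
            return i, "127.0.0.1", r.to_port, not r.pas
    return None, EXTERNAL_ADDR, dport, True


@dataclass(frozen=True)
class Filt:
    action: str                  # 'pass' or 'block'
    dst: Optional[str] = None    # None = any
    dport: Optional[int] = None  # None = any
    quick: bool = False


def filter_verdict(rules, dst_ip, dport):
    """pf filter semantics: the last matching rule wins, unless a matching
    rule carries 'quick', which ends evaluation on the spot."""
    verdict = "pass"             # pf's default when nothing matches
    for f in rules:
        if f.dst in (None, dst_ip) and f.dport in (None, dport):
            verdict = f.action
            if f.quick:
                break
    return verdict


def inbound_smtp(src, rdr_rules=RDR_RULES, filter_rules=()):
    """Path of one inbound SYN from src to EXTERNAL_ADDR:25.
    Returns (rdr rule index, 'ip:port' after translation, verdict)."""
    idx, dst_ip, dport, to_filter = translate(src, rdr_rules)
    if not to_filter:
        return idx, f"{dst_ip}:{dport}", "pass (rdr pass, filter skipped)"
    return idx, f"{dst_ip}:{dport}", filter_verdict(filter_rules, dst_ip, dport)


# Filter rules in ruleset order: the smtp pass rule sits before
# 'block drop in log all', as it does in the ruleset above.
WRONG_DST = [Filt("pass", EXTERNAL_ADDR, 25, quick=True), Filt("block")]
RIGHT_DST = [Filt("pass", "127.0.0.1", 25, quick=True), Filt("block")]
NO_QUICK = [Filt("pass", "127.0.0.1", 25), Filt("block")]

if __name__ == "__main__":
    for src in ["205.188.159.7", "205.188.249.67", "198.51.100.9", "203.0.113.5"]:
        print(src, "->", inbound_smtp(src))
    for name, rules in [("wrong dst", WRONG_DST), ("right dst", RIGHT_DST),
                        ("no quick", NO_QUICK)]:
        print("spamlogd setup,", name, "->",
              inbound_smtp("205.188.159.7", SPAMLOGD_RDR_RULES, rules))
```

The three spamlogd cases are the ones to compare: once `pass` is dropped from the whitelist rdrs, a filter rule written against 216.70.250.4 never sees a match, and one without `quick` is overridden by the later `block drop in log all`.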