On 4/27/07, snowcrash <[EMAIL PROTECTED]> wrote:
>   rdr pass on $ext_if proto tcp from { <spamd>, !<ip-black> } \
>       to ($ext_if) port 25 -> 127.0.0.1 port 8025
>   rdr pass on $ext_if proto tcp from { !<spamd-white>, !<ip-black> } \
>       to ($ext_if) port 25 -> 127.0.0.1 port 8025
>
> so, iiuc, anything in <ip-black> should NEVER be redirected to spamd, AND
> would be blocked anyway by the subsequent default filter ...
Look at what the rules are being evaluated as with pfctl -vvnf :

  @0 rdr pass on em2 inet proto tcp from <spamd:0> to x.x.x.x port = smtp -> 127.0.0.1 port 8025
  @1 rdr pass on em2 inet proto tcp from ! <ip-black:0> to x.x.x.x port = smtp -> 127.0.0.1 port 8025
  @2 rdr pass on em2 inet proto tcp from ! <spamd-white:0> to x.x.x.x port = smtp -> 127.0.0.1 port 8025
  @3 rdr pass on em2 inet proto tcp from ! <ip-black:0> to x.x.x.x port = smtp -> 127.0.0.1 port 8025
> but, in my spamd log I'm seeing,
>
>   Apr 27 10:40:47 router spamd[984]: (GREY) 86.105.76.208: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
>   Apr 27 10:40:47 router spamd[984]: 86.105.76.208: disconnected after 1 seconds.
>
> checking,
>
>   % pfctl -t ip-black -T show | grep 86.104.0.0/14
>   86.104.0.0/14
>
> where,
>
>   % whatmask 86.104.0.0/14 | grep "t Usable"
>   First Usable IP Address = .....: 86.104.0.1
>   Last Usable IP Address = ......: 86.107.255.254
>
> so, why is the addr in question, 86.105.76.208, even getting to spamd?
Because that block probably isn't in the spamd-white table, hence will be
redirected and passed by rule @2 in the verbose output above. Multiple tables
in rules are tricky because they are not treated as "sets" that can be
arbitrarily compared (i.e., IPs in table A that are not in table B).

--
Jon
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
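Added example, not code from the thread or from pf: a small Python model of the brace-list expansion and first-match evaluation discussed above, with constructed table contents (only the 86.104.0.0/14 entry comes from the thread). It rebuilds the four rules pfctl printed, shows 86.105.76.208 winning at @2, and also shows a whitelisted host falling through to @1 for the same reason; the leading `no rdr` rule in FIXED is an assumed fix, not one the thread gives.

```python
import ipaddress

# Constructed tables modelled on the thread: 86.105.76.208 lies inside the
# 86.104.0.0/14 block listed in <ip-black> and in neither of the other tables.
TABLES = {
    "spamd": ["10.0.0.0/8"],          # constructed sample of trapped hosts
    "spamd-white": ["192.0.2.0/24"],  # constructed sample whitelist
    "ip-black": ["86.104.0.0/14"],    # block quoted in the thread
}

def in_table(name, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in TABLES[name])

def expand(action, src_list):
    """pf rewrites 'from { a, b }' into one rule per element. A negated
    element therefore becomes its own rule ('from !b'), never 'in a but
    not in b'. Returns (action, negated, table) triples."""
    out = []
    for elem in src_list:
        negated = elem.startswith("!")
        out.append((action, negated, elem.lstrip("!").strip("<>")))
    return out

def first_match(rules, addr):
    """Translation rules (rdr / no rdr) are evaluated first-match. Returns
    the index of the winning rule, or None if nothing matched."""
    for idx, (_action, negated, table) in enumerate(rules):
        if in_table(table, addr) != negated:
            return idx
    return None

def redirected(rules, addr):
    """True if the address would be sent on to spamd under this ruleset."""
    idx = first_match(rules, addr)
    return idx is not None and rules[idx][0] == "rdr"

# The two rdr lines from the thread, expanded as pfctl -vvnf listed them (@0..@3).
ORIGINAL = (expand("rdr", ["<spamd>", "!<ip-black>"])
            + expand("rdr", ["!<spamd-white>", "!<ip-black>"]))

# Assumed fix, not from the thread: an explicit 'no rdr' for <ip-black> placed
# first, so it wins before any of the expanded rdr rules can match.
FIXED = expand("no rdr", ["<ip-black>"]) + ORIGINAL

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "@%s" % first_match(rules, "86.105.76.208"),
              "redirected" if redirected(rules, "86.105.76.208") else "not redirected")
```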