On 23 January 2010, at 04:18, Erik Norgaard wrote:
> Doug Hardie wrote:
>
>> This is quite interesting. I can't figure out the rules on my system.
>
> Maybe try to simplify, clean up and structure your rules :)
>
>> Here is the pf.conf file with all comments removed:
>> table <blackhole> persist file "/etc/blackhole"
>> table <spamd> persist
>> table <spamd-white> persist
>> table <spamd-white-local> persist file "/etc/mail/whitelist"
>> MAILHOSTS = "{zool.lafn.org}"
>> no rdr on { lo0, lo1 } from any to any
>> no rdr inet proto tcp from <spamd-white-local> to any port smtp
>> no rdr inet proto tcp from <spamd-white> to any port smtp
>> rdr pass log inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
>> pass in log inet proto tcp to $MAILHOSTS port smtp keep state
>> pass in log on sis0 reply-to (sis0 192.168.25.1) proto tcp from any to any port 75 keep state
>> block in quick log on $ext_if from <blackhole> to any
>
> 1. pf allows short cuts, but these also make it more difficult to debug. I'd
> separate NAT from filtering,
Ok. I guess you want some white space between them? Here it is with the white
space and comments:
ext_if="dc0"
table <blackhole> persist file "/etc/blackhole"
table <spamd> persist
table <spamd-white> persist
table <spamd-white-local> persist file "/etc/mail/whitelist"
MAILHOSTS = "{zool.lafn.org}"
# NAT/RDR Rules
no rdr on { lo0, lo1 } from any to any
no rdr inet proto tcp from <spamd-white-local> to any port smtp
no rdr inet proto tcp from <spamd-white> to any port smtp
rdr pass log inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
# Filter Rules
pass in log inet proto tcp to $MAILHOSTS port smtp keep state
pass in log on sis0 reply-to (sis0 192.168.25.1) proto tcp from any to any port 75 keep state
block in quick log on $ext_if from <blackhole> to any
Other than the comments I don't see the difference.
> that is never use "rdr pass" even though pf allows it. You also need to
> understand when rdr takes place to write your filtering rules.
That would be really helpful if that information were available somewhere it
could be found. I have not been able to find that anywhere.
>
> 2. you can deploy one of two policies: Default block with a whitelist or
> default pass with a black list. Mixing these is a bad idea.
>
> 3. $ext_if = dc0?
I added that back in above. Somehow it got deleted with the comments.
> 4. rdr needs an interface, I'm surprised that pf will parse the above, and
> have no idea what it does with it. pfctl -sn should show you the nat rules.
zool# pfctl -sn
No ALTQ support in kernel
ALTQ related functions disabled
no rdr on lo0 all
no rdr on lo1 all
no rdr inet proto tcp from <spamd-white-local> to any port = smtp
no rdr inet proto tcp from <spamd-white> to any port = smtp
rdr pass log inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025
It seems to understand it just fine and it works properly. See man spamd:
The following pf.conf(5) example is suggested:
table <spamd-white> persist
rdr pass inet proto tcp from !<spamd-white> to any \
port smtp -> 127.0.0.1 port spamd
> 5. Organize your rules as sketched in the last mail, grouping rules for each
> interface; it really helps in locating where things go wrong.
Other than the whitespace and comments they are.
>
> I have log statements and catch all rules to ensure that if these are
> triggered there is something in my ruleset I haven't taken into account. I
> avoid using "any" except in default rules.
>
>> Note: the blackhole file is empty as is the whitelist file. There is an
>> entry for 216.54.240.150 in spamd database. This is a test system.
>> Here is the output of tcpdump where I have only taken one entry for each
>> rule. I have listed the rule number at the front of each line:
>> Rule 0: 14:01:27.133320 rule 0/0(match): pass in on dc0:
>> 216.54.240.150.55782 > 206.117.18.7.25: S 2501333595:2501333595(0) win 65535
>> <mss 1460,nop,nop,sackOK>
>> Rule 1: 02:26:44.755650 rule 1/0(match): pass in on sis0:
>> 71.109.144.133.40864 > 192.168.25.7.75: S 3941268770:3941268770(0) win 65535
>> <mss 1460,nop,wscale 3,nop,nop,timestamp[|tcp]>
>> Rule 2: 10:44:45.037918 rule 2/0(match): block in on dc0:
>> 71.109.162.173.39529 > 206.117.18.7.75: . ack 145 win 65535
>> <nop,nop,timestamp 705571170 1951648775>
>> Rule 4: 13:51:16.022700 rule 4/0(match): rdr in on dc0:
>> 216.54.240.150.49821 > 127.0.0.1.8025: S 2371633783:2371633783(0) win 65535
>> <mss 1460,nop,nop,sackOK>
>>
>> I found no entries for rule 3. There is virtually no traffic on this system
>> other than from me.
>> As I look at pf.conf and tie the rules to the entries I get (rule number at
>> beginning of line):
>> no rdr on { lo0, lo1 } from any to any
>> no rdr inet proto tcp from <spamd-white-local> to any port smtp
>> 0 - no rdr inet proto tcp from <spamd-white> to any port smtp
>> 4 - rdr pass log inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
>> pass in log inet proto tcp to $MAILHOSTS port smtp keep state
>> 1 - pass in log on sis0 reply-to (sis0 192.168.25.1) proto tcp from any to any port 75 keep state
>> block in quick log on $ext_if from <blackhole> to any
>> I have no clue which one is rule 2. The only block is the last entry but
>> that should never be used because the blackhole file is empty. pfctl shows
>> the table is empty also.
>> The ordering seems to make no sense either. I also note that the man page
>> for pf.conf indicates in the BNF grammar for pf.conf that log is a valid
>> entry for no rdr. However, that always generates a syntax error.
>> Apparently there is no way to log the use of no rdr rules.
>
> see, things seem to have been swapped around somehow: that rule 4 rdr is
> really rule 0 again, only now it matches for the rdr action, whereas in rule 0
> it matches the pass action. Or so it appears.
>
> anyway, to interpret the output of pflog, you need the output from pfctl -sr
> and pfctl -sn rather than your config file.
zool# pfctl -sr
No ALTQ support in kernel
ALTQ related functions disabled
pass in log inet proto tcp from any to 206.117.18.7 port = smtp flags S/SA keep state
pass in log on sis0 reply-to (sis0 192.168.25.1) inet proto tcp from any to any port = 75 flags S/SA keep state
block drop in log quick on dc0 from <blackhole> to any
zool# pfctl -sn
No ALTQ support in kernel
ALTQ related functions disabled
no rdr on lo0 all
no rdr on lo1 all
no rdr inet proto tcp from <spamd-white-local> to any port = smtp
no rdr inet proto tcp from <spamd-white> to any port = smtp
rdr pass log inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025
>
> So, to solve your problem, first separate NAT and filtering. Things become
> so much clearer.
>
> Regards, Erik
>
> --
> Erik Nørgaard
> Ph: +34.666334818/+34.915211157 http://www.locolomo.org
>
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[email protected]"
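The thread's point is that the numbers in pflog output index the rulesets as pf loaded them (what pfctl -sr and pfctl -sn print), not the lines of pf.conf, and that filter rules and translation rules are numbered independently. The script below, an added example rather than anything posted in the thread, shows the bookkeeping: it parses the "rule N/M(match): ACTION DIR on IFACE:" prefix that pflog prints, uses the action word to pick the filter list (pass/block) or the translation list (rdr/nat/binat), and looks up the Nth loaded rule. The pfctl output and the tcpdump lines are the ones quoted above, embedded as constructed sample input with the wrapped lines rejoined; the interpretation of N as the loaded-rule position and M as the position inside an anchor is stated here as the assumption the example rests on.

```python
"""Resolve pflog rule numbers against the loaded pf rulesets.

Added example, not code from the thread. Assumption it rests on: in
pflog's "rule N/M(match)", N is the position of the matching rule in the
loaded ruleset and M is the position inside an anchor (0 for the main
ruleset); filter rules (pfctl -sr) and translation rules (pfctl -sn) are
numbered independently, so the action word selects which list applies.
"""
import re

# Constructed samples: the pfctl output and pflog lines quoted in the thread,
# with the wrapped lines re-joined.
PFCTL_SR = """\
No ALTQ support in kernel
ALTQ related functions disabled
pass in log inet proto tcp from any to 206.117.18.7 port = smtp flags S/SA keep state
pass in log on sis0 reply-to (sis0 192.168.25.1) inet proto tcp from any to any port = 75 flags S/SA keep state
block drop in log quick on dc0 from <blackhole> to any
"""

PFCTL_SN = """\
No ALTQ support in kernel
ALTQ related functions disabled
no rdr on lo0 all
no rdr on lo1 all
no rdr inet proto tcp from <spamd-white-local> to any port = smtp
no rdr inet proto tcp from <spamd-white> to any port = smtp
rdr pass log inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025
"""

PFLOG_LINES = [
    "14:01:27.133320 rule 0/0(match): pass in on dc0: 216.54.240.150.55782 > 206.117.18.7.25: S 2501333595:2501333595(0) win 65535 <mss 1460,nop,nop,sackOK>",
    "02:26:44.755650 rule 1/0(match): pass in on sis0: 71.109.144.133.40864 > 192.168.25.7.75: S 3941268770:3941268770(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp[|tcp]>",
    "10:44:45.037918 rule 2/0(match): block in on dc0: 71.109.162.173.39529 > 206.117.18.7.75: . ack 145 win 65535 <nop,nop,timestamp 705571170 1951648775>",
    "13:51:16.022700 rule 4/0(match): rdr in on dc0: 216.54.240.150.49821 > 127.0.0.1.8025: S 2371633783:2371633783(0) win 65535 <mss 1460,nop,nop,sackOK>",
]

# "rule 4/0(match): rdr in on dc0:" -> number, anchor sub-number, reason,
# action, direction, interface
RULE_RE = re.compile(
    r"rule (?P<num>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+):"
)

# Actions that belong to the translation ruleset (pfctl -sn) rather than
# the filter ruleset (pfctl -sr).
TRANSLATION_ACTIONS = {"rdr", "nat", "binat"}


def load_ruleset(text):
    """Turn pfctl -sr / -sn output into a list indexed by rule number,
    dropping the ALTQ warnings pfctl prints before the rules."""
    return [ln for ln in text.splitlines()
            if ln.strip() and not ln.startswith(("No ALTQ", "ALTQ"))]


def resolve(line, filter_rules, nat_rules):
    """Describe which loaded rule a pflog line refers to; None if the line
    carries no pflog rule prefix."""
    m = RULE_RE.search(line)
    if m is None:
        return None
    num = int(m.group("num"))
    action = m.group("action")
    which = "nat" if action in TRANSLATION_ACTIONS else "filter"
    ruleset = nat_rules if which == "nat" else filter_rules
    # A number past the end of the list means the log and the loaded ruleset
    # are out of sync (e.g. the ruleset was reloaded after the packet was logged).
    rule = ruleset[num] if num < len(ruleset) else None
    return {
        "number": num,
        "anchor_rule": int(m.group("sub")),
        "reason": m.group("reason"),
        "action": action,
        "direction": m.group("dir"),
        "ifname": m.group("ifname"),
        "ruleset": which,
        "rule": rule,
    }


def resolve_all(lines, sr_text, sn_text):
    """Resolve every pflog rule line against the two pfctl listings."""
    filter_rules = load_ruleset(sr_text)
    nat_rules = load_ruleset(sn_text)
    return [r for r in (resolve(ln, filter_rules, nat_rules) for ln in lines) if r]


if __name__ == "__main__":
    for r in resolve_all(PFLOG_LINES, PFCTL_SR, PFCTL_SN):
        print(f"{r['ruleset']} rule {r['number']} "
              f"({r['action']} {r['direction']} on {r['ifname']}): {r['rule']}")
```

Run against the quoted data, the four log lines resolve to filter rules 0, 1 and 2 and to translation rule 4, which is the "rdr pass ... port 8025" line, the fifth entry of pfctl -sn. Resolving against the loaded listings rather than pf.conf is what makes the mapping unambiguous; a number that falls past the end of a list is reported as unresolved instead of being guessed at, since it usually means the ruleset was reloaded between the log entry and the pfctl run.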