Hi Group, I have a server with two LAN cards, both with valid IPs. One interface (fxp1) is patched behind a Cisco PIX firewall and the other (fxp0) is outside the firewall.
I want no greylisting/filtering on fxp1 (I have the related ports opened in the PIX); it should be enabled only for fxp0. The server will be used as a mail server. Please help. I want to check if the rules below are correct. My PF rules are as follows:
----
# PF Conf
###########
# Macros
#############
# internal and external network interfaces
# fxp0 is the outside interface (spamd/greylisting applies here),
# fxp1 is the one behind the PIX; the original had the two swapped
int_if = "fxp1"
ext_if = "fxp0"
# Internal servers
mail_host = "a.b.c.d"
icmp_types = "{ echoreq, unreach }"
tcp_services = "{ 110, 143, 80 }"
# We should never see these coming from the Internet.
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
             10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
             0.0.0.0/8, 240.0.0.0/4 }"

# options
set block-policy return
set loginterface $ext_if
# "set skip" is an option: it must come before scrub/rdr/filter rules,
# otherwise pfctl rejects the file with "Rules must be in order"
set skip on lo0

# Scrub
scrub in all

#################
# Spamd
#################
# grey host list
table <spamd> persist
# white host list (spamd's table is <spamd-white>; the name must match
# the references below)
table <spamd-white> persist
# This whitelist we are maintaining
table <whitelist> persist file "/etc/whitelist.txt"

# Send whitelisted hosts to the actual mail server
rdr on $ext_if proto tcp from <whitelist> to \
    $ext_if port smtp -> $mail_host port smtp
# send all suspects to the spamd daemon
rdr pass on $ext_if inet proto tcp from <spamd> to \
    $ext_if port smtp -> 127.0.0.1 port 8025
rdr pass on $ext_if inet proto tcp from !<spamd-white> to \
    $ext_if port smtp -> 127.0.0.1 port 8025
# Send whitelisted hosts to the actual mail server
rdr on $ext_if proto tcp from <spamd-white> to \
    $ext_if port smtp -> $mail_host port smtp

#############
# Filter Rules
#############
block all
antispoof for $ext_if
antispoof for $int_if

# Martians
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians

# Allow ping and path MTU discovery
pass in inet proto icmp all icmp-type $icmp_types keep state

# Allow incoming POP3, IMAP and HTTP (SMTP is handled by the spamd
# rdr rules above and the whitelist rules below)
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state

# For spamlogd to update the whitelists
# don't need to log static whitelist
pass in quick on $ext_if inet proto tcp from <whitelist> \
    to port smtp flags S/SA keep state
pass in log quick on $ext_if inet proto tcp from <spamd-white> \
    to port smtp flags S/SA keep state

# Allow anything from the internal network out onto the Internet
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass quick on $int_if
----
One more question: will it be OK to enable multicast routing on this server, or do I need to add more rules to the above for it to work with multicast routing?
Thanks & Regards,
Ram
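As an added example (not part of Ram's post, and not an OpenBSD tool), here is a small Python pre-flight checker for the kind of slips that are easy to make when hand-editing a spamd rule set like the one above: a table referenced but never declared (the posted file declares `<spam-white>` but uses `<spamd-white>`), a macro used but never assigned, and a `set` option placed after scrub/rdr/filter rules (the posted `set skip on lo0` sits after `block all`, which pfctl rejects with "Rules must be in order"). The embedded `POSTED` and `CORRECTED` strings are constructed cut-down versions of the rules with hypothetical addresses; the section ranks, messages and function names are my own. `pfctl -nf pf.conf` remains the authoritative syntax check.

```python
"""Static pre-flight check for a pf.conf (added example, not code from the post).
`pfctl -nf` is the authoritative check; this flags only three hand-editing slips:
a table referenced but never declared, a macro used but never assigned, and a
`set` option placed after scrub/rdr/filter rules (pf requires options first)."""
import re

# Section rank by a rule's leading keyword (options < scrub < queue < nat < filter).
# Macros and tables may appear anywhere, so they are deliberately absent.
SECTION_RANK = {"set": 1, "scrub": 2, "altq": 3, "queue": 3,
                "nat": 4, "rdr": 4, "binat": 4,
                "block": 5, "pass": 5, "antispoof": 5}
MACRO_DEF = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.*)$")
MACRO_REF = re.compile(r"\$([A-Za-z_]\w*)")
TABLE_DEF = re.compile(r"^table\s+<([^>]+)>")
TABLE_REF = re.compile(r"<([^>]+)>")


def logical_lines(text):
    """Drop comments and join backslash-continued lines into one rule each."""
    rules, buf = [], ""
    for raw in text.splitlines():
        piece = raw.split("#", 1)[0].rstrip()
        if piece.endswith("\\"):
            buf += piece[:-1] + " "
            continue
        buf += piece
        if buf.strip():
            rules.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():
        rules.append(" ".join(buf.split()))
    return rules


def check_pf_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, macros, tables = [], set(), set()
    macro_refs, table_refs = {}, {}   # name -> first rule that used it
    highest_rank = 0
    for rule in logical_lines(text):
        m = MACRO_DEF.match(rule)
        if m:                          # macro assignment (may use other macros)
            macros.add(m.group(1))
            for ref in MACRO_REF.findall(m.group(2)):
                macro_refs.setdefault(ref, rule)
            continue
        t = TABLE_DEF.match(rule)
        if t:                          # table declaration
            tables.add(t.group(1))
            continue
        for ref in TABLE_REF.findall(rule):
            table_refs.setdefault(ref, rule)
        for ref in MACRO_REF.findall(rule):
            macro_refs.setdefault(ref, rule)
        rank = SECTION_RANK.get(rule.split()[0])
        if rank is None:
            continue
        if rank < highest_rank:
            findings.append(f"out of order: '{rule}' appears after rules of a later section")
        highest_rank = max(highest_rank, rank)
    for name, rule in sorted(table_refs.items()):
        if name not in tables:
            findings.append(f"table <{name}> used but never declared: '{rule}'")
    for name, rule in sorted(macro_refs.items()):
        if name not in macros:
            findings.append(f"macro ${name} used but never defined: '{rule}'")
    return findings


# Constructed sample: a cut-down version of the posted rules with three slips
# left in: <spam-white> vs <spamd-white>, $int_if never assigned, and
# `set skip` placed after `block all`.
POSTED = """\
ext_if = "fxp0"
set block-policy return
set loginterface $ext_if
scrub in all
table <spamd> persist
table <spam-white> persist
table <whitelist> persist file "/etc/whitelist.txt"
rdr pass on $ext_if inet proto tcp from <spamd> to \\
    $ext_if port smtp -> 127.0.0.1 port 8025
rdr pass on $ext_if inet proto tcp from !<spamd-white> to \\
    $ext_if port smtp -> 127.0.0.1 port 8025
block all
set skip on lo0
antispoof for $int_if
pass in quick on $ext_if inet proto tcp from <whitelist> \\
    to port smtp flags S/SA keep state
"""

# The same rules with the three slips fixed.
CORRECTED = (POSTED
             .replace("<spam-white>", "<spamd-white>")
             .replace('ext_if = "fxp0"\n', 'int_if = "fxp1"\next_if = "fxp0"\n')
             .replace("block all\nset skip on lo0\n", "block all\n")
             .replace("scrub in all\n", "set skip on lo0\nscrub in all\n"))

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, check_pf_conf(conf) or ["clean"])
```

Running it reports the three slips for `POSTED` and nothing for `CORRECTED`. The checker only tracks declaration names and section order; it does not know which interface is really outside, so the fxp0/fxp1 macro assignment still has to be checked against the cabling by hand.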