Re: pf rules blocking rdr to tarpit
Hello,
After a quick look I don't see any obvious problems, but you can try
debugging your setup with tcpdump.
Something like the following could be helpful:
# tcpdump -nettti pflog0
pflog0 normally is the pf logging interface.
Here is a short step-by-step guide:
1. Put the following rule at the top of your pf.conf:
pass quick all
2. Load your pf.conf and run the above mentioned tcpdump
3. Try telnetting to your spamd (on another console, of course).
4. You should then see what exactly happens on which interface and what
needs to be set up ... hopefully ;-)
Regarding your question about securing your mail server ... if you are
using sendmail you can perhaps set it up to run in a dual sendmail config,
so you have two instances of sendmail running, one "internal" and one
"external". The advantage of this is that the "external" instance can run
as non-root, e.g. smmsp:smmsp, ergo less privileged.
If you have further questions about this "sendmail dual config" feel free to
read http://www.ijs.si/software/amavisd/README.sendmail-dual and as a last
chance try asking me ;-)
Btw. ... I always wanted to ask on this list why OpenBSD doesn't come with
this "sendmail dual config" ... I should do that right now ;-)
Hope this helps,
- Manfred
-----Original Message-----
From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org] On Behalf Of
Jay Moore
Sent: Sunday, 28 September 2003 21:50
To: bodhi@hagakure.org
Cc: misc@openbsd.org
Subject: Re: pf rules blocking rdr to tarpit
Dave Taira said:
> So everything is blocked, and he explicitly allows only connections to
> his $ExtIf, but spoofed packets get dropped, rather than returned.
>
> Note that this doesn't address Jay's original issue. Nothing in the
> pf.conf looks like it should affect the rdr. Maybe it's a spamd config
> problem, rather than a pf problem?
Well, maybe - but spamd.conf is all about where to get blacklist data;
i.e. sources for the <spamd> table. I don't see anything in there that
could affect the ability of connections to get to the spamd port on
127.0.0.1.
The limited info I could glean from 'pfctl -v -s rules' suggests that
the 'block all' rule is snagging the rdr (or its response). This in turn
suggests that I need a "pass" rule... but I don't know what that rule
should be.
I see there's a pf list... maybe I shoulda' posted this there?
Thanks,
Jay
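A worked pf.conf fragment for the situation in this thread, added here as an example; it is not taken from either message. It uses the rule ordering of 2003-era pf (translation rules before filter rules), redirects blacklisted senders to spamd on 127.0.0.1, and adds the pass rule Jay says he is missing. The interface name fxp0 is an assumption, and 8025 is the spamd default port. The point it illustrates is that pf translates a packet before it filters it, so the pass rule has to match the translated destination (127.0.0.1 port 8025) rather than the external address on port 25; a "block all" with only a pass rule for $ext_if port 25 therefore drops the redirected packets, which matches what Jay read out of pfctl -v -s rules. The debugging rule from Manfred's steps is included commented out, with `log` added, because pflog0 only carries packets matched by rules that log; without it tcpdump on pflog0 would stay silent while the rule passes everything.

```pf
# Added example, not from the thread. Assumptions: external interface fxp0,
# spamd listening on its default port 8025, OpenBSD 3.3/3.4-era pf syntax.
# Pass rules for the host's own outbound traffic are left out for brevity.
ext_if = "fxp0"
spamd_port = "8025"

# Senders taken from the blacklists configured in spamd.conf end up in this
# table (fed by spamd-setup); only these get redirected to the tarpit.
table <spamd> persist

# Translation section (must come before the filter rules): blacklisted hosts
# connecting to port 25 on the external interface are redirected to spamd
# on the loopback address.
rdr on $ext_if inet proto tcp from <spamd> to any port smtp \
    -> 127.0.0.1 port $spamd_port

# Filter section. Everything is blocked and logged, so every drop shows up
# on pflog0 together with the number of the rule that caused it.
block log all

# Debugging rule from the steps in the thread, with 'log' added so that the
# packets it passes are visible on pflog0 too. Uncomment it temporarily at
# the top of the filter section, watch tcpdump, then remove it again.
# pass log quick all

# The packet has already been rewritten by the rdr rule when it reaches the
# filter, so the pass rule must match the NEW destination, 127.0.0.1 port
# 8025 on $ext_if, not $ext_if port 25. keep state lets spamd's replies out.
pass in log on $ext_if inet proto tcp from <spamd> to 127.0.0.1 \
    port $spamd_port flags S/SA keep state

# Ordinary, non-blacklisted senders reach the real MTA on port 25.
pass in on $ext_if inet proto tcp from any to $ext_if port smtp \
    flags S/SA keep state
```

With `block log all` in place, a blacklisted sender that is still being dropped shows up on `tcpdump -nettti pflog0` as a block on $ext_if with destination 127.0.0.1 port 8025; that line is the quickest confirmation that the rdr is working and only the pass rule for the translated address is missing.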