Date:      Thu, 06 Sep 2007 13:58:11 +1000
From:      Gavin Cooper <gavin@shadow-security.net>
To:        freebsd-pf@freebsd.org
Subject:   ports/mail/spamd not greylisting correctly
Message-ID:  <46DF7AD3.9010104@shadow-security.net>

Hi all,

I've been playing with this for a while to get it working and below is 
my status. First, my setup - (NB, all servers mentioned are running 
6-STABLE). I have a FreeBSD tri-homed gateway/router which is where I'm 
trying to run spamd. On one NIC of the router I have my modem, the 
second has my private network, the third has my DMZ. The private network 
doesn't come into this story much at all. The DMZ has my FreeBSD/Qmail 
Mailserver.

My intention is to run spamd on the gateway to reduce the amount of 
processing the mailserver has to run for Spam Filtering.

My strategy is this - spamd on the gateway using a moderate to gentle 
selection of block lists via spamd-setup. I also (more so) want to 
configure greylisting.

My understanding is that with this setup, pf and spamd work together to 
send all unknown servers a 455 Temp Failure error, asking them 
politely to come back later. If they come back after 30 mins (default) 
they're added to the <spamd-white> pf table via spamd. When they come 
back a third time they're rdr'd to my real mailserver which to this 
point has no knowledge of the SMTP attempt. Failing to retry the SMTP 
session in the allotted time essentially means nothing other than the 
sending server failed to send me mail - presumably spam if they're too 
busy / poorly configured to come back. Additionally, I can modify a 
<spamd-mywhite> table via a txt file of servers which need not proceed 
through the greylisting treatment. All servers added via spamd-setup are 
entered into the <spamd> table and are immediately tarpitted/stuttered 
on connection.


Assuming my understanding is correct thus far, I've configured as 
follows - spamd is started via rc.conf thus:

# options for pf and spamd
pf_enable="YES"
pfspamd_enable="YES"
pfspamd_flags="-g -v -p 8025"
pfspamlogd_enable="YES"

my spamd.conf is this: (I'll more carefully select lists when I know the 
config is working)

all:\
        :spews1:china:korea:

# Mirrored from http://www.spews.org/spews_list_level1.txt
spews1:\
        :black:\
        :msg=/usr/local/etc/spamdMsg.txt:\
        :method=file:\
        :file=/usr/local/etc/spamd/spews_list_level1.txt:

# Mirrored from http://www.spews.org/spews_list_level2.txt
spews2:\
        :black:\
        :msg=/usr/local/etc/spamdMsg.txt:\
        :method=file:\
        :file=www.openbsd.org/spamd/spews_list_level2.txt.gz:

# Mirrored from http://www.okean.com/chinacidr.txt
china:\
        :black:\
        :msg=/usr/local/etc/spamdMsg.txt:\
        :method=file:\
        :file=/usr/local/etc/spamd/chinacidr.txt:

# Mirrored from http://www.okean.com/koreacidr.txt
korea:\
        :black:\
        :msg=/usr/local/etc/spamdMsg.txt:\
        :method=file:\
        :file=/usr/local/etc/spamd/koreacidr.txt:

I've mounted fdescfs on /dev/fd (fdescfs) manually and added the 
appropriate line to my fstab file.

I've checked that spamd is running and have proven to myself it's 
working by telnetting to port 8025 on the localhost and am tarpitted. 
(On that, I'm not sure that I *should* be tarpitted, but more on that 
later).

In my pf.conf I have commented out my default rdr of tcp/25 to my 
mailserver and added these six lines: (I've also included a full copy of 
my pf.conf at the end of this message)

table   <spamd> persist
table   <spamd-white> persist
table   <spamd-mywhite> persist file "/usr/local/etc/spamd-mywhite"


rdr    pass on $ext_if inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
rdr    pass on $ext_if inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port 8025
rdr    pass on $ext_if inet proto tcp from <spamd-white> to any port smtp -> $mail port smtp

Those rules make the most sense to me for what I'm trying to do - my 
understanding is the first hands the table generated by the lists in 
spamd-setup straight through to the spamd for tarpitting. The second 
rule sends anything that's NOT in my spamd-mywhite table to spamd to be 
given a 445 temp failure until they finally prove themselves as sane and 
are added to spamd-white which is covered by the third rule and sent 
straight through to my mailserver.


So what's happening? When the above rules are applied to pf (pfctl -f 
/etc/pf.conf) I tested and received the following:

telnet port 25 from an external, unknown server and I am tarpitted. Try 
again after 30 minutes and I'm still tarpitted. /var/log/spamd.log 
reports xxx.xxx.xxx.xxx Connection 1/10 - or something to that effect. 
After either typing 'quit' or finishing the SMTP telnet session the log 
reports xxx.xxx.xxx.xxx disconnected after 383 seconds.

This is my biggest problem. It seems no matter what, grey servers are 
never submitted into the <spamd-white> table. Servers in the 
spamd-mywhite table are allowed through, no questions asked and servers 
in <spamd> are tarpitted (that's fine by me).

I tested with first an unknown server, was tarpitted indefinitely. I 
then added the same server to my <spamd-mywhite> table and was allowed 
through. This was done by issuing the command 'pfctl -t spamd-white -T 
add xxx.xxx.xxx.xxx'. I then removed this (-T delete xxx.xxx.xxx.xxx) 
and added the server to the <spamd> table and was tarpitted.

So basically, can anyone see where I'm going wrong with my 
configuration? My apologies this message is quite lengthy, but I'm 
hoping that I've provided all information necessary.

I eagerly await any assistance provided. Check below for my full pf.conf

Kind Regards,

Sh4d03

----- /etc/pf.conf ------ (comments about remainder of ruleset are welcome)

# Macros
#
# User-defined variables may be defined and used later, simplifying the
# configuration file. Macros must be defined before they are referenced.
#

# available interfaces
ext_if=         "tun0"
int_if=         "vr0"
dmz_if=         "sis0"


# list of networks
ext_ip=         "2xx.xxx.xxx.xxx"
int_net=        "192.168.1.0/24"
dmz_net=        "10.10.1.0/24"


# list of hosts
mail=           "10.10.1.10"
mail2=          "10.10.1.11"
ns=             "10.10.1.12"
ns2=            "10.10.1.13"
fserv=          "10.10.1.14"
desktop=        "192.168.1.150"

# list of ports
webports=               "{ 80 }"
mailports=              "{ 43, 110, 143, 789 }"
dnsports=               "{ 53 }"
fservSSH=               "{ 7878 }"
fservNFS=               "{ 111, 2049, 9875 }"
samba=                  "{ 137, 128, 445 }"
mailSSH=                "{ 3232 }"
mail2SSH=               "{ 3333 }"
ntp=                    "{ 123 }"
cvsupd=                 "{ 5999 }"
dataweb=                "{ 9980 }"
torrentflux=            "{ 49160:49300 }"
rdp=                    "{ 3389 }"


###############################################################################
# Tables
#
# Tables provide a mechanism for increasing the performance and flexibility
# of rules with large numbers of source or destination addresses.
#

table   <private> const { 10/8, 172.16/12 }
table   <spamd> persist
table   <spamd-white> persist
table   <spamd-mywhite> persist file "/usr/local/etc/spamd-mywhite"


###############################################################################
# Options
#
# Options tune the behaviour of the packet filtering engine.
#

set     optimization normal
set     block-policy drop
set     skip on lo0


###############################################################################
# Traffic Normalization
#
# Traffic normalization protects internal machines against inconsistencies
# in Internet protocols and implementations.
#

scrub   in all no-df random-id
scrub   out all


###############################################################################
# Translation
#
# Translation rules specify how addresses are to be mapped or redirected to
# other addresses.
#

nat     on $ext_if inet from $int_if:network to any -> $ext_ip
nat     on $ext_if inet from $dmz_if:network to any -> $ext_ip


###############################################################################
# Redirection
#
# Traffic Redirection (or Port Forwarding) enables traffic to be routed to
# different interfaces, ports and addresses.
#

# Redirect via FTP proxy
rdr     on $int_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr     on $dmz_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# Redirect for mail and web traffic
rdr     on $ext_if inet proto tcp from any to any port $mailports -> $mail
rdr     on $ext_if inet proto tcp from any to any port $webports -> $mail
rdr     on $ext_if inet proto tcp from any to any port $mailSSH -> $mail
rdr     on $ext_if inet proto tcp from any to any port $mail2SSH -> $mail2
#rdr    on $ext_if inet proto tcp from any to any port smtp -> $mail port smtp

# Redirect for DNS
rdr     on $ext_if inet proto { tcp, udp } from any to any port 53 -> $ns

# Redirect for dataserver
rdr     on $ext_if inet proto tcp from any to any port $fservSSH -> $fserv
rdr     on $ext_if inet proto { tcp, udp } from any to any port $torrentflux -> $fserv
rdr     on $ext_if inet proto { tcp, udp } from any to any port $dataweb -> $fserv
rdr     on $ext_if inet proto { tcp } from any to any port $rdp -> $desktop

# Redirect for spamd
rdr     pass on $ext_if inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
rdr     pass on $ext_if inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port 8025
rdr     pass on $ext_if inet proto tcp from <spamd-white> to any port smtp -> $mail port smtp

###############################################################################
# Packet Filtering
#
# Stateful and stateless packet filtering provides rule-based blocking or
# passing of packets.
#

# DO NOT ENABLE THE FOLLOWING WITHOUT CAREFUL CONSIDERATION!!!
#pass quick all

# Uncomment the following to allow pings
#pass   quick inet proto icmp keep state

# default policy
block   in log all
block   out log all
block   quick from <bad_hosts>

# trusted interfaces
pass    in quick on $int_if all keep state
pass    out quick on $int_if all keep state

# dmz interface
pass    in quick on $dmz_if inet from $dmz_net to !$int_net keep state
pass    out log quick on $dmz_if inet all flags S/SA modulate state

# Cvsup from Lan to DMZ (dataserver)
pass    in quick on $int_if inet proto tcp from $int_if:network to $fserv port $cvsupd keep state
# Samba from Lan to DMZ (dataserver)
pass    in quick on $int_if inet proto tcp from $int_if:network to $fserv port $samba keep state
pass    in quick on $int_if inet proto tcp from $int_if:network to $mail port $mailSSH keep state

# anti-spoofing
block   drop in quick on $ext_if inet from <private> to any
block   drop out quick on $ext_if inet from any to <private>

# anti-ping
block   drop quick inet proto icmp

# outbound traffic (icmp, udp, tcp)
pass    out on $ext_if inet proto { tcp } all flags S/SA modulate state
pass    out on $ext_if inet proto { udp } all keep state
pass    out on $ext_if inet proto { icmp } all keep state

# inbound traffic (firewall)
pass    in on $dmz_if inet proto { tcp, udp } from any to $dmz_if port 53 keep state
pass    in on $int_if inet proto { tcp, udp } from any to $int_if port 53 keep state
pass    in on $int_if inet proto udp from $int_if:network to $int_if port $ntp keep state
pass    in on $dmz_if inet proto udp from $dmz_if:network to $dmz_if port $ntp keep state

# inbound traffic (web/mail)
pass    in on $ext_if inet proto tcp from any to $mail port $webports keep state \
                        (max-src-conn-rate 9/10, overload <bad_hosts> flush global)
pass    in on $ext_if inet proto tcp from any to $mail port $mailports flags S/SA modulate state \
                        (max-src-conn-rate 9/10, overload <spammers> flush global)
pass    in log on $ext_if inet proto tcp from any to $mail port smtp flags S/SA modulate state \
                        (max-src-conn-rate 9/10, overload <spammers> flush global)
pass    in on $ext_if inet proto tcp from any to $mail port $mailSSH flags S/SA modulate state \
                        (max-src-conn-rate 5/10, overload <bad_hosts> flush global)
pass    in on $ext_if inet proto tcp from any to $mail2 port $mail2SSH flags S/SA modulate state \
                        (max-src-conn-rate 5/10, overload <bad_hosts> flush global)

# inbound traffic (dns)
pass    in on $ext_if inet proto { tcp, udp } from any to $ns port 53 keep state
pass    out on $dmz_if inet proto { tcp, udp } from any to $ns port 53 keep state

# inbound traffic (fileserver)
pass    in on $ext_if inet proto tcp from any to any port $fservSSH keep state
pass    in on $ext_if inet proto tcp from any to any port $torrentflux keep state
pass    in on $ext_if inet proto tcp from any to any port $dataweb keep state
pass    in on $int_if inet proto { tcp, udp } from any to any port $fservNFS keep state
pass    out on $dmz_if inet proto { tcp, udp } from any to any port $fservNFS keep state

# inbound traffic (desktop)

pass    in on $ext_if inet proto tcp from any to any port $rdp keep state
pass    out on $int_if inet proto tcp from any to any port $rdp keep state


