Redirect Incoming Traffic to the Web Server
These rules redirect incoming traffic from the gateway to the web server:
rdr on $ext_if proto tcp from any to $external_addr port http -> $webserver rdr on $ext_if proto tcp from any to $external_addr port 8080 -> $webserver
As you can see, port 80 (http) and port 8080 both redirect to my web server.
Block/Pass Traffic on Those Ports
These rules will pass or block the traffic based on port and OS:
pass in quick on $ext_if inet proto tcp from any to $webserver port http flags S/SA synproxy state block in quick on $ext_if inet proto tcp from any os windows to $webserver port 8080 pass in quick on $ext_if inet proto tcp from any to $webserver port 8080 flags S/SA synproxy state
The first line allows traffic to flow freely from my internal NIC to the web server on port 80.
The second line blocks all traffic from any Windows machine headed towards port 8080 on my web server.
The last line passes all traffic on port 8080. The above line contains a
quick directive so if the client OS is Windows, subsequent filter rules have no effect on the packet.
I originally wanted to redirect different OS connections to different web servers, but the OS directive is not available on the RDR statement.
spamd comes as a port. The easiest way to install it is to have a fresh copy of the FreeBSD ports tree and issue the commands:
cd /usr/ports/mail/spamd make install clean
spamd, get greylisting going, get verbose logging, and add these entries to /etc/rc.conf:
pfspamd_enable="YES" pfspamd_flags="-g -v"
man spamd for more details on the various options you can specify.
If you are using greylisting, also run the command:
mount -t fdescfs fdescfs /dev/fd
This mount allows
spamlogd to update the
spamd table. To mount this directory at boot time, add a line to /etc/fstab:
fdescfs /dev/fd fdescfs rw 0 0
To ensure you have the latest versions of the spam blacklists, refresh them once per hour with a line in /etc/crontab:
48 * * * * /usr/local/sbin/spamd-setup
spamd-setup utility adds blacklists by adding addresses to the PF table
<spamd> according to the instructions in /usr/local/etc/spamd.conf. To distribute the load a bit and avoid having everyone hit the servers at the same time (perhaps 48 minutes past the hour, or at the top of the hour), change 48 to whatever minute it is when you enter the crontab entry.
Make a copy of spamd.conf:
cp /usr/local/etc/spamd.conf.sample /usr/local/etc/spamd.conf
You may wish to amend spamd.conf according to your needs. My changes are:
I also added a line to /etc/syslog.conf so I could see the log from
!spamd daemon.err;daemon.warn;daemon.info /var/log/spamd
I created the file:
Remember to HUP
syslogd so it reads your changes and takes appropriate action:
kill -HUP `cat /var/run/syslog.pid`
Although your logfile will be empty at this point, here are a few entries that appeared after mine had run for a while.
$ tail /var/log/spamd Nov 8 00:30:15 nyi spamd: 18.104.22.168: connected (1/0) Nov 8 00:30:15 nyi spamd: 22.214.171.124: disconnected after 0 seconds. Nov 8 00:37:31 nyi spamd: 126.96.36.199: connected (1/0) Nov 8 00:37:34 nyi spamd: (GREY) 188.8.131.52: <firstname.lastname@example.org> -> >email@example.com> Nov 8 00:37:34 nyi spamd: 184.108.40.206: disconnected after 3 seconds. Nov 8 00:37:38 nyi spamd: 220.127.116.11: connected (1/0) Nov 8 00:37:40 nyi spamd: (GREY) 18.104.22.168: >firstname.lastname@example.org> -> <email@example.com> Nov 8 00:37:40 nyi spamd: 22.214.171.124: disconnected after 2 seconds. Nov 8 00:45:16 nyi spamd: 126.96.36.199: connected (1/0) Nov 8 00:45:16 nyi spamd: 188.8.131.52: disconnected after 0 seconds.
No, those aren't the real email addresses from my logs, but they are close.