BSD DevCenter

Greylisting with PF

Redirect Incoming Traffic to the Web Server

These rules redirect incoming traffic from the gateway to the web server:

rdr on $ext_if proto tcp from any to $external_addr port http    -> $webserver
rdr on $ext_if proto tcp from any to $external_addr port 8080    -> $webserver

As you can see, port 80 (http) and port 8080 both redirect to my web server.

Block/Pass Traffic on Those Ports

These rules will pass or block the traffic based on port and OS:

pass  in quick on $ext_if inet proto tcp from any to $webserver port http flags S/SA synproxy state
block in quick on $ext_if inet proto tcp from any os windows to $webserver port 8080
pass  in quick on $ext_if inet proto tcp from any to $webserver port 8080 flags S/SA synproxy state

The first line allows traffic to flow freely from my internal NIC to the web server on port 80.

The second line blocks all traffic from any Windows machine headed towards port 8080 on my web server.

The last line passes all traffic on port 8080. Because the second line contains a quick directive, a packet from a Windows client is blocked there and subsequent filter rules, including this pass rule, have no effect on it.

I originally wanted to redirect connections from different operating systems to different web servers, but the os option is not available in rdr rules.

Enabling spamd

For FreeBSD, spamd comes as a port. The easiest way to install it is to have a fresh copy of the FreeBSD ports tree and issue the commands:

cd /usr/ports/mail/spamd
make install clean

To enable spamd with greylisting and verbose logging, add these entries to /etc/rc.conf:

pfspamd_enable="YES"
pfspamd_flags="-g -v"

See man spamd for more details on the various options you can specify.

If you are using greylisting, also run the command:

mount -t fdescfs fdescfs /dev/fd

This mount allows spamlogd to update the spamd table. To mount this directory at boot time, add a line to /etc/fstab:

fdescfs /dev/fd fdescfs rw 0 0

To ensure you have the latest versions of the spam blacklists, refresh them once per hour with a line in /etc/crontab:

48      *       *       *       *       root    /usr/local/sbin/spamd-setup

The spamd-setup utility populates the blacklists by adding their addresses to the PF table <spamd> according to the instructions in /usr/local/etc/spamd.conf. To spread the load and avoid having everyone hit the blacklist servers at the same time (48 minutes past the hour, say, or at the top of the hour), change 48 to whatever minute it is when you enter the crontab entry.

Make a copy of spamd.conf:

cp /usr/local/etc/spamd.conf.sample  /usr/local/etc/spamd.conf

You may wish to amend spamd.conf according to your needs. My change was from:

all:\
        :spamhaus:china:korea:

to:

all:\
        :spamhaus:spews1:

I also added a line to /etc/syslog.conf so I could see the log from spamd:

!spamd
daemon.err;daemon.warn;daemon.info      /var/log/spamd

I created the file:

touch /var/log/spamd

Remember to HUP syslogd so it reads your changes and takes appropriate action:

kill -HUP `cat /var/run/syslog.pid`
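The steps above (rc.conf entries, the fdescfs mount and fstab line, the hourly spamd-setup job, the syslog.conf block, the log file and the HUP to syslogd) can be collected into one re-runnable script. The following is an added example, not code from the article: the function names and the FILE_RC, FILE_FSTAB, FILE_CRONTAB and FILE_SYSLOG override variables are this example's own conventions, and it appends a line only when an identical one is not already present, so running it twice does not duplicate entries. configure_spamd_files only edits text files and can be pointed at scratch copies; activate_spamd_runtime mounts, copies and signals, so it is meant for the FreeBSD gateway itself, run as root.

```shell
#!/bin/sh
# Added example, not code from the article: applies the spamd configuration
# steps idempotently so the script can be re-run without duplicating lines.
# Function names and the FILE_* override variables are this example's own.

# Append LINE to FILE unless an identical line is already present.
ensure_line() {
    el_file=$1
    el_line=$2
    [ -f "$el_file" ] || : > "$el_file"
    grep -qxF -- "$el_line" "$el_file" && return 0
    printf '%s\n' "$el_line" >> "$el_file"
}

# Build the /etc/crontab entry for spamd-setup. /etc/crontab carries a "who"
# field before the command, so the job runs as root. The minute is a parameter
# so that, as the article suggests, each site picks its own minute instead of
# everyone refreshing the blacklists at the same instant.
spamd_cron_line() {
    case $1 in
        [0-9]|[0-5][0-9]) ;;
        *) echo "spamd_cron_line: minute must be 0-59, got '$1'" >&2; return 1 ;;
    esac
    printf '%s\t*\t*\t*\t*\troot\t/usr/local/sbin/spamd-setup\n' "$1"
}

# syslog.conf needs the program specification immediately before its selector,
# so both lines are appended together when the selector is missing.
ensure_syslog_block() {
    esb_file=$1
    esb_selector=$(printf 'daemon.err;daemon.warn;daemon.info\t/var/log/spamd')
    [ -f "$esb_file" ] || : > "$esb_file"
    grep -qxF -- "$esb_selector" "$esb_file" && return 0
    printf '!spamd\n%s\n' "$esb_selector" >> "$esb_file"
}

# Edit rc.conf, fstab, crontab and syslog.conf. Paths default to the real
# files; set FILE_RC, FILE_FSTAB, FILE_CRONTAB or FILE_SYSLOG to try it on
# copies. Optional first argument: the crontab minute (default: the current one).
configure_spamd_files() {
    csf_minute=${1:-$(date +%M)}
    ensure_line "${FILE_RC:-/etc/rc.conf}" 'pfspamd_enable="YES"'
    ensure_line "${FILE_RC:-/etc/rc.conf}" 'pfspamd_flags="-g -v"'
    ensure_line "${FILE_FSTAB:-/etc/fstab}" 'fdescfs /dev/fd fdescfs rw 0 0'
    csf_cron=$(spamd_cron_line "$csf_minute") || return 1
    ensure_line "${FILE_CRONTAB:-/etc/crontab}" "$csf_cron"
    ensure_syslog_block "${FILE_SYSLOG:-/etc/syslog.conf}"
}

# FreeBSD-only runtime steps from the article: mount fdescfs so spamlogd can
# update the <spamd> table, seed spamd.conf from the sample, create the log
# file and make syslogd re-read its configuration.
activate_spamd_runtime() {
    mount | grep -q ' on /dev/fd ' || mount -t fdescfs fdescfs /dev/fd
    [ -f /usr/local/etc/spamd.conf ] ||
        cp /usr/local/etc/spamd.conf.sample /usr/local/etc/spamd.conf
    [ -f /var/log/spamd ] || touch /var/log/spamd
    kill -HUP "$(cat /var/run/syslog.pid)"
}

# Usage on the gateway, as root:
#   configure_spamd_files && activate_spamd_runtime
```

Pointing the FILE_* variables at copies first (FILE_RC=/tmp/rc.conf and so on) lets you diff the result against the live files before touching the gateway.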

Although your logfile will be empty at this point, here are a few entries that appeared after mine had run for a while.

$ tail /var/log/spamd 
Nov  8 00:30:15 nyi spamd[27528]: 212.12.70.131: connected (1/0)
Nov  8 00:30:15 nyi spamd[27528]: 212.12.70.131: disconnected after 0 seconds.
Nov  8 00:37:31 nyi spamd[27528]: 210.4.36.220: connected (1/0)
Nov  8 00:37:34 nyi spamd[27528]: (GREY) 210.4.36.220: <deborahmckenzie_kg@browningdirect.example.com>
                        -> <papers@bsdcan.example.org>
Nov  8 00:37:34 nyi spamd[27528]: 210.4.36.220: disconnected after 3 seconds.
Nov  8 00:37:38 nyi spamd[27528]: 210.4.36.220: connected (1/0)
Nov  8 00:37:40 nyi spamd[27528]: (GREY) 210.4.36.220: <deborahsee@broadwayrealestate.example.com>
                        -> <papers@bsdcan.example.org>
Nov  8 00:37:40 nyi spamd[27528]: 210.4.36.220: disconnected after 2 seconds.
Nov  8 00:45:16 nyi spamd[27528]: 69.133.112.184: connected (1/0)
Nov  8 00:45:16 nyi spamd[27528]: 69.133.112.184: disconnected after 0 seconds.

No, those aren't the real email addresses from my logs, but they are close.
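Once the log fills up it is worth reducing it to per-client figures: how often an address connected, which sender/recipient tuples it was greylisted for, and how many sessions ended after 0 seconds (a client that hung up immediately rather than waiting out spamd's slow replies). The following is an added example, not code from the article: the sample log is constructed to mirror the entries above, with the article's example.com/example.org placeholder addresses and each GREY entry on a single line as spamd writes it, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the article: summarises spamd log lines of the
# kind shown above. SAMPLE_SPAMD_LOG is a constructed sample mirroring those
# entries; the function names are this example's own.
SAMPLE_SPAMD_LOG=$(cat <<'EOF'
Nov  8 00:30:15 nyi spamd[27528]: 212.12.70.131: connected (1/0)
Nov  8 00:30:15 nyi spamd[27528]: 212.12.70.131: disconnected after 0 seconds.
Nov  8 00:37:31 nyi spamd[27528]: 210.4.36.220: connected (1/0)
Nov  8 00:37:34 nyi spamd[27528]: (GREY) 210.4.36.220: <deborahmckenzie_kg@browningdirect.example.com> -> <papers@bsdcan.example.org>
Nov  8 00:37:34 nyi spamd[27528]: 210.4.36.220: disconnected after 3 seconds.
Nov  8 00:37:38 nyi spamd[27528]: 210.4.36.220: connected (1/0)
Nov  8 00:37:40 nyi spamd[27528]: (GREY) 210.4.36.220: <deborahsee@broadwayrealestate.example.com> -> <papers@bsdcan.example.org>
Nov  8 00:37:40 nyi spamd[27528]: 210.4.36.220: disconnected after 2 seconds.
Nov  8 00:45:16 nyi spamd[27528]: 69.133.112.184: connected (1/0)
Nov  8 00:45:16 nyi spamd[27528]: 69.133.112.184: disconnected after 0 seconds.
EOF
)

# Read spamd log lines on stdin. Print one "GREY" line per greylisted
# sender/recipient tuple as it is seen, then, per client address, how many
# times it connected, how many tuples it was greylisted for, how many sessions
# ended after 0 seconds and the total seconds it spent talking to spamd.
# Field positions rely on the syslog prefix: month day time host spamd[pid]:
summarize_spamd_log() {
    awk '
    $5 !~ /^spamd\[/ { next }                 # not a spamd line, skip it
    $6 == "(GREY)" {
        ip = $7; sub(/:$/, "", ip)
        grey[ip]++
        print "GREY " ip " " $8 " -> " $10
        next
    }
    $7 == "connected" {
        ip = $6; sub(/:$/, "", ip)
        conn[ip]++
        next
    }
    $7 == "disconnected" {
        ip = $6; sub(/:$/, "", ip)
        secs = $9 + 0
        total[ip] += secs
        if (secs == 0) zero[ip]++
        next
    }
    END {
        for (ip in conn)
            printf "%s connections=%d grey=%d zero_second=%d total_seconds=%d\n",
                ip, conn[ip], grey[ip] + 0, zero[ip] + 0, total[ip] + 0
    }'
}

# Run the summary over the constructed sample; on the gateway you would use
#   summarize_spamd_log < /var/log/spamd
summarize_sample() {
    printf '%s\n' "$SAMPLE_SPAMD_LOG" | summarize_spamd_log
}

summarize_sample
```

The per-address totals make the greylisting behaviour visible: a legitimate MTA shows up as several connections with GREY tuples and non-zero durations as it retries, while an address that connects and drops after 0 seconds never gets as far as a delivery attempt.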
