DaemonForums  
#1
11th February 2017
roundkat
Shell Scout
Join Date: May 2008
Posts: 115
Minor help with pf - FreeBSD 10.3

I used to run OpenBSD a long time ago and moved to Linux, but now I am making the transition to FreeBSD with ZFS to replace my Linux boxes. Time has been the real issue, and there are so many cool things now in FreeBSD, like ZFS and the new package commands, etc.
I still have my old pf.conf from the OpenBSD box, but the syntax seems to be different, so after many hours I did get the gateway working but have this one thing and one other minor thing to solve.

FreeBSD 10.3 smtp gateway running (OpenBSD) spamd and amavisd.

The FreeBSD box replaced a Linux box and was working with what I am trying to do with FreeBSD.
Postfix is the MTA.

Email flow
Working
FreeBSD Gateway (filter spamd / amavisd) ==>port 2525 ==>Home Email
Not working
Home Email ==>port 2525 ==> FreeBSD ==> email out


pf.conf:
ext_if="bge0"
## macros
tcp_services = "{ ssh, smtp, domain, www }"
ssh2 = "{ 23991 }"
email_services = "{ 2525}"
udp_services = "{ domain, ntp }"
myemail = "{other IP, email server}"

set skip on lo0
scrub in all

### Spamd #####
table <spamd-white> persist
table <bruteforce> persist
## tried , doesn't work
#no rdr inet proto tcp from $myemail to \
#    port $email_services
no rdr inet proto tcp from <spamd-white> to any \
port smtp
rdr pass inet proto tcp from any to any \
port smtp -> 127.0.0.1 port spamd
### Spamd end #####

## Filter rules
block in log all
pass quick on lo0
pass quick proto { tcp, udp } from any to any port ssh \
flags S/SA keep state \
(max-src-conn 5, max-src-conn-rate 5/3, \
overload <bruteforce> flush global)
## rule for rdr for port 2525 -- incorrect syntax
# pass in quick from $myemail port $email_services to any port smtp
pass in proto tcp to any port $tcp_services keep state
pass out proto tcp to any port $tcp_services keep state
## send to my email server on non-standard port
pass out proto tcp to any port $email_services keep state

pass out proto tcp to any port 2200 keep state
pass proto udp to any port $udp_services keep state
pass inet proto icmp from localhost to any keep state
rc.conf (partial):
pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/pf.conf" # rules definition file for PF
pf_flags="" # additional flags for pfctl startup
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup
################
# Pf Spamd
obspamd_enable="YES"
obspamlogd_enable="YES"
spamd_flags="-v -G2:4:864"
spamd_grey="YES" # use spamd greylisting if YES
spamlogd_flags="-I -i lo0"
I will keep trying to figure this out, and I do see the traffic from my home email server dropped when coming in on port 2525...

Thx
__________________
All posts sent on ReCycled Electrons...
#2
11th February 2017
roundkat
Shell Scout
Join Date: May 2008
Posts: 115

I managed to solve this...
2 changes
1) pf.conf rule
email_services = 2525
myemail = (my home email ip)
pass in proto tcp from $myemail to port $email_services
2) added to master.cf (Postfix)
2525 inet n - n - - smtpd

Since 2525 is only accessible from my home email server it isn't opened to the world and bypasses the spamd process completely, which is what I was trying to achieve.

If there is a more secure way to accomplish this, I would also appreciate that suggestion.
thx
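A tightened version of the two-port layout from the post above, written here as an added example rather than the poster's own file: port 25 still goes through spamd, while port 2525 is only reachable from the home mail server, only on the external interface and only at the gateway's own address. The interface name bge0 and the spamd service name come from the thread; 203.0.113.5 (the gateway) and 192.0.2.10 (the home mail server) are constructed placeholders.

```pf
# Added example, not the poster's file. Placeholders (RFC 5737 ranges):
#   203.0.113.5 = this gateway's address on bge0, 192.0.2.10 = home mail server.
ext_if       = "bge0"
gw_addr      = "203.0.113.5"
home_mail    = "192.0.2.10"
relay_port   = "2525"
tcp_services = "{ ssh, smtp, domain, www }"
udp_services = "{ domain, ntp }"

table <spamd-white> persist
table <bruteforce>  persist

set skip on lo0
scrub in all

# Port 25: untrusted clients are redirected to spamd on localhost;
# senders that have passed greylisting reach Postfix directly.
no rdr on $ext_if inet proto tcp from <spamd-white> to $gw_addr port smtp
rdr pass on $ext_if inet proto tcp from any to $gw_addr port smtp \
    -> 127.0.0.1 port spamd

# Default deny, plus an early drop for hosts that hit the ssh limits.
block in log all
block in log quick on $ext_if from <bruteforce>

# SSH with the original brute-force limits feeding <bruteforce>.
pass in quick on $ext_if proto tcp to $gw_addr port ssh \
    flags S/SA keep state (max-src-conn 5, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)

# Port 2525 is never redirected, so only this filter rule guards it:
# one source, one interface, one destination address, SYN-only state.
pass in on $ext_if proto tcp from $home_mail to $gw_addr port $relay_port \
    flags S/SA keep state

# Public services and outbound traffic, as in the original rule set.
pass in  on $ext_if proto tcp to $gw_addr port $tcp_services keep state
pass out on $ext_if proto tcp to any port $tcp_services keep state
pass out on $ext_if proto tcp to any port $relay_port keep state
pass     on $ext_if proto udp to any port $udp_services keep state
pass inet proto icmp from $gw_addr to any keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, so syntax errors surface before the running rule set is replaced. On the Postfix side, binding the listener to one address in master.cf (`203.0.113.5:2525 inet n - n - - smtpd`) keeps the relay port off every other interface even if a filter rule is later loosened.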