Hello,
I use OpenBSD 7.5 stable amd64.
I uncommented an old rule and its corresponding macro in pf.conf;
the rule definitely worked when the
machine was on version 7.3 and possibly on 7.4.
After that:
pfctl -nf /etc/pf.conf shows nothing
pfctl -f /etc/pf.conf shows nothing
So Packet Filter seems to be happy with the config as a whole.
pfctl -vvsr shows the old rules WITHOUT the uncommented one.
pfctl -vvnf /etc/pf.conf warns that the uncommented macro,
which is used in the uncommented rule, is NOT used.
The output of pfctl -vvnf /etc/pf.conf is appended as the
file pfctl_vvnf.
The output of pfctl -vvsr is appended as the
file pfctl_vvsr.
Did I miss something when changing the configuration?
The uncommented section 1 is:
# ports the mail rule is meant to match; the appended pfctl -vvnf output
# lists this macro but reports it as unused (warning: macro 'mail_ports' not used)
mail_ports = "{ submission imaps }"
The uncommented section 2 is:
# inbound TCP on egress to the egress address on $mail_ports, with per-source
# limits (a source over the limits is added to <bad_ips> and its states are
# flushed), redirected to $mail_server.
# NOTE(review): this rule is missing from the appended pfctl -vvnf output even
# though every other rule in the file is listed there. One thing to check in the
# real file is that neither this rule's first line nor the line right above it
# still starts with '#' while ending in '\': pfctl joins a backslash-newline
# before it treats the rest of the line as a comment, so a commented line that
# ends in '\' silently swallows the following line(s) -- which would explain both
# the missing rule and the "macro not used" warning. Do not put a comment line
# between the continuation lines of a rule for the same reason.
pass in on egress inet proto tcp to (egress) \
port $mail_ports \
keep state (max-src-conn 20, \
max-src-conn-rate 35/300, overload <bad_ips> \
flush global) rdr-to $mail_server
My whole pf.conf (all uncommented lines):
# pf.conf as posted (every uncommented line), OpenBSD 7.5 amd64.
# Rule order matters in pf: the last matching rule wins unless a rule is
# marked 'quick', which stops evaluation at that rule.
# NOTE(review): the mail rule (pass ... port $mail_ports ... rdr-to $mail_server)
# is absent from the appended pfctl -vvnf output, which also warns that
# 'mail_ports' is unused, while every other rule of this file appears there as
# @0-@27. Nothing in the listing as quoted explains that. Check in the real file
# that no line starting with '#' ends in a backslash directly above that rule
# (or on its own first line): pfctl joins a backslash-newline before comment
# handling, so a commented line ending in '\' silently swallows the next line(s).
# For the same reason none of the comments added here sit between continuation
# lines of a rule.

# internal interfaces; a rule on $int_if expands to one rule per member
# (see @7-@10 and @14-@21 in the appended output)
int_if = "{ vether1 em1 em2 em3 }"

# static list of reserved / non-routable ranges, used by the egress block rules below
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 \
169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
}
# persistent tables; <nospamd> and <bad_ips> are preloaded from files, and
# <bad_ips> is also filled at run time by the 'overload' clauses of the
# rate-limited pass rules below (8018 entries at the time of the -vvsr output)
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"
table <bad_ips> persist file "/etc/pf/bad_ips"

# redirect targets on the internal network
transmission_server = "192.168.1.65"
mail_server = "192.168.1.171"
# ports for the mail rule; reported as unused by pfctl -vvnf (see note above)
mail_ports = "{ submission imaps }"

# default policy: deny and log everything not passed by a later rule
block log all
# raise the table capacity (the default would not hold the <bad_ips> entries)
set limit table-entries 1000000
# blocked packets are dropped silently (no TCP RST / ICMP unreachable) unless
# a rule says 'block return' explicitly
set block-policy drop
# SYN cookies switch on when the state table is 29% full and off again at 15%
set syncookies adaptive (start 29%, end 15%)
# loopback traffic is not filtered at all
set skip on lo

# packet normalisation on everything inbound
match in all scrub (no-df random-id max-mss 1440)
# outbound NAT for the vether1 network behind the first egress address
match out on egress inet from (vether1:network) \
to any nat-to (egress:0)

# drop bogon sources on egress; reject (with return) outbound traffic to them
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
# anything from an address that was overloaded into <bad_ips> stops here,
# in both directions, before the pass rules are considered
block quick from <bad_ips>

# all outbound IPv4 is allowed; all inbound traffic on the internal
# interfaces is allowed (no per-port restriction from the LAN side)
pass out quick inet
pass in on $int_if inet

# SSH from the internet with tight per-source limits: more than 2 concurrent
# connections or 2 new connections per 300 s puts the source in <bad_ips>
# and flushes its states
pass in on egress inet proto tcp \
to (egress) port 22 keep state \
(max-src-conn 2, max-src-conn-rate 2/300, \
overload <bad_ips> flush global)

# DNS from ANY source on egress, redirected to a local listener on 8053,
# at most 10 states per source.
# NOTE(review): if the service on 127.0.0.1:8053 is a recursive resolver this
# makes it an open resolver (reflection/amplification abuse); restrict the
# source if serving the whole internet is not intended.
pass in on egress inet proto { tcp udp } \
to (egress) port domain keep state \
(max-src-states 10) \
rdr-to 127.0.0.1 port 8053
# DNS from the vether1 network to the egress address, arriving on any
# internal interface (already covered by 'pass in on $int_if inet' above,
# this more specific rule matches last and has the same effect)
pass in on $int_if inet proto { tcp udp } from \
(vether1:network) to (egress) port domain

# port 50000 tcp/udp forwarded to the transmission host
pass in on egress inet proto { tcp udp } \
to (egress) port 50000 \
rdr-to $transmission_server

# submission/imaps forwarded to the mail server with per-source limits
# (20 concurrent, 35 new per 300 s; offenders go to <bad_ips>).
# NOTE(review): this is the rule missing from the pfctl -vvnf output -- see
# the note at the top of this listing.
pass in on egress inet proto tcp to (egress) \
port $mail_ports \
keep state (max-src-conn 20, \
max-src-conn-rate 35/300, overload <bad_ips> \
flush global) rdr-to $mail_server

# SMTP: unknown senders are diverted to the local spamd (port 8025 per the
# -vvnf output); sources in <nospamd> and <spamd-white> bypass it and are
# forwarded straight to the mail server (the whitelist rule is logged)
pass in on egress proto tcp to (egress) \
port smtp divert-to 127.0.0.1 port spamd
pass in on egress proto tcp from <nospamd> to (egress) \
port smtp rdr-to $mail_server
pass in log on egress proto tcp from <spamd-white> \
to (egress) port smtp \
rdr-to $mail_server
# outbound SMTP on egress addressed to the egress address itself
pass out on egress proto tcp to (egress) port smtp
--
Best regards
Maksim Rodin
warning: macro 'mail_ports' not used
Loaded 714 passive OS fingerprints
int_if = "{ vether1 em1 em2 em3 }"
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16
172.16.0.0/12 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 }
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"
table <bad_ips> persist file "/etc/pf/bad_ips"
transmission_server = "192.168.1.65"
mail_server = "192.168.1.171"
mail_ports = "{ submission imaps }"
set limit table-entries 1000000
set block-policy drop
set syncookies adaptive (start 29%, end 15%)
set skip on { lo }
@0 block drop log all
@1 match in all scrub (no-df random-id max-mss 1440)
@2 match out on egress inet from (vether1:network:*) to any nat-to (egress:0:*)
round-robin
@3 block drop in quick on egress from <martians:0> to any
@4 block return out quick on egress from any to <martians:0>
@5 block drop quick from <bad_ips:0> to any
@6 pass out quick inet all flags S/SA
@7 pass in on vether1 inet all flags S/SA
@8 pass in on em1 inet all flags S/SA
@9 pass in on em2 inet all flags S/SA
@10 pass in on em3 inet all flags S/SA
@11 pass in on egress inet proto tcp from any to (egress:*) port = 22 flags
S/SA keep state (source-track rule, max-src-conn 2, max-src-conn-rate 2/300,
overload <bad_ips> flush global, src.track 300)
@12 pass in on egress inet proto tcp from any to (egress:*) port = 53 flags
S/SA keep state (source-track global, max-src-states 10) rdr-to 127.0.0.1 port
8053
@13 pass in on egress inet proto udp from any to (egress:*) port = 53 keep
state (source-track global, max-src-states 10) rdr-to 127.0.0.1 port 8053
@14 pass in on vether1 inet proto tcp from (vether1:network:*) to (egress:*)
port = 53 flags S/SA
@15 pass in on em1 inet proto tcp from (vether1:network:*) to (egress:*) port =
53 flags S/SA
@16 pass in on em2 inet proto tcp from (vether1:network:*) to (egress:*) port =
53 flags S/SA
@17 pass in on em3 inet proto tcp from (vether1:network:*) to (egress:*) port =
53 flags S/SA
@18 pass in on vether1 inet proto udp from (vether1:network:*) to (egress:*)
port = 53
@19 pass in on em1 inet proto udp from (vether1:network:*) to (egress:*) port =
53
@20 pass in on em2 inet proto udp from (vether1:network:*) to (egress:*) port =
53
@21 pass in on em3 inet proto udp from (vether1:network:*) to (egress:*) port =
53
@22 pass in on egress inet proto tcp from any to (egress:*) port = 50000 flags
S/SA rdr-to 192.168.1.65
@23 pass in on egress inet proto udp from any to (egress:*) port = 50000 rdr-to
192.168.1.65
@24 pass in on egress inet proto tcp from any to (egress:*) port = 25 flags
S/SA divert-to 127.0.0.1 port 8025
@25 pass in on egress inet proto tcp from <nospamd:0> to (egress:*) port = 25
flags S/SA rdr-to 192.168.1.171
@26 pass in log on egress inet proto tcp from <spamd-white:0> to (egress:*)
port = 25 flags S/SA rdr-to 192.168.1.171
@27 pass out on egress proto tcp from any to (egress:*) port = 25 flags S/SA
@0 block drop log all
[ Evaluations: 1331 Packets: 746 Bytes: 35871 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 0 ]
@1 match in all scrub (no-df random-id max-mss 1440)
[ Evaluations: 1331 Packets: 21182 Bytes: 12745032 States: 19 ]
[ Inserted: uid 0 pid 13268 State Creations: 0 ]
@2 match out on egress inet from (vether1:network:1) to any nat-to (egress:0:1)
round-robin
[ Evaluations: 1331 Packets: 20878 Bytes: 12693160 States: 14 ]
[ Inserted: uid 0 pid 13268 State Creations: 0 ]
@3 block drop in quick on egress from <martians:9> to any
[ Evaluations: 973 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 0 ]
@4 block return out quick on egress from any to <martians:9>
[ Evaluations: 973 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 0 ]
@5 block drop quick from <bad_ips:8018> to any
[ Evaluations: 1331 Packets: 157 Bytes: 9756 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 0 ]
@6 pass out quick inet all flags S/SA
[ Evaluations: 1174 Packets: 21152 Bytes: 12742195 States: 19 ]
[ Inserted: uid 0 pid 13268 State Creations: 215 ]
@7 pass in on vether1 inet all flags S/SA
[ Evaluations: 959 Packets: 21031 Bytes: 12722634 States: 17 ]
[ Inserted: uid 0 pid 13268 State Creations: 170 ]
@8 pass in on em1 inet all flags S/SA
[ Evaluations: 959 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 0 ]
@9 pass in on em2 inet all flags S/SA
[ Evaluations: 959 Packets: 54 Bytes: 8100 States: 1 ]
[ Inserted: uid 0 pid 13268 State Creations: 18 ]
@10 pass in on em3 inet all flags S/SA
[ Evaluations: 959 Packets: 54 Bytes: 8910 States: 1 ]
[ Inserted: uid 0 pid 13268 State Creations: 18 ]
@11 pass in on egress inet proto tcp from any to (egress:1) port = 22 flags
S/SA keep state (source-track rule, max-src-conn 2, max-src-conn-rate 2/300,
overload <bad_ips> flush global, src.track 300)
[ Evaluations: 959 Packets: 19 Bytes: 3983 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 1 ]
@12 pass in on egress inet proto tcp from any to (egress:1) port = 53 flags
S/SA keep state (source-track global, max-src-states 10) rdr-to 127.0.0.1 port
8053
[ Evaluations: 599 Packets: 15 Bytes: 862 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 2 ]
@13 pass in on egress inet proto udp from any to (egress:1) port = 53 keep
state (source-track global, max-src-states 10) rdr-to 127.0.0.1 port 8053
[ Evaluations: 22 Packets: 3 Bytes: 194 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 1 ]
@14 pass in on vether1 inet proto tcp from (vether1:network:1) to (egress:1)
port = 53 flags S/SA
[ Evaluations: 325 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 0 ]
@15 pass in on em1 inet proto tcp from (vether1:network:1) to (egress:1) port =
53 flags S/SA
[ Evaluations: 149 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 0 ]
@16 pass in on em2 inet proto tcp from (vether1:network:1) to (egress:1) port =
53 flags S/SA
[ Evaluations: 149 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 0 ]
@17 pass in on em3 inet proto tcp from (vether1:network:1) to (egress:1) port =
53 flags S/SA
[ Evaluations: 131 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 0 ]
@18 pass in on vether1 inet proto udp from (vether1:network:1) to (egress:1)
port = 53
[ Evaluations: 240 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 0 ]
@19 pass in on em1 inet proto udp from (vether1:network:1) to (egress:1) port =
53
[ Evaluations: 149 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 0 ]
@20 pass in on em2 inet proto udp from (vether1:network:1) to (egress:1) port =
53
[ Evaluations: 149 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 0 ]
@21 pass in on em3 inet proto udp from (vether1:network:1) to (egress:1) port =
53
[ Evaluations: 131 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 0 ]
@22 pass in on egress inet proto tcp from any to (egress:1) port = 50000 flags
S/SA rdr-to 192.168.1.65
[ Evaluations: 727 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 0 ]
@23 pass in on egress inet proto udp from any to (egress:1) port = 50000 rdr-to
192.168.1.65
[ Evaluations: 20 Packets: 2 Bytes: 185 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 2 ]
@24 pass in on egress inet proto tcp from any to (egress:1) port = 25 flags
S/SA divert-to 127.0.0.1 port 8025
[ Evaluations: 619 Packets: 4 Bytes: 164 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 1 ]
@25 pass in on egress inet proto tcp from <nospamd:20> to (egress:1) port = 25
flags S/SA rdr-to 192.168.1.171
[ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 0 ]
@26 pass in log on egress inet proto tcp from <spamd-white:1> to (egress:1)
port = 25 flags S/SA rdr-to 192.168.1.171
[ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 0 ]
@27 pass out on egress proto tcp from any to (egress:1) port = 25 flags S/SA
[ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 13268 State Creations: 0 ]