OpenBSD Journal
A transparent spamd(8) bridge
Contributed by deanna on Wed Nov 8 15:17:50 2006 (GMT)
from the cheque-is-in-the-mail dept.

Chris Kuethe (ckuethe@) writes:

I work as security/system admin at the University of Alberta. Every so often my boss (beck@) or I are called to swoop in like ninjas to rescue someone's mailserver from a joe-job or the mail virus du jour. This involves putting a spamd box inline with their mail processors. To make this work, we use a box with at least two network interfaces (names like Nexcom, Commell and Soekris come to mind because they're easy to carry around) and an IP address on the same subnet as the mail server to be protected.

For this example, I am protecting my workstation from my laptop with a Nexcom. The interface closest to the edge of the case (fxp2) is designated the external interface, and is given an address (172.16.5.111) on the same subnet as the protected mail server.

ifconfig fxp0 up
ifconfig fxp2 inet 172.16.5.111 netmask 255.255.255.0 up
route add default 172.16.5.1
ifconfig bridge0 create
brconfig bridge0 add fxp0 add fxp2 up
At this point, the machine is forwarding ethernet frames, but is not doing any filtering. Thus, connections to the mailserver are passed unmolested. This is what we are trying to prevent. Enter pf. The net.inet.ip.forwarding sysctl must be set to 1 because network address translation and redirection involve routing - it's not just ethernet any more.

sysctl net.inet.ip.forwarding=1
pfctl -ef /etc/pf.conf
The stock pf.conf that ships with OpenBSD comes close, but it doesn't work on a bridge. The rdr statement rewrites the destination address, but the packet won't be routed properly. Actually, it won't be routed at all - the destination is rewritten but the routing table is not consulted. Thus, you get packets on the wire headed for localhost, which doesn't work. Pf of course has an answer for this. If you know better than the routing table where a packet should go, you can name the interface it should be sent out with route-to. Because the smtp connection is to be handled by spamd on localhost, it should be routed out the lo0 interface.

Enough with the chatter, here's a pf.conf that will trap smtp connections passing through a bridge and send them to spamd on localhost.

ext_if="fxp2"

table <spamd> persist
table <spamd-white> persist

rdr on $ext_if inet proto tcp from <spamd> to port smtp \
        -> 127.0.0.1 port spamd
rdr on $ext_if inet proto tcp from !<spamd-white> to port smtp \
        -> 127.0.0.1 port spamd

# "log" so you can watch the connections getting trapped
pass in log on $ext_if route-to lo0 inet proto tcp to 127.0.0.1 port spamd
There you have it - everything required to set up a bump-in-the-wire spam trap. While I have given commands which will produce the desired result, this configuration can be made permanent by editing the relevant configuration files:
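As an added example (not part of the article), a small Python parser for the pflog0 output that the logging "pass in" rule produces, so you can count trapped connections per source and confirm that hosts you put in <spamd-white> are not still being diverted. The tcpdump line layout and the sample addresses are constructed; 8025 is assumed as the "spamd" port from /etc/services.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

SPAMD_PORT = 8025  # assumed: "port spamd" as listed in /etc/services

# Constructed sample of what `tcpdump -n -e -ttt -i pflog0 port smtp` prints for
# connections matched by the logging pass rule; not real captured output.
SAMPLE_PFLOG = """\
Nov 08 15:20:01.110201 rule 2/(match) pass in on fxp2: 203.0.113.7.41234 > 127.0.0.1.8025: S 1:1(0) win 65535
Nov 08 15:20:01.342877 rule 2/(match) pass in on fxp2: 203.0.113.7.41235 > 127.0.0.1.8025: S 1:1(0) win 65535
Nov 08 15:20:02.000100 rule 2/(match) pass in on fxp2: 198.51.100.20.50110 > 127.0.0.1.8025: S 1:1(0) win 16384
Nov 08 15:20:02.500000 rule 2/(match) pass in on fxp2: 203.0.113.7.41236 > 127.0.0.1.8025: S 1:1(0) win 65535
Nov 08 15:20:03.000000 rule 2/(match) pass in on fxp2: 192.0.2.9.33000 > 127.0.0.1.8025: S 1:1(0) win 65535
"""

LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>pass|block) in on (?P<iface>\S+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

def parse_pflog(text):
    """Return one dict per line that matches the expected tcpdump layout."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            records.append(rec)
    return records

def trapped_by_source(records):
    """Count connections per source that were diverted to spamd on localhost."""
    return Counter(r["src"] for r in records
                   if r["dst"] == "127.0.0.1" and r["dport"] == SPAMD_PORT)

def whitelist_leaks(records, whitelist_cidrs):
    """Sources trapped although they fall inside your whitelist networks: a sign
    that the <spamd-white> table is missing an entry or the rdr order is wrong."""
    nets = [ip_network(c) for c in whitelist_cidrs]
    return sorted(src for src in trapped_by_source(records)
                  if any(ip_address(src) in n for n in nets))

def burst_sources(counts, threshold):
    """Sources that opened at least `threshold` trapped connections."""
    return sorted(src for src, n in counts.items() if n >= threshold)
```

Feed it the real tcpdump output once the rules are loaded; a whitelisted relay showing up in whitelist_leaks means the second rdr rule is not excluding it as intended.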




  Here is my formula (mod 5/19)
by Will Backman (216.220.225.229) on Wed Nov 8 14:21:18 2006 (GMT)
http://cisx1.uma.maine.edu/~wbackman/spamd.html
  Here is a formula for a drop-in spamd transparent bridge.
It works so far.

http://cisx1.uma.maine.edu/~wbackman/spamd.html

  Re: Using spamd(8) on a Transparent Bridge (mod -4/18)
by Anonymous Coward (195.29.148.236) on Wed Nov 8 14:51:39 2006 (GMT)
  Could you please explain these two contradictory (to me) statements:

1) sysctl net.inet.ip.forwarding=1 (this enables forwarding: packets not destined to "us" are forwarded, i.e. routed)

2) "The rdr statement rewrites the destination address, but it won't be routed properly. Actually, it won't be routed at all - the destination is rewritten but the routing table is not consulted."

Why are we dealing with forwarding if the routing table is not consulted at all? Forwarding should consult the routing table. Please explain, I'm obviously missing something here.

  Re: A transparent spamd(8) bridge (mod 1/17)
by Anonymous Coward (75.132.114.37) on Wed Nov 8 16:04:22 2006 (GMT)
  How fortuitous; I was looking into this in the wee hours of the morning today.

I'm having a problem visualizing the routing here, though, so let me see if this is correct.

The switch is plugged in to fxp0 (for example). fxp1 then would connect to the mail server via crossover cable, I would assume.

The bridge operates at layer 2, so the switch sees the MAC address of the mail server's NIC? And it will also see the MAC address of fxp0, which has a legitimate routable IP address?

And the TCP segments with spamd will have the address as the bridge's external IP? That is, if I attempt a connect to the mail server IP and get routed to lo0's spamd, what IP address am I talking to?

I was going to trace this out last night and was installing 4.0 on a machine connected via a Belkin KVM. Switched over to another machine to do some browsing. Switched back at the end of the install and had no keyboard access to type "done halt", so there it sits until tonight.....


  Re: A transparent spamd(8) bridge (mod -6/18)
by Martijn Rijkeboer (145.100.55.162) on Wed Nov 8 16:21:18 2006 (GMT)
http://www.bunix.org/

Nice article, but shouldn't spamd be told about good mailservers, so whitelisted addresses aren't removed after 30 days?

For example:

pass out log quick on $ext_if inet proto tcp from $mailserver_ip to any \
      port smtp keep state

  Re: A transparent spamd(8) bridge (mod -6/18)
by david (64.113.73.133) (dlg+undeadly@dorkzilla.org) on Wed Nov 8 20:28:16 2006 (GMT)
  You mention using soekris machines. Do you just use the greylisting and DNSRBL capabilities of spamd, then, and count on that being sufficient to knock down the bulk of the mail? I can't imagine a soekris being able to handle something like spamassassin.

  Re: A transparent spamd(8) bridge (mod 1/21)
by Jason L. Wright (134.20.35.80) (jason@openbsd.org) on Thu Nov 9 17:32:59 2006 (GMT)
http://www.thought.net/jason
  Does anyone but me have a hard time picturing beck@ swooping like a ninja?
