OpenBSD Journal

Heads Up: spamd(8) PF Rule Change

Contributed by tbert on from the divert-power-to-shields dept.

With a recent commit, Reyk Flöter (reyk@) flipped the switch on spamd(8)'s pf interfacement:

Change spamd to use divert-to instead of rdr-to.

divert-to has many advantages over rdr-to for proxies.  For example,
it is much easier to use, requires less code, does not depend on
/dev/pf, works in-band without the asynchronous lookup (DIOCNATLOOK
ioctl), saves us from additional port allocations by the rdr/NAT code,
and even avoids potential collisions and race conditions that could
theoretically happen with the lookup.

Heads up: users will have to update their spamd PF rules from rdr-to
to divert-to.  spamd now also listens to 127.0.0.1 instead of "any"
(0.0.0.0) by default which should be fine with most setups but has to
be considered for some special configurations.

Those of you running spamd setups looking to upgrade need to double-check your pf configurations to make sure they still work the way you expect.
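
One way to do that double-check, as an added example that is not part of the commit or of spamd itself: a shell function that joins backslash-continued pf.conf lines and flags rules still using rdr-to toward the spamd port, plus divert-to rules whose target is not the new default listen address 127.0.0.1. The function names, the sample ruleset (interfaces em1/em2, address 192.0.2.10) and the STALE/CHECK labels are assumptions made for illustration; 8025 is the port number behind the "spamd" service name.

```shell
#!/bin/sh
# Added example: audit pf.conf for spamd rules affected by the rdr-to -> divert-to change.

# Constructed sample ruleset: one pre-change rule (rdr-to), one post-change
# rule (divert-to), and one divert-to rule aimed at a non-default address.
sample_pf_conf() {
cat <<'EOF'
table <spamd-white> persist
# old style, must be converted
pass in on egress proto tcp from any to any port smtp \
    rdr-to 127.0.0.1 port spamd
pass in on em1 proto tcp to any port smtp \
    divert-to 127.0.0.1 port spamd
pass in on em2 proto tcp to any port smtp divert-to 192.0.2.10 port 8025
pass in log on egress proto tcp from <spamd-white> to any port smtp
EOF
}

# audit_spamd_rules FILE
# Joins continued lines into one logical rule, then prints:
#   STALE <line>: rule   still uses rdr-to toward the spamd port
#   CHECK <line>: rule   divert-to target is not 127.0.0.1, so spamd must
#                        be configured to listen on that address
audit_spamd_rules() {
    awk '
    {
        sub(/#.*/, "")                      # drop comments (simplified)
        if (buf == "") start = NR           # first physical line of a rule
        if (sub(/\\[ \t]*$/, "")) { buf = buf $0 " "; next }
        rule = buf $0; buf = ""
        gsub(/[ \t]+/, " ", rule)           # normalise whitespace
        if (rule !~ /port (spamd|8025)( |$)/) next
        if (rule ~ / rdr-to /)
            printf "STALE %d: %s\n", start, rule
        else if (rule ~ / divert-to / && rule !~ / divert-to 127\.0\.0\.1 /)
            printf "CHECK %d: %s\n", start, rule
    }' "$1"
}

# Stand-alone use: pass the ruleset path as the first argument.
if [ $# -gt 0 ]; then
    audit_spamd_rules "$1"
fi
```

An empty result means no rule in the file matched either condition; it does not replace parsing the ruleset with pfctl.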



Comments
  1. By Just Another OpenBSD User (95.42.212.65) on

    Do these need a quick review/update possibly?

    http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/share/man/man5/pf.conf.5
    http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/www/faq/pf/tagging.html

    Comments
    1. By Otto Moerbeek (otto) on http://www.drijf.net

      > Do these need a quick review/update possibly?
      >
      > http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/share/man/man5/pf.conf.5
      > http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/www/faq/pf/tagging.html

      man page: yes
      faq: not yet, the faq describes last release.
