Contributed by deanna on from the cheque-is-in-the-mail dept.
I work as security/system admin at the University of Alberta. Every so often my boss (beck@) or I are called to swoop in like ninjas to rescue someone's mail server from a joe-job or the mail virus du jour. This involves putting a spamd box inline with their mail processors. To make this work, we use a box with at least two network interfaces (names like Nexcom, Commell and Soekris come to mind because they're easy to carry around) and an IP address on the same subnet as the mail server to be protected.

For this example, I am protecting my workstation from my laptop with a Nexcom. The interface closest to the edge of the case (fxp2) is designated the external interface, and is given an address (172.16.5.111) on the same subnet as the protected mail server. The other interface (fxp0) is brought up without an address, and both are added to a bridge:

    ifconfig fxp0 up
    ifconfig fxp2 inet 172.16.5.111 netmask 255.255.255.0 up
    route add default 172.16.5.1
    ifconfig bridge0 create
    brconfig bridge0 add fxp0 add fxp2 up

At this point, the machine is forwarding ethernet frames, but is not doing any filtering. Thus, connections to the mail server are passed unmolested. This is what we are trying to prevent. Enter pf. The net.inet.ip.forwarding sysctl must be set to 1 because network address translation and redirection involve routing - it's not just ethernet any more.

    sysctl net.inet.ip.forwarding=1
    pfctl -ef /etc/pf.conf

The stock pf.conf that ships with OpenBSD comes close, but it doesn't work on a bridge. The rdr statement rewrites the destination address, but the packet won't be routed properly. Actually, it won't be routed at all - the destination is rewritten but the routing table is not consulted. Thus, you get packets on the wire headed for localhost - which doesn't work. Pf of course has an answer for this. If you think you know better than the routing table where a packet should go, you can name the interface it should be sent out of with route-to. Because the smtp connection is to be handled by spamd on localhost, it should be routed out the lo0 interface.

Enough with the chatter, here's a pf.conf that will trap smtp connections passing through a bridge and send them to spamd on localhost.

    ext_if="fxp2"
    table <spamd> persist
    table <spamd-white> persist
    rdr on $ext_if inet proto tcp from <spamd> to port smtp \
        -> 127.0.0.1 port spamd
    rdr on $ext_if inet proto tcp from !<spamd-white> to port smtp \
        -> 127.0.0.1 port spamd
    # "log" so you can watch the connections getting trapped
    pass in log on $ext_if route-to lo0 inet proto tcp to 127.0.0.1 port spamd

There you have it - everything required to set up a bump-in-the-wire spam trap. While I have given commands which will produce the desired result, this configuration can be made permanent by editing the relevant configuration files.
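As an added example (not from the article or its author), here is a POSIX shell script that writes the OpenBSD files which make the bridge, address, default route and forwarding sysctl permanent, prints the bridge-aware pf.conf for a given external interface, and runs a static check for the pitfall described above: an rdr to 127.0.0.1 that has no matching pass rule with route-to lo0. The file names are the standard OpenBSD ones (hostname.if(5), mygate(5), sysctl.conf(5), pf.conf(5)); the function names and the check are my own; the interface names and addresses in the demo are the article's and are passed in as arguments so they can be changed.

```shell
#!/bin/sh
# Added example, not part of the original article. Generates the files that make
# the bump-in-the-wire spamd setup permanent on OpenBSD and checks the pf.conf
# for the bridge pitfall the article describes (rdr without route-to lo0).
# File names are the standard OpenBSD ones; function names are my own.

# gen_hostname_files INT_IF EXT_IF EXT_ADDR NETMASK GATEWAY OUTDIR
# Writes hostname.INT_IF, hostname.EXT_IF, hostname.bridge0, mygate and
# sysctl.conf into OUTDIR (a scratch dir to preview, /etc on the real box).
gen_hostname_files() {
    int_if=$1; ext_if=$2; ext_addr=$3; netmask=$4; gw=$5; out=$6
    mkdir -p "$out" || return 1
    # inside-facing bridge member: no address, just bring it up
    echo "up" > "$out/hostname.$int_if"
    # edge-facing member carries the address on the mail server's subnet
    echo "inet $ext_addr $netmask NONE" > "$out/hostname.$ext_if"
    # hostname.bridge0: one brconfig(8)/ifconfig(8) argument group per line
    printf 'add %s\nadd %s\nup\n' "$int_if" "$ext_if" > "$out/hostname.bridge0"
    # default route, so redirected traffic has somewhere to go
    echo "$gw" > "$out/mygate"
    # rdr and route-to need IP forwarding, as the article notes
    echo "net.inet.ip.forwarding=1" > "$out/sysctl.conf"
}

# gen_pf_conf EXT_IF
# Prints the article's bridge-aware pf.conf for the given external interface.
gen_pf_conf() {
    cat <<EOF
ext_if="$1"
table <spamd> persist
table <spamd-white> persist
rdr on \$ext_if inet proto tcp from <spamd> to port smtp \\
    -> 127.0.0.1 port spamd
rdr on \$ext_if inet proto tcp from !<spamd-white> to port smtp \\
    -> 127.0.0.1 port spamd
# "log" so you can watch the connections getting trapped
pass in log on \$ext_if route-to lo0 inet proto tcp to 127.0.0.1 port spamd
EOF
}

# check_route_to PF_CONF
# Returns 0 when an rdr that sends smtp to 127.0.0.1 is paired with a pass rule
# that route-to's lo0, 1 otherwise. This is a static stand-in for the article's
# point that on a bridge rdr alone leaves packets for 127.0.0.1 on the wire;
# pfctl -nf on the OpenBSD box remains the authoritative syntax check.
check_route_to() {
    # join backslash-continued lines so each rule is inspected as one unit
    joined=$(sed -e :a -e '/\\$/N; s/\\\n//; ta' "$1")
    printf '%s\n' "$joined" | grep -q '^rdr .*-> *127\.0\.0\.1 port' || return 1
    printf '%s\n' "$joined" | grep -q '^pass in .*route-to lo0 .*to 127\.0\.0\.1 port' || return 1
}

# Demo with the article's values, written to a scratch directory for review.
demo_dir=$(mktemp -d)
gen_hostname_files fxp0 fxp2 172.16.5.111 255.255.255.0 172.16.5.1 "$demo_dir"
gen_pf_conf fxp2 > "$demo_dir/pf.conf"
if check_route_to "$demo_dir/pf.conf"; then
    echo "files written to $demo_dir; pf.conf pairs its rdr with route-to lo0"
else
    echo "pf.conf in $demo_dir redirects to localhost without route-to lo0" >&2
fi
```

Run it as-is to preview the generated files, then copy them into /etc on the spamd box and reboot, or apply them by hand with the commands given in the article. The check deliberately stays a plain-text one so it can be run anywhere; before enabling the rules for real, load them with pfctl -nf /etc/pf.conf to let pf itself parse them.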