Solved Help with spamd rule order

I have the following pf.rules:

Code:
# macros
net="vtnet0"
lo="lo0"

# create tables
table <ssh-bruteforce> persist
table <spamd-white> persist
table <nospamd> persist file "/usr/local/etc/mail/nospamd"

# Types
icmp_types = "{ echoreq, unreach }"
icmp6_types="{ 2, 128 }"
icmp6_types_ext_if="{ 128, 133, 134, 135, 136, 137 }"
tcp46_services="{ 2290, 80, 25, 993, 465, 62001, 62002, 8880, 8390, 8123 }"
tcp46_services_ext_if="{ 53 }" # DNS zone transfer
udp6_services_ext_if="{ 53, 123, 1194, 546}" # 546 == dhcpv6-client

# Logging
set loginterface $net
scrub in all

# antispoof and ping through
set skip on $lo
antispoof for $net inet

# default policy - block everything
block in all
pass out all

# allow ping reply, enable scrubbing works against attacks that use fragmented packets
pass inet proto icmp all icmp-type $icmp_types

# IPv6
pass in quick on $net inet6 proto ipv6-icmp icmp6-type $icmp6_types keep state
pass in quick on $net inet6 proto ipv6-icmp from any to { ($net ), ff02::1/16 } icmp6-type $icmp6_types_ext_if keep state
pass in quick on $net inet6 proto tcp from any to any port $tcp46_services flags S/SA keep state
pass in quick on $net inet6 proto tcp from any to ( $net ) port $tcp46_services_ext_if flags S/SA keep state
pass in quick on $net inet6 proto udp from any to ( $net ) port $udp6_services_ext_if keep state

# Table for OpenSSH brute-force sources (name must match the table defined above)
block quick from <ssh-bruteforce>

# Sendmail
pass in log on $net proto tcp from any to $net port 25
pass in log on $net proto tcp from any to $net port 465

# spamd redirect
no rdr inet proto tcp from <spamd-white> to any port 25
rdr pass inet proto tcp from any to any port 25 -> 127.0.0.1 port 8025

# openssh and ssh accessible from anywhere, max 5 connections, ban more than 4 connections in 60 secs, log everything
pass in log on $net proto tcp from any to $net port 2290 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 15/5, overload <ssh-bruteforce> flush global)
pass in log on $net proto { tcp udp } from any to $net port 1194 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 15/5, overload <ssh-bruteforce> flush global)

However, pfctl -f /etc/pf.rules comes up with an error:
Code:
/etc/pf.rules:49: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.rules:50: Rules must be in order: options, normalization, queueing, translation, filtering

I know there is something wrong with the order here, but I wasn't able to figure out what's happening. Anyone willing to help me with some detailed explanation about why this isn't working?

I'm not even sure if the spamd redirect is considering "queueing or filtering" at this point.

Thanks
 
Both rdr and nat rules fall under translation (NAT stands for network address translation). Move your rdr rules so that they are before any filter rules.
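A reordered version of the ruleset from the question, added here as an illustration (it is not the original poster's final file): the two spamd rdr rules are moved into a translation section ahead of the first block/pass rule, and the IPv6/ICMP rules are left out for brevity. Macro and table names are the ones from the post.

```pf
# macros (from the original ruleset)
net="vtnet0"
lo="lo0"
tcp46_services="{ 2290, 80, 25, 993, 465, 62001, 62002, 8880, 8390, 8123 }"

# tables (from the original ruleset)
table <ssh-bruteforce> persist
table <spamd-white> persist
table <nospamd> persist file "/usr/local/etc/mail/nospamd"

# 1. options
set loginterface $net
set skip on $lo

# 2. normalization
scrub in all

# 3. queueing: none in this ruleset

# 4. translation: every nat/rdr rule must sit here, before the first filter rule
#    whitelisted senders bypass spamd and reach the real MTA on port 25
no rdr inet proto tcp from <spamd-white> to any port 25
#    everything else on port 25 is redirected to spamd; "rdr pass" also
#    passes the redirected packets without consulting the filter rules below
rdr pass inet proto tcp from any to any port 25 -> 127.0.0.1 port 8025

# 5. filtering: antispoof, block and pass rules all come after the rdr rules
antispoof for $net inet
block in all
pass out all

# brute-force sources collected by the overload rule below
block quick from <ssh-bruteforce>

# Sendmail: port 25 here only matters for hosts that skipped the redirect
pass in log on $net proto tcp from any to $net port 25
pass in log on $net proto tcp from any to $net port 465

# ssh with connection-rate limiting
pass in log on $net proto tcp from any to $net port 2290 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 15/5, overload <ssh-bruteforce> flush global)
```

Check the file with pfctl -nf /etc/pf.rules first, which parses the ruleset without loading it, so an ordering mistake is reported before the running rules are touched.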
 