A relevant excerpt from my current firewall setup:
Code:
[...]
MAIL_INT="192.168.x.x"
MAIL_EXT="148.x.x.x"
[...]
rdr pass log on $ext_if proto tcp from any to $MAIL_EXT port { 25 80 443 465 587 993 995 } -> $MAIL_INT
nat pass log on $ext_if from $MAIL_INT to any -> $MAIL_EXT
[...]
### Deny rogue redirection
no rdr
# Anchor for fail2ban
anchor "f2b/*"
### Default blocking
block drop in log on $ext_if
pass out
I have a mail server running in a jail which has a dedicated IP I added as an alias in rc.conf. The redirection works as expected. However, the blocking, once fail2ban adds IPs, does not. Searching for similar issues, I came across Thread 52893, pointing me toward the fact that the 'pass' keyword bypasses other rules, which makes sense. When I remove the keyword, the redirection stops working altogether. I don't understand why. Could someone enlighten me?
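Added example (not from the post above): a pf.conf ordering in which the fail2ban anchor is applied to the redirected mail traffic while the redirection keeps working. It assumes $ext_if is defined (the post never names the interface) and that fail2ban loads its usual "block quick" rules into the f2b anchors; the addresses are the post's own placeholders.

```pf
ext_if="em0"                      # assumption: interface name not given in the post
MAIL_INT="192.168.x.x"            # jail address (placeholder from the post)
MAIL_EXT="148.x.x.x"              # public alias (placeholder from the post)
mail_ports="{ 25 80 443 465 587 993 995 }"

### Translation
# No "pass" here: with "rdr pass" the translated packet skips the filter
# ruleset entirely, so the f2b anchor never sees it. Without "pass" the
# packet continues into the filter rules below and can be blocked there.
# ("log" is only valid together with "pass" on an rdr rule, so it is dropped.)
rdr on $ext_if proto tcp from any to $MAIL_EXT port $mail_ports -> $MAIL_INT
nat on $ext_if from $MAIL_INT to any -> $MAIL_EXT

### fail2ban
# Evaluated before the pass rule; fail2ban's "block quick from <f2b-...>"
# entries stop evaluation for banned sources.
anchor "f2b/*"

### Default blocking
block drop in log on $ext_if

### Allow the redirected mail traffic
# This is the rule that was missing once "pass" was removed from rdr:
# filter rules see the packet *after* translation, so the destination to
# match is the jail's internal address, not the public alias.
pass in log on $ext_if proto tcp from any to $MAIL_INT port $mail_ports
pass out
```

Check the file with pfctl -nf /etc/pf.conf before loading it, and pfctl -sA lists the anchors that are actually loaded.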