# IPFW - fwd to obspamd interface not receiving packets



## Lopan (Mar 21, 2013)

Greetings,

I have a fresh install of FreeBSD 8.3-RELEASE. This machine is used as a NAT box and border mail server.  IPFW rules forwarding to ports on internal net servers (IMAP/POP, and WWW) are working as they should, but my fwd rule to send port 25 traffic on the border mail server to spamd is being bypassed for some reason.  I've read the docs for the IPFW setup and the Man pages, but I'm stuck. 

The spamd daemon is alive and answers when I telnet to localhost 8025.

I'm hoping someone can spot what I'm doing wrong here.

Thanks


```
ns1# more /boot/loader.conf 
netgraph_load="YES"
ng_iface_load="YES"
ng_ipfw_load="YES"
ng_tee_load="YES"
```


```
ns1# kldstat
Id Refs Address    Size     Name
 1   14 0xc0400000 c785b4   kernel
 2    1 0xc1079000 4138     ng_iface.ko
 3    5 0xc107e000 d9b4     netgraph.ko
 4    1 0xc108c000 2b78     ng_tee.ko
 5    1 0xc108f000 1a90     ng_ipfw.ko
 6    1 0xc7e96000 4000     fdescfs.ko
 7    1 0xc82f9000 4000     ng_socket.ko

ns1# ngctl list
There are 3 total nodes:
  Name: ng0             Type: iface           ID: 00000003   Num hooks: 1
  Name: ipfw            Type: ipfw            ID: 00000001   Num hooks: 1
  Name: ngctl8728       Type: socket          ID: 0000000f   Num hooks: 0

ns1# ngctl type
There are 4 total types:
      Type name   Number of living nodes
      ---------   ----------------------
         socket       1
           ipfw       1
            tee       0
          iface       1

ns1# more /etc/natd.conf
use_sockets yes
same_ports yes
redirect_port   tcp 192.168.10.150:80 66.207.*.*:80

redirect_port   tcp 192.168.10.88:465 66.207.*.*:465
redirect_port   tcp 192.168.10.88:993 66.207.*.*:993
redirect_port   tcp 192.168.10.88:995 66.207.*.*:995
redirect_port   tcp 192.168.10.88:2525 66.207.*.*:2525

redirect_port   tcp 192.168.10.88:8088 66.207.*.*:8088
redirect_port   tcp 192.168.10.88:8089 66.207.*.*:8089


ns1# ipfw show
00100     88     36184 allow ip from any to any via lo0
00200      0         0 deny ip from any to 127.0.0.0/8
00300      0         0 deny ip from 127.0.0.0/8 to any
00400      0         0 deny ip from any to ::1
00500      0         0 deny ip from ::1 to any
00600      0         0 allow ipv6-icmp from :: to ff02::/16
00700      0         0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800      0         0 allow ipv6-icmp from fe80::/10 to ff02::/16
00900      0         0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000      0         0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100      0         0 deny ip from 192.168.10.1 to any in via fxp1
01200   9332    548352 deny ip from 66.207.*.* to any in via fxp0
01300      0         0 deny ip from any to 10.0.0.0/8 via fxp1
01400      0         0 deny ip from any to 172.16.0.0/12 via fxp1
01500      0         0 deny ip from any to 192.168.0.0/16 via fxp1
01600      0         0 deny ip from any to 0.0.0.0/8 via fxp1
01700      0         0 deny ip from any to 169.254.0.0/16 via fxp1
01800      0         0 deny ip from any to 192.0.2.0/24 via fxp1
01900      0         0 deny ip from any to 224.0.0.0/4 via fxp1
02000      0         0 deny ip from any to 240.0.0.0/4 via fxp1
02100 365792 108477678 divert 8668 ip4 from any to any via fxp1
02200      2       104 deny ip from 10.0.0.0/8 to any via fxp1
02300      0         0 deny ip from 172.16.0.0/12 to any via fxp1
02400      7       280 deny ip from 192.168.0.0/16 to any via fxp1
02500      0         0 deny ip from 0.0.0.0/8 to any via fxp1
02600      0         0 deny ip from 169.254.0.0/16 to any via fxp1
02700      0         0 deny ip from 192.0.2.0/24 to any via fxp1
02800      1        40 deny ip from 224.0.0.0/4 to any via fxp1
02900      1        40 deny ip from 240.0.0.0/4 to any via fxp1
03000 395168 178856474 allow tcp from any to any established
03100      0         0 allow ip from any to any frag
03200      0         0 fwd 127.0.0.1,8025 tcp from table(2) to me dst-port 25 in
03300      0         0 ngtee 555 tcp from table(1) to me dst-port 25 in
03400      0         0 allow tcp from table(1) to me dst-port 25 in
03500    171      9236 fwd 127.0.0.1,8025 tcp from any to me dst-port 25 in
03600      0         0 fwd 192.168.10.88,2525 tcp from any to any dst-port 2525
03700      4       256 fwd 192.168.10.88,465 tcp from any to any dst-port 465
03800  18794   1104944 fwd 192.168.10.88,993 tcp from any to any dst-port 993
03900    136      8704 fwd 192.168.10.88,995 tcp from any to any dst-port 995
04000      0         0 allow tcp from any to me dst-port 53 setup
04100      0         0 allow udp from any to me dst-port 53
04200  68592   5388585 allow udp from me 53 to any
04300      0         0 allow tcp from any to me dst-port 80 setup
04400   2996    174744 allow tcp from any to any dst-port 80 setup
04500      0         0 fwd 192.168.10.150,80 tcp from any to any dst-port 80
04600      0         0 allow tcp from any to 66.207.67.7 dst-port 8080 setup
04700      0         0 allow tcp from any to any dst-port 7777 setup
04800      0         0 fwd 192.168.10.151,7777 tcp from any to any dst-port 7777
04900      0         0 allow tcp from any to any dst-port 8050 setup
05000      0         0 fwd tablearg,554 tcp from any to any dst-port 554 setup
05100      0         0 fwd tablearg,554 udp from any to any dst-port 554
05200      0         0 fwd tablearg,7070 tcp from any to any dst-port 7070
05300      4       200 fwd 192.168.10.201,8080 tcp from any to any dst-port 8080
05400      0         0 fwd 192.168.10.30,8050 tcp from any to any dst-port 8050
05500      0         0 fwd 192.168.10.201,5000 tcp from any to any dst-port 5000
05600      0         0 fwd tablearg,8000 tcp from any to any dst-port 8000
05700      0         0 fwd tablearg,8001 tcp from any to any dst-port 8001
05800      0         0 allow udp from any 554 to any dst-port 6970-6980
05900      0         0 fwd 192.168.10.88,8089 tcp from any to any dst-port 8089
06000     21      1108 allow tcp from any to any dst-port 22 in via 66.207.67.7 setup
06100      0         0 allow tcp from any to any dst-port 22 in via 192.168.10.1 setup
06200      0         0 allow tcp from any 20 to any dst-port 1024-65535 setup
06300      1        40 allow tcp from any to any dst-port 21 in via 66.207.67.7 setup
06400    371     17931 deny log ip4 from any to any in via fxp1 setup proto tcp
06500   6029    384044 allow tcp from any to any setup
06600   2172    251395 allow udp from me to any dst-port 53 keep-state
06700   9525    723900 allow udp from me to any dst-port 123 keep-state
65535 582255  80934226 allow ip from any to any
```


```
ns1# netstat -an|grep LISTEN
tcp4       0      0 127.0.0.1.8026         *.*                    LISTEN
tcp4       0      0 127.0.0.1.8025         *.*                    LISTEN
tcp4       0      0 *.587                  *.*                    LISTEN
tcp4       0      0 *.25                   *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.953          *.*                    LISTEN
tcp4       0      0 127.0.0.1.53           *.*                    LISTEN
tcp4       0      0 192.168.10.1.53        *.*                    LISTEN
```


I used the document text below as a guide:
Using spamd with IPFW.
---------------------

FreeBSD port of the OpenBSD spamd is designed to work with IPFW or PF firewalls. This howto is related to the IPFW spamd mode.

To install spamd you need to compile your kernel with the "options IPFIREWALL_FORWARD" option.

You will need to add rules to your firewall configuration script.
   E.g.:
        # bsd spamd rules set. Use table 1 and 2 for white and black listing
`# ${fwcmd} add fwd 127.0.0.1,8025 tcp from table\(2\) to me 25 in`
`# ${fwcmd} add allow tcp from table\(1\) to me 25 in`
`# ${fwcmd} add fwd 127.0.0.1,8025 tcp from any to me 25 in`

Then add to rc.conf lines like:

```
obspamd_enable="yes"
obspamd_flags="-m ipfw"
```
See the spamd(8) manual for additional keys. You also need to use "-m ipfw" with the spamd-setup and spamlogd utilities. If you want to change the default IPFW table number, use the '-t' option.

If you are using greylisting and want to use the spamd whitelist update daemon 'spamlogd', you will need to set up a netgraph interface for it. Here is an example:

Load netgraph modules:
`#  kldload netgraph.ko`
`#  kldload ng_iface.ko`
`#  kldload ng_ipfw.ko`

Add IPFW rules to deny all traffic on the pseudo interface:
`#  ipfw add 1 deny ip from any to any via ng0`
Add IPFW rules to tee traffic to the netgraph system, using ng_ipfw. You need to add this line before 'allow tcp from table\(1\) to me 25 in' in your firewall configuration:
`# ${fwcmd}  add ngtee 555 tcp from table\(1\) to me 25 in`
Create the ng0 interface and connect it to the ipfw hook:
`#  ngctl mkpeer ipfw: iface 555 inet`
`#  ifconfig ng0 up`
Add to rc.conf a line like:

```
obspamlogd_enable="YES"
obspamlogd_flags="-m ipfw -l ng0"
```

Make a startup script for steps 5.1-5.4 and add it to your startup commands.


----------
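A check that fits the question above, as an added example that is not part of the original post: compare two `ipfw show` snapshots taken before and after one test connection to port 25 to see which rules actually counted packets. The function names `rule_deltas` and `demo` are hypothetical, and the "after" snapshot is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): diff two `ipfw show` snapshots to see
# which rules a test connection actually incremented.

# rule_deltas BEFORE AFTER
# Prints "<rule> +<packets> <rule body>" for every rule whose packet counter
# grew between the two snapshot files. Rules are keyed on number plus body,
# because ipfw allows several rules to share one number.
rule_deltas() {
  awk '
    $1 !~ /^[0-9]+$/ { next }    # skip shell prompts and blank lines
    {
      body = $0
      sub(/^[0-9]+ +[0-9]+ +[0-9]+ +/, "", body)   # drop number and counters
      key = $1 " " body
    }
    FILENAME == ARGV[1] { seen[key] = $2 + 0; next }
    (key in seen) && ($2 + 0) > seen[key] {
      printf "%s +%d %s\n", $1, $2 - seen[key], body
    }
  ' "$1" "$2"
}

# demo: "before" holds rules 03000-03500 exactly as posted; "after" is a
# CONSTRUCTED snapshot (counters invented for illustration).
demo() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/before" <<'EOF'
03000 395168 178856474 allow tcp from any to any established
03100      0         0 allow ip from any to any frag
03200      0         0 fwd 127.0.0.1,8025 tcp from table(2) to me dst-port 25 in
03300      0         0 ngtee 555 tcp from table(1) to me dst-port 25 in
03400      0         0 allow tcp from table(1) to me dst-port 25 in
03500    171      9236 fwd 127.0.0.1,8025 tcp from any to me dst-port 25 in
EOF
  cat > "$dir/after" <<'EOF'
03000 395177 178857014 allow tcp from any to any established
03100      0         0 allow ip from any to any frag
03200      0         0 fwd 127.0.0.1,8025 tcp from table(2) to me dst-port 25 in
03300      0         0 ngtee 555 tcp from table(1) to me dst-port 25 in
03400      0         0 allow tcp from table(1) to me dst-port 25 in
03500    172      9296 fwd 127.0.0.1,8025 tcp from any to me dst-port 25 in
EOF
  rule_deltas "$dir/before" "$dir/after"
  rm -rf "$dir"
}

demo
```

On the live host, save `ipfw show` to a file before and after a single test connection and pass both files to `rule_deltas`; rules that stay at zero, such as the table-based ones in the posted output, were never matched.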

