Configure a firewall

There is an older article for use with IPFW. I no longer use IPFW in favor of PF, which I recommend that you use as well. The rest of this article assumes the use of PF.

The table referenced in this document refers to OpenBSD's spamd application, found in /usr/ports/mail/spamd on FreeBSD. I have spamd pre-loaded to automatically block all of China, Korea, and the Spamhaus DNSBL.

Example PF config
ext_if="em0"   # actual external interface name i.e., dc0 int_if="em1" loop_if="lo0" int_net="127.0.0.1/8" loop_net="127.0.0.1/8" ext_addr="72.29.111.130" ext_net ="72.29.111.128/27" mail_ports = "{ 25, 110, 143, 465, 587, 993, 995 }"
 * 1) Macros: define common values, so they can be referenced and changed easily.

It would probably be a good idea to change the IP and interface names here :)

table  { 72.29.111.130 72.29.111.133 72.29.111.141 72.29.111.149 }
 * 1) Tables: similar to macros, but more flexible for many addresses.
 * 2) mail_servers are IPs which we run mail servers on.

In this example, my Mail Toaster is running inside a jail on .133. However, I have opened up port 25 on two more IPs, .130 and .149. I do this because I noticed that some spammers were scanning IP ranges for listeners on port 25. So I gave them one that will catch them scanning from the bottom up or top down. More on that later...

table persist table  persist file "/var/mail/whitelist.txt" table      { 72.29.111.130 72.29.111.149 }  is IPs which nobody has any business connecting to. Combined with my script that auto-blocks anyone who connects to it, this will catch anyone scanning blocks of IPs for open ports. -- muhahhaha
 * 1) the table is where we put those who offend us
 * 1) a way to override spamd, useful since I have all of china and korea in

altq on $ext_if bandwidth 10Mb cbq queue { q_default q_mail } queue q_default bandwidth 9Mb cbq(default) queue q_mail bandwidth 1Mb { q_mail_windows } queue q_mail_windows bandwidth 56Kb
 * 1) Queueing: rule-based bandwidth control.

Here I limit how much of my 100Mb can be utilized. I reserve 1Mb for email, and an even smaller 56Kb email queue Windows email senders. More on that later... no rdr on { lo0, lo1 } from any to any rdr inet proto tcp from to any port smtp -> $ext_addr port 8025 pass in quick proto tcp from any to $ext_addr port 8025 keep state pass in quick on $ext_if proto tcp from any to  port smtp \ synproxy state \ (max-src-conn-rate 1/60, overload flush global)
 * 1) Translation: specify how addresses are to be mapped or redirected.
 * 2) spamd-setup puts addresses to be redirected into table.
 * 1) allow traffic to spamd
 * 1) block probes to port 25

This rule catches anyone who makes more than 1 connect in 60 seconds to the IPs in my  list. My readings on the openbsd-misc list led me to conclude that there is not yet an option to do this on the first connect attempt, which is really what I wanted. Hence the reason for writing a script to do it...

pass in quick proto tcp from any os "Windows" to  port smtp \ keep state queue q_mail_windows
 * 1) limit port 25 bandwidth from Windows hosts

Since bot nets of hijacked Windows computers are a significant spam source, we should be able to use that knowledge to prevent spam. But, I do get legit email from Windows servers, I can't just block them entirely. But I can slow them down. This will do for now....

pass in quick proto tcp from any to  port $mail_ports \ keep state queue q_mail
 * 1) allow email connections

And the rest of the mail traffic gets dumped into the normal mail queue.