.if defined(IPFW)

CFLAGS+= -DIPFW

.if ${OSVERSION} < 490000

IGNORE=		IPFW with Tables is required for this port to function properly

.endif

.else

.endif

	@${INSTALL_SCRIPT} -m 555 ${WRKDIR}/pfspamd.sh ${PREFIX}/etc/rc.d/pfspamd.sh

--- spamd/grey.c	Wed Apr 13 03:22:17 2005

+++ spamd/grey.c	Mon Mar 20 15:26:18 2006

@@ -39,6 +39,10 @@

 #include <unistd.h>

 #include <netdb.h>

+#ifdef IPFW

+#include <netinet/ip_fw.h>

+#endif

+

 #include "grey.h"

 extern time_t passtime, greyexp, whiteexp, trapexp;

@@ -65,13 +69,17 @@

 char *traplist_msg = "\"Your address %A has mailed to spamtraps here\\n\"";

 pid_t db_pid = -1;

-int pfdev;

 int spamdconf;

+#ifdef IPFW

+extern int tabno;

+#else

+int pfdev;

 static char *pargv[11]= {

 	"pfctl", "-p", "/dev/pf", "-q", "-t",

 	"spamd-white", "-T", "replace", "-f" "-", NULL

 };

+#endif

 /* If the parent gets a signal, kill off the children and exit */

 /* ARGSUSED */

@@ -104,6 +112,7 @@

 	return(0);

 }

+#ifndef IPFW

 int

 configure_pf(char **addrs, int count)

 {

@@ -166,11 +175,54 @@

 	for (i = 0; i < count; i++)

 		if (addrs[i] != NULL)

 			fprintf(pf, "%s/32\n", addrs[i]);

+

 	fclose(pf);

 	waitpid(pid, NULL, 0);

 	sigaction(SIGCHLD, &sa, NULL);

 	return(0);

 }

+#else

+int

+configure_pf(char **addrs, int count)

+{

+	int s = -1;

+	ipfw_table_entry ent;

+	int i;

+

+	if (s == -1)

+		s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);

+	if (s < 0)

+	{

+		syslog_r(LOG_INFO, &sdata, "IPFW socket unavailable (%m)");

+		return(-1);

+	}

+

+	/* flush the table */	

+	ent.tbl = tabno;

+	if (setsockopt(s, IPPROTO_IP, IP_FW_TABLE_FLUSH,  &ent.tbl, sizeof(ent.tbl)) < 0)

+	{

+		syslog_r(LOG_INFO, &sdata, "IPFW setsockopt(IP_FW_TABLE_FLUSH) (%m)");

+		return(-1);

+	}

+

+	for (i = 0; i < count; i++)

+		if (addrs[i] != NULL)

+	{

+		/* add addrs[i] to tabno */

+		ent.tbl = tabno;

+		ent.masklen = 32;

+		ent.value = 0;

+		inet_aton(addrs[i], (struct in_addr *)&ent.addr);

+		if (setsockopt(s, IPPROTO_IP, IP_FW_TABLE_ADD,  &ent, sizeof(ent)) < 0)

+		{

+			syslog_r(LOG_INFO, &sdata, "IPFW setsockopt(IP_FW_TABLE_ADD) (%m)");

+			return(-1);

+		}

+	}

+

+	return(0);

+}

+#endif

 void

 freeaddrlists(void)

@@ -590,11 +642,13 @@

 	int i;

 	struct sigaction sa;

+#ifndef IPFW

 	pfdev = open("/dev/pf", O_RDWR);

 	if (pfdev == -1) {

 		syslog_r(LOG_ERR, &sdata, "open of /dev/pf failed (%m)");

 		exit(1);

 	}

+#endif

 	/* check to see if /var/db/spamd exists, if not, create it */

 	if ((i = open(PATH_SPAMD_DB, O_RDWR, 0)) == -1 && errno == ENOENT) {

@@ -636,7 +690,9 @@

 		 * child, talks to jailed spamd over greypipe,

 		 * updates db. has no access to pf.

 		 */

+#ifndef IPFW

 		close(pfdev);

+#endif

 		setproctitle("(%s update)", PATH_SPAMD_DB);

 		greyreader();

 		/* NOTREACHED */

@@ -655,7 +711,11 @@

 	sigaction(SIGCHLD, &sa, NULL);

 	sigaction(SIGINT, &sa, NULL);

+#ifndef IPFW

 	setproctitle("(pf <spamd-white> update)");

+#else

+	setproctitle("(ipfw white table update)");

+#endif

 	greyscanner();

 	/* NOTREACHED */

 	exit(1);

--- spamd/grey.h	Thu Mar 16 19:55:33 2006

+++ spamd/grey.h	Thu Mar 16 19:55:56 2006

@@ -22,6 +22,7 @@

 #define WHITEEXP (60 * 60 * 24 * 36) /* remove white entries after 36 days */

 #define TRAPEXP (60 * 60 * 24) /* hitting a spamtrap blacklists for a day */

 #define PATH_PFCTL "/sbin/pfctl"

+#define PATH_IPFW "/sbin/ipfw"

 #define DB_SCAN_INTERVAL 60

 #define PATH_SPAMD_DB "/var/db/spamd"

--- spamd/spamd.c	Thu Mar 16 20:56:45 2006

+++ spamd/spamd.c	Thu Mar 16 21:07:11 2006

@@ -123,6 +123,10 @@

 pid_t jail_pid = -1;

 u_short cfg_port;

+#ifdef IPFW

+int tabno=1;

+#endif

+

 extern struct sdlist *blacklists;

 int conffd = -1;

@@ -153,6 +157,10 @@

 	    "             [-G mins:hours:hours] [-n name] [-p port]\n");

 	fprintf(stderr,

 	    "             [-r reply] [-s secs] [-w window]\n");

+#ifdef IPFW

+	fprintf(stderr,

+	    "             [-t table_no]\n");

+#endif

 	exit(1);

 }

@@ -958,7 +966,11 @@

 	if (gethostname(hostname, sizeof hostname) == -1)

 		err(1, "gethostname");

+#ifdef IPFW

+	while ((ch = getopt(argc, argv, "45b:c:B:p:dgG:r:s:n:vw:t:")) != -1) {

+#else

 	while ((ch = getopt(argc, argv, "45b:c:B:p:dgG:r:s:n:vw:")) != -1) {

+#endif

 		switch (ch) {

 		case '4':

 			nreply = "450";

@@ -1015,6 +1027,11 @@

 		case 'v':

 			verbose = 1;

 			break;

+#ifdef IPFW

+		case 't':

+			tabno = atoi(optarg);

+			break;

+#endif

 		case 'w':

 			window = atoi(optarg);

 			if (window <= 0)

--- spamd-setup/spamd-setup.c	Wed Apr 13 03:18:59 2005

+++ spamd-setup/spamd-setup.c	Fri Mar 17 16:19:25 2006

@@ -41,9 +41,14 @@

 #include <netdb.h>

 #include <zlib.h>

+#ifdef IPFW

+#include <net/if.h>

+#include <netinet/ip_fw.h>

+#endif

+

 #define PATH_FTP		"/usr/bin/ftp"

-#define PATH_PFCTL		"%%LOCAL_PFCTL%%"

-#define PATH_SPAMD_CONF		"%%LOCAL_SPAMD_CONF%%"

+#define PATH_PFCTL		""

+#define PATH_SPAMD_CONF		"/usr/local/etc/spamd.conf"

 #define SPAMD_ARG_MAX		256 /* max # of args to an exec */

 struct cidr {

@@ -93,6 +98,11 @@

 int		debug;

 int		dryrun;

+#ifdef IPFW

+int tabno=2;

+#endif

+

+

 u_int32_t

 imask(u_int8_t b)

 {

@@ -630,6 +640,7 @@

 }

+#ifndef IPFW

 int

 configure_pf(struct cidr **blacklists)

 {

@@ -676,6 +687,51 @@

 	}

 	return(0);

 }

+#else

+int

+configure_pf(struct cidr **blacklists)

+{

+	int s = -1;

+	ipfw_table_entry ent;

+

+	if (s == -1)

+		s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);

+	if (s < 0)

+	{

+		err(1, "IPFW socket unavailable");

+		return(-1);

+	}

+

+	/* flush the table */   

+	ent.tbl = tabno;

+	if (setsockopt(s, IPPROTO_IP, IP_FW_TABLE_FLUSH,  &ent.tbl, sizeof(ent.tbl)) < 0)

+	{

+		err(1, "IPFW setsockopt(IP_FW_TABLE_FLUSH)");

+		return(-1);

+	}

+

+	while (*blacklists != NULL) {

+		struct cidr *b = *blacklists;

+

+		while (b->addr != 0) {

+			/* add b to tabno */

+			ent.tbl = tabno;

+			ent.masklen = b->bits;

+			ent.value = 0;

+			inet_aton(atop(b->addr), (struct in_addr *)&ent.addr);

+			if (setsockopt(s, IPPROTO_IP, IP_FW_TABLE_ADD,  &ent, sizeof(ent)) < 0)

+			{

+				err(1, "IPFW setsockopt(IP_FW_TABLE_ADD)");

+				return(-1);

+			}

+			b++;

+		}

+		blacklists++;

+	}

+

+	return(0);

+}

+#endif

 int

 getlist(char ** db_array, char *name, struct blacklist *blist,

@@ -773,7 +829,11 @@

 	struct servent *ent;

 	int i, ch;

+#ifndef IPFW

 	while ((ch = getopt(argc, argv, "nd")) != -1) {

+#else

+	while ((ch = getopt(argc, argv, "ndt")) != -1) {

+#endif

 		switch (ch) {

 		case 'n':

 			dryrun = 1;

@@ -781,6 +841,11 @@

 		case 'd':

 			debug = 1;

 			break;

+#ifdef IPFW

+		case 't':

+			tabno = atoi(optarg);

+			break;

+#endif

 		default:

 			break;

 		}

--- spamd/spamd.8	Wed Apr 13 03:21:48 2005

+++ spamd/spamd.8	Mon Mar 20 15:12:10 2006

@@ -49,6 +49,8 @@

 daemon which rejects false mail.

 If the

 .Xr pf 4

+or

+.Xr ipfw 4

 packet filter is configured to redirect port 25 (SMTP) to this daemon,

 it will attempt to waste the time and resources of the spam sender.

 .Pp

@@ -151,11 +153,15 @@

 which processes a list of spammers' addresses, and applies appropriate

 .Xr pfctl 8

 .Em rdr

+or

+.Xr ipfw 8

+.Em fwd

 rules.

 .Xr spamd-setup 8

 is run from

 .Xr cron 8 .

 .Sh REDIRECTING SMTP CONNECTIONS

+.Ss "When using PF"

 With

 .Xr pf 4 ,

 connections to port 25 (SMTP) can be redirected to another host or port,

@@ -189,6 +195,8 @@

 can also be used to load addresses into the

 .Em <spamd>

 table.

+

+

 .Xr spamd-setup 8

 also has the added benefit of being able to remove addresses from

 blacklists, and will connect to

@@ -203,6 +211,52 @@

 This is important as it allows legitimate mail

 senders to pressure spam sources into behaving properly so that they

 may be removed from the relevant blacklists.

+

+.Ss "If compiled with IPFW"

+With

+.Xr ipfw 4 ,

+the syntax for redirection of TCP sessions is quite different

+from that of

+.Xr pf 4 .

+The

+.Em fwd

+rule used for this purpose are described in

+.Xr ipfw 8 .

+The rules should be added to the ruleset called by /etc/rc.firewall

+to be present at boot time.

+.Bd -literal -offset 4n

+fwd 127.0.0.1,8025 tcp from table(2) to me 25 in

+allow tcp from table(1) to me 25 in

+fwd 127.0.0.1,8025 tcp from any to me 25 in

+.Ed

+.Pp

+Any addresses in the blacklist table

+.Em 2

+and not in the whitelist table

+.Em 1

+are then redirected to

+.Nm

+running on port 8025.

+Addresses can be loaded into the blacklist

+.Em table ,

+like:

+.Bd -literal -offset 4n

+# ipfw table 1 add a.b.c.d/x

+.Ed

+.Pp

+.Xr spamd-setup 8

+can also be used to load addresses into the blacklist table

+.Em 2 .

+.Pp

+The 

+.Op Fl t Ar table_no

+option to 

+.Em spamd 

+and 

+.Em spamd-setup 

+can be used to change the default table

+numbers.

+

 .Sh CONFIGURATION CONNECTIONS

 .Nm

 listens for configuration connections on the port identified by the

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

To use spamd with ipfw firewall, simply include ipfw rules similar to the 

following:

00400 fwd tcp from table(2) to any dst-port 25

00410 allow tcp from table(1) to any dst-port 25

00420 fwd 127.0.0.1,8025 tcp from any to any dst-port 25 in

Other table numbers can be used by using the -t option to spamd and spamd-setup