From: David Pierron
Date: Thu, 15 Dec 2005 07:45:07 -0500
To: freebsd-pf@freebsd.org
Subject: Re: spamd logging [ud: on bridge]
List-Id: "Technical discussion and general questions about packet filter (pf)"

David Pierron on 12/15/2005 6:15 AM wrote:
> David Pierron on 12/14/2005 8:42 PM wrote:
>
>> I am running FBSD 6.0 if_bridge PF firewall.
>>
>> cd /usr/ports/mail/spamd
>> make install clean
>>
>> Seems to have installed "pfspamd"
>>
>> Anyway, I can't seem to get it to log to a logfile. Even running it
>> non-daemonized "-d" I see no messaging ...
>> /usr/local/libexec/spamd -v -b 127.0.0.1 -d
>>
>> rc.conf
>> pfspamd_enable="YES"
>> pfspamd_flags="-v -b 127.0.0.1"
>>
>> syslog.conf
>> Tried as described in man page:
>> !spamd
>> daemon.err;daemon.warn;daemon.info
>>
>> also tried:
>> !spamd
>> *.*
>>
>> log file just shows that the service started ...
>> I see the states created for it when running pftop
>>
>> I don't know that spamd is actually doing any work to log ...
>
>
> UPDATE: Logging works ... Seems the issue is spamd running on a
> bridge ... I have been trying everything I've found on Google but so
> far nothing is making it work ... The issue is "rdr"ing the
> connection to an interface running spamd ... I am not running NAT
> ... I have tried tags, route-to and individual rules ... I tried
> rdr'ing to an interface besides localhost ... So far nothing is
> working ... What to do?

UPDATE: More searching (used AskJeeves) and I found a message from May 2003:

Daniel Hartmeier:

Yes, a bridge operates at the ethernet level. For an rdr, pf will only replace the destination IP address/port; it doesn't touch the destination MAC address. I assume that in your case, the TCP SYN is sent to the MAC address of the internal host (not the firewall). pf replaces the destination IP address/port and hands the packet back to the bridge, which forwards it based on its destination MAC address.

You can use 'route-to lo0' to cause pf to route the incoming packets to the loopback interface (using 127.0.0.1 as replacement destination address) instead of handing it back to the bridge after translation:

  rdr on $ext_if inet proto tcp from $outside_system to any port smtp -> 127.0.0.1 port 8025
  pass in on $ext_if route-to lo0 inet proto tcp from any to $ext_if port 8025 keep state

Also, if the bridge is transparent (no IP addresses assigned to the interfaces), spamd won't work, as userland on the firewall is isolated from all networks. You need to assign an IP address to the external interface, otherwise there is no routing table entry which spamd needs to send replies to the external client.

Many pf tricks work on bridges, but not all of them. Some require IP addresses assigned to the interfaces, for some you even need to enable IP forwarding. A bridge works very differently from a plain IP forwarder; you'll have to think in terms of ethernet frames, not IP packets. Don't use a bridge if you want the functionality of an IP forwarder.
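A fuller pf.conf for the bridge case Daniel describes, written as an added example and not taken from the thread: it puts the two rules above together with the prerequisites he lists (an IP address on the external member, pf applied on bridge members) and goes one step further by adding the spamd-white table from spamd(8) so senders that have passed greylisting bypass the redirect. Interface names em0/em1, the 192.0.2.2 address and the bridge0 setup are assumptions.

```pf
# Assumed layout: em0 faces the Internet, em1 faces the mail server, both
# are members of bridge0 (rc.conf: cloned_interfaces="bridge0",
# ifconfig_bridge0="addm em0 addm em1 up"). em0 must carry an address,
# e.g. ifconfig_em0="inet 192.0.2.2 netmask 255.255.255.0" (assumed value),
# otherwise spamd has no route back to the external client.
# pf must see traffic on the member interfaces: sysctl
# net.link.bridge.pfil_member=1 (rules below are written "on $ext_if").
ext_if = "em0"
int_if = "em1"
spamd_port = "8025"

# Senders that already passed greylisting; spamd maintains this table.
table <spamd-white> persist

# Whitelisted senders reach the real mail server untouched.
no rdr on $ext_if inet proto tcp from <spamd-white> to any port smtp

# Everyone else is redirected to spamd on the loopback address. rdr only
# rewrites the IP destination; the bridge would still forward the frame by
# its MAC address, so the pass rule below must route it to lo0 explicitly.
rdr on $ext_if inet proto tcp from any to any port smtp \
    -> 127.0.0.1 port $spamd_port

# Filter rules are evaluated after translation, so they match the
# translated destination. route-to lo0 hands the packet to the local
# stack instead of back to the bridge.
pass in on $ext_if route-to lo0 inet proto tcp \
    from any to 127.0.0.1 port $spamd_port keep state

# Whitelisted SMTP traffic keeps flowing through the bridge as before.
pass in  on $ext_if inet proto tcp from <spamd-white> to any port smtp keep state
pass out on $int_if inet proto tcp from any to any port smtp keep state
```

Load it with pfctl -f and confirm the redirect with pfctl -s nat and pfctl -s rules; if spamd still logs nothing, check that em0 really has an address with ifconfig em0.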