On Tue, 10 Oct 2006 23:57:53 +0200, Martin Toft <[EMAIL PROTECTED]> wrote:

--8<----8<----8<----8<--
> rdr pass on $ext_if inet proto tcp from <spamd> to $ext_ip port smtp ->
> 127.0.0.1 port spamd
>
> I'm not familiar with spamd on FreeBSD, only on OpenBSD. On OpenBSD,
> running spamd without greylisting doesn't require traffic logging.
> However, I understand that you want to log incoming traffic, and
> therefore you need to instruct pf to do so (here I split rdr and pass,
> as I don't know if pf accepts "log" in a combined rdr+pass):
>
> rdr on $ext_if inet proto tcp from <spamd> to $ext_ip port smtp ->
> 127.0.0.1 port spamd
> pass in log on $ext_if inet proto tcp from <spamd> to 127.0.0.1 port
> spamd flags S/SA keep state
>
> Now, if any spammer is caught, you should get some output when running
> "tcpdump -i pflog0".
Martin

Thanks for your reply, I've tried your suggestion and it's working!
First thing, in your reply you said to do:

rdr on $ext_if inet proto tcp from <spamd> to $ext_ip port smtp -> 127.0.0.1 port spamd

But I don't have ext_ip defined, only ext_if. I changed it to that -- is that a problem on my end, or a mistype on yours?

So, I have an email from my work, with its IP (199.249.176.8) in the spamd.list loaded into pf, and I think it's stuck!

[10:41:24] [EMAIL PROTECTED] /root]# sockstat | grep 8025
nobody spamd 68820 4 tcp4 *:8025 *:*
nobody spamd 68820 6 tcp4 127.0.0.1:8025 199.249.176.8:2520

But the problem is I can't see it active in the logs. tcpdump -vv -i pflog0 never tells me anything. Is this because of this error?

[EMAIL PROTECTED] /var/log]# tcpdump -vv -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes

The only place I found it was in /var/log/debug.log, but looking at it, it only held the connection for one second on the 2 emails it 'caught':

[EMAIL PROTECTED] /var/log]# grep spamd /var/log/*
debug.log:Oct 11 10:41:58 chavez spamd[68820]: 199.249.176.8: Body: This is a multi-part message in MIME format.
debug.log:Oct 11 10:41:58 chavez spamd[68820]: 199.249.176.8: Body: ------_=_NextPart_001_01C6ED4B.00B377B4
debug.log:Oct 11 10:41:58 chavez spamd[68820]: 199.249.176.8: Body: Content-Type: text/plain;
debug.log:Oct 11 10:41:58 chavez spamd[68820]: 199.249.176.8: Body: charset=us-ascii
debug.log:Oct 11 10:41:58 chavez spamd[68820]: 199.249.176.8: Body: Content-Transfer-Encoding: quoted-printable
debug.log:Oct 11 10:41:58 chavez spamd[68820]: 199.249.176.8: Body: FYI 2
debug.log:Oct 11 11:00:22 chavez spamd[68820]: 199.249.176.8: Body: This is a multi-part message in MIME format.
debug.log:Oct 11 11:00:22 chavez spamd[68820]: 199.249.176.8: Body: ------_=_NextPart_001_01C6ED4D.9250C072
debug.log:Oct 11 11:00:22 chavez spamd[68820]: 199.249.176.8: Body: Content-Type: text/plain;
debug.log:Oct 11 11:00:22 chavez spamd[68820]: 199.249.176.8: Body: charset=us-ascii
debug.log:Oct 11 11:00:22 chavez spamd[68820]: 199.249.176.8: Body: Content-Transfer-Encoding: quoted-printable
debug.log:Oct 11 11:00:22 chavez spamd[68820]: 199.249.176.8: Body: FYI 3

So, do I still have something amiss, and how can I trace it like they did on: http://www.benzedrine.cx/relaydb.html -- they only showed the output from the logs, not how they got it. Do I wait for debug.log to update later? I don't see why it wouldn't be writing it now...

Thanks again Martin!

P

--
http://fak3r.com - you don't have to kick it
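
An added example, not part of the original message or of spamd: one way to condense the spamd entries in debug.log into one summary row per client and burst of activity, using only the line format visible in the grep output above. The function name, the 60-second gap used to separate bursts and the year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input: abridged from the grep output quoted in the message above.
SAMPLE = """\
debug.log:Oct 11 10:41:58 chavez spamd[68820]: 199.249.176.8: Body: This is a multi-part message in MIME format.
debug.log:Oct 11 10:41:58 chavez spamd[68820]: 199.249.176.8: Body: Content-Type: text/plain;
debug.log:Oct 11 10:41:58 chavez spamd[68820]: 199.249.176.8: Body: FYI 2
debug.log:Oct 11 11:00:22 chavez spamd[68820]: 199.249.176.8: Body: This is a multi-part message in MIME format.
debug.log:Oct 11 11:00:22 chavez spamd[68820]: 199.249.176.8: Body: Content-Type: text/plain;
debug.log:Oct 11 11:00:22 chavez spamd[68820]: 199.249.176.8: Body: FYI 3
"""

# Optional "file:" prefix (added by grep), syslog timestamp, host,
# spamd[pid], client IP, then the logged text.
LINE = re.compile(
    r"^(?:[^\s:]+:)?(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ "
    r"spamd\[(?P<pid>\d+)\]: (?P<ip>\d+(?:\.\d+){3}): (?P<msg>.*)$"
)

def sessions(text, year=2006, gap=timedelta(seconds=60)):
    """Group spamd log lines per client IP into bursts separated by more than `gap`.

    `year` and `gap` are assumptions: syslog timestamps carry no year, and the
    lines quoted on the page do not mark where a connection starts or ends.
    """
    out, current = [], {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a spamd per-client line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        s = current.get(m["ip"])
        if s is None or ts - s["last"] > gap:
            # First line from this client, or a long silence: start a new burst.
            s = {"ip": m["ip"], "pid": int(m["pid"]), "first": ts, "last": ts, "lines": 0}
            current[m["ip"]] = s
            out.append(s)
        s["last"], s["lines"], s["tail"] = ts, s["lines"] + 1, m["msg"]
    return out

if __name__ == "__main__":
    for s in sessions(SAMPLE):
        span = int((s["last"] - s["first"]).total_seconds())
        print(f'{s["ip"]} pid={s["pid"]} {s["first"]:%H:%M:%S} '
              f'lines={s["lines"]} span={span}s last="{s["tail"]}"')
```

The span is the time between the first and last logged line of a burst, so it measures what was written to the log, not how long the TCP connection stayed open.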