spamd logging [ud: on bridge]
David Pierron
david at wombatsweb.com
Thu Dec 15 04:45:11 PST 2005
David Pierron on 12/15/2005 6:15 AM wrote:
> David Pierron on 12/14/2005 8:42 PM wrote:
>
>> I am running FBSD 6.0 if_bridge PF firewall.
>>
>> cd /usr/ports/mail/spamd
>> make install clean
>>
>> Seems to have installed "pfspamd"
>>
>> Anyway, I can't seem to get it to log to a logfile. Even running it
>> non-daemonized "-d" I see no messaging ...
>> /usr/local/libexec/spamd -v -b 127.0.0.1 -d
>>
>> rc.conf
>> pfspamd_enable="YES"
>> pfspamd_flags="-v -b 127.0.0.1"
>>
>> syslog.conf
>> Tried as described in man page:
>> !spamd
>> daemon.err;daemon.warn;daemon.info
>>
>> also tried:
>> !spamd
>> *.*
>>
>> log file just shows that the service started ...
>> I see the states created for it when running pftop[D, r]
>>
>> I don't know that spamd is actually doing any work to log ...
>
>
> UPDATE: Logging works ... Seems the issue is spamd running on a
> bridge ... I have been trying everything I've found on Google but so
> far nothing is making it work ... The issue is "rdr"ing the
> connection to an interface running spamd ... I am not running NAT
> ... I have tried tags, route-to and individual rules ... I tried
> rdr'ing to an interface besides localhost ... So far nothing is
> working ... What to do?
UPDATE: More searching (used AskJeeves) and found a message from May 2003:
Daniel Hartmeier:
Yes, a bridge operates on ethernet level.
For an rdr, pf will only replace the destination IP address/port, it
doesn't touch the destination MAC address. I assume that in your case,
the TCP SYN is sent to the MAC address of the internal host (not the
firewall). pf replaces the destination IP address/port and hands the
packet back to the bridge, which forwards it based on its destination
MAC address.
You can use 'route-to lo0' to cause pf to route the incoming packets to
the loopback interface (using 127.0.0.1 as replacement destination
address) instead of handing it back to the bridge after translation:
rdr on $ext_if inet proto tcp from $outside_system to any port smtp -> 127.0.0.1 port 8025
pass in on $ext_if route-to lo0 inet proto tcp from any to $ext_if port 8025 keep state
Also, if the bridge is transparent (no IP addresses assigned to the
interfaces), spamd won't work, as userland on the firewall is isolated
from all networks. You need to assign an IP address to the external
interface, otherwise there is no routing table entry which spamd needs
to send replies to the external client.
Many pf tricks work on bridges, but not all of them. Some require IP
addresses assigned to the interfaces, for some you even need to enable
IP forwarding. A bridge works very differently from a plain IP
forwarder, you'll have to think in terms of ethernet frames, not IP
packets. Don't use a bridge if you want the functionality of an IP
forwarder.
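A toy model of the forwarding decision Daniel describes above, added here as an illustration and not part of the original thread; the MAC and IP values are constructed, and only the spamd listener 127.0.0.1:8025 comes from the thread.

```python
# Toy model (added example, not from the original thread) of why a pf "rdr"
# alone does not deliver SMTP to spamd on an if_bridge firewall, and why
# "pass in ... route-to lo0" fixes it.
from dataclasses import dataclass, replace

FW_MAC, FW_IP = "02:00:00:00:00:01", "203.0.113.1"     # constructed firewall
INT_MAC, INT_IP = "02:00:00:00:00:02", "203.0.113.10"  # constructed internal MX
SPAMD = ("127.0.0.1", 8025)                            # spamd listener (thread)

@dataclass(frozen=True)
class Frame:
    dst_mac: str
    dst_ip: str
    dst_port: int

def pf_rdr(frame: Frame) -> Frame:
    """rdr rewrites only the destination IP/port; the MAC is left untouched."""
    if frame.dst_port == 25:
        return replace(frame, dst_ip=SPAMD[0], dst_port=SPAMD[1])
    return frame

def bridge_forward(frame: Frame, route_to_lo0: bool) -> str:
    """Where the translated frame ends up after pf hands it back."""
    if route_to_lo0:
        # route-to lo0 pushes the packet into the local IP stack via loopback,
        # so the 127.0.0.1:8025 destination now reaches the spamd socket.
        return "spamd" if (frame.dst_ip, frame.dst_port) == SPAMD else "lo0-unmatched"
    # Plain bridge path: the frame is switched on its destination MAC, and that
    # MAC still belongs to the internal host, so spamd never sees the SYN.
    return "firewall-stack" if frame.dst_mac == FW_MAC else "internal-host"

def deliver_smtp_syn(route_to_lo0: bool) -> str:
    # The client's SYN is addressed (L2 and L3) to the internal mail host.
    syn = Frame(dst_mac=INT_MAC, dst_ip=INT_IP, dst_port=25)
    return bridge_forward(pf_rdr(syn), route_to_lo0)

if __name__ == "__main__":
    print("rdr only:          ", deliver_smtp_syn(route_to_lo0=False))
    print("rdr + route-to lo0:", deliver_smtp_syn(route_to_lo0=True))
```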