
spamd & pf - passive OS the source




I ran a quick one-liner over my spamd log and found that a single IP had disconnected from my spamd 334 times in about 45 days. Besides giving me a good laugh, it got me curious. I'd like to track the OS of the IPs talking with spamd. I created the following rules in my pf.conf file.


pass in quick inet proto tcp from any os "Windows .NET" to localhost port spamd modulate state label "spamd Windows .NET"
pass in quick inet proto tcp from any os "Windows 2000" to localhost port spamd modulate state label "spamd Windows 2000"
pass in quick inet proto tcp from any os "Windows XP" to localhost port spamd modulate state label "spamd Windows XP"
pass in quick inet proto tcp from any os "Windows NT" to localhost port spamd modulate state label "spamd Windows NT"
pass in quick inet proto tcp from any os "Windows 95" to localhost port spamd modulate state label "spamd Windows 95"
pass in quick inet proto tcp from any os "Windows 98" to localhost port spamd modulate state label "spamd Windows 98"
pass in quick inet proto tcp from any os "OpenBSD" to localhost port spamd modulate state label "spamd OpenBSD"
pass in quick inet proto tcp from any to localhost port spamd modulate state label "spamd undefined"


Then I telnet to port 25 on the box running spamd. At the same time I have a 'tail -f /var/log/spamd' going, and according to the log my telnet was the only incoming connection to spamd. After the telnet I run 'pfctl -s labels' on the box running pf and get the output below.


# pfctl -s labels
rl0 ping in 2 0 0
rl3 ping in 3 0 0
spamd Windows .NET 1 0 0
spamd Windows 2000 1 0 0
spamd Windows XP 1 0 0
spamd Windows NT 1 0 0
spamd Windows 95 1 0 0
spamd Windows 98 1 0 0
spamd OpenBSD 1 11 691
spamd undefined 0 0 0

I'm confused about why every rule, and thus every label, applied, or seems to have applied. After a random IP shows up in /var/log/spamd I see

spamd Windows .NET 2 0 0
spamd Windows 2000 2 8 485
spamd Windows XP 1 0 0
spamd Windows NT 1 0 0
spamd Windows 95 1 0 0
spamd Windows 98 1 0 0
spamd OpenBSD 1 11 691
spamd undefined 0 0 0


All of the OpenBSD boxes involved are running 3.6-release.



Thanks, Chad
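The following is an added example, not part of the original post. On OpenBSD 3.6 'pfctl -s labels' prints four columns: the label, the number of times the rule was evaluated, and the packets and bytes that passed through states created by that rule. Rules are evaluated in order and 'quick' stops the walk at the first match, so every rule up to and including the matching one has its evaluation counter bumped while only the matching rule accumulates packets and bytes; a rule after the match ('spamd undefined' above) is never evaluated. The script below makes that visible: it takes two snapshots of the label output, constructed here from the two outputs quoted in the post, and reports which labels changed and which one actually matched (packets grew). It assumes the 3.6-era three-counter format and plain POSIX sh plus awk; later pf releases print more counter columns, which would need the field arithmetic adjusted.

```shell
#!/bin/sh
# Added example (not from the original post): compare two `pfctl -s labels`
# snapshots to see which labelled rule actually matched a connection.
# Assumes the OpenBSD 3.6-era format "<label> <evaluations> <packets> <bytes>",
# where the label itself may contain spaces.

# Snapshot right after the author's telnet test (constructed from the post's output).
SNAP_BEFORE='# pfctl -s labels
rl0 ping in 2 0 0
rl3 ping in 3 0 0
spamd Windows .NET 1 0 0
spamd Windows 2000 1 0 0
spamd Windows XP 1 0 0
spamd Windows NT 1 0 0
spamd Windows 95 1 0 0
spamd Windows 98 1 0 0
spamd OpenBSD 1 11 691
spamd undefined 0 0 0'

# Snapshot after one more remote host connected (constructed from the post's output).
SNAP_AFTER='rl0 ping in 2 0 0
rl3 ping in 3 0 0
spamd Windows .NET 2 0 0
spamd Windows 2000 2 8 485
spamd Windows XP 1 0 0
spamd Windows NT 1 0 0
spamd Windows 95 1 0 0
spamd Windows 98 1 0 0
spamd OpenBSD 1 11 691
spamd undefined 0 0 0'

# pf_label_matched SNAPSHOT: print the labels whose rule created state
# (packets column > 0). Evaluations alone do not mean the rule matched.
pf_label_matched() {
    printf '%s\n' "$1" | awk '
        function key(    i, s) { s = $1; for (i = 2; i <= NF - 3; i++) s = s " " $i; return s }
        /^#/ || NF < 4 { next }          # skip a pasted prompt line or junk
        $(NF-1) > 0    { print key() }'
}

# pf_label_delta BEFORE AFTER: one line per label whose counters changed, as
# "<label>: evals +E pkts +P bytes +B", flagged MATCHED when packets grew.
# Evaluations grow for every rule the ruleset walk reaches; packets and bytes
# grow only for the rule that matched (and, with "quick", ended the walk).
pf_label_delta() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } | awk '
        # label = every field except the trailing three counters
        function key(    i, s) { s = $1; for (i = 2; i <= NF - 3; i++) s = s " " $i; return s }
        $0 == "--"     { after = 1; next }   # separator between the two snapshots
        /^#/ || NF < 4 { next }              # skip a pasted prompt line or junk
        !after         { k = key(); e0[k] = $(NF-2); p0[k] = $(NF-1); b0[k] = $NF; next }
        {
            k = key()
            de = $(NF-2) - e0[k]; dp = $(NF-1) - p0[k]; db = $NF - b0[k]
            if (de || dp || db)
                printf "%s: evals +%d pkts +%d bytes +%d%s\n", k, de, dp, db, (dp > 0 ? " MATCHED" : "")
        }'
}

echo "matched in first snapshot:"
pf_label_matched "$SNAP_BEFORE"
echo "changes between snapshots:"
pf_label_delta "$SNAP_BEFORE" "$SNAP_AFTER"
```

On a live box the two snapshots would come from running 'pfctl -s labels' before and after the connection of interest instead of the constructed strings; with the post's data the delta shows 'spamd Windows .NET' evaluated once more without matching and 'spamd Windows 2000' evaluated once more and matching (8 packets, 485 bytes), which is exactly the behaviour of an ordered ruleset with 'quick'.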
