From: Bart Silverstrim
Date: Tue, 12 Sep 2006 16:37:53 -0400
To: Chuck Swiger
Cc: freebsd-questions@freebsd.org, Bill Moran
Subject: Re: forwarding as a gateway, logging certain traffic

On Sep 12, 2006, at 4:28 PM, Chuck Swiger wrote:

> On Sep 12, 2006, at 1:08 PM, Bill Moran wrote:
>>> Is there some way to get the FreeBSD system to log machines using
>>> port 25 without interfering with the FreeBSD machine's filtering of
>>> email function? Or at least make the traffic visible to sniffing
>>> with tcpdump or wireshark or ethereal?
>>
>> Off the top of my head ...
>>
>> ipfw add 25 log tcp from any to any 25
>>
>> should work. There are certain kernel configs you have to have in
>> place for logging to work, though.
>
> Better to use something like:
>
> ipfw add 1 log tcp from any to me 25 setup
>
> If Bart would like to use tcpdump for the same purpose, consider
> running something like:
>
> tcpdump -nt 'port 25 and (tcp[tcpflags] & tcp-syn != 0)'

Maybe my ipfw is old; it kept telling me that "log" is an invalid
action. However, I think I may be able to get the tcpdump idea to
work. Thanks!
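The script below is an added example and is not part of the thread above or of any of its authors' posts. It puts the two approaches from the thread (an ipfw logging rule and Chuck's tcpdump SYN filter) next to each other and adds a small summary step over the resulting log lines so that the gateway admin gets a per-client count rather than a raw packet list. Two points it relies on: in ipfw, "log" is not an action but a modifier that follows one (allow, deny, count, ...), so a rule has to read "ipfw add ... count log tcp ..." to be accepted, and ipfw only emits log lines when net.inet.ip.fw.verbose is 1 (or the kernel was built with IPFIREWALL_VERBOSE), at which point they go to syslog's security facility, /var/log/security with the stock syslog.conf. The rule number, the interface name em0, the addresses in the sample lines and the sample lines themselves are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the original mailing-list thread.
# Log SMTP connection attempts crossing a FreeBSD ipfw gateway and
# summarise them per client address.  Rule number, interface and the
# sample log lines below are assumptions made for this example.

# --- 1. ipfw side (run as root on the gateway; NOT called below) ----
# "log" is a modifier, not an action, so it must follow an action.
# "count log" records the packet without touching filtering decisions,
# and "setup" matches only the SYN of a new connection, giving one log
# line per connection attempt.
install_smtp_logging() {
    sysctl net.inet.ip.fw.verbose=1          # or IPFIREWALL_VERBOSE in the kernel
    sysctl net.inet.ip.fw.verbose_limit=0    # 0 = do not rate-limit log lines
    ipfw add 1 count log tcp from any to any 25 setup
}

# --- 2. summarise ipfw log lines from /var/log/security ---------------
# Line shape (FreeBSD syslog + ipfw):
#   ... kernel: ipfw: 1 Count TCP 10.0.0.5:49152 192.0.2.10:25 in via em0
# Output: "<client-ip> <attempts>", most active client first.
smtp_clients_from_ipfw() {
    awk '/ipfw: [0-9]+ [A-Za-z]+ TCP / {
            for (i = 1; i <= NF; i++)
                if ($i == "TCP" && $(i+2) ~ /:25$/) {   # destination port 25
                    split($(i+1), src, ":")            # strip the source port
                    n[src[1]]++
                }
         }
         END { for (h in n) print h, n[h] }' | sort -k2,2nr -k1,1
}

# --- 3. same summary from tcpdump ---------------------------------------
# Input is the output of
#   tcpdump -nt 'port 25 and (tcp[tcpflags] & tcp-syn != 0)'
# Both the classic "S 1:1(0) ..." and the newer "Flags [S], ..." line
# styles are accepted.  SYN/ACKs from the server are dropped because the
# destination field (4th) is then the client's port, not ".25:".
smtp_clients_from_tcpdump() {
    awk '$1 == "IP" && $4 ~ /\.25:$/ &&
         ($5 == "S" || ($5 == "Flags" && $6 == "[S],")) {
            sub(/\.[0-9]+$/, "", $2)                   # strip the source port
            n[$2]++
         }
         END { for (h in n) print h, n[h] }' | sort -k2,2nr -k1,1
}

# --- constructed sample input (not real log data) ----------------------
SAMPLE_IPFW_LOG='Sep 12 16:38:57 gw kernel: ipfw: 1 Count TCP 10.0.0.5:49152 192.0.2.10:25 in via em0
Sep 12 16:39:02 gw kernel: ipfw: 1 Count TCP 10.0.0.5:49153 192.0.2.10:25 in via em0
Sep 12 16:39:10 gw kernel: ipfw: 1 Count TCP 10.0.0.9:40000 198.51.100.7:25 in via em0
Sep 12 16:39:11 gw kernel: ipfw: 2 Deny TCP 203.0.113.4:1234 10.0.0.5:22 in via em0'

SAMPLE_TCPDUMP='IP 10.0.0.5.49152 > 192.0.2.10.25: S 1:1(0) win 65535 <mss 1460>
IP 192.0.2.10.25 > 10.0.0.5.49152: S 7:7(0) ack 2 win 65535
IP 10.0.0.5.49153 > 192.0.2.10.25: Flags [S], seq 9, win 65535, length 0
IP 10.0.0.9.40000 > 198.51.100.7.25: S 3:3(0) win 5840
IP 10.0.0.9.40001 > 198.51.100.7.25: . ack 4 win 5840'

echo "SMTP clients seen by ipfw:"
printf '%s\n' "$SAMPLE_IPFW_LOG" | smtp_clients_from_ipfw
echo "SMTP clients seen by tcpdump:"
printf '%s\n' "$SAMPLE_TCPDUMP" | smtp_clients_from_tcpdump
```

On a live gateway the two summaries are fed from the real sources, e.g. "smtp_clients_from_ipfw < /var/log/security" and "tcpdump -nt 'port 25 and (tcp[tcpflags] & tcp-syn != 0)' | smtp_clients_from_tcpdump". Note that ipfw's "setup" matches SYN-without-ACK only, whereas the tcpdump filter as written also captures the server's SYN/ACKs; the equivalent of "setup" in pcap syntax is "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn", which keeps the capture to one packet per connection attempt.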