Date: Fri, 21 Nov 2003 13:01:25 -0800 From: OpenMacNews <freebsd-security.20.openmacnewsREMOVETHIS@spamgourmet.com> To: freebsd-security@freebsd.org Subject: Re: how to get IPFW rules for SMTP server behind NAT server "right"? (freebsd-security: message 1 of 20) Message-ID: <2147483647.1069419685@[172.30.11.6]> In-Reply-To: <200311212048.hALKmNCM061651@bunrab.catwhisker.org> References: <200311212048.hALKmNCM061651@bunrab.catwhisker.org>
next in thread | previous in thread | raw e-mail | index | archive | help
-- On Friday, November 21, 2003 12:48 PM -0800 "David Wolfskill - david@catwhisker.org" <+freebsd-security+openmacnews+0459602105.david#catwhisker.org@spamgourmet.com> wrote: David, thanks for your reply! >> i've been struggling with setting appropriate rules for an SMTP-server >> behind by NAT'd firewall. > > OK.... <snip> > >> currently, my SMTP ipfw rules are as follows (snip'd from my startup >> script) > >> ============================================= >># allow connections to/from internal smtp_server >> ipfw add 7000 allow log tcp from any to ${smtp_server} 25 > > I suggest appending " setup" to that. Unless I'm very confused, you > don't really want to see *every* incoming SMTP packet -- just those that > initiate an SMTP conversation. (Note that -- at least in FreeBSD -- the > mail traffic gets logged to /var/log/maillog anyway.) > >> ipfw add 7001 allow log tcp from ${smtp_server} 25 to any > > Again, you may wish to append " setup" to that, for the same reasons. > > In conjunction with the above, you'd likely want to (silently) permit > "established" connections. hadn't dawned on me to this, so: ipfw add 7000 allow log tcp from any to ${smtp_server} 25 setup ipfw add 7001 allow tcp from any to ${smtp_server} 25 established ipfw add 7002 allow log tcp from ${smtp_server} 25 to any setup ipfw add 7003 allow tcp from ${smtp_server} 25 to any established right? >># allow clients to communicate with external smtp servers >> ipfw add 7002 allow log tcp from ${innr} 1024-65535 to ${exip} 25 >> ipfw add 7003 allow log tcp from ${exip} 25 to ${innr} 1024-65535 > > Why? Wouldn't you want them to send their mail to your internal mail > server, which would then send it out? usually, yes BUT, sometimes i want to be able to use a local LAN mail client to directly access on offsite SMTP server. my understanding is that usually a client uses "high ports" to communicate to those servers at THEIR port 25 -- just like to my internal svr, but internal lan traffic is "all open" in this case would you recommend the "setup & established" approach as above? >> it seems to me that everything's working. question is, are these too >> open, too closed, incomplete, risky, etc? > > Have you actually looked at your security log? yes i have of course, i've had little DENIED on port 25 ( and a LOT of entries ....) other than servers/connection attempts that clearly are failing SMTP 'transactions', i'm frankly not sure what to look for for 'unauthorized' access to port25/my server ... because of its "open" nature, what are the legit triggers for "suspicious" activity for SMTP? > Peace, > david > -- cheers, richard
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2147483647.1069419685>