Date:      Sat, 22 Nov 2003 17:14:05 -0800 (PST)
From:      Dorin H <bj93542@yahoo.com>
To:        OpenMacNews <freebsd-security.20.openmacnews@spamgourmet.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: how to get IPFW rules for SMTP server behind NAT server "right"? (freebsd-security: message 1 of 20)
Message-ID:  <20031123011405.80292.qmail@web12602.mail.yahoo.com>
In-Reply-To: <2147483647.1069419685@[172.30.11.6]>

<snip>
> <snip>
> 
> hadn't dawned on me to this, so:
> 
> ipfw add 7000 allow log tcp from any to ${smtp_server} 25 setup
> ipfw add 7001 allow tcp from any to ${smtp_server} 25 established
> ipfw add 7002 allow log tcp from ${smtp_server} 25 to any setup
> ipfw add 7003 allow tcp from ${smtp_server} 25 to any established
> 
> right?

Better with dynamic rules... you don't want any packet
directed to ${smtp_server} 25 going inside, just those
corresponding to a previously initiated connection
(dropping SYN will allow the packet to pass your
firewall, and it will not even be logged :))
2c.
/Dorin.


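As an added illustration of the reply above (not code from either poster), here is the "established" rule set from the thread beside a dynamic-rule version using ipfw's setup/keep-state and check-state. The server address is a constructed placeholder, the rule numbers follow the thread, and the outbound rule assumes the server connects from an ephemeral port to remote port 25, as an SMTP client does.

```shell
#!/bin/sh
# Added example: inbound/outbound SMTP rules with ipfw dynamic rules
# instead of "established". Placeholder server address (constructed).
smtp_server="${smtp_server:-192.0.2.25}"

# Weak version from the thread. "established" matches any TCP packet
# with ACK or RST set, so a packet to port 25 that merely lacks SYN
# passes rule 7001 whether or not a connection exists, and rule 7001
# carries no "log", so nothing records it.
weak_rules() {
    cat <<EOF
add 7000 allow log tcp from any to ${smtp_server} 25 setup
add 7001 allow tcp from any to ${smtp_server} 25 established
EOF
}

# Dynamic version. The SYN that matches a "setup keep-state" rule creates
# a state entry for that 4-tuple; every later packet of the session is
# accepted at check-state. A stray non-SYN packet matches no state entry
# and falls through to whatever deny/log rules follow.
# Assumes these rules see the server's internal address, i.e. they are
# placed where NAT has already been applied for inbound traffic.
dynamic_rules() {
    cat <<EOF
add 6999 check-state
add 7000 allow log tcp from any to ${smtp_server} 25 setup keep-state
add 7002 allow log tcp from ${smtp_server} to any 25 setup keep-state
EOF
}

# Count rule lines a generator emits (used to sanity-check the set).
rule_count() {
    "$1" | grep -c '^add'
}

# Load the dynamic set when ipfw exists; otherwise just print it.
apply_rules() {
    if command -v ipfw >/dev/null 2>&1; then
        dynamic_rules | while read -r line; do
            # shellcheck disable=SC2086  # word splitting is intended
            ipfw -q $line
        done
    else
        dynamic_rules
    fi
}
```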

