From owner-freebsd-questions@FreeBSD.ORG Fri Apr 23 05:47:30 2004
Date: Fri, 23 Apr 2004 14:47:19 +0200
From: Alex de Kruijff
To: Peter Tokanel
cc: questions@freebsd.org
Subject: Re: Newbie:Home network mail forwarding
Message-id: <20040423124719.GD24076@alex.lan>
In-reply-to: <40884EA0.8000304@samsys.com>
References: <408704DF.5070907@samsys.com> <20040422125136.GD903@alex.lan> <40884EA0.8000304@samsys.com>
User-Agent: Mutt/1.4.2.1i

On Thu, Apr 22, 2004 at 07:00:48PM -0400, Peter Tokanel wrote:
> Alex de Kruijff wrote:
> > On Wed, Apr 21, 2004 at 07:33:51PM -0400, Peter Tokanel wrote:
> > > Hi,
> > >
> > > I am new to unix but I have managed to setup a home network using
> > > FreeBSD. The FreeBSD box is a gateway/firewall/router for my Windows XP
> > > box and a wireless access point. The XP box can access the web just
> > > great using the shared connection. My problem is when email is used on
> > > the Windows XP box, no messages can be sent out. I can receive email
> > > from my ISP's pop-server just fine. I am not sure if I need to start
> > > some kind of mail daemon or what???? Is it my firewall configuration????
> > > I have included some of my setup files, hopefully someone can tell me
> >
> > XP 192.168.1.0/24 <-> 192.168.1.0/24 gateway <-> internet
> >
> > It could be your firewall but it could also be your XP configuration.
> > If you give me the output of 'ipfw sh' then I'll check if I can find
> > anything that blocks sending mail.
>
> Hi,
> Here is the output of 'ipfw sh'......I don't pretend to understand
> what all these mean. The ipfw rules for the 'simple' case in rc.firewall
> were a starting point, but then I added a few additional rules from
> various spots on the net attempting to fix various problems. Any advice
> would be appreciated.

I couldn't find exactly what the problem is. It looks okay to me. If you
like to go on with this one you could try doing:

1. ipfw z
2. Try sending your mail
3. ipfw sh (and look where the packet gets blocked)
4. If you solved the problem skip to the end
5. Add log to the rule and do 1-3. Then check /etc/security and look
   for the right packets and see what happens.

What I like to do is offer you an alternative framework. I'll be in a
better position to help you this way.

For this first put these lines in your /etc/rc.conf. This will load the
firewall rules from that file.

firewall_enable="YES"
firewall_type="/etc/firewall.conf"

Then put these rules in your /etc/firewall.conf:

# Select NIC (10000 = internal 20000 = external)
add 00010 skipto 10000 ip from any to any via rl0
add 00020 skipto 20000 ip from any to any via vl0
add 00030 allow ip from any to any via lo0
add 09999 deny ip from any to any

> A packet sent from the XP box to the internet passes these rules twice
> because it goes through two NICs.

# Internal NIC
add 19997 allow ip from 192.168.1.0/24 to any
add 19997 allow ip from any to 192.168.1.0/24
add 19998 reject log ip from any to any in
add 19999 deny log ip from any to any out

> reject = deny + it tells the sender that no such service exists. That
> is smart for _your own_ computer.

## External NIC - Anti spoofing
#add 20200 skipto 20300 ip from 192.168.1.0/24 to any in
#add 20210 reject ip from any to 10.0.0.0/8 out
#add 20220 reject ip from any to 172.0.0.0/12 out
#add 20230 reject ip from any to 192.168.0.0/16 out
#add 20240 deny ip from 10.0.0.0/8 to any in
#add 20250 deny ip from 172.0.0.0/12 to any in
#add 20260 deny ip from 192.168.0.0/16 to any in

> After everything works you can place your anti spoofing rules here
> and keep those packets from going into natd. Rules 200,240-260 can
> block you out and are optional.

# External NIC - Natd
add 20520 skipto 20600 ip from me to any
add 20530 divert 8668 ip from any to any
add 20540 allow ip from me to any
# the LAN network from the diagram above (192.168.1.0/24)
add 20550 allow ip from any to 192.168.1.0/24

> This acts like a stateful firewall (like below) for the lan.

# External NIC - Stateful firewall
add 29800 allow tcp from me to any keep-state setup
add 29810 allow udp from me to any keep-state
add 29820 allow ip from me to any keep-state

> This allows packets out and the response back in.

# External NIC - deny or reject everything else
add 29998 deny log ip from any to any in
add 29999 reject log ip from any to any out

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
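To see how the XP box's outgoing SMTP packet passes the ruleset twice (once via rl0, once via vl0), here is an added Python walk-through of the ruleset in the reply; it is example code written for this page, not from the thread. It assumes constructed addresses (gateway WAN 203.0.113.5, gateway LAN 192.168.1.1, XP box 192.168.1.10, remote mail server 198.51.100.25), models divert as natd's address rewrite, and does not model keep-state.

```python
import ipaddress
# Copy of the reply's ruleset with "add" on every line (the firewall_type file needs it); rl0 = LAN, vl0 = WAN.
RULES = """add 00010 skipto 10000 ip from any to any via rl0
add 00020 skipto 20000 ip from any to any via vl0
add 00030 allow ip from any to any via lo0
add 09999 deny ip from any to any
add 19997 allow ip from 192.168.1.0/24 to any
add 19997 allow ip from any to 192.168.1.0/24
add 19998 reject log ip from any to any in
add 19999 deny log ip from any to any out
add 20520 skipto 20600 ip from me to any
add 20530 divert 8668 ip from any to any
add 20540 allow ip from me to any
add 20550 allow ip from any to 192.168.1.0/24
add 29800 allow tcp from me to any keep-state setup
add 29810 allow udp from me to any keep-state
add 29820 allow ip from me to any keep-state
add 29998 deny log ip from any to any in
add 29999 reject log ip from any to any out"""
WAN_IP, XP = "203.0.113.5", "192.168.1.10"   # constructed: the gateway's WAN address, the XP box
ME = {WAN_IP, "192.168.1.1"}                  # addresses the gateway itself owns ('me')

def parse(text):
    """Rules as (number, action, target, proto, src, dst, qualifiers), in file order."""
    rules = []
    for w in (line.split() for line in text.splitlines()):
        i = 4 if w[2] in ("skipto", "divert") else 3    # skipto/divert carry a target number
        i += w[i] == "log"                              # 'log' sits before the protocol
        rules.append((int(w[1]), w[2], w[3], w[i], w[i + 2], w[i + 4], w[i + 5:]))
    return rules

def match(spec, ip):
    return spec == "any" or (ip in ME if spec == "me" else ipaddress.ip_address(ip) in ipaddress.ip_network(spec))

def walk(rules, proto, src, dst, iface, direction):
    """One first-match pass (keep-state not modelled); returns (action, matched rule numbers)."""
    trace, i = [], 0
    while i < len(rules):
        num, action, arg, p, s, d, q = rules[i]
        hit = (p in ("ip", proto) and match(s, src) and match(d, dst) and ("via" not in q
               or q[q.index("via") + 1] == iface) and not ({"in", "out"} & set(q) - {direction}))
        if not hit: i += 1; continue
        trace.append(num)
        if action == "skipto":            # resume at the first rule numbered >= the target
            i = next((j for j, r in enumerate(rules) if r[0] >= int(arg)), len(rules))
        elif action == "divert":          # natd rewrites the packet; evaluation resumes at the next rule
            if direction == "out" and src not in ME: src = WAN_IP   # masqueraded behind the WAN IP
            elif direction == "in" and dst == WAN_IP: dst = XP      # assumes an open NAT session
            i += 1
        else:
            return action, trace
    return "deny", trace                  # implicit default rule 65535
```

For the XP box's SMTP packet the two passes match rules 10, 19997 and then 20, 20530, 20540, and the server's reply comes back through 20, 20530, 20550. A WAN-side packet from 10.0.0.1 addressed to 192.168.1.10 is also allowed by 20550 while the anti-spoofing block stays commented out, which is what that block is there to catch.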