Date: Tue, 09 Mar 2004 10:22:37 -0600
From: "Kevin D. Kinsey, DaleCo, S.P." <kdk@daleco.biz>
To: Mike Jackson <mj@sci.fi>
Cc: freebsd-questions@freebsd.org
Subject: Re: firewall rules for mail gateway
Message-ID: <404DEF4D.1050800@daleco.biz>
In-Reply-To: <20040309145635.GG8152@gentoo.netauth.com>
References: <20040309145635.GG8152@gentoo.netauth.com>
Mike Jackson wrote:
> Hi,
> I have a 5.2.1 firewall box that also has a mailserver.
>
> Goal:
>
> - firewall can send and receive mail <-> rest of the world
> - firewall can send and receive mail <-> internal LAN machines
> - firewall blocks internal LAN machines from connecting to
>   external SMTP servers
>
> firewall/mail gw
> -----------------------
> xl0 - public interface
> xl1 - private interface (gateway ip for LAN) 192.168.1.1
>
>
> I tried something like:
>
> block out quick on xl1 proto tcp from any to any port = 25
>
> with no effect, workstations could still get past it.
>
> Any help would be appreciated :-)
>
> Thanks,
>

So, you're using ipf or ipfilter, not ipfw, as I take it from your syntax. I imagine the ipfilter gurus on the list would like to see your entire ruleset.

IIRC, your firewall is a "last match" setup rather than "first match." Might have something to do with it. If the machine is running NAT/divert whatever, it might well be diverting before blocking? But I'm wrong so often it's not very funny ... and I use ipfw instead of ipf.....

The other thing I see: using ipfw, I'd be blocking traffic from LAN to dst-port 25 via the *outside* interface... so, can you put an "allow server out via 25" and then a "deny any out via 25" on your xl0? What does that do?

Kevin Kinsey
DaleCo, S.P.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?404DEF4D.1050800>
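The following ipf ruleset is an added example for the setup described in the thread; it is not from either poster. It spells out the "allow server out, then deny any out on xl0" pairing suggested in the reply, and also adds the rule on xl1 that the original attempt was missing: packets a LAN workstation sends to an outside SMTP server arrive on the gateway "in" on xl1 and leave "out" on xl0, so a "block out on xl1" rule never sees them (it only matches traffic the gateway sends towards the LAN). Assumptions not in the thread: the public address 203.0.113.10 (a documentation-range placeholder), the rules file path /etc/ipf.rules, and that the gateway's own MTA listens on both interfaces.

```conf
# /etc/ipf.rules  (added example; addresses other than 192.168.1.x are made up)
#
# xl0 = public interface, 203.0.113.10 (assumed placeholder address)
# xl1 = private interface, 192.168.1.1, LAN is 192.168.1.0/24 (from the post)
#
# ipf is last-match by default; every rule below carries "quick" so the first
# matching rule decides, which keeps the ordering easy to reason about.

# --- LAN side (xl1) ---------------------------------------------------------
# LAN hosts may submit mail to the gateway's own MTA ...
pass in quick on xl1 proto tcp from 192.168.1.0/24 to 192.168.1.1 port = 25 flags S keep state

# ... but not to anything else on port 25. LAN-originated packets are seen
# "in" on xl1, so this is the direction the block must use. "log" makes hits
# visible in ipmon so you can confirm the rule is actually matching.
block in log quick on xl1 proto tcp from 192.168.1.0/24 to any port = 25

# --- Internet side (xl0) ----------------------------------------------------
# Inbound mail for the gateway's MTA.
pass in quick on xl0 proto tcp from any to 203.0.113.10 port = 25 flags S keep state

# The gateway's MTA may deliver outbound mail ("allow server out via 25").
pass out quick on xl0 proto tcp from 203.0.113.10 to any port = 25 flags S keep state

# Everything else heading for port 25 through the public interface is dropped
# ("deny any out via 25"). IPFilter applies outbound filter rules before NAT,
# so a LAN host slipping past the xl1 rule still shows its 192.168.1.x source
# here and is caught by this catch-all.
block out log quick on xl0 proto tcp from any to any port = 25
```

Load the rules with `ipf -Fa -f /etc/ipf.rules`, list what is active with `ipfstat -io`, and run `ipmon -a` while a workstation tries `telnet <some outside host> 25`: the attempt should fail and a logged hit should appear for the xl1 block rule, while `telnet 192.168.1.1 25` from the same workstation still connects. If the block never logs a hit, the rule is not being reached (an earlier `pass ... quick` rule, or wrong interface/direction), which is the kind of whole-ruleset problem the reply asks to see.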