From: D J Hawkey Jr <hawkeyd@visi.com>
To: Tim Aslat
Cc: freebsd security list <freebsd-security@freebsd.org>
Date: Tue, 11 May 2004 22:06:48 -0500
Subject: Re: quick FW question
Message-ID: <20040512030648.GA2102@sheol.localdomain>
In-Reply-To: <20040512115607.23ac80ea@bofh.spyderweb.com.au>

On May 12, at 11:56 AM, Tim Aslat wrote:
>
> I hope this isn't too off topic, but I'd like a quick solution to a
> problem.
>
> I have a small network behind a NAT firewall (FreeBSD of course) and I'd
> like to block/redirect all traffic from the internal network to the
> local mail server (same box as firewall) in order to prevent direct smtp
> requests to the outside world (mainly virus/trojan programs).
Set up the mail server as the hub for your internal network, and have the
workstations forward mail to it. If you're running sendmail on the
workstations, put this in their .mc file:

    define(`SMART_HOST', `smtp:mailhub.privatedomain')

And rebuild their sendmail.cf (I use the same .mc file for all U**X boxen
on my network, except for the mail hub). Basically, just point all internal
boxen's mailers to the hub.

My mail hub, in turn, defines SMART_HOST to be my ISP's mail cluster, and I
define MASQUERADE_AS to be my ISP's domain (I use the feature
masquerade_envelope, too). You might not be able to do this, of course;
it'll depend on your connectivity. You'll need an MX record set up for the
mail hub in your DNS.

> I think I have it right in this rule, but I would prefer to get a
> second, or even a third opinion.
>
> ipfw add fwd 127.0.0.1,25 tcp from any to me dst-port 25

Given the above approach, the only thing I have in my firewall for SMTP is
a rule for stateful outbound on ports 25 and 995 (I use SSL-enabled POP3
to download incoming mail from my ISP's mail cluster).

Hope this helps,
Dave

-- 
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/
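The following is an added example, not code from either poster: an ipfw fragment for the hub set-up Dave describes, combined with the redirect Tim asks about. It redirects SMTP connections that internal hosts aim at outside mail servers (anything "not me" arriving on the internal interface) to the hub on the firewall, passes mail addressed to the hub itself unchanged, lets only the firewall/hub relay to the ISP and fetch POP3 over SSL, and logs any host that still tries to go direct, which is a cheap way to spot an infected workstation. Interface names (fxp0, fxp1), addresses (192.168.1.0/24, 192.168.1.1) and the ISP relay name (mail.isp.example) are assumptions to be replaced for a real site. The rules are emitted as text by a function so they can be reviewed before loading; nothing is loaded unless the script is run with the argument "apply".

```shell
#!/bin/sh
# Added example (not from the original thread): ipfw rules that force all
# internal SMTP through the mail hub on the firewall and log direct attempts.
# Interface names, addresses and the ISP relay below are assumptions.
# The fwd action needs IPFIREWALL_FORWARD compiled into the kernel on
# FreeBSD of this era (4.x/5.x).

INT_IF="fxp1"              # assumed internal interface
EXT_IF="fxp0"              # assumed external interface
INT_NET="192.168.1.0/24"   # assumed internal network
HUB_IP="192.168.1.1"       # assumed hub address on INT_IF (same box as firewall)
ISP_MX="mail.isp.example"  # assumed ISP relay that the hub forwards to

# Emit the rules as text; first match wins, so order matters.
smtp_rules() {
    cat <<EOF
add 990 check-state
add 1000 allow tcp from ${INT_NET} to me 25 in via ${INT_IF} setup keep-state
add 1010 fwd ${HUB_IP},25 tcp from ${INT_NET} to not me 25 in via ${INT_IF}
add 1020 allow tcp from me to ${ISP_MX} 25 out via ${EXT_IF} setup keep-state
add 1030 allow tcp from me to any 995 out via ${EXT_IF} setup keep-state
add 1040 deny log tcp from any to any 25 out via ${EXT_IF}
EOF
}

# Number of redirect rules in the set; a reviewer checks this first.
count_fwd_rules() {
    smtp_rules | grep -c '^add [0-9]* fwd '
}

# Load the rules only when explicitly asked, one ipfw invocation per rule.
if [ "${1:-}" = "apply" ]; then
    smtp_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        ipfw -q $rule
    done
fi
```

Rule 1000 lets workstations hand mail to the hub normally; 1010 catches the case the question is about, a connection from an internal host to some outside server on port 25, and delivers it to the local listener instead, so the hub's own policy (SMART_HOST to the ISP, masquerading) applies to it. Rules 1020 and 1030 are the stateful outbound pair Dave mentions for ports 25 and 995, narrowed so that only the firewall itself may originate them. Rule 1040 should never match once the earlier rules are in place; if it does, the logged source address is worth a look. The fwd rule must sit before any rule that would otherwise pass the packet, including a natd divert rule if that is placed ahead of it.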