Date:      Tue, 11 May 2004 22:06:48 -0500
From:      D J Hawkey Jr <hawkeyd@visi.com>
To:        Tim Aslat <tim@spyderweb.com.au>
Cc:        freebsd security list <freebsd-security@freebsd.org>
Subject:   Re: quick FW question
Message-ID:  <20040512030648.GA2102@sheol.localdomain>
In-Reply-To: <20040512115607.23ac80ea@bofh.spyderweb.com.au>
References:  <20040512115607.23ac80ea@bofh.spyderweb.com.au>

On May 12, at 11:56 AM, Tim Aslat wrote:
> 
> I hope this isn't too off topic, but I'd like a quick solution to a
> problem.
> 
> I have a small network behind a NAT firewall (FreeBSD of course) and I'd
> like to block/redirect all traffic from the internal network to the
> local mail server (same box as firewall) in order to prevent direct smtp
> requests to the outside world (mainly virus/trojan programs).

Set up the mail server as the hub for your internal network, and have
the workstations forward mail to it. If you're running sendmail on the
workstations, put this in their .mc file:
    define(`SMART_HOST', `smtp:mailhub.privatedomain')
And rebuild their sendmail.cf (I use the same .mc file for all U**X
boxen on my network, except for the mail hub). Basically, just point
all internal boxen's mailers to the hub.

My mail hub, in turn, defines SMART_HOST to be my ISP's mail cluster,
and I define MASQUERADE_AS to be my ISP's domain (I use the feature
masquerade_envelope, too). You might not be able to do this, of course;
it'll depend on your connectivity.

You'll need an MX record set up for the mail hub in your DNS.

> I think I have it right in this rule, but I would prefer to get a
> second, or even a third opinion.
> 
> ipfw add fwd 127.0.0.1,25 tcp from any to me dst-port 25

Given the above approach, the only thing I have in my firewall for
SMTP is a rule for stateful outbound on ports 25 and 995 (I use SSL-
enabled POP3 to download incoming mail from my ISP's mail cluster).

Hope this helps,
Dave

-- 
  ______________________                         ______________________
  \__________________   \    D. J. HAWKEY JR.   /   __________________/
     \________________/\     hawkeyd@visi.com    /\________________/
                      http://www.visi.com/~hawkeyd/
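The "mail hub on the firewall" design from this exchange as one ipfw ruleset, written as an added example rather than code from either poster. It assumes a constructed internal network 192.168.1.0/24 on interface fxp0, that sendmail on the firewall is the hub, and that the kernel was built with the IPFIREWALL_FORWARD option that `fwd` needs; set IPFW=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example: redirect workstations' direct SMTP to the local hub and let
# only the hub talk SMTP/POP3S to the outside world.
IPFW="${IPFW:-/sbin/ipfw}"
INT_NET="${INT_NET:-192.168.1.0/24}"   # constructed sample value
INT_IF="${INT_IF:-fxp0}"                # constructed sample value

smtp_rules() {
    # Let reply packets of established sessions through first.
    "$IPFW" add 1000 check-state
    # Workstations may talk SMTP to the hub (this box) directly.
    "$IPFW" add 1010 allow tcp from "$INT_NET" to me 25 in via "$INT_IF" setup keep-state
    # A LAN host aiming at some outside SMTP server (e.g. a worm with its own
    # mailer) is handed to the local sendmail instead; needs IPFIREWALL_FORWARD.
    "$IPFW" add 1020 fwd 127.0.0.1,25 tcp from "$INT_NET" to any 25 in via "$INT_IF"
    # Only the hub itself opens outbound SMTP and POP3S sessions (to the ISP's
    # mail cluster); the state table handles the return traffic.
    "$IPFW" add 1030 allow tcp from me to any 25,995 out setup keep-state
    # Belt and braces: log and drop any port-25 traffic that still tries to
    # leave on behalf of an internal host, so the hub cannot be bypassed.
    "$IPFW" add 1040 deny log tcp from "$INT_NET" to any 25 out
}

# Number of rules the set would load (dry run, used for checking the script).
rule_count() {
    ( IPFW=echo; smtp_rules ) | grep -c '^add '
}
```

The divert/natd rules that do the NAT itself are assumed to live elsewhere in the ruleset, ahead of these.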
