Date: Fri, 4 Apr 2003 10:14:28 -0800
From: Sereciya Kurdistani <sereciya@kurdistan.ath.cx>
To: freebsd-ipfw@freebsd.org
Subject: Re: Sereciya :: Quick IPFW Question Concerning Sendmail
Message-ID: <20030404181428.GA19093@kurdistan.ath.cx>
In-Reply-To: <20030403135048.D92663-100000@diana.northnetworks.ca>
References: <20030403182847.GC23675@kurdistan.ath.cx> <20030403135048.D92663-100000@diana.northnetworks.ca>
Hello Steve, Hello Everybody,

I was having some trouble earlier with my firewall setup w/ sendmail
(original question/posting below); I believe I have -- more-or-less --
solved the problem.

> > Hello,
> >
> > I have a quick question for you ipfw/firewall experts out there.
> >
> > I've set up an elaborate firewall only to have trouble with
> > Sendmail.
> >
> > I have opened port 25 incoming, and also allow outgoing to another
> > port 25, but I always find stuck mail when I use "mailq".
> >
> > Using tcpdump -- and no firewall -- I've found that between the
> > dns lookups and smtp connections there are in fact some auth
> > lookups too.
> >
> > I opened incoming port 113 and outgoing to 113 but I still have
> > stuck mail!
> >
> > Any help would be greatly appreciated, many thanks in advance!
> >
> > -Sereciya Kurdistani
> >
> > PS
> > My basic rules look like:
> >
> > ipfw add NNNN allow \{ tcp or udp \} from any to any smtp,smtps out
> > ipfw add NNNN allow \{ tcp \} log from any to any smtp,smtps in
> >
> > ipfw add NNNN allow \{ tcp or udp \} from any to any auth out
> > ipfw add NNNN allow \{ tcp \} log from any to any auth in
> >
> > and yes, this is ipfw2 on 4.8-STABLE

Here is what happens...

Your mail client, on a high port 1024-65535, makes a connection to the
remote server on port 25, Sendmail. Various connections are made back to
your origination high ports from the remote server, port 25.

I'll toss in a dns lookup or two here... (outgoing)

Somewhere here, you make a connection to the remote server, port 113, auth.
( I've noticed that the remote server does *not* need to connect to your
auth port, you do not need to open it; this is a perfect candidate for a
stateful rule... )

Then... the remote server makes a connection from a low port 1-1024 to
your high port 1024-65535.

The following rules seem to work:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

allow log { udp or tcp } from any to any dst-port 25,113,465 out via tun0
allow log tcp from any to any dst-port 25,113,465 in via tun0
check-state
allow log tcp from any 1-1024,1024-65535 to any dst-port 1024-65535,1-1024 out via tun0 keep-state
allow log tcp from any 1-1024 to any dst-port 1024-65535 in via tun0

If anybody has a better explanation, please let me know. I'm working on
trial-and-error here, mostly error ;)

TIA

-Sereciya Kurdistani

PS
Who says "count" is not a useful feature in ipfw?