From: Sereciya Kurdistani
To: freebsd-ipfw@freebsd.org
Date: Fri, 4 Apr 2003 10:14:28 -0800
Subject: Re: Sereciya :: Quick IPFW Question Concerning Sendmail
Message-ID: <20030404181428.GA19093@kurdistan.ath.cx>
In-Reply-To: <20030403135048.D92663-100000@diana.northnetworks.ca>
List-Id: IPFW Technical Discussions

Hello Steve, Hello Everybody,

I was having some trouble earlier with my firewall setup w/ sendmail (original question/posting below); I believe I have -- more-or-less -- solved the problem.

> > Hello,
> >
> > I have a quick question for you ipfw/firewall experts out there.
> >
> > I have set up an elaborate firewall only to have trouble with
> > Sendmail.
> >
> > I have opened port 25 incoming, and also allow outgoing to another
> > port 25, but I always find stuck mail when I use "mailq".
> >
> > Using tcpdump -- and no firewall -- I've found that between the
> > dns lookups and smtp connections there are in fact some auth
> > lookups too.
> >
> > I opened incoming port 113 and outgoing to 113 but I still have
> > stuck mail!
> >
> > Any help would be greatly appreciated, many thanks in advance!
> >
> > -Sereciya Kurdistani
> >
> > PS
> > My basic rules look like:
> >
> >     ipfw add NNNN allow \{ tcp or udp \} from any to any smtp,smtps out
> >     ipfw add NNNN allow \{ tcp \} log from any to any smtp,smtps in
> >
> >     ipfw add NNNN allow \{ tcp or udp \} from any to any auth out
> >     ipfw add NNNN allow \{ tcp \} log from any to any auth in
> >
> > and yes, this is ipfw2 on 4.8-STABLE

Here is what happens...

Your mail client, on a high port 1024-65535, makes a connection to the remote server on port 25, Sendmail. Various connections are made back to your origination high ports from the remote server, port 25.

I'll toss in a dns lookup or two here... (outgoing)

Somewhere here, you make a connection to the remote server, port 113, auth. (I've noticed that the remote server does *not* need to connect to your auth port, you do not need to open it; this is a perfect candidate for a stateful rule...)

Then... the remote server makes a connection from a low port 1-1024 to your high port 1024-65535.

The following rules seem to work:

    allow log { udp or tcp } from any to any dst-port 25,113,465 out via tun0
    allow log tcp from any to any dst-port 25,113,465 in via tun0

    check-state
    allow log tcp from any 1-1024,1024-65535 to any dst-port 1024-65535,1-1024 out via tun0 keep-state
    allow log tcp from any 1-1024 to any dst-port 1024-65535 in via tun0

If anybody has a better explanation, please let me know. I'm working on trial-and-error here, mostly error ;)

TIA

-Sereciya Kurdistani

PS
Who says "count" is not a useful feature in ipfw?
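The trial-and-error described above works by reading the `log` output of the ipfw rules to see which flows of an SMTP delivery hit the default deny. The script below is an added example (not part of the post) that does that tally over a constructed sample of ipfw syslog lines; the addresses, hostnames and rule numbers in the sample are made up, and the line format is assumed to be the usual `ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>`.

```python
import re
from collections import Counter

# ipfw "log" lines as syslog writes them (rule, action, proto, src:port, dst:port,
# direction, interface). ICMP lines carry no ports and are skipped on purpose.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Well-known ports from the ruleset in the post, for readable summaries.
SERVICE = {25: "smtp", 53: "domain", 113: "auth", 465: "smtps"}

# Constructed sample (hostnames, addresses and rule numbers are made up):
# one outbound SMTP session, its DNS lookup, and two packets hit by the default deny.
SAMPLE_LOG = """\
Apr  4 10:01:02 ns1 /kernel: ipfw: 300 Accept TCP 10.0.0.2:1025 192.0.2.25:25 out via tun0
Apr  4 10:01:02 ns1 /kernel: ipfw: 310 Accept TCP 192.0.2.25:25 10.0.0.2:1025 in via tun0
Apr  4 10:01:02 ns1 /kernel: ipfw: 300 Accept UDP 10.0.0.2:1026 192.0.2.53:53 out via tun0
Apr  4 10:01:03 ns1 /kernel: ipfw: 65534 Deny TCP 192.0.2.25:1040 10.0.0.2:113 in via tun0
Apr  4 10:01:06 ns1 /kernel: ipfw: 65534 Deny TCP 192.0.2.25:1040 10.0.0.2:113 in via tun0
"""


def parse_ipfw_log(text):
    """Return one dict per TCP/UDP log line; lines that do not match are ignored."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("rule", "sport", "dport"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records


def denied_flows(text):
    """Count denied packets by (proto, direction, dst-port): the flows no allow rule covers."""
    counts = Counter()
    for rec in parse_ipfw_log(text):
        if rec["action"] == "Deny":
            counts[(rec["proto"], rec["dir"], rec["dport"])] += 1
    return counts


def report(text):
    """Human-readable lines, most-denied flow first."""
    lines = []
    for (proto, direction, dport), n in denied_flows(text).most_common():
        lines.append(f"{n:4d} x {proto} {direction:3s} dst-port {dport} ({SERVICE.get(dport, '?')})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Feed it the real file with `report(open("/var/log/security").read())`; a flow that shows up in the tally while `mailq` is stuck is the one the ruleset is missing.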