Date:      6 Apr 2003 18:18:05 +0200
From:      "clemens fischer" <ino-qc@spotteswoode.de.eu.org>
To:        "Sereciya Kurdistani" <sereciya@kurdistan.ath.cx>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Quick IPFW Question Concerning Sendmail
Message-ID:  <wui77g76.fsf@ID-23066.news.dfncis.de>
In-Reply-To: <20030405174853.GA94738@kurdistan.ath.cx> (Sereciya Kurdistani's message of "Sat, 5 Apr 2003 09:48:53 -0800")
References:  <20030403182847.GC23675@kurdistan.ath.cx> <20030403135048.D92663-100000@diana.northnetworks.ca> <20030405174853.GA94738@kurdistan.ath.cx>

Sereciya Kurdistani <sereciya@kurdistan.ath.cx>:

>   vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
>   ipfw add NNNN check-state
>   ipfw add NNNN allow      { udp or tcp } from any to any dst-port smtp,auth,smtps out via tun0 keep-state
>   ipfw add NNNN allow  log   tcp          from any to any dst-port smtp,smtps      in  via tun0
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>        
>   This way, you don't have to allow any ports open for any incoming traffic not matched
>   by the stateful rules, ;)

are you sure this does what you want?  i don't see the customary
anti-spoofing rules and there's a lot to be said for keeping state
especially on _incoming_ connections.  if these are all your rules,
then what about incoming SMTP and AUTH on port 113?

i imagine your rules allowing _you_ to query others for AUTH data,
but you don't allow others this privilege.

  clemens
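The following is an added example, not part of clemens' or Sereciya's messages: a dry-run shell script that sketches the ruleset the reply is asking for, i.e. the quoted check-state / keep-state rules with anti-spoofing rules in front of them and a stateful rule for incoming SMTP and AUTH (port 113). The interface name tun0 and the service names come from the thread; the external address 203.0.113.5 (RFC 5737 documentation range), the rule numbers and the dry-run wrapper are constructed for illustration. The rules are written TCP-only with `setup keep-state`, the usual ipfw idiom for letting only the connection-opening SYN create a dynamic rule. By default the script only prints the `ipfw` commands; run it with `IPFW=ipfw` on a FreeBSD host to load them.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal ipfw rule set
# combining check-state / keep-state with anti-spoofing and stateful
# handling of *incoming* SMTP and AUTH.  Interface tun0 comes from the
# thread; the address 203.0.113.5 and the rule numbers are constructed.
# Dry-run by default: IPFW=ipfw loads the rules for real.

IPFW="${IPFW:-echo ipfw}"
EXT_IF="tun0"
EXT_IP="203.0.113.5"   # constructed: the address assigned to tun0

rule() {
    # Emit (or load) one rule: rule NUM BODY...
    $IPFW add "$@"
}

build_ruleset() {
    # Dynamic rules created by keep-state are matched here first.
    rule 100 check-state

    # Anti-spoofing: nothing arriving on the external interface may claim
    # to come from our own address, loopback or RFC 1918 space ...
    rule 200 deny log ip from "$EXT_IP" to any in via "$EXT_IF"
    rule 210 deny log ip from 127.0.0.0/8 to any in via "$EXT_IF"
    rule 220 deny log ip from 10.0.0.0/8 to any in via "$EXT_IF"
    rule 230 deny log ip from 172.16.0.0/12 to any in via "$EXT_IF"
    rule 240 deny log ip from 192.168.0.0/16 to any in via "$EXT_IF"
    # ... and nothing may leave with a source address that is not ours.
    rule 250 deny log ip from not "$EXT_IP" to any out via "$EXT_IF"

    # Outbound mail and ident lookups, stateful: only the SYN ("setup")
    # matches here; the rest of each connection is handled by check-state.
    rule 300 allow tcp from "$EXT_IP" to any dst-port smtp,auth,smtps out via "$EXT_IF" setup keep-state

    # Inbound mail and ident, also stateful.  Because the dynamic rule
    # covers both directions, no separate "out" rule for replies is needed.
    rule 400 allow log tcp from any to "$EXT_IP" dst-port smtp,smtps,auth in via "$EXT_IF" setup keep-state

    # Default deny for anything else crossing the external interface.
    rule 65000 deny log ip from any to any via "$EXT_IF"
}

count_rules() {
    # Number of rules the set would load (useful as a sanity check).
    build_ruleset | wc -l | tr -d ' '
}

build_ruleset
```

Note that with `keep-state` on the inbound SMTP rule, the dynamic rule expires once the connection finishes or idles out, so the static rule set never has to hold a permanent "allow any established" hole open.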
