Date: 6 Apr 2003 18:18:05 +0200 From: "clemens fischer" <ino-qc@spotteswoode.de.eu.org> To: "Sereciya Kurdistani" <sereciya@kurdistan.ath.cx> Cc: freebsd-ipfw@freebsd.org Subject: Re: Quick IPFW Question Concerning Sendmail Message-ID: <wui77g76.fsf@ID-23066.news.dfncis.de> In-Reply-To: <20030405174853.GA94738@kurdistan.ath.cx> (Sereciya Kurdistani's message of "Sat, 5 Apr 2003 09:48:53 -0800") References: <20030403182847.GC23675@kurdistan.ath.cx> <20030403135048.D92663-100000@diana.northnetworks.ca> <20030405174853.GA94738@kurdistan.ath.cx>
next in thread | previous in thread | raw e-mail | index | archive | help
Sereciya Kurdistani <sereciya@kurdistan.ath.cx>:
> vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
> ipfw add NNNN check-state
> ipfw add NNNN allow { udp or tcp } from any to any dst-port smtp,auth,smtps out via tun0 keep-state
> ipfw add NNNN allow log tcp from any to any dst-port smtp,smtps in via tun0
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> This way, you don't have to allow any ports open for any incoming traffic not matched
> by the stateful rules, ;)
are you sure this does what you want? i don't see the customary
anti-spoofing rules and there's a lot to be said for keeping state
especially on _incoming_ connections. if these are all your rules,
then what about incoming SMTP and AUTH on port 113?
i imagine your rules allowing _you_ to query others for AUTH data,
but you don't allow others this privilege.
clemens
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?wui77g76.fsf>