Date:      Sat, 5 Apr 2003 09:48:53 -0800
From:      Sereciya Kurdistani <sereciya@kurdistan.ath.cx>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: Quick IPFW Question Concerning Sendmail
Message-ID:  <20030405174853.GA94738@kurdistan.ath.cx>
In-Reply-To: <20030403135048.D92663-100000@diana.northnetworks.ca>
References:  <20030403182847.GC23675@kurdistan.ath.cx> <20030403135048.D92663-100000@diana.northnetworks.ca>

       
Earlier...
       
> > Hello,
> >
> >   I have a quick question for you ipfw/firewall experts out there.
> >
> >   I have set up an elaborate firewall only to have trouble with
> >   Sendmail.
> >
> >   I have opened port 25 incoming, and also allow outgoing to another
> >   port 25, but I always find stuck mail when I use "mailq".
> >
> >   Using tcpdump -- and no firewall -- I've found that between the
> >   dns lookups and smtp connections there are in fact some auth
> >   lookups too.
> >
> >   I opened incoming port 113 and outgoing to 113 but I still have
> >   stuck mail!
> >
> >   Any help would be greatly appreciated, many thanks in advance!
> >
> > -Sereciya Kurdistani
> >
> > PS
> > My basic rules look like:
> >
> > ipfw add NNNN allow \{ tcp or udp \}     from any to any smtp,smtps out
> > ipfw add NNNN allow \{ tcp \}        log from any to any smtp,smtps in
> >
> > ipfw add NNNN allow \{ tcp or udp \}     from any to any auth out
> > ipfw add NNNN allow \{ tcp \}        log from any to any auth in
> >
       
  Later I found out that I had to allow connections to my high port from
  outside low ports incoming:
       
  ipfw add NNNN allow tcp from any 1-1024 to any 1025-65535 in via ${oif_1}...
       
  The reason for this was that I forgot to add a "keep-state" ;))
       
  Here's my final solution:
       
  vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
  ipfw add NNNN check-state
  ipfw add NNNN allow      { udp or tcp } from any to any dst-port smtp,auth,smtps out via tun0 keep-state
  ipfw add NNNN allow  log   tcp          from any to any dst-port smtp,smtps      in  via tun0
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       
  This way, you don't have to leave any ports open for incoming traffic that
  isn't matched by the stateful rules ;)

-- 
+--------------------------------------------------------------+
| The homeland does not build itself: join hands with one      |
|   another and rely on no enemy. The road to freedom is not   |
|     easy; do not give up hope, our time is near.             |
|                                                              |
| Do not befriend the two-faced; befriend one another.         |
|   Not the friendship of the barefoot and the long-faced,     |
|     nor of the bloodthirsty, nor of the others.              |
|                                                              |
|                                   -Sereciya Kurdistani       |
+--------------------------------------------------------------+
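An added example, written for this archive page and not part of the original message or of FreeBSD's ipfw tooling, that packages the lesson of the thread: the stateful rule set as a dry-run script, plus a small audit over `ipfw list` style output that flags the kind of rule the poster first tried. Two caveats a practitioner would want here. First, `allow tcp from any 1-1024 to any 1025-65535 in` is a real hole, not just an inelegance: the remote side chooses its own source port, so anyone can connect from port 25 or 113 and reach any service listening on a high port of the host. Second, SMTP, SMTPS and ident (auth) are TCP-only, so the `{ udp or tcp }` in the outbound rule matches nothing useful. Note also that in the final rule set above the inbound SMTP rule has no `keep-state`, so the server's replies to inbound connections must be allowed by some other rule not shown in the message; giving that rule `setup keep-state` as below closes that gap as well. The interface name, rule numbers and the sample `ipfw list` output are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not the poster's rule set, not FreeBSD's ipfw code).
#   mail_rules   - emit or apply a stateful rule set for a mail host
#   audit_rules  - scan `ipfw list` output for inbound allow rules that
#                  match only on the peer's source port (the 1-1024 ->
#                  1025-65535 hole) without any state or SYN check
# Interface name, rule numbers and sample_listing are assumptions.

oif="${OIF:-tun0}"        # assumed outside interface (the message used tun0)
fw="${FW:-echo ipfw}"     # dry run by default: prints the commands;
                          # FW=/sbin/ipfw actually installs the rules

mail_rules() {
    # SMTP, SMTPS and ident are TCP-only. "setup" matches only the SYN,
    # keep-state creates the dynamic entry, check-state admits the replies,
    # so no high-port range ever has to be opened to the outside.
    $fw add 100 check-state
    $fw add 200 allow tcp from any to any dst-port smtp,smtps,auth out via "$oif" setup keep-state
    $fw add 300 allow tcp from any to any dst-port smtp,smtps in via "$oif" setup keep-state
    $fw add 400 allow udp from any to any dst-port domain out via "$oif" keep-state
    $fw add 65000 deny log ip from any to any in via "$oif"
}

# Reads `ipfw list` style lines on stdin and prints the rule numbers of
# inbound "allow" rules whose only match is a source-port spec: no
# keep-state, no established, no setup.
audit_rules() {
    awk '
        $2 == "allow" && / in / &&
        / from [^ ]+ [0-9][0-9,-]* to / &&
        !/keep-state/ && !/established/ && !/setup/ { print $1 }
    '
}

# Constructed listing for the demo; rule 00200 is the hole from the thread.
sample_listing() {
    cat <<'EOF'
00100 check-state
00200 allow tcp from any 1-1024 to any 1025-65535 in via tun0
00300 allow tcp from any to any dst-port 25,465 in via tun0 setup keep-state
00400 allow tcp from any to any dst-port 25,465,113 out via tun0 setup keep-state
65535 deny ip from any to any
EOF
}

# Demo: flag the weak rule in the sample listing, then show the
# replacement rule set (printed, not applied, unless FW is set).
sample_listing | audit_rules
mail_rules
```

Run it as-is to see the flagged rule number and the proposed rules; to audit a live box, pipe `ipfw list | audit_rules` (after sourcing the functions), and only set `FW=/sbin/ipfw` once the printed rules fit the rest of your rule set, since rule 65000 denies everything inbound that the stateful rules did not admit.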


Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20030405174853.GA94738>