From: Sereciya Kurdistani
To: freebsd-ipfw@freebsd.org
Date: Sat, 5 Apr 2003 09:48:53 -0800
Subject: Re: Quick IPFW Question Concerning Sendmail
Message-ID: <20030405174853.GA94738@kurdistan.ath.cx>
In-Reply-To: <20030403135048.D92663-100000@diana.northnetworks.ca>
References: <20030403182847.GC23675@kurdistan.ath.cx> <20030403135048.D92663-100000@diana.northnetworks.ca>

Earlier...

> > Hello,
> >
> > I have a quick question for you ipfw/firewall experts out there.
> >
> > I have set up an elaborate firewall only to have trouble with
> > Sendmail.
> >
> > I have opened port 25 incoming, and also allow outgoing to another
> > port 25, but I always find stuck mail when I use "mailq".
> >
> > Using tcpdump -- and no firewall -- I've found that between the
> > dns lookups and smtp connections there are in fact some auth
> > lookups too.
> >
> > I opened incoming port 113 and outgoing to 113 but I still have
> > stuck mail!
> >
> > Any help would be greatly appreciated, many thanks in advance!
> >
> > -Sereciya Kurdistani
> >
> > PS
> > My basic rules look like:
> >
> > ipfw add NNNN allow \{ tcp or udp \} from any to any smtp,smtps out
> > ipfw add NNNN allow \{ tcp \} log from any to any smtp,smtps in
> >
> > ipfw add NNNN allow \{ tcp or udp \} from any to any auth out
> > ipfw add NNNN allow \{ tcp \} log from any to any auth in

Later I found out that I had to allow connections to my high port from
outside low ports incoming:

ipfw add NNNN allow tcp from any 1-1024 to any 1025-65535 in via ${oif_1}...

The reason for this was that I forgot to add a "keep-state" ;))

Here's my final solution:

vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
ipfw add NNNN check-state
ipfw add NNNN allow { udp or tcp } from any to any dst-port smtp,auth,smtps out via tun0 keep-state
ipfw add NNNN allow log tcp from any to any dst-port smtp,smtps in via tun0
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This way, you don't have to have any ports open for any incoming traffic
not matched by the stateful rules ;)

-- 
+--------------------------------------------------------------+
| A homeland does not build itself: lend each other a hand     |
| and give no enemy your support. The road to freedom is       |
| not easy; do not give up hope, our time is near.             |
|                                                              |
| Do not befriend two-faced people; be friends with one        |
| another. Not the friendship of the vagrant and the           |
| shameless, nor of the bloodthirsty, nor of the rest.         |
|                                                              |
| -Sêrêciya Kurdistanî                                         |
+--------------------------------------------------------------+
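The following is an added example, not the poster's ruleset or any FreeBSD code: a small Python model of how ipfw walks a rule list with check-state and keep-state. It replays the three rulesets from the thread (the original stateless in/out rules, the interim "low port to high port in" workaround, and the final stateful version) against constructed SMTP traffic, and shows why the MX's reply packets to the MTA's high port are dropped without state, why the workaround also admits unsolicited packets from any low source port, and why the stateful ruleset needs no open inbound port range at all. The addresses, port numbers other than smtp/auth/smtps, and the default-deny at the end of the list are assumptions; interface matching, TCP flags and state timeouts are left out.

```python
# Added example: toy model of ipfw check-state / keep-state evaluation.
# Not the list poster's ruleset. Simplified semantics: no interfaces,
# no TCP flags, no state expiry. Addresses and high ports are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

SMTP, AUTH, SMTPS = 25, 113, 465   # the services named in the thread
TCP, TCP_UDP = frozenset({"tcp"}), frozenset({"tcp", "udp"})


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "in" or "out", as seen on the outside interface


@dataclass(frozen=True)
class Rule:
    action: str = "allow"                       # "allow" or "deny"
    protos: Optional[FrozenSet[str]] = None     # None matches any protocol
    dst_ports: Optional[FrozenSet[int]] = None  # None matches any dst port
    src_ports: Optional[FrozenSet[int]] = None  # None matches any src port
    direction: Optional[str] = None             # None matches both directions
    keep_state: bool = False                    # record the flow on match
    check_state: bool = False                   # consult the dynamic table only

    def matches(self, pkt: Packet) -> bool:
        return ((self.protos is None or pkt.proto in self.protos)
                and (self.dst_ports is None or pkt.dport in self.dst_ports)
                and (self.src_ports is None or pkt.sport in self.src_ports)
                and (self.direction is None or pkt.direction == self.direction))


def flow_key(pkt: Packet):
    """Direction-independent key, so a reply matches the entry its request made."""
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))


class Firewall:
    """Evaluates rules top-down, first match wins; keep-state records the flow."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.states = set()

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.check_state:                  # dynamic table lookup only
                if flow_key(pkt) in self.states:
                    return "allow"
                continue
            if rule.matches(pkt):
                if rule.keep_state:
                    self.states.add(flow_key(pkt))
                return rule.action
        return "deny"   # assumed: implicit default-deny at the end of the list


def stateless_rules() -> List[Rule]:
    """The poster's first attempt: separate in/out rules, no state."""
    return [Rule("allow", TCP_UDP, frozenset({SMTP, SMTPS}), direction="out"),
            Rule("allow", TCP, frozenset({SMTP, SMTPS}), direction="in"),
            Rule("allow", TCP_UDP, frozenset({AUTH}), direction="out"),
            Rule("allow", TCP, frozenset({AUTH}), direction="in")]


def low_to_high_rules() -> List[Rule]:
    """The interim workaround: any low source port may reach any high port inbound."""
    return stateless_rules() + [Rule("allow", TCP, frozenset(range(1025, 65536)),
                                     src_ports=frozenset(range(1, 1025)),
                                     direction="in")]


def stateful_rules() -> List[Rule]:
    """The final solution: check-state first, keep-state on the outbound rule."""
    return [Rule(check_state=True),
            Rule("allow", TCP_UDP, frozenset({SMTP, AUTH, SMTPS}),
                 direction="out", keep_state=True),
            Rule("allow", TCP, frozenset({SMTP, SMTPS}), direction="in")]


def run_scenario(rules: List[Rule]) -> Dict[str, str]:
    """Replay constructed traffic: our MTA 10.0.0.2 delivers to MX 192.0.2.10."""
    fw = Firewall(rules)
    syn = Packet("tcp", "10.0.0.2", 51234, "192.0.2.10", SMTP, "out")
    reply = Packet("tcp", "192.0.2.10", SMTP, "10.0.0.2", 51234, "in")
    # Unsolicited packet from a low source port to a high port on our host.
    stray = Packet("tcp", "198.51.100.7", SMTP, "10.0.0.2", 40000, "in")
    return {"syn": fw.evaluate(syn), "reply": fw.evaluate(reply),
            "unsolicited": fw.evaluate(stray)}


if __name__ == "__main__":
    for name, rules in (("stateless", stateless_rules()),
                        ("low-to-high", low_to_high_rules()),
                        ("stateful", stateful_rules())):
        print(f"{name:12s} {run_scenario(rules)}")
```

The stateless set passes the outbound SYN but has nothing matching the reply, which is exactly the "stuck mail" symptom; the low-to-high workaround passes the reply but also the unsolicited packet, because it cannot tell a reply from a fresh connection that merely uses a low source port; only the stateful set passes the reply and still denies the stray packet. The model keeps check-state and keep-state as separate steps for clarity; on a real FreeBSD host a keep-state rule also performs the check-state lookup itself, and `ipfw -d list` shows the dynamic entries it has created.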