Date: Sun, 6 Apr 2003 09:27:35 -0700 From: Sereciya Kurdistani <sereciya@kurdistan.ath.cx> To: freebsd-ipfw@freebsd.org Subject: Re: Quick IPFW Question Concerning Sendmail Message-ID: <20030406162735.GA2797@kurdistan.ath.cx> In-Reply-To: <wui77g76.fsf@ID-23066.news.dfncis.de> References: <20030403182847.GC23675@kurdistan.ath.cx> <20030403135048.D92663-100000@diana.northnetworks.ca> <20030405174853.GA94738@kurdistan.ath.cx> <wui77g76.fsf@ID-23066.news.dfncis.de>
next in thread | previous in thread | raw e-mail | index | archive | help
Clemens,
Thank you for taking the time to respond to my posting ;)
Your comments are greatly appreciated.
On Sun, Apr 06, 2003 at 06:18:05PM +0200, clemens fischer wrote:
> Sereciya Kurdistani <sereciya@kurdistan.ath.cx>:
>
> > vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
> > ipfw add NNNN check-state
> > ipfw add NNNN allow { udp or tcp } from any to any dst-port smtp,auth,smtps out via tun0 keep-state
> > ipfw add NNNN allow log tcp from any to any dst-port smtp,smtps in via tun0
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > This way, you don't have to allow any ports open for any incoming traffic not matched
> > by the stateful rules, ;)
>
> are you sure this does what you want? i don't see the customary
> anti-spoofing rules and there's a lot to be said for keeping state
> especially on _incoming_ connections. if these are all your rules,
> then what about incoming SMTP and AUTH on port 113?
I think this is what I want...
Would you please show me an example of anti-spoofing rules? I'd
greatly appreciate it ;)
...Actually, I do have some facility for anti-spoofing rules, here they are:
ipfw add NNNN skipto NEXT_BLOCK all from ${myhost} to not ${myhost} out via ${oif_1}
ipfw add NNNN skipto NEXT_BLOCK all from not ${myhost} to ${myhost} in via ${oif_1}
Do you mean I should check/filter for the private IP Addresses also?
I'm not opening incoming AUTH because it seems unnecessary ; everything
is running fine without opening that port.
Incoming SMTP is handled with a rule like:
ipfw add NNNN pipe N log tcp from any to any smtp,smtps in via ${oif}
> i imagine your rules allowing _you_ to query others for AUTH data,
> but you don't allow others this privilege.
That's correct. Am I breaking a netiquette rule that I may not be
familiar with?
Thank you for your participation ;)
--
+--------------------------------------------------------------+
| Welat xwe ava nake, dest bidin hevdu, pist nedin tu dijminî |
| Riya azadiyê ne hêsan e, hêviya xwe bernedin, dema me |
| nêzîk e. |
| |
| Hevaltî bi kesên du rû nekin, hevaltî bi hevdu ra bikin |
| Ne ji hevaltiya wan kesên pêxwas û rû dirêj, ne bi wan |
| kesên xwînperest, ne jî ji yên din. |
| |
| -Sêrêciya Kurdistanî |
+--------------------------------------------------------------+
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030406162735.GA2797>