Date:      Sun, 6 Apr 2003 09:27:35 -0700
From:      Sereciya Kurdistani <sereciya@kurdistan.ath.cx>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: Quick IPFW Question Concerning Sendmail
Message-ID:  <20030406162735.GA2797@kurdistan.ath.cx>
In-Reply-To: <wui77g76.fsf@ID-23066.news.dfncis.de>
References:  <20030403182847.GC23675@kurdistan.ath.cx> <20030403135048.D92663-100000@diana.northnetworks.ca> <20030405174853.GA94738@kurdistan.ath.cx> <wui77g76.fsf@ID-23066.news.dfncis.de>

Clemens,

  Thank you for taking the time to respond to my posting ;)

  Your comments are greatly appreciated.

On Sun, Apr 06, 2003 at 06:18:05PM +0200, clemens fischer wrote:
> Sereciya Kurdistani <sereciya@kurdistan.ath.cx>:
> 
> >   vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
> >   ipfw add NNNN check-state
> >   ipfw add NNNN allow      { udp or tcp } from any to any dst-port smtp,auth,smtps out via tun0 keep-state
> >   ipfw add NNNN allow  log   tcp          from any to any dst-port smtp,smtps      in  via tun0
> >   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >        
> >   This way, you don't have to leave any ports open for incoming traffic not matched
> >   by the stateful rules, ;)
> 
> are you sure this does what you want?  i don't see the customary
> anti-spoofing rules and there's a lot to be said for keeping state
> especially on _incoming_ connections.  if these are all your rules,
> then what about incoming SMTP and AUTH on port 113?

  I think this is what I want...
  
  Would you please show me an example of anti-spoofing rules?  I'd
  greatly appreciate it ;)

  ...Actually, I do have some facility for anti-spoofing rules; here they are:

  ipfw add NNNN skipto NEXT_BLOCK all from     ${myhost} to not ${myhost} out via ${oif_1}
  ipfw add NNNN skipto NEXT_BLOCK all from not ${myhost} to     ${myhost} in  via ${oif_1}

  Do you mean I should check/filter for the private IP Addresses also?

  I'm not opening incoming AUTH because it seems unnecessary; everything
  is running fine without opening that port.

  Incoming SMTP is handled with a rule like:

  ipfw add NNNN pipe N log tcp from any to any smtp,smtps in via ${oif}

> i imagine your rules allowing _you_ to query others for AUTH data,
> but you don't allow others this privilege.

  That's correct.  Am I breaking a netiquette rule that I may not be
  familiar with?

Thank you for your participation ;)
 
-- 
+--------------------------------------------------------------+
| The homeland does not build itself; join hands with one      |
|   another, and give no support to any enemy.                 |
|   The road to freedom is not easy; do not give up hope,      |
|     our time is near.                                        |
|                                                              |
| Do not befriend the two-faced; be friends with one another.  |
|   Not with the friendship of the barefoot and long-faced,    |
|     not with the bloodthirsty, nor with the others.          |
|                                                              |
|                                   -Sêrciya Kurdistanî        |
+--------------------------------------------------------------+



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20030406162735.GA2797>
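The ruleset below is an added example, not code from this thread or from the FreeBSD project. It puts together what the two posters discuss: a check-state/keep-state section for SMTP, SMTPS and AUTH, state kept on the incoming SMTP side as well (Clemens' point), and explicit anti-spoofing rules on the external interface in place of the skipto pair above. The interface name tun0, the address 192.0.2.10, the rule numbers and the helper names rule, ipfw_ruleset, rule_count, keepstate_count and checkstate_first are all assumptions for the example; IPFW defaults to echo so the script only prints the rules it would load.

```sh
#!/bin/sh
# Added example, not taken from the thread. A stateful ipfw ruleset for a
# single host on a PPP link (the tun0 case discussed above) with the
# anti-spoofing rules Clemens mentions. Interface name, address and rule
# numbers are assumed placeholders. IPFW defaults to "echo", so running the
# script only prints the rules; set IPFW=/sbin/ipfw on a FreeBSD box to load them.

IPFW="${IPFW:-echo}"
oif="${oif:-tun0}"              # external interface (assumed)
myhost="${myhost:-192.0.2.10}"  # this host's public address (TEST-NET, assumed)

# Emit one rule. With IPFW=echo this prints "add NNNN ..." and touches nothing.
rule() { $IPFW add "$@"; }

ipfw_ruleset() {
    # --- 1. Anti-spoofing on the external interface -----------------------
    # Packets arriving from the outside must not carry our own address,
    # and nothing may leave claiming an address other than ours.
    # (Assumes a single host, not a NAT gateway forwarding for a LAN.)
    rule 100 deny log ip from "$myhost"     to any in  via "$oif"
    rule 110 deny log ip from not "$myhost" to any out via "$oif"
    # Private, loopback and link-local ranges never belong on the WAN link,
    # in either direction.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16; do
        rule 120 deny log ip from "$net" to any    in  via "$oif"
        rule 121 deny log ip from any    to "$net" out via "$oif"
    done

    # --- 2. Stateful section ---------------------------------------------
    # check-state must come before any keep-state rule so replies to
    # established sessions match the dynamic rule and skip everything below.
    rule 200 check-state
    # Outbound connections we initiate (mail relaying, our own AUTH lookups
    # of remote peers, DNS). "setup" restricts the match to SYN packets.
    rule 210 allow tcp from "$myhost" to any dst-port smtp,smtps,auth out via "$oif" setup keep-state
    rule 220 allow udp from "$myhost" to any dst-port domain out via "$oif" keep-state
    # Inbound SMTP: keep state here too, so the return half of the session is
    # covered by the dynamic rule instead of by a static "allow ... out".
    rule 300 allow log tcp from any to "$myhost" dst-port smtp,smtps in via "$oif" setup keep-state
    # Inbound AUTH (ident, port 113): answer with a RST instead of dropping
    # silently, so remote MTAs that probe ident do not sit through a timeout
    # before accepting our mail.
    rule 310 reset tcp from any to "$myhost" dst-port auth in via "$oif"

    # --- 3. Default for the external interface ---------------------------
    rule 65000 deny log ip from any to any via "$oif"
}

# Helpers for checking the generated ruleset without loading it.
rule_count()      { ipfw_ruleset | wc -l | tr -d ' '; }
keepstate_count() { ipfw_ruleset | grep -c 'keep-state'; }
# The first check-state line must precede the first keep-state line.
checkstate_first() {
    cs=$(ipfw_ruleset | grep -n 'check-state' | head -n 1 | cut -d: -f1)
    ks=$(ipfw_ruleset | grep -n 'keep-state'  | head -n 1 | cut -d: -f1)
    [ "$cs" -lt "$ks" ]
}

ipfw_ruleset
```

Running it as-is prints eighteen "add ..." lines; pipe them into /sbin/ipfw, or set IPFW=/sbin/ipfw, to load them. The anti-spoofing rules sit before check-state on purpose: a dynamic rule is created from whatever packet matched the keep-state rule, so the address checks have to be done before any state can be created.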