From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 6 09:27:37 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A887837B401 for ; Sun, 6 Apr 2003 09:27:37 -0700 (PDT)
Received: from kurdistan.ath.cx (adsl-63-207-238-20.dsl.chic01.pacbell.net [63.207.238.20]) by mx1.FreeBSD.org (Postfix) with ESMTP id 94E1E43F93 for ; Sun, 6 Apr 2003 09:27:36 -0700 (PDT) (envelope-from sereciya@kurdistan.ath.cx)
Received: from kurdistan.ath.cx (ns1 [127.0.0.1]) by kurdistan.ath.cx (8.12.8/8.12.6) with ESMTP id h36GRZY2014721; Sun, 6 Apr 2003 09:27:35 -0700 (PDT) (envelope-from sereciya@kurdistan.ath.cx)
Received: (from sereciya@localhost) by kurdistan.ath.cx (8.12.8/8.12.6/Submit) id h36GRZp6014720; Sun, 6 Apr 2003 09:27:35 -0700 (PDT)
Date: Sun, 6 Apr 2003 09:27:35 -0700
From: Sereciya Kurdistani
To: freebsd-ipfw@freebsd.org
Message-ID: <20030406162735.GA2797@kurdistan.ath.cx>
References: <20030403182847.GC23675@kurdistan.ath.cx> <20030403135048.D92663-100000@diana.northnetworks.ca> <20030405174853.GA94738@kurdistan.ath.cx>
Mime-Version: 1.0
Content-Type: text/plain; charset=unknown-8bit
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To:
User-Agent: Mutt/1.4i
Subject: Re: Quick IPFW Question Concerning Sendmail
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 06 Apr 2003 16:27:38 -0000

Clemens,

Thank you for taking the time to respond to my posting ;) Your comments are greatly appreciated.
On Sun, Apr 06, 2003 at 06:18:05PM +0200, clemens fischer wrote:
> Sereciya Kurdistani :
>
> > vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
> > ipfw add NNNN check-state
> > ipfw add NNNN allow { udp or tcp } from any to any dst-port smtp,auth,smtps out via tun0 keep-state
> > ipfw add NNNN allow log tcp from any to any dst-port smtp,smtps in via tun0
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > This way, you don't have to allow any ports open for any incoming traffic not matched
> > by the stateful rules ;)
>
> Are you sure this does what you want? I don't see the customary
> anti-spoofing rules, and there's a lot to be said for keeping state
> especially on _incoming_ connections. If these are all your rules,
> then what about incoming SMTP and AUTH on port 113?

I think this is what I want... Would you please show me an example of
anti-spoofing rules? I'd greatly appreciate it ;)

...Actually, I do have some facility for anti-spoofing rules; here they are:

    ipfw add NNNN skipto NEXT_BLOCK all from ${myhost} to not ${myhost} out via ${oif_1}
    ipfw add NNNN skipto NEXT_BLOCK all from not ${myhost} to ${myhost} in via ${oif_1}

Do you mean I should check/filter for the private IP addresses also?

I'm not opening incoming AUTH because it seems unnecessary; everything is
running fine without opening that port. Incoming SMTP is handled with a
rule like:

    ipfw add NNNN pipe N log tcp from any to any smtp,smtps in via ${oif}

> I imagine your rules allow _you_ to query others for AUTH data,
> but you don't allow others this privilege.

That's correct. Am I breaking a netiquette rule that I may not be familiar with?
Thank you for your participation ;)

--
+--------------------------------------------------------------+
| The homeland does not build itself; join hands with one      |
| another, and do not turn your back on any enemy.             |
| The road to freedom is not easy; do not give up your hope,   |
| our time is near.                                            |
|                                                              |
| Do not make friends with two-faced people; be friends with   |
| one another. Neither the friendship of those ragged and      |
| shameless people, nor of the bloodthirsty, nor of the others.|
|                                                              |
| -Sêrêciya Kurdistanî                                         |
+--------------------------------------------------------------+
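An added example, not part of Sereciya's message or of Clemens's reply: a small sh script that emits the "customary anti-spoofing rules" Clemens refers to, following the pattern of the simple profile in FreeBSD's rc.firewall. The interface name tun0, the public address 203.0.113.5 (a documentation address) and the rule numbers are assumptions made for this example. By default the script only prints the ipfw commands; run it as root with IPFW=ipfw to actually load them.

```shell
#!/bin/sh
# Added example (not from the thread): anti-spoofing block for an ipfw
# host firewall, modelled on the "simple" profile in FreeBSD's rc.firewall.
# Assumptions, all constructed for this example: external interface tun0,
# our public address 203.0.113.5, rules numbered from 100.  IPFW defaults to
# "echo ipfw", so the script only prints the rules unless IPFW=ipfw is set.

IPFW="${IPFW:-echo ipfw}"

# rule NUM BODY... : add one rule through $IPFW
rule() {
    num=$1; shift
    $IPFW add "$num" "$@"
}

# antispoof OIF MYHOST BASE : emit the anti-spoofing rules starting at BASE.
# Give them lower numbers than check-state and the allow rules, so they are
# evaluated first and no later rule can accidentally accept a spoofed packet.
antispoof() {
    oif=$1; myhost=$2; base=$3

    # Packets arriving on the outside interface must never carry our own
    # address as source: that is someone spoofing us (or a routing loop).
    rule "$((base + 0))" deny log all from "$myhost" to any in via "$oif"

    # Packets leaving the outside interface must carry our address as source,
    # otherwise this host is being used to emit spoofed traffic.
    rule "$((base + 1))" deny log all from not "$myhost" to any out via "$oif"

    # Private (RFC 1918), loopback, zero, link-local, documentation,
    # multicast and reserved ranges do not belong on a public link, in
    # either direction.  "via" (no in/out) matches both directions.
    n=$((base + 2))
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
               127.0.0.0/8 0.0.0.0/8 169.254.0.0/16 192.0.2.0/24 \
               224.0.0.0/4 240.0.0.0/4; do
        rule "$n" deny log all from "$net" to any via "$oif"
        n=$((n + 1))
        rule "$n" deny log all from any to "$net" via "$oif"
        n=$((n + 1))
    done
}

# antispoof_rule_count BASE : how many rule numbers the block consumes,
# so the next block can be numbered after it.  Always runs in echo mode.
antispoof_rule_count() {
    ( IPFW="echo ipfw"; antispoof tun0 0.0.0.0 "$1" ) | wc -l | tr -d ' '
}

antispoof "${OIF:-tun0}" "${MYHOST:-203.0.113.5}" "${BASE:-100}"
```

Note the difference from the two skipto rules quoted in the message: skipto only diverts traffic that looks correctly addressed, and what happens to a packet that matches neither skipto is decided by whatever rules follow. An explicit deny log block settles that question up front and makes every spoofing attempt visible in the ipfw log.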