From: whizkid@ValueDJ.com
To: freebsd-ipfw@freebsd.org
Date: Thu, 11 Mar 2004 20:51:45 -0800 (PST)
Subject: Problems connecting to port 25
List-Id: IPFW Technical Discussions

Hello all,

I just joined this list. I didn't see too much help from the FreeBSD-Questions side, so I thought I would ask here. I currently have 2 FreeBSD 5.1 boxes: one is a test server, the other I would consider production. Both provide Email/Web/DNS services. I have a firewall I found on the internet, and everything works (DNS/Web/Webmin/SSH), but I cannot telnet into port 25. Can someone tell me what I am doing wrong? Or send me a copy of a firewall that will improve my current one? I found a lot of samples on the net, but nothing seems to work. I am running Qmail / MailDrop. Not sure if that helps. Thanks in advance..
# be quiet and flush all rules on start
-q
flush

# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from 10.0.0.0/8 to any in via xl0
add 00302 deny ip from 172.16.0.0/12 to any in via xl0
add 00303 deny ip from 192.168.0.0/16 to any in via xl0

# allow some traffic from the local net to the router
# SSH
add 04000 allow tcp from any to me dst-port 22 in via xl0 setup keep-state
# IMAP
add 04001 allow tcp from any to me dst-port 143 in via xl0 setup keep-state
# NTP
add 04002 allow tcp from any to me dst-port 123 in via xl0 setup keep-state
add 04003 allow udp from any to me dst-port 123 in via xl0 keep-state
# webmin
add 04004 allow tcp from any to me dst-port 10000 in via xl0 setup keep-state
# http
add 04005 allow tcp from any to me dst-port 80 in via xl0 setup keep-state
# DNS
add 04006 allow udp from any to me dst-port 53 in via xl0
# POP
add 04007 allow tcp from any to me dst-port 110 in via xl0 setup keep-state
# https
add 04008 allow tcp from any to me dst-port 443 in via xl0 setup keep-state
# IMAPS
add 04009 allow tcp from any to me dst-port 993 in via xl0 setup keep-state
# SMTP (written with dst-port and keep-state like the other service rules;
# the original line read "from any to me 25 in via xl0 setup")
add 04010 allow tcp from any to me dst-port 25 in via xl0 setup keep-state
# packets with ACK/RST set, i.e. belonging to an already accepted TCP session
add 04011 allow tcp from any to me established
# 'established' only has meaning for TCP; this rule never matches UDP traffic
add 04012 allow udp from any to me established
# drop everything else
add 04020 deny ip from any to me

# allow all outgoing traffic from the router
add 05010 allow ip from me to any out keep-state

# drop everything that has come so far. This means it doesn't belong to an
# established connection; don't log the most noisy scans.
add 59998 deny icmp from any to me
add 59999 deny ip from any to me dst-port 135,137-139,445,4665
add 60000 deny log tcp from any to any established
add 60001 deny log ip from any to any
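A ruleset like the one above is evaluated first match wins, so the practical check before blaming the firewall is to trace which rule a given packet actually hits. The following is an added example, not part of the original post and not ipfw itself: a small Python simulator for the subset of ipfw syntax the poster's rules use (allow/deny, ip/tcp/udp/icmp, any/me/CIDR endpoints, positional or dst-port ports, in/out, via, setup, established). It carries no dynamic state, so keep-state is ignored, and "not verrevpath" is assumed to pass. The host address, the client address and the rule subset embedded below are constructed for the example.

```python
"""First-match simulator for a subset of ipfw rule syntax (added example)."""
import ipaddress
import re

# The firewall host's own address ("me"); constructed for this example.
ME = ipaddress.ip_address("192.0.2.10")
MY_ADDRS = {ME}

# Subset of the rules from the post, in their original positional form.
RULESET = """
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from 10.0.0.0/8 to any in via xl0
add 04000 allow tcp from any to me dst-port 22 in via xl0 setup keep-state
add 04005 allow tcp from any to me dst-port 80 in via xl0 setup keep-state
add 04006 allow udp from any to me dst-port 53 in via xl0
add 04010 allow tcp from any to me 25 in via xl0 setup
add 04011 allow tcp from any to me established
add 04020 deny ip from any to me
add 05010 allow ip from me to any out keep-state
add 60001 deny log ip from any to any
"""

RULE_RE = re.compile(
    r"add\s+(\d+)\s+(allow|deny)\s+(?:log\s+)?(ip|tcp|udp|icmp)\s+"
    r"from\s+(\S+)(?:\s+(\d[\d,-]*))?\s+to\s+(\S+)(?:\s+(\d[\d,-]*))?(.*)$")

def parse_ports(spec):
    """'25' -> {25}; '135,137-139' -> {135, 137, 138, 139}."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rule(line):
    """Parse one 'add N action proto from SRC to DST [options]' line."""
    m = RULE_RE.match(line.split("#", 1)[0].strip())
    if not m:
        return None  # comment, blank, '-q', 'flush' or unsupported syntax
    num, action, proto, src, sport, dst, dport, rest = m.groups()
    rule = {"num": int(num), "action": action, "proto": proto, "src": src,
            "dst": dst, "sport": parse_ports(sport) if sport else None,
            "dport": parse_ports(dport) if dport else None, "dir": None,
            "via": None, "setup": False, "established": False, "not_verrevpath": False}
    toks, i = rest.split(), 0
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule["dir"] = t
        elif t == "via":
            i += 1; rule["via"] = toks[i]
        elif t == "dst-port":
            i += 1; rule["dport"] = parse_ports(toks[i])
        elif t == "setup":
            rule["setup"] = True
        elif t == "established":
            rule["established"] = True
        elif t == "not" and toks[i + 1] == "verrevpath":
            i += 1; rule["not_verrevpath"] = True
        i += 1  # keep-state is accepted but not modelled
    return rule

def addr_matches(spec, ip):
    if spec == "any":
        return True
    if spec == "me":
        return ip in MY_ADDRS
    return ip in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    flags = pkt.get("flags", "")
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    if rule["sport"] is not None and pkt.get("sport") not in rule["sport"]:
        return False
    if rule["dport"] is not None and pkt.get("dport") not in rule["dport"]:
        return False
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["via"] and rule["via"] != pkt["iface"]:
        return False
    # setup = TCP SYN without ACK; established = TCP with ACK or RST set
    if rule["setup"] and not (pkt["proto"] == "tcp" and "S" in flags and "A" not in flags):
        return False
    if rule["established"] and not (pkt["proto"] == "tcp" and {"A", "R"} & set(flags)):
        return False
    if rule["not_verrevpath"]:
        return False  # simulated packets are assumed to pass the reverse-path check
    return True

RULES = [r for r in map(parse_rule, RULESET.splitlines()) if r]

def decide(rules, pkt):
    """Return (rule_number, action) of the first match; 65535/deny is ipfw's default."""
    for r in rules:
        if rule_matches(r, pkt):
            return (r["num"], r["action"])
    return (65535, "deny")

def inbound(proto, dport, src="198.51.100.7", flags="S", iface="xl0"):
    """Build an inbound packet from a constructed client address."""
    return {"proto": proto, "src": ipaddress.ip_address(src), "dst": ME, "sport": 40000,
            "dport": dport, "dir": "in", "iface": iface, "flags": flags if proto == "tcp" else ""}

if __name__ == "__main__":
    for label, pkt in [("SMTP SYN", inbound("tcp", 25)), ("submission SYN", inbound("tcp", 587)),
                       ("DNS query", inbound("udp", 53)), ("SMTP SYN from 10/8", inbound("tcp", 25, src="10.1.2.3"))]:
        print(f"{label:22s} -> rule {decide(RULES, pkt)}")
```

Run as a script it prints the first matching rule for each constructed packet; an inbound SYN to port 25 is accepted by rule 04010 under this subset, while a SYN to a port with no service rule falls through to the catch-all deny at 04020. When the trace says a packet is accepted, the next place to look is the listener itself (for example, whether the SMTP daemon is bound on the outside address), rather than the ruleset.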