I hope this isn't too off topic, but I'd like a quick solution to a problem.

I have a small network behind a NAT firewall (FreeBSD of course) and I'd like to block/redirect all traffic from the internal network to the local mail server (same box as firewall) in order to prevent direct SMTP requests to the outside world (mainly virus/trojan programs).

I think I have it right in this rule, but I would prefer to get a second, or even a third opinion.

ipfw add fwd 127.0.0.1,25 tcp from any to me dst-port 25

Cheers

Tim

--
Tim Aslat <tim@spyderweb.com.au>
Spyderweb Consulting
http://www.spyderweb.com.au
Phone: +61 0401088479
On May 12, at 11:56 AM, Tim Aslat wrote:

> I hope this isn't too off topic, but I'd like a quick solution to a problem.
>
> I have a small network behind a NAT firewall (FreeBSD of course) and I'd like to block/redirect all traffic from the internal network to the local mail server (same box as firewall) in order to prevent direct SMTP requests to the outside world (mainly virus/trojan programs).

Set up the mail server as the hub for your internal network, and have the workstations forward mail to it. If you're running sendmail on the workstations, put this in their .mc file:

define(`SMART_HOST', `smtp:mailhub.privatedomain')

and rebuild their sendmail.cf (I use the same .mc file for all U**X boxen on my network, except for the mail hub). Basically, just point all internal boxen's mailers to the hub.

My mail hub, in turn, defines SMART_HOST to be my ISP's mail cluster, and I define MASQUERADE_AS to be my ISP's domain (I use the feature masquerade_envelope, too). You might not be able to do this, of course; it'll depend on your connectivity. You'll need an MX record set up for the mail hub in your DNS.

> I think I have it right in this rule, but I would prefer to get a second, or even a third opinion.
>
> ipfw add fwd 127.0.0.1,25 tcp from any to me dst-port 25

Given the above approach, the only thing I have in my firewall for SMTP is a rule for stateful outbound on ports 25 and 995 (I use SSL-enabled POP3 to download incoming mail from my ISP's mail cluster).

Hope this helps,

Dave

--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/
Hello!

If you would like to properly forward traffic to your mail server THROUGH the firewall, you need to have your firewall do it through NAT. By doing it through NAT (natd), it will change the IP headers for you so the traffic travels correctly. It took me a while to figure this out when trying to forward ssh and httpd to an internal machine.

Set up your rc.conf like this:

natd_enable="YES"
natd_flags="-f /etc/natd.conf"

In my natd.conf, I have a setup like this (you will need to change the redirect lines though):

# Useful for trying not to break RFCs.
use_sockets
same_ports

# My public interface
interface dc0

# Use this since the public interface is set by DHCP.
dynamic

unregistered_only
log_ipfw_denied

redirect_port tcp 192.168.0.101:23 23
redirect_port tcp 192.168.0.101:8080 8080
#redirect_port tcp 192.168.0.101:389 389
#redirect_port tcp 192.168.0.101:636 636

William Michael Grim
Student, Southern Illinois University at Edwardsville
Unix Network Administrator, SIUE, Computer Science dept.
Phone: (217) 341-6552
Email: wgrim@siue.edu

On Wed, 12 May 2004, Tim Aslat wrote:

> I hope this isn't too off topic, but I'd like a quick solution to a problem.
>
> I have a small network behind a NAT firewall (FreeBSD of course) and I'd like to block/redirect all traffic from the internal network to the local mail server (same box as firewall) in order to prevent direct SMTP requests to the outside world (mainly virus/trojan programs).
>
> I think I have it right in this rule, but I would prefer to get a second, or even a third opinion.
>
> ipfw add fwd 127.0.0.1,25 tcp from any to me dst-port 25
>
> Cheers
>
> Tim
>
> --
> Tim Aslat <tim@spyderweb.com.au>
> Spyderweb Consulting
> http://www.spyderweb.com.au
> Phone: +61 0401088479
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Problem solved. Here's the answer (for the archives):

# block all SMTP traffic from inside to out while letting the server
# through
ipfw add allow tcp from any to me 25
ipfw add allow tcp from me to any 25
ipfw add deny tcp from any to any dst-port 25

This prevents any host within the network from sending directly to an SMTP server outside the network.

Thanks to "D J Hawkey Jr <hawkeyd@visi.com>" for helping me out with this.

Cheers

Tim

--
Tim Aslat <tim@spyderweb.com.au>
Spyderweb Consulting
http://www.spyderweb.com.au
Phone: +61 0401088479
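Added example, not from the thread or from anyone posting in it: a small first-match model of the ipfw rules above, used to check which flows each rule catches. ipfw evaluates rules in order and stops at the first match, and the keyword "me" matches only addresses configured on the firewall itself. The model evaluates Tim's first fwd rule and his final three-rule set against three constructed flows (a workstation talking to the hub, the hub relaying outward, a workstation going straight to an outside MTA); all addresses and the flow names are constructed for the model. It shows two things the messages state only implicitly: the original fwd rule, being written "to me", never sees a workstation-to-outside connection at all, and the final deny only works because it comes after the two allows.

```python
"""First-match model of the ipfw rules in this thread (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the model; nothing here is from the thread.
FIREWALL_ADDRS = {                            # what ipfw's "me" resolves to
    ipaddress.ip_address("192.168.0.1"),      # inside interface of the FreeBSD box
    ipaddress.ip_address("203.0.113.10"),     # its public interface
}


@dataclass(frozen=True)
class Rule:
    action: str             # "allow", "deny" or "fwd"
    src: str                # "any", "me" or a CIDR
    dst: str
    dport: Optional[int]    # destination port; None matches any port
    target: str = ""        # fwd destination, e.g. "127.0.0.1,25"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def _addr_matches(spec: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "me":                          # only the firewall's own addresses
        return ip in FIREWALL_ADDRS
    return ip in ipaddress.ip_network(spec, strict=False)


def decide(rules, pkt, default="deny"):
    """Walk the rules in order and stop at the first match, as ipfw does.

    Returns (action, index of the matching rule), or (default, None) when
    no rule matched.  `default` stands in for ipfw's final rule 65535,
    which is deny unless the kernel was built to accept by default.
    """
    for i, r in enumerate(rules):
        if (_addr_matches(r.src, pkt.src) and _addr_matches(r.dst, pkt.dst)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action, i
    return default, None


# Constructed flows: a workstation, the hub/firewall, an outside MTA.
FLOWS = {
    "ws_to_hub":      Packet("192.168.0.50", "192.168.0.1", 25),
    "hub_to_outside": Packet("203.0.113.10", "198.51.100.25", 25),
    "ws_direct_out":  Packet("192.168.0.50", "198.51.100.25", 25),
}

# Tim's first attempt: a single fwd rule written "to me".
ORIGINAL = [Rule("fwd", "any", "me", 25, target="127.0.0.1,25")]

# The ruleset from the final message, in the order it was posted.
FINAL = [
    Rule("allow", "any", "me", 25),           # workstations -> local hub
    Rule("allow", "me", "any", 25),           # hub -> outside world
    Rule("deny", "any", "any", 25),           # everything else on port 25
]


def evaluate(rules, default="deny"):
    """Map each flow name to the action the ruleset takes on it."""
    return {name: decide(rules, p, default)[0] for name, p in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("original fwd rule", ORIGINAL),
                         ("final ruleset", FINAL),
                         ("final, deny first", list(reversed(FINAL)))):
        print(f"{label:>18}: {evaluate(rules, default='allow')}")
```

Running it prints one line per ruleset; with the posted order the final set allows the two hub flows and denies the direct one, while the same three rules with the deny moved first cut the hub off as well. Adding `log` to the deny rule (ipfw's `deny log`) is the usual way to turn those denied attempts into a signal for spotting an infected workstation.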