OpenMacNews
2003-Nov-21 12:37 UTC
how to get IPFW rules for SMTP server behind NAT server "right"?
Hi all,

I've been struggling with setting appropriate rules for an SMTP server behind my NAT'd firewall. It's not that there is too little info on the web -- or here, for that matter -- there's scads of it for seemingly endless configs/req'ts -- none that seem to be exactly my own. Bottom line: I'm a bit confused, and looking for some experienced advice.

My goals (for now) are to:

  (a) set up my firewall as tight as possible -- deny, then allow
  (b) log all transactions
  (c) keep the firewall as performance-efficient as possible

(Yes, I recognize that these may 'tug' at one another ...)

My question: what are the most appropriate ipfw rules for SMTP traffic to meet my goals above?

Here's my environment:

-- I have three machines in this scenario: a gateway, a mail server, and a client
-- All boxes are running OS X 10.2.8
-- Gateway/firewall is the kernel's BSD ipfw(8)
-- The gateway box has two ethernet interfaces:

  inif="en1"                  # internal gateway interface name
  exif="en2"                  # external gateway interface name
  innr="10.0.0.0/24"          # LOCAL network range
  inip="10.0.0.1"             # gateway's internal (NAT) IP address
  exip="any"
  gateway_server="10.0.0.1"   # the gateway/firewall box, 2 interfaces
  smtp_server="10.0.0.2"      # SMTP server behind NAT firewall
  client_machine="10.0.0.3"   # a client machine inside the NAT firewall

I've launched natd as follows:

  /usr/sbin/natd \
    -interface ${exif} -dynamic -port 8668 \
    -log -log_denied \
    -unregistered_only \
    -use_sockets \
    -redirect_port tcp ${smtp_server}:25 25

The SMTP server listens ONLY on port 25, IP address = 10.0.0.2.

Currently, my SMTP ipfw rules are as follows (snip'd from my startup script):

============================================
# allow connections to/from internal smtp_server
ipfw add 7000 allow log tcp from any to ${smtp_server} 25
ipfw add 7001 allow log tcp from ${smtp_server} 25 to any

# allow clients to communicate with external smtp servers
ipfw add 7002 allow log tcp from ${innr} 1024-65535 to ${exip} 25
ipfw add 7003 allow log tcp from ${exip} 25 to ${innr} 1024-65535
============================================

It seems to me that everything's working. Question is, are these too open, too closed, incomplete, risky, etc.?

I appreciate any comments/suggestions y'all may have!

Thanks,
richard