OpenMacNews
2003-Nov-21  13:02 UTC
how to get IPFW rules for SMTP server behind NAT server "right"? (freebsd-security: message 1 of 20)
-- On Friday, November 21, 2003 12:48 PM -0800 "David Wolfskill - david@catwhisker.org" <+freebsd-security+openmacnews+0459602105.david#catwhisker.org@spamgourmet.com> wrote:

David, thanks for your reply!

>> i've been struggling with setting appropriate rules for an SMTP-server
>> behind my NAT'd firewall.
>
> OK....

<snip>

>> currently, my SMTP ipfw rules are as follows (snip'd from my startup
>> script)
>
>> ============================================
>> # allow connections to/from internal smtp_server
>> ipfw add 7000 allow log tcp from any to ${smtp_server} 25
>
> I suggest appending " setup" to that. Unless I'm very confused, you
> don't really want to see *every* incoming SMTP packet -- just those that
> initiate an SMTP conversation. (Note that -- at least in FreeBSD -- the
> mail traffic gets logged to /var/log/maillog anyway.)
>
>> ipfw add 7001 allow log tcp from ${smtp_server} 25 to any
>
> Again, you may wish to append " setup" to that, for the same reasons.
>
> In conjunction with the above, you'd likely want to (silently) permit
> "established" connections.

hadn't dawned on me to do this, so:

ipfw add 7000 allow log tcp from any to ${smtp_server} 25 setup
ipfw add 7001 allow tcp from any to ${smtp_server} 25 established
ipfw add 7002 allow log tcp from ${smtp_server} 25 to any setup
ipfw add 7003 allow tcp from ${smtp_server} 25 to any established

right?

>> # allow clients to communicate with external smtp servers
>> ipfw add 7002 allow log tcp from ${innr} 1024-65535 to ${exip} 25
>> ipfw add 7003 allow log tcp from ${exip} 25 to ${innr} 1024-65535
>
> Why? Wouldn't you want them to send their mail to your internal mail
> server, which would then send it out?

usually, yes. BUT, sometimes i want to be able to use a local LAN mail client to directly access an offsite SMTP server.

my understanding is that usually a client uses "high ports" to communicate to those servers at THEIR port 25 -- just like to my internal svr, but internal lan traffic is "all open" in this case.

would you recommend the "setup & established" approach as above?

>> it seems to me that everything's working. question is, are these too
>> open, too closed, incomplete, risky, etc?
>
> Have you actually looked at your security log?

yes i have, of course. i've had little DENIED on port 25 (and a LOT of entries ....) other than servers/connection attempts that clearly are failing SMTP 'transactions'. i'm frankly not sure what to look for for 'unauthorized' access to port25/my server ... because of its "open" nature, what are the legit triggers for "suspicious" activity for SMTP?

> Peace,
> david
> --

cheers, richard
Dorin H
2003-Nov-22  17:14 UTC
how to get IPFW rules for SMTP server behind NAT server "right"? (freebsd-security: message 1 of 20)
<snip>
> <snip>
>
> hadn't dawned on me to this, so:
>
> ipfw add 7000 allow log tcp from any to ${smtp_server} 25 setup
> ipfw add 7001 allow tcp from any to ${smtp_server} 25 established
> ipfw add 7002 allow log tcp from ${smtp_server} 25 to any setup
> ipfw add 7003 allow tcp from ${smtp_server} 25 to any established
>
> right?

Better with dynamic rules... you don't want any packet directed to ${smtp_server} 25 going inside, just those corresponding to a previously initiated connection (dropping SYN will allow the packet to pass your firewall, and it will not even be logged :))

2c.
/Dorin.
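The difference Dorin is pointing at, and what Richard's four `setup`/`established` rules actually test, as an added illustration that is not code from the thread: a small Python model of ipfw's TCP-flag matching next to a dynamic (`check-state`/`keep-state`) rule set, run over constructed packets. The server address, the trailing `deny log` catch-all and the sample packets are assumptions made for the example; `established` in ipfw is a pure flag test (ACK or RST set), so a packet with SYN cleared and ACK set from a host that never completed a handshake matches it and is passed without being logged, while the flow table of the dynamic version rejects it.

```python
"""Toy model of ipfw 'setup'/'established' versus dynamic rules.

Added example, not code from the freebsd-security thread.  It models
only the TCP-flag tests and the bidirectional dynamic-rule table that
matter for the point under discussion.
"""
from dataclasses import dataclass

SMTP_SERVER = "192.168.1.25"   # stands in for ${smtp_server} (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def is_setup(p: Packet) -> bool:
    """ipfw 'setup': SYN set and ACK clear, i.e. the opening packet."""
    return p.syn and not p.ack


def is_established(p: Packet) -> bool:
    """ipfw 'established': ACK or RST set.  A flag test only; no memory
    of earlier packets is consulted."""
    return p.ack or p.rst


def stateless_filter(packets):
    """Rules 7000-7003 as posted, plus an assumed 'deny log ip from any
    to any' at the end.  Returns (verdicts, logged_packets)."""
    verdicts, logged = [], []
    for p in packets:
        inbound = p.dst == SMTP_SERVER and p.dport == 25
        outbound = p.src == SMTP_SERVER and p.sport == 25
        if inbound and is_setup(p):             # 7000 allow log ... setup
            verdicts.append("allow")
            logged.append(p)
        elif inbound and is_established(p):     # 7001 allow ... established
            verdicts.append("allow")
        elif outbound and is_setup(p):          # 7002 allow log ... setup
            verdicts.append("allow")
            logged.append(p)
        elif outbound and is_established(p):    # 7003 allow ... established
            verdicts.append("allow")
        else:                                   # assumed deny log catch-all
            verdicts.append("deny")
            logged.append(p)
    return verdicts, logged


def stateful_filter(packets):
    """Dynamic version: 'check-state' first, then
    'allow log tcp ... 25 setup keep-state' in each direction, then the
    assumed deny log catch-all.  Dynamic rules match both directions of
    the flow that created them."""
    flows = set()
    verdicts, logged = [], []
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        inbound = p.dst == SMTP_SERVER and p.dport == 25
        outbound = p.src == SMTP_SERVER and p.sport == 25
        if fwd in flows or rev in flows:        # check-state hit
            verdicts.append("allow")
        elif (inbound or outbound) and is_setup(p):
            flows.add(fwd)                      # keep-state creates the entry
            verdicts.append("allow")
            logged.append(p)                    # the SYN is the only log line
        else:
            verdicts.append("deny")
            logged.append(p)
    return verdicts, logged


# Constructed traffic: a handshake (SYN, SYN/ACK, ACK) from one client,
# then an ACK-only packet to port 25 from a host that never sent a SYN.
SAMPLE = [
    Packet("203.0.113.7", 40001, SMTP_SERVER, 25, syn=True),
    Packet(SMTP_SERVER, 25, "203.0.113.7", 40001, syn=True, ack=True),
    Packet("203.0.113.7", 40001, SMTP_SERVER, 25, ack=True),
    Packet("198.51.100.9", 55555, SMTP_SERVER, 25, ack=True),
]

if __name__ == "__main__":
    print("stateless:", stateless_filter(SAMPLE)[0])   # stray ACK allowed, unlogged
    print("stateful: ", stateful_filter(SAMPLE)[0])    # stray ACK denied, logged
```

On a FreeBSD box the dynamic variant of Richard's inbound pair is `ipfw add 7000 check-state` followed by `ipfw add 7001 allow log tcp from any to ${smtp_server} 25 setup keep-state`; the `established` rules become unnecessary because the dynamic entry created by the SYN carries the rest of the conversation in both directions.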