Re: how to get IPFW rules for SMTP server behind NAT server "right"? (freebsd-security: message 1 of 20)

From: OpenMacNews (freebsd-security.20.openmacnewsREMOVETHIS_at_spamgourmet.com)
Date: 11/21/03

  • Next message: OpenMacNews: "teet"
    Date: Fri, 21 Nov 2003 13:01:25 -0800
    To: freebsd-security@freebsd.org
    
    

    -- On Friday, November 21, 2003 12:48 PM -0800 "David Wolfskill - david@catwhisker.org"
    <+freebsd-security+openmacnews+0459602105.david#catwhisker.org@spamgourmet.com> wrote:

    David,

    thanks for your reply!

    >> i've been struggling with setting appropriate rules for an SMTP-server
    >> behind by NAT'd firewall.
    >
    > OK....

    <snip>

    >
    >> currently, my SMTP ipfw rules are as follows (snip'd from my startup
    >> script)
    >
    >> =============================================
    >># allow connections to/from internal smtp_server
    >> ipfw add 7000 allow log tcp from any to ${smtp_server} 25
    >
    > I suggest appending " setup" to that. Unless I'm very confused, you
    > don't really want to see *every* incoming SMTP packet -- just those that
    > initiate an SMTP conversation. (Note that -- at least in FreeBSD -- the
    > mail traffic gets logged to /var/log/maillog anyway.)
    >
    >> ipfw add 7001 allow log tcp from ${smtp_server} 25 to any
    >
    > Again, you may wish to append " setup" to that, for the same reasons.
    >
    > In conjunction with the above, you'd likely want to (silently) permit
    > "established" connections.

    hadn't dawned on me to this, so:

    ipfw add 7000 allow log tcp from any to ${smtp_server} 25 setup
    ipfw add 7001 allow tcp from any to ${smtp_server} 25 established
    ipfw add 7002 allow log tcp from ${smtp_server} 25 to any setup
    ipfw add 7003 allow tcp from ${smtp_server} 25 to any established

    right?

    >># allow clients to communicate with external smtp servers
    >> ipfw add 7002 allow log tcp from ${innr} 1024-65535 to ${exip} 25
    >> ipfw add 7003 allow log tcp from ${exip} 25 to ${innr} 1024-65535
    >
    > Why? Wouldn't you want them to send their mail to your internal mail
    > server, which would then send it out?

    usually, yes

    BUT, sometimes i want to be able to use a local LAN mail client to directly access on offsite SMTP server.

    my understanding is that usually a client uses "high ports" to communicate to those servers at THEIR port 25 -- just
    like to my internal svr, but internal lan traffic is "all open"

    in this case would you recommend the "setup & established" approach as above?

    >> it seems to me that everything's working. question is, are these too
    >> open, too closed, incomplete, risky, etc?
    >
    > Have you actually looked at your security log?

    yes i have

    of course, i've had little DENIED on port 25 ( and a LOT of entries ....)

    other than servers/connection attempts that clearly are failing SMTP 'transactions', i'm frankly not sure what to look
    for for 'unauthorized' access to port25/my server ...

    because of its "open" nature, what are the legit triggers for "suspicious" activity for SMTP?

    > Peace,
    > david
    > --
    cheers,

    richard
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"


  • Next message: OpenMacNews: "teet"