Re: how to get IPFW rules for SMTP server behind NAT server "right"? (freebsd-security: message 1 of 20)

From: Dorin H (bj93542_at_yahoo.com)
Date: 11/23/03

  • Next message: Mike Tancsa: "perms of /dev/uhid0"
    Date: Sat, 22 Nov 2003 17:14:05 -0800 (PST)
    To: OpenMacNews <freebsd-security.20.openmacnews@spamgourmet.com>
    
    

    <snip>
    > <snip>
    >
    > hadn't dawned on me to this, so:
    >
    > ipfw add 7000 allow log tcp from any to ${smtp_server} 25 setup
    > ipfw add 7001 allow tcp from any to ${smtp_server} 25 established
    > ipfw add 7002 allow log tcp from ${smtp_server} 25 to any setup
    > ipfw add 7003 allow tcp from ${smtp_server} 25 to any established
    >
    > right?

    Better with dynamic rules... you don't want any packet
    directed to ${smtp_server} 25 going inside, just those
    corresponding to a previously initiated connection
    (dropping SYN will allow the packet to pass your
    firewall, and it will not even be logged :))
    2c.
    /Dorin.

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
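
    Added example (not code from the thread or from FreeBSD): a small Python
    model of how ipfw matches 'setup' and 'established' against a
    check-state/keep-state ruleset, replayed over a constructed inbound SMTP
    session followed by an ACK-only packet (no SYN) from an unrelated host.
    With the quoted rules the probe is accepted by rule 7001 and never logged;
    with dynamic rules it finds no state and hits an explicit deny log. The
    SMTP host 192.0.2.25, the client 198.51.100.7 and the prober 203.0.113.9
    are assumed test addresses. The stateful rule 7002 is written
    'from ${smtp_server} to any 25 setup keep-state' because an MTA delivering
    mail connects from an ephemeral port to remote port 25, not from its own
    port 25. The model tracks no TCP flag sequence or state lifetimes, only
    first-match rule order and a bidirectional endpoint key.

```python
"""Toy model of ipfw rule matching: the quoted 'setup'/'established' rules
versus a check-state/keep-state ruleset. All addresses are constructed."""
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

SMTP_SERVER = "192.0.2.25"        # assumed: the SMTP host behind the NAT box
Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: S=SYN A=ACK R=RST

@dataclass
class Rule:
    num: int
    action: str                   # "allow", "deny" or "check-state"
    log: bool = False
    src: str = "any"
    dst: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    setup: bool = False           # ipfw 'setup': SYN set and ACK clear
    established: bool = False     # ipfw 'established': RST or ACK set
    keep_state: bool = False      # create a dynamic rule when matched

    def matches(self, p: Packet) -> bool:
        return ((self.src == "any" or p.src == self.src)
                and (self.dst == "any" or p.dst == self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and (not self.setup or ("S" in p.flags and "A" not in p.flags))
                and (not self.established or "R" in p.flags or "A" in p.flags))

    def render(self) -> str:
        # The ipfw(8) command line this rule stands for.
        if self.action == "check-state":
            return f"ipfw add {self.num} check-state"
        parts = [f"ipfw add {self.num} {self.action}"] + (["log"] if self.log else [])
        parts += ["tcp from", self.src] + ([str(self.sport)] if self.sport is not None else [])
        parts += ["to", self.dst] + ([str(self.dport)] if self.dport is not None else [])
        parts += [k for k, on in (("setup", self.setup), ("established", self.established),
                                  ("keep-state", self.keep_state)) if on]
        return " ".join(parts)

class Firewall:
    """First match wins; a dynamic entry is keyed on the unordered endpoint pair."""

    def __init__(self, rules):
        self.rules = rules
        self.state = {}           # endpoints -> rule that created the entry
        self.logged = []          # (rule number, packet) for 'log' matches

    def process(self, p: Packet) -> str:
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        for r in self.rules:
            if r.action == "check-state":
                if key in self.state:          # dynamic match: creator's action
                    return self.state[key].action
                continue
            if not r.matches(p):
                continue
            if r.log:
                self.logged.append((r.num, p))
            if r.keep_state:
                self.state[key] = r
            return r.action
        return "deny"             # default rule 65535 on a default-to-deny kernel

# The ruleset quoted in the thread: static 'setup'/'established' pairs.
STATELESS = [
    Rule(7000, "allow", log=True, dst=SMTP_SERVER, dport=25, setup=True),
    Rule(7001, "allow", dst=SMTP_SERVER, dport=25, established=True),
    Rule(7002, "allow", log=True, src=SMTP_SERVER, sport=25, setup=True),
    Rule(7003, "allow", src=SMTP_SERVER, sport=25, established=True),
]

# Dynamic-rule version: only packets of a session that began with a logged SYN
# get through.  Outbound deliveries go from an ephemeral port to remote port 25.
STATEFUL = [
    Rule(7000, "check-state"),
    Rule(7001, "allow", log=True, dst=SMTP_SERVER, dport=25, setup=True, keep_state=True),
    Rule(7002, "allow", log=True, src=SMTP_SERVER, dport=25, setup=True, keep_state=True),
    Rule(7003, "deny", log=True, dst=SMTP_SERVER, dport=25),
]

def run_scenario(rules) -> dict:
    """Replay a legitimate inbound session, then an ACK-only probe (SYN
    dropped) from an unrelated host; report each verdict."""
    fw = Firewall(rules)
    client = "198.51.100.7"                             # constructed hosts
    probe = Packet("203.0.113.9", 31337, SMTP_SERVER, 25, "A")
    session = (("syn", Packet(client, 40000, SMTP_SERVER, 25, "S")),
               ("synack", Packet(SMTP_SERVER, 25, client, 40000, "SA")),
               ("ack", Packet(client, 40000, SMTP_SERVER, 25, "A")),
               ("probe", probe))
    verdicts = {name: fw.process(p) for name, p in session}
    verdicts["probe_logged"] = any(p is probe for _, p in fw.logged)
    return verdicts

if __name__ == "__main__":
    print("\n".join(r.render() for r in STATEFUL))
    print("stateless:", run_scenario(STATELESS))
    print("stateful: ", run_scenario(STATEFUL))
```

    Running the module prints the four stateful rules in ipfw(8) syntax and
    the two verdict tables. The difference worth noting is the last entry in
    each: the stateless set returns probe=allow with probe_logged=False, the
    dynamic set returns probe=deny with probe_logged=True, which is the
    unlogged-pass behaviour Dorin describes and its fix.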

