matt, i'm sure by now you've found the ipf howto http://www.obfuscation.org/ipf/
and the ipf faq http://www.phildev.net/ipf/
but here's a start for you...
silently drop and log all dest port 25 traffic on all interfaces:

    block out log quick proto tcp from any to any port = 25

you may want to return a RST to the source instead:

    block return-rst out log quick proto tcp from any to any port = 25

to make the rule interface-specific, where hme0 is the interface:

    block out log quick on hme0 proto tcp from any to any port = 25

to allow a single host to smtp, add this rule PRIOR to a block:

    pass in quick on hme0 proto tcp from 192.168.0.1/32 \
        to any port = 25 flags S keep state keep frags

to allow a /24 subnet to smtp, add this rule PRIOR to a block:

    pass in quick on hme0 proto tcp from 192.168.0.0/24 \
        to any port = 25 flags S keep state keep frags

n.b.:
    block, pass          = action
    in, out              = direction on interface
    log, " "             = whether to log, or not
    quick, " "           = whether this action is immediate, or not
    on ifname, " "       = interface rule is applied to, or all
    proto pname, " "     = match protocol, or not
    from sourceip, any   = source IP by host or subnet, or any
    to destip, any       = dest IP by host or subnet, or any
    port = N, " "        = port to apply rule to, or all ports
ps: in the case of a routing firewall using ipf, note that it is concurrently simpler and safer to "block in" on one interface than "block out" on the other interface.
regards, jim
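[Added example, not part of Jim's reply or of IPFilter itself: a small Python model of the rule fields in the legend above and of ipf's ordering semantics, written to show why the pass rule has to come PRIOR to a "quick" block. ipf scans the whole ruleset and the last matching rule wins, unless a matching rule is marked "quick", which ends the scan at that rule. The rules and packets below are constructed for Matt's host-based case (outbound SMTP blocked on all interfaces, one relay 192.168.0.1 exempted on hme0), so the exception is written as an "out" rule rather than Jim's "in" rule; "keep state" and "keep frags" are parsed but not modelled, "return-rst" is recorded but has no effect on the verdict, and the unmatched-packet default is the stock ipf build's pass. Host 10.0.0.5, interface qfe0 and the addresses used are assumptions.]

```python
"""Toy evaluator for IPFilter (ipf) rule syntax: field parsing per the legend,
plus last-match-wins ordering with 'quick' short-circuiting the scan.
Not modelled: keep state / keep frags, return-rst behaviour, ICMP, and the
compile-time default-block option.  All rules and packets are constructed."""
import ipaddress

DEFAULT_FLAG_MASK = set("AUPRFS")   # ipf's default mask for "flags X"


def parse_rule(line):
    """Parse one ipf rule into a dict keyed by the legend's field names."""
    toks = line.split()
    r = {"action": None, "return_rst": False, "direction": None, "log": False,
         "quick": False, "iface": None, "proto": None, "src": "any", "dst": "any",
         "sport": None, "dport": None, "flags": None, "keep_state": False,
         "keep_frags": False}
    i = 0
    r["action"] = toks[i]; i += 1
    if toks[i] == "return-rst":
        r["return_rst"] = True; i += 1
    r["direction"] = toks[i]; i += 1
    side = None                     # endpoint a following "port = N" refers to
    while i < len(toks):
        t = toks[i]
        if t == "log":
            r["log"] = True; i += 1
        elif t == "quick":
            r["quick"] = True; i += 1
        elif t == "on":
            r["iface"] = toks[i + 1]; i += 2
        elif t == "proto":
            r["proto"] = toks[i + 1]; i += 2
        elif t == "from":
            r["src"] = toks[i + 1]; side = "sport"; i += 2
        elif t == "to":
            r["dst"] = toks[i + 1]; side = "dport"; i += 2
        elif t == "port" and toks[i + 1] == "=" and side is not None:
            r[side] = int(toks[i + 2]); i += 3
        elif t == "flags":
            r["flags"] = toks[i + 1]; i += 2
        elif t == "keep" and toks[i + 1] in ("state", "frags"):
            r["keep_" + toks[i + 1]] = True; i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
    if r["action"] not in ("block", "pass") or r["direction"] not in ("in", "out"):
        raise ValueError(f"bad action/direction in rule: {line}")
    return r


def _addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _flags_ok(spec, pkt_flags):
    """'flags S' means: of the masked flags, exactly S is set (default mask AUPRFS)."""
    if spec is None:
        return True
    want, _, mask = spec.partition("/")
    mask = set(mask) if mask else DEFAULT_FLAG_MASK
    return (set(pkt_flags) & mask) == set(want)


def rule_matches(r, pkt):
    return (r["direction"] == pkt["direction"]
            and (r["iface"] is None or r["iface"] == pkt["iface"])
            and (r["proto"] is None or r["proto"] == pkt["proto"])
            and _addr_ok(r["src"], pkt["src"]) and _addr_ok(r["dst"], pkt["dst"])
            and (r["sport"] is None or r["sport"] == pkt["sport"])
            and (r["dport"] is None or r["dport"] == pkt["dport"])
            and _flags_ok(r["flags"], pkt.get("flags", "")))


def evaluate(rules, pkt):
    """Return (action, deciding rule index, logged).  Last match wins unless a
    matching rule is 'quick'; no match at all -> stock ipf passes the packet."""
    verdict = ("pass", None, False)
    for idx, r in enumerate(rules):
        if rule_matches(r, pkt):
            verdict = (r["action"], idx, r["log"])
            if r["quick"]:
                break
    return verdict


BLOCK_ALL_SMTP = "block out log quick proto tcp from any to any port = 25"
ALLOW_RELAY = "pass out quick on hme0 proto tcp from any to 192.168.0.1/32 port = 25 flags S keep state"
GOOD = [parse_rule(ALLOW_RELAY), parse_rule(BLOCK_ALL_SMTP)]   # exception PRIOR to block
BAD = [parse_rule(BLOCK_ALL_SMTP), parse_rule(ALLOW_RELAY)]    # quick block hit first
NO_QUICK = [parse_rule("block out log proto tcp from any to any port = 25"),
            parse_rule("pass out proto tcp from any to 192.168.0.1/32 port = 25")]


def syn_to(dst, iface="hme0"):
    """Constructed outbound SMTP SYN from this host (10.0.0.5 is assumed)."""
    return {"direction": "out", "iface": iface, "proto": "tcp", "src": "10.0.0.5",
            "dst": dst, "sport": 40000, "dport": 25, "flags": "S"}


def demo():
    return {"good_relay": evaluate(GOOD, syn_to("192.168.0.1")),
            "good_other": evaluate(GOOD, syn_to("203.0.113.9")),
            "bad_relay": evaluate(BAD, syn_to("192.168.0.1")),
            "good_relay_qfe0": evaluate(GOOD, syn_to("192.168.0.1", iface="qfe0")),
            "no_quick_last_wins": evaluate(NO_QUICK, syn_to("192.168.0.1"))}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {verdict}")
```

Two things the run makes visible: with the exception listed after the quick block ("bad_relay") the relay never gets its pass, because the block ends the scan; and without "quick" anywhere ("no_quick_last_wins") a later pass silently overrides an earlier block, which is the ordering trap the "add this rule PRIOR to a block" advice is about. The "good_relay_qfe0" case shows that an exception tied to "on hme0" does not cover the same traffic leaving another interface, so it stays blocked and logged there.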
Borsari, Matt wrote:
Hello all,
I am a new user of Ipfilter and am running into some difficulty defining
a rule for a specific purpose. Any assistance that you can provide would be appreciated.
OS Type: Solaris 8 and 9 IP Filter version: 4.1.3
What I need the rule to do: Block outbound packets destined for port 25 on any system located on any subnet. The rule should apply to all local network interfaces on the server that has the rule in place and blocking activity should be logged locally.
Thanks,
Matt
