Thanks Jim. I appreciate your detailed and accurate response to my question. Your example rule below is exactly what I was looking for.
*******************************
silently drop and log all dest port 25 traffic on all interfaces,
block out log quick proto tcp from any to any port = 25
*******************************

Matt

-----Original Message-----
From: Jim Sandoz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 04, 2005 5:32 PM
To: Borsari, Matt
Cc: [email protected]
Subject: Re: Ipfilter Rule Definition:

matt, i'm sure by now you've found the ipf howto
http://www.obfuscation.org/ipf/ and the ipf faq http://www.phildev.net/ipf/
but here's a start for you...

silently drop and log all dest port 25 traffic on all interfaces,
    block out log quick proto tcp from any to any port = 25

you may want to return a RST to the source instead,
    block return-rst out log quick proto tcp from any to any port = 25

to make the rule interface-specific, where hme0 is the interface,
    block out log quick on hme0 proto tcp from any to any port = 25

to allow a single host to smtp, add this rule PRIOR to a block,
    pass in quick on hme0 proto tcp from 192.168.0.1/32 \
        to any port = 25 flags S keep state keep frags

to allow a /24 subnet to smtp, add this rule PRIOR to a block,
    pass in quick on hme0 proto tcp from 192.168.0.0/24 \
        to any port = 25 flags S keep state keep frags

n.b:
    block, pass         = action
    in, out             = direction
    log, " "            = whether to log, or not
    quick, " "          = whether this action is immediate, or not
    on ifname, " "      = interface rule is applied to, or all.
    proto pname, " "    = match protocol, or not
    from sourceip, any  = source IP by host or subnet, or any.
    to destip, any      = dest IP by host or subnet, or any.
    port = N, " "       = port to apply rule to, or all ports

ps: in the case of a routing firewall using ipf, note that it is
concurrently simpler and safer to "block in" on one interface than
"block out" on the other interface.

regards,
jim

Borsari, Matt wrote:
> Hello all,
>
> I am a new user of Ipfilter and am running into some difficulty defining
> a rule for a specific purpose.
> Any assistance that you can provide would be appreciated.
>
> OS Type: Solaris 8 and 9
> IP Filter version: 4.1.3
>
> What I need the rule to do: Block outbound packets destined for port 25
> on any system located on any subnet. The rule should apply to all local
> network interfaces on the server that has the rule in place and blocking
> activity should be logged locally.
>
> Thanks,
>
> Matt
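The rules Jim gives above depend on three pieces of ipf behaviour that the thread states but does not show working: the last matching rule wins unless a rule says `quick` (which is why the pass rules must come PRIOR to a block), `keep state` lets a flow admitted on one interface leave through another despite a `block out`, and a packet matching no rule is passed. The following Python evaluator is an added example written for this page; it is not code from the thread or from the IP Filter project. It parses the rule subset used above and runs constructed packets through it. Interface names beyond hme0, the second interface hme1, the `block in` variant suggested in Jim's P.S., and all addresses and packets are constructed assumptions.

```python
"""Minimal evaluator for the ipf rule subset used in the thread (added example).

Modelled semantics (assumptions about ipf, stated here rather than
taken from the thread): rules are evaluated top to bottom and the LAST
match wins unless a rule says `quick`, which stops evaluation there;
`keep state` records a flow so later packets of that flow bypass the rule
list; a packet matching no rule is passed (ipf's default policy).
State for the reply direction is omitted for brevity.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    direction: str      # "in" or "out"
    iface: str          # interface the packet is seen on, e.g. "hme0"
    proto: str          # "tcp", "udp", ...
    src: str
    dst: str
    dport: int
    syn: bool = True    # True for a TCP SYN, which is what `flags S` matches

@dataclass
class Rule:
    action: str                                  # "block" or "pass"
    direction: str = ""                          # "in" or "out"
    log: bool = False
    quick: bool = False
    return_rst: bool = False
    iface: Optional[str] = None                  # None == all interfaces
    proto: Optional[str] = None                  # None == any protocol
    src: Optional[ipaddress.IPv4Network] = None  # None == any
    dst: Optional[ipaddress.IPv4Network] = None  # None == any
    port: Optional[int] = None                   # None == all ports
    syn_only: bool = False                       # `flags S`
    keep_state: bool = False

def parse_rule(line: str) -> Rule:
    """Parse one ipf rule line (subset: block/pass, return-rst, in/out, log,
    quick, on IF, proto P, from/to NET|any, port = N, flags S, keep state/frags)."""
    toks = line.split()
    rule, i = Rule(action=toks[0]), 1
    if toks[i] == "return-rst":
        rule.return_rst, i = True, i + 1
    rule.direction, i = toks[i], i + 1
    while i < len(toks):
        t = toks[i]
        if t == "log":        rule.log = True; i += 1
        elif t == "quick":    rule.quick = True; i += 1
        elif t == "on":       rule.iface = toks[i + 1]; i += 2
        elif t == "proto":    rule.proto = toks[i + 1]; i += 2
        elif t in ("from", "to"):
            net = None if toks[i + 1] == "any" else ipaddress.ip_network(toks[i + 1], strict=False)
            setattr(rule, "src" if t == "from" else "dst", net); i += 2
        elif t == "port":     rule.port = int(toks[i + 2]); i += 3   # "port = N"
        elif t == "flags":    rule.syn_only = toks[i + 1] == "S"; i += 2
        elif t == "keep":     # "keep state" or "keep frags"
            rule.keep_state = rule.keep_state or toks[i + 1] == "state"; i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
    return rule

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every specified field of the rule must agree with the packet."""
    return (rule.direction == pkt.direction
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and (rule.port is None or rule.port == pkt.dport)
            and (not rule.syn_only or pkt.syn))

class Firewall:
    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules]
        self.state = set()   # flows admitted by a `keep state` rule
        self.log = []        # what `log` would have written to ipmon

    def filter(self, pkt: Packet) -> str:
        """Return 'pass', 'block' or 'block-rst' for one packet."""
        flow = (pkt.proto, pkt.src, pkt.dst, pkt.dport)
        if flow in self.state:
            return "pass"                        # state table beats the rule list
        winner = None
        for r in self.rules:
            if matches(r, pkt):
                winner = r
                if r.quick:
                    break                        # quick: stop at first match
        if winner is None:
            return "pass"                        # no matching rule: ipf default
        if winner.log:
            self.log.append(f"{winner.action} {pkt.direction} {pkt.iface} {pkt.proto} "
                            f"{pkt.src} -> {pkt.dst}:{pkt.dport}")
        if winner.action == "pass":
            if winner.keep_state:
                self.state.add(flow)
            return "pass"
        return "block-rst" if winner.return_rst else "block"

def demo() -> dict:
    """Run the thread's rules over constructed packets; returns verdicts by name."""
    pass_in = "pass in quick on hme0 proto tcp from 192.168.0.1/32 to any port = 25 flags S keep state keep frags"
    block_out = "block out log quick proto tcp from any to any port = 25"
    block_in = "block in log quick on hme0 proto tcp from any to any port = 25"   # Jim's P.S. variant
    allowed = Packet("in", "hme0", "tcp", "192.168.0.1", "203.0.113.10", 25)     # constructed
    denied = Packet("in", "hme0", "tcp", "192.168.0.77", "203.0.113.10", 25)     # constructed
    routing = Firewall([pass_in, block_out])
    r = {"allowed_in": routing.filter(allowed),
         "allowed_out": routing.filter(Packet("out", "hme1", "tcp", allowed.src, allowed.dst, 25)),
         "denied_in": routing.filter(denied),
         "denied_out": routing.filter(Packet("out", "hme1", "tcp", denied.src, denied.dst, 25)),
         "log_lines": len(routing.log)}
    r["pass_first"] = Firewall([pass_in, block_in]).filter(allowed)    # quick: order matters
    r["block_first"] = Firewall([block_in, pass_in]).filter(allowed)
    r["no_quick_last_wins"] = Firewall([block_in.replace("quick ", ""),
                                        pass_in.replace("quick ", "")]).filter(allowed)
    return r

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20s} {v}")
```

The routing scenario shows why Jim says the pass rule must come before a block: with `quick` on both, the first match decides, so `[block_in, pass_in]` drops the host that `[pass_in, block_in]` admits. Without `quick`, the last match wins and the order reverses in effect, which is the classic ipf pitfall the `quick` keyword exists to avoid. The `denied_out` case also shows the logged verdict that Matt asked for: the `block out log quick` rule is the only rule that fires, and it writes one log line.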
