Hello everyone.
I had a question about a setup that I am working on at work and was hoping
to get some feedback here as to whether or not my setup will work.
Here it is:
I have set up a Mail Gateway on our DMZ running OpenBSD 3.3 with Postfix. I
have also set up PF on the mail gateway to add an extra layer of
protection on the mail gateway.
The company firewall is a brand called Watchguard. It is decent and does
the job.
Here is what I set up:
I set up a rule on our company firewall to pass all incoming SMTP traffic to
the OpenBSD mail gateway server on our DMZ. I then set up the mail gateway
to relay traffic to our intranet mail server. I also set up a second rule on
the company firewall to only allow traffic from the mail gateway to our
mail server using an smtp-filter rule.
Here are my PF rules on my OpenBSD box:
# Define useful variables
ext_if="fxp0" # External Interface
int_if="fxp1"
tcp_services = "{ 25 }"
tcp_int_services = "{ 22 }"
table <NoRouteIPs> { 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
# Clean up fragmented and abnormal packets
scrub in all
#default Deny all
block log all
#loopback rules
pass in quick on lo0 all
# don't allow anyone to spoof non-routeable addresses
block in log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>
# block NMAP stuff
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU
block in log on $ext_if all
# only allow our machines to connect via ssh
#pass in on $IntIF inet proto tcp from $sshHost to any port = 22 keep state
#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state
#Passing in SSH from intranet
# The port belongs to the destination (the gateway's inside address), not to the source:
# "from $int_if:network port 22" would only match clients whose *source* port is 22.
pass in on $int_if inet proto tcp from $int_if:network to ($int_if) port $tcp_int_services flags S/SAFR keep state
pass in on $int_if from $int_if:network to any keep state
# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state
Basically, what I want to do is only allow SMTP traffic to the mail gateway
and drop everything else. At the same time, I want to only allow SSH
connections from our intranet.
My questions, in a nutshell:
1.) Does it appear that my rules look sufficient to perform the duties?
Anything look like it could possibly be a problem?
2.) Because the company firewall is 'different' could it pose a problem
when passing traffic from the firewall to the mail gateway? (Like, could
the OpenBSD box disallow connections, drop connections etc.)
That is about it.
I appreciate everyone's help and input.
Jason
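As an added example (not Jason's ruleset and not an official OpenBSD sample), here is a pf.conf for OpenBSD 3.3 that implements the stated goal directly: SMTP from anywhere to the gateway, SSH to the gateway only from the intranet, relaying only to the intranet mail server, everything else dropped. It reuses the interface names and table from the post; the intranet mail server address is a placeholder. Two points it illustrates that the posted rules do not: the SSH rule must put the port on the destination side, and a general "pass in on $int_if from $int_if:network to any" rule is unnecessary once the outbound relay rule keeps state, and it would otherwise let any intranet host reach any port on the gateway and, via the gateway, the outside. One caveat on question 2: the anti-spoof block on $ext_if drops any packet whose source is in <NoRouteIPs>, so if the Watchguard forwards inbound SMTP with a private (NAT'd) source address, SMTP will be logged as blocked rather than delivered; checking the pflog for drops from the firewall's address is the quickest way to confirm which case applies.

```pf
# Added example pf.conf for an OpenBSD 3.3 SMTP gateway in a DMZ.
# Interface names follow the original post; intranet_mail is a placeholder.
ext_if = "fxp0"          # faces the company firewall / Internet side
int_if = "fxp1"          # faces the intranet
intranet_mail = "192.0.2.10"   # placeholder: the internal mail server
tcp_services = "{ 25 }"
tcp_int_services = "{ 22 }"

table <NoRouteIPs> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

# Normalise fragments and odd packets before filtering.
scrub in all

# Default deny, logged, so every accepted flow below is an explicit exception.
block log all
pass quick on lo0 all

# Anti-spoof on the external interface.
# Caveat: if the Watchguard NATs inbound SMTP to a private source address,
# these two rules will drop it; in that case add a 'pass in quick' for the
# firewall's address above them, or narrow the table.
block in log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>

# Drop malformed TCP flag combinations (scanner fingerprints) early.
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU

# Inbound SMTP from anywhere, but only to the gateway's own external address.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

# Inbound SSH only from the intranet network, only to the gateway's inside address.
# The port sits on the destination ("to ... port"), not on the source.
pass in on $int_if inet proto tcp from $int_if:network to ($int_if) port $tcp_int_services flags S/SA keep state

# Outbound relay to the intranet mail server only. The state entry this creates
# lets the server's replies back in, so no broad "pass in on $int_if" is needed.
pass out on $int_if inet proto tcp from ($int_if) to $intranet_mail port 25 flags S/SA keep state

# Outbound from the gateway to the Internet (delivery, DNS, ICMP errors).
pass out on $ext_if inet proto tcp all flags S/SA modulate state
pass out on $ext_if inet proto { udp, icmp } all keep state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it, and after loading `pfctl -sr` shows the rules as pf actually ordered them. Because pf is last-match-wins except for rules marked `quick`, the default `block log all` at the top is what catches anything the later `pass` rules do not explicitly accept.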