Re: firewall rules for mail gateway

2004-03-09 Thread Kevin D. Kinsey, DaleCo, S.P.
Mike Jackson wrote:

Hi,
I have a 5.2.1 firewall box that also has a mailserver.
Goal:

- firewall can send and receive mail - rest of the world
- firewall can send and receive mail - internal LAN machines
- firewall blocks internal LAN machines from connecting to
  external SMTP servers
firewall/mail gw
---
xl0 - public interface
xl1 - private interface (gateway ip for LAN) 192.168.1.1
I tried something like:

block out quick on xl1 proto tcp from any to any port = 25

with no effect, workstations could still get past it.

Any help would be appreciated :-)

Thanks,
 

So, you're using ipf or ipfilter, not
ipfw, as I take it from your syntax.
I imagine the ipfilter gurus on the
list would like to see your entire
ruleset.
IIRC, your firewall is a last match
setup rather than first match.  Might
have something to do with it.  If the machine
is running NAT/divert whatever, it might
well be diverting before blocking?  But I'm
wrong so often it's not very funny ... and
I use ipfw instead of ipf.
The other thing I see; using ipfw, I'd be
blocking traffic from LAN to dst-port 25
via the *outside* interface...so, can you put
an allow server out via 25 and then a deny
any out via 25 on your xl0?  What does that
do?
Kevin Kinsey
DaleCo, S.P.
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: firewall rules for mail gateway

2004-03-09 Thread Mike Jackson
Kevin D. Kinsey, DaleCo, S.P. ([EMAIL PROTECTED]) wrote:
> So, you're using ipf or ipfilter, not
> ipfw, as I take it from your syntax.

# ipfilter logging
ipmon_enable="yes"
ipmon_flags="-D /var/log/ipflog"
>
> I imagine the ipfilter gurus on the
> list would like to see your entire
> ruleset.

I had to set my tw=80 in order to prevent wrapping. Hope this doesn't
tick anybody off.

Please, if anybody sees any huge, gaping holes, point them out,
preferably in private email.

#-
#
# ipfilter rules
#
# interfaces:
#   xl0 - external
#   xl1 - internal
#

#
# Outside Interface 
#

#
# Allow traffic for services we provide
#
pass in quick on xl0 proto tcp/udp from any to any port = 53   # DNS
pass in quick on xl0 proto tcp from any to any port = 22       # SSH
pass in quick on xl0 proto tcp from any to any port = 25       # SMTP
pass in quick on xl0 proto tcp from any to any port = 80       # WWW

#
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#
pass out quick on xl0 proto tcp from any to any keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
block out quick on xl0 all

#---
# Block all inbound traffic from non-routable or reserved address spaces
#---
block in log quick on xl0 from 192.168.0.0/16 to any  #RFC 1918 private IP
block in log quick on xl0 from 172.16.0.0/12 to any   #RFC 1918 private IP
block in log quick on xl0 from 10.0.0.0/8 to any  #RFC 1918 private IP
block in log quick on xl0 from 127.0.0.0/8 to any #loopback
block in log quick on xl0 from 0.0.0.0/8 to any   #loopback
block in log quick on xl0 from 169.254.0.0/16 to any  #DHCP auto-config
block in log quick on xl0 from 192.0.2.0/24 to any#reserved for doc's
block in log quick on xl0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on xl0 from 224.0.0.0/3 to any         #Class D & E multicast

#
# Allow bootp traffic in from your ISP's DHCP server only. 
#
pass in quick on xl0 proto udp from 10.0.0.0/8 to any port = 68 keep state

#
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service 
# isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear 
# as if the service isn't listening)
# - Block all remaining traffic the good 'ol fashioned way
#
block return-rst in log quick on xl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from any to any
block in log quick on xl0 all 


# 
# Inside Interface
# 

# 
# Allow out all TCP, UDP, and ICMP traffic & keep state
#
pass out quick on xl1 proto tcp from any to any keep state 
pass out quick on xl1 proto udp from any to any keep state 
pass out quick on xl1 proto icmp from any to any keep state 
block out quick on xl1 all 

#
# Allow in all TCP, UDP, and ICMP traffic & keep state
# 
pass in quick on xl1 proto tcp from any to any keep state 
pass in quick on xl1 proto udp from any to any keep state 
pass in quick on xl1 proto icmp from any to any keep state 
block in quick on xl1 all 

# 
# Loopback Interface 
# 

# 
# Allow everything to/from your loopback interface so you 
# can ping yourself (e.g. ping localhost) 
# 
pass in quick on lo0 all 
pass out quick on lo0 all 

## EOF

--
mike
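Added example, not part of the thread: the SMTP egress block placed in the inside-interface section of the ruleset above. A workstation's connection to an outside mail server enters the firewall `in` on xl1 (the `block out quick on xl1` attempt only sees packets heading toward the LAN), so the block has to be an `in on xl1` rule listed before the `pass in quick on xl1 ... keep state` catch-all. It assumes the LAN is 192.168.1.0/24 and the gateway's LAN address is 192.168.1.1, as in the original post.

```conf
#
# Inside Interface
#

#
# SMTP egress control for the LAN (added example; assumes LAN = 192.168.1.0/24)
#
# LAN hosts may talk SMTP to the gateway's own mailserver only.
pass in quick on xl1 proto tcp from 192.168.1.0/24 to 192.168.1.1 port = 25 keep state
# Any other SMTP connection from the LAN is dropped and logged (shows up via ipmon).
# Must come before the catch-all pass below, and "quick" stops rule evaluation here.
block in log quick on xl1 proto tcp from 192.168.1.0/24 to any port = 25

#
# Allow in all remaining TCP, UDP, and ICMP traffic & keep state
#
pass in quick on xl1 proto tcp from any to any keep state
pass in quick on xl1 proto udp from any to any keep state
pass in quick on xl1 proto icmp from any to any keep state
block in quick on xl1 all
```

Because the connection is stopped on its way in on xl1, it never reaches the `pass out quick on xl0 ... keep state` rules, and the gateway's own outbound mail (sourced from the firewall, not the LAN) is unaffected.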

Re: firewall rules for mail gateway

2004-03-09 Thread Mike Jackson
Kevin D. Kinsey, DaleCo, S.P. ([EMAIL PROTECTED]) wrote:
>
> have something to do with it.  If the machine
> is running NAT/divert whatever, it might
> well be diverting before blocking?  But I'm
> wrong so often it's not very funny ... and
> I use ipfw instead of ipf.

One last thing, I forgot to mention that I am running NAT.

iprules.nat
--
map xl0 192.168.1.0/16 -> 0.0.0.0/32

--
mike 