Quick IPFW Question Concerning Sendmail
Sereciya Kurdistani
sereciya at kurdistan.ath.cx
Sat Apr 5 09:49:00 PST 2003
Earlier...
> > Hello,
> >
> > I have a quick question for you ipfw/firewall experts out there.
> >
> > I have set up an elaborate firewall only to have trouble with
> > Sendmail.
> >
> > I have opened port 25 incoming, and also allow outgoing to another
> > port 25, but I always find stuck mail when I use "mailq".
> >
> > Using tcpdump -- and no firewall -- I've found that between the
> > dns lookups and smtp connections there are in fact some auth
> > lookups too.
> >
> > I opened incoming port 113 and outgoing to 113 but I still have
> > stuck mail!
> >
> > Any help would be greatly appreciated, many thanks in advance!
> >
> > -Sereciya Kurdistani
> >
> > PS
> > My basic rules look like:
> >
> > ipfw add NNNN allow \{ tcp or udp \} from any to any smtp,smtps out
> > ipfw add NNNN allow \{ tcp \} log from any to any smtp,smtps in
> >
> > ipfw add NNNN allow \{ tcp or udp \} from any to any auth out
> > ipfw add NNNN allow \{ tcp \} log from any to any auth in
> >
Later I found out that I had to allow connections to my high port from
outside low ports incoming:
ipfw allow tcp from any 1-1024 to any 1025-65535 in via ${oif_1}...
The reason for this was that I forgot to add a "keep-state" ;))
Here's my final solution:
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
ipfw add NNNN check-state
ipfw add NNNN allow { udp or tcp } from any to any dst-port smtp,auth,smtps out via tun0 keep-state
ipfw add NNNN allow log tcp from any to any dst-port smtp,smtps in via tun0
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This way, you don't have to leave any ports open for incoming traffic that isn't matched
by the stateful rules ;)
--
The homeland does not build itself; join hands with one another, do not turn your back on any enemy.
The road to freedom is not easy; do not give up hope, our time is near.

Do not make friends with two-faced people; make friends with one another.
Not with the friendship of those shabby and shameless ones, nor with the bloodthirsty, nor with the rest.

-Sêrêciya Kurdistanî
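The post contrasts two ways of letting SMTP replies back in: a static "1-1024 to 1025-65535 in" rule versus check-state/keep-state. The following is an added example, not code from the post or from FreeBSD ipfw itself: a toy Python model of ipfw's rule walk (static match, keep-state creating a dynamic entry, check-state consulting it) run over a constructed SMTP exchange and an unsolicited inbound connection. The addresses (192.0.2.x), ports and rule objects are all constructed for the example; the point it shows is that the static low-to-high rule admits any inbound connection whose source port is below 1025, while the stateful ruleset admits only replies to flows the host opened.

```python
# Added example (not from the original post): toy model of ipfw stateless
# vs. check-state/keep-state evaluation. Addresses are constructed
# (RFC 5737 documentation range), as are the rule objects.
from dataclasses import dataclass
from typing import Optional

ANY = range(1, 65536)       # any port
LOW = range(1, 1025)        # 1-1024
HIGH = range(1025, 65536)   # 1025-65535


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "in" or "out"


@dataclass
class Rule:
    action: str = "allow"                       # "allow" or "deny"
    protos: frozenset = frozenset({"tcp", "udp"})
    direction: Optional[str] = None             # None matches both directions
    sports: object = ANY                        # any container supporting `in`
    dports: object = ANY
    keep_state: bool = False                    # create a dynamic entry on match
    check_state: bool = False                   # consult the dynamic table only


class Firewall:
    """Walk rules in order; the default action applies when nothing matches."""

    def __init__(self, rules, default="deny"):
        self.rules = rules
        self.default = default
        self.dynamic = set()   # flow 5-tuples created by keep-state rules

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _established(self, p):
        # A dynamic entry matches the flow and its reverse, so replies pass
        # without any static "in" rule for the local high port.
        return self._key(p) in self.dynamic or self._reverse(p) in self.dynamic

    def _static_match(self, rule, p):
        return (p.proto in rule.protos
                and (rule.direction is None or rule.direction == p.direction)
                and p.sport in rule.sports
                and p.dport in rule.dports)

    def evaluate(self, p):
        for rule in self.rules:
            # check-state, and keep-state rules, consult the dynamic table first
            if (rule.check_state or rule.keep_state) and self._established(p):
                return "allow"
            if rule.check_state:
                continue
            if self._static_match(rule, p):
                if rule.keep_state:
                    self.dynamic.add(self._key(p))
                return rule.action
        return self.default


def stateless_ruleset():
    """Static rules plus the low-to-high inbound workaround."""
    return Firewall([
        Rule(direction="out", dports={25, 465}),
        Rule(protos=frozenset({"tcp"}), direction="in", dports={25, 465}),
        # "from any 1-1024 to any 1025-65535 in": admits replies, but also any
        # other inbound connection that uses a source port below 1025
        Rule(protos=frozenset({"tcp"}), direction="in", sports=LOW, dports=HIGH),
    ])


def stateful_ruleset():
    """check-state, keep-state on outbound smtp/auth/smtps, static inbound smtp."""
    return Firewall([
        Rule(check_state=True),
        Rule(direction="out", dports={25, 113, 465}, keep_state=True),
        Rule(protos=frozenset({"tcp"}), direction="in", dports={25, 465}),
    ])


def run_scenario(fw):
    """Constructed traffic: one outbound SMTP flow, its reply, and a probe."""
    me, relay, stranger = "192.0.2.10", "192.0.2.25", "192.0.2.66"
    outbound = Packet("tcp", me, 50000, relay, 25, "out")
    reply = Packet("tcp", relay, 25, me, 50000, "in")
    probe = Packet("tcp", stranger, 80, me, 6000, "in")   # unsolicited, low sport
    return {
        "outbound_smtp": fw.evaluate(outbound),
        "smtp_reply": fw.evaluate(reply),
        "unsolicited_probe": fw.evaluate(probe),
    }


if __name__ == "__main__":
    for name, fw in (("stateless", stateless_ruleset()), ("stateful", stateful_ruleset())):
        print(name, run_scenario(fw))
```

Both rulesets pass the outbound connection and its reply; only the stateless one also passes the unsolicited connection to port 6000, because the low-to-high rule cannot tell a reply from a fresh connection that merely uses a low source port. The model simplifies real ipfw (no interface matching, no dynamic-rule timeouts, no TCP flag tracking), which is enough to show why the poster's keep-state version needs no extra inbound openings.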