From owner-freebsd-questions@FreeBSD.ORG Wed Oct 13 04:58:50 2004
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B594B16A4CE for ; Wed, 13 Oct 2004 04:58:50 +0000 (GMT)
Received: from web41403.mail.yahoo.com (web41403.mail.yahoo.com [66.218.93.69]) by mx1.FreeBSD.org (Postfix) with SMTP id 4CDE643D1F for ; Wed, 13 Oct 2004 04:58:50 +0000 (GMT) (envelope-from davemac11@yahoo.com)
Message-ID: <20041013045850.82892.qmail@web41403.mail.yahoo.com>
Received: from [4.14.230.236] by web41403.mail.yahoo.com via HTTP; Tue, 12 Oct 2004 21:58:50 PDT
Date: Tue, 12 Oct 2004 21:58:50 -0700 (PDT)
From: Dave McCammon
To: David Banning
In-Reply-To: <20041013033432.GA6977@skytrackercanada.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: questions@freebsd.org
Subject: Re: ipfw - denying all - what port for OE
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 13 Oct 2004 04:58:50 -0000

--- David Banning wrote:

> I am attempting to block everything except ports 80, 110, 25 and a
> few others, but I can't seem to get Outlook Express mail clients
> to collect mail on the network. Does anyone happen to know what
> ports they use? I have tried 110, 25, 443 and about 20 others.
>
> I tried using tcpdump to track the activity when I have all ports
> open and use OE, but it seems to use a different port each time:
> ports like 2843 and other non-allocated port numbers.

The client (OE) will use a non-privileged port to connect to the POP3 (I assume this is what you want) server port 110. To be clearer, are you attempting to block everything except 80, 110, 25, and a few others _in_ or _out_?
If you are allowing the client to connect, let's say out, to the pop server, are you allowing the return traffic?

Example (arrows for traffic flow):

  Client request   client(2843) -> ipfw allow       -> pop3(110)
  Server reply     client(2843) <- ipfw established <- pop3(110)

Simple rule example:

  allow tcp from any to me established
  allow tcp from me to (server) 110 setup
  deny ip from any to any

This is similar to the example in the ipfw man page.

Simple rule using dynamic rules:

  check-state
  allow tcp from me to (server) 110 setup keep-state
  deny ip from any to any

When "me" makes a setup connection to pop server it creates a dynamic rule for return traffic. After looking at the man page again, this rule is like the example except I didn't use the "established" rule. Read through the examples in the man page and look at key words like "established, keep-state, setup, check-state".
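To make the dynamic-rule behaviour in the reply above concrete, here is an added example that is not part of the thread: a deliberately simplified Python model of the three-rule stateful set (check-state, setup keep-state, deny), run over a constructed packet trace in which the mail client opens POP3 from ephemeral port 2843. The addresses, the Packet class and the verdict strings are assumptions of this example, not ipfw output; real ipfw dynamic rules also carry timeouts and TCP flag tracking that the model omits.

```python
from dataclasses import dataclass

POP3_SERVER = "192.0.2.10"   # constructed placeholder for "(server)" in the reply
ME = "192.0.2.1"             # the firewall host itself, ipfw's "me"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False   # True for the connection-opening packet ("setup")


class StatefulFirewall:
    """Model of check-state / keep-state: dynamic rules keyed on the endpoint pair."""

    def __init__(self):
        self.dynamic = set()   # each entry: frozenset({(src, sport), (dst, dport)})

    def _key(self, p):
        # An unordered pair, so the server's reply matches the same entry.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def decide(self, p):
        # Rule 1: check-state -- reply or continuation of a tracked connection.
        if self._key(p) in self.dynamic:
            return "allow (check-state)"
        # Rule 2: allow tcp from me to (server) 110 setup keep-state
        if p.src == ME and p.dst == POP3_SERVER and p.dport == 110 and p.syn_only:
            self.dynamic.add(self._key(p))
            return "allow (setup keep-state)"
        # Rule 3: deny ip from any to any
        return "deny"


def run_trace(packets):
    fw = StatefulFirewall()
    return [fw.decide(p) for p in packets]


# Constructed trace: OE opens POP3 from port 2843, the server answers, an
# unrelated host tries port 2843 directly, then the client sends more data.
TRACE = [
    Packet(ME, 2843, POP3_SERVER, 110, syn_only=True),
    Packet(POP3_SERVER, 110, ME, 2843),
    Packet("198.51.100.7", 110, ME, 2843),   # no tracked connection: denied
    Packet(ME, 2843, POP3_SERVER, 110),
]

if __name__ == "__main__":
    for p, verdict in zip(TRACE, run_trace(TRACE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict}")
```

The third packet shows why port 2843 never needs a rule of its own: only traffic belonging to a connection the client opened is let back in.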