From: "Kevin D. Kinsey, DaleCo, S.P." <kdk@daleco.biz>
Date: Tue, 09 Mar 2004 10:22:37 -0600
To: Mike Jackson
Cc: freebsd-questions@freebsd.org
Subject: Re: firewall rules for mail gateway

Mike Jackson wrote:

> Hi,
>
> I have a 5.2.1 firewall box that also has a mailserver.
>
> Goal:
>
>  - firewall can send and receive mail <-> rest of the world
>  - firewall can send and receive mail <-> internal LAN machines
>  - firewall blocks internal LAN machines from connecting to
>    external SMTP servers
>
> firewall/mail gw
> -----------------------
> xl0 - public interface
> xl1 - private interface (gateway ip for LAN) 192.168.1.1
>
>
> I tried something like:
>
> block out quick on xl1 proto tcp from any to any port = 25
>
> with no effect, workstations could still get past it.
>
> Any help would be appreciated :-)
>
> Thanks,
>

So, you're using ipf or ipfilter, not ipfw, as I take it from your
syntax. I imagine the ipfilter gurus on the list would like to see
your entire ruleset.

IIRC, your firewall is a "last match" setup rather than "first match."
Might have something to do with it. If the machine is running
NAT/divert whatever, it might well be diverting before blocking?
But I'm wrong so often it's not very funny ... and I use ipfw
instead of ipf.....

The other thing I see: using ipfw, I'd be blocking traffic from LAN
to dst-port 25 via the *outside* interface... so, can you put an
"allow server out via 25" and then a "deny any out via 25" on your
xl0? What does that do?

Kevin Kinsey
DaleCo, S.P.
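An added example ruleset, written here for illustration and not taken from either message in the thread, showing one way to express the three goals in ipf's own syntax. It assumes a placeholder public address of 203.0.113.10 on xl0, a LAN of 192.168.1.0/24 behind xl1 (192.168.1.1 is the gateway address from the original post), and an MTA on the gateway listening on port 25. Two ipf semantics drive the layout: without `quick`, ipf keeps scanning and the last matching rule wins, so every rule below carries `quick` to make the first match final; and `in`/`out` are relative to the named interface, so packets from LAN workstations arrive `in` on xl1, while a `block out on xl1` rule only ever sees packets the gateway itself sends toward the LAN, which is why the rule in the original post never matched.

```text
# Added example ipf ruleset (not from the original thread).
# Placeholders: 203.0.113.10 = gateway's public address on xl0.
# Every rule uses "quick" so first match is final (ipf is otherwise last-match).

# 1. LAN hosts may submit mail to the gateway's own MTA.
#    Their packets arrive "in" on xl1, so the rule must be an "in" rule on xl1.
pass in quick on xl1 proto tcp from 192.168.1.0/24 to 192.168.1.1 port = 25 flags S keep state

# 2. Any other LAN connection to port 25 is refused and logged.
#    This rule enforces the policy before NAT is involved at all, because it
#    matches on the LAN-facing interface where the real source address is seen.
#    return-rst sends a TCP reset so the workstation fails fast; drop that
#    keyword to discard silently instead.
block return-rst in log quick on xl1 proto tcp from 192.168.1.0/24 to any port = 25

# 3. The gateway's own MTA may deliver to the rest of the world.
pass out quick on xl0 proto tcp from 203.0.113.10 to any port = 25 flags S keep state

# 4. Belt and braces on the public side: nothing else leaves xl0 for port 25.
#    If anything shows up in the log from this rule, rule 2 has been bypassed.
block out log quick on xl0 proto tcp from any to any port = 25

# 5. The rest of the world may deliver mail to the gateway.
pass in quick on xl0 proto tcp from any to 203.0.113.10 port = 25 flags S keep state
```

Load it with `ipf -Fa -f /etc/ipf.rules` and confirm the intended order with `ipfstat -io`; the first two rules on xl1 are the ones that actually enforce the policy, and rule 4 on xl0 exists only as a logged tripwire for anything that slips past them.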