From owner-freebsd-isp Fri Nov 7 08:19:12 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id IAA07693 for isp-outgoing; Fri, 7 Nov 1997 08:19:12 -0800 (PST) (envelope-from owner-freebsd-isp)
Received: from ns.mt.sri.com (SRI-56K-FR.mt.net [206.127.65.42]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id IAA07672 for ; Fri, 7 Nov 1997 08:19:03 -0800 (PST) (envelope-from nate@rocky.mt.sri.com)
Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.7/8.8.7) with ESMTP id JAA21910; Fri, 7 Nov 1997 09:19:01 -0700 (MST)
Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id JAA28143; Fri, 7 Nov 1997 09:18:59 -0700 (MST)
Date: Fri, 7 Nov 1997 09:18:59 -0700 (MST)
Message-Id: <199711071618.JAA28143@rocky.mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: "Jonathan A. Zdziarski"
Cc: freebsd-isp@freebsd.org
Subject: Re: Banning IPs from Sendmail
In-Reply-To:
References:
X-Mailer: VM 6.29 under 19.15 XEmacs Lucid
Sender: owner-freebsd-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> What's the easiest way to deny local smtp delivery to specific IP
> addresses?

IPFW.

netif == outside network connection
myeip == my external IP addresses (necessary since packets are generated with it as my IP address)
myiip == my 'internal' IP address, which is the one given to the world.

The following rules limit email to my 'gateway' box, and only that box. You can modify it to accept email from other machines, or whatever.

############
# allow incoming SMTP only on NS, so we only have to keep its stuff
# current. There's no other reason for people to look internally, since
# they are handled w/MX records.
ipfw add 900 pass tcp from any to ${myeip} 25 via ${netif} in
ipfw add 901 pass tcp from any to ${myiip} 25,53,110,113 via ${netif} in
# Don't log (somewhat valid) attempts to connect to internal SMTP hosts
# (sendmail uses AUTH, so don't log attempts there either.)
ipfw add 910 deny tcp from any to any 25 via ${netif} in

Nate
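The point of the ruleset above is ordering: ipfw walks rules in ascending number order and the first match wins, so the two pass rules (900, 901) for the gateway addresses must sit in front of the blanket deny (910) for port 25, and none of the three rules touch traffic on any other interface or direction. The following script is an added example, not Nate's code or anything from FreeBSD: it parses the three posted rules, substitutes the shell variables, and reports which rule decides a given inbound TCP packet. The interface name ed0, the addresses 192.0.2.x/203.0.113.x and the assumption that the kernel's default rule 65535 is a deny are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins for the shell variables in the message; not real addresses.
VARS = {"netif": "ed0", "myeip": "192.0.2.1", "myiip": "192.0.2.2"}

# The three rules exactly as posted, still in shell-variable form.
RULESET = """
ipfw add 900 pass tcp from any to ${myeip} 25 via ${netif} in
ipfw add 901 pass tcp from any to ${myiip} 25,53,110,113 via ${netif} in
ipfw add 910 deny tcp from any to any 25 via ${netif} in
"""

# Covers only the subset of the old-style ipfw grammar used by those rules.
RULE_RE = re.compile(
    r"ipfw add (?P<num>\d+) (?P<action>pass|allow|deny) (?P<proto>\w+)"
    r" from (?P<src>\S+)(?: (?P<sports>\d+(?:,\d+)*))?"
    r" to (?P<dst>\S+)(?: (?P<dports>\d+(?:,\d+)*))?"
    r" via (?P<iface>\S+) (?P<direction>in|out)"
)


@dataclass
class Rule:
    num: int
    action: str
    proto: str
    src: str
    dst: str
    dports: frozenset  # empty means "any destination port"
    iface: str
    direction: str


def expand(text, variables):
    """Substitute ${name} the way the shell does before ipfw ever sees the line."""
    return re.sub(r"\$\{(\w+)\}", lambda m: variables[m.group(1)], text)


def parse_rules(text, variables):
    """Parse the posted rules into Rule objects, sorted the way ipfw evaluates them."""
    rules = []
    for line in expand(text, variables).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.fullmatch(line)
        if m is None:
            raise ValueError("unsupported rule syntax: " + line)
        ports = frozenset(int(p) for p in m["dports"].split(",")) if m["dports"] else frozenset()
        action = "pass" if m["action"] == "allow" else m["action"]
        rules.append(Rule(int(m["num"]), action, m["proto"], m["src"], m["dst"],
                          ports, m["iface"], m["direction"]))
    # Ascending rule number, first match wins.
    return sorted(rules, key=lambda r: r.num)


def rule_matches(rule, proto, src, dst, dport, iface, direction):
    return (rule.proto in (proto, "ip", "all")
            and rule.src in (src, "any")
            and rule.dst in (dst, "any")
            and (not rule.dports or dport in rule.dports)
            and rule.iface == iface
            and rule.direction == direction)


def evaluate(rules, proto, src, dst, dport, iface, direction):
    """Return (action, rule number) of the first matching rule.

    Assumes the kernel's default rule 65535 is a deny (a FreeBSD kernel built
    without IPFIREWALL_DEFAULT_TO_ACCEPT); that is an assumption of this example.
    """
    for r in rules:
        if rule_matches(r, proto, src, dst, dport, iface, direction):
            return r.action, r.num
    return "deny", 65535


if __name__ == "__main__":
    rules = parse_rules(RULESET, VARS)
    # Constructed packets from an outside host (203.0.113.9) to the gateway
    # addresses and to an internal host (192.0.2.50) that has no direct SMTP access.
    for dst, port in [("192.0.2.1", 25), ("192.0.2.2", 110), ("192.0.2.50", 25), ("192.0.2.50", 80)]:
        print(dst, port, evaluate(rules, "tcp", "203.0.113.9", dst, port, "ed0", "in"))
```

Swapping rules 900 and 910 in RULESET (renumbering 900 as 920, say) makes the gateway's own SMTP fall through to the deny, which is the mistake the numbering in the message is arranged to avoid; the simulator shows that change immediately.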