From owner-freebsd-questions@FreeBSD.ORG Tue Mar 1 20:25:29 2005
From: "Adolfo B. Ferreira"
To: freebsd-questions@freebsd.org
Date: Sun, 27 Feb 2005 09:33:48 -0300
Message-Id: <1109507628.927.4.camel@notebook>
Subject: Firewall
List-Id: User questions

Hi, I set up a firewall in my FreeBSD box using ipfw.conf and it's working fine. I'm running an SMTP server on my firewall (I know it's not recommended) and all my services are working fine, but SMTP is not receiving incoming connections from outside (Internet). I would like to show my ipfw rules and get some answer why it's not working.
Thanks Guys, here is my firewall:

# QoS: LAN
pipe 10 config mask src-ip 0xfffffff0 bw 40Kbit/s # LAN Upload
pipe 20 config mask dst-ip 0xfffffff0 bw 20Kbit/s # Lan Download
# QoS: SERVICES
pipe 30 config bw 120Kbit/s queue 6Kbytes # FTP
pipe 40 config mask bw 75Kbit/s # SMTP
pipe 50 config mask bw 70Kbit/s # DNS TCP
pipe 60 config mask bw 300Kbit/s queue 20Kbytes # WEB / SSL
pipe 70 config mask bw 75Kbit/s # POP3
# DEVICE: lo0
add 100 allow all from any to any via lo0
add 101 allow tcp from any to 127.0.0.1 110
add 102 deny ip from any to 127.0.0.0/8
# LAN: NAT
add 200 divert natd ip from any to any in via rl0
# LAN: IN
add 300 allow tcp from 10.1.1.0/28 to 10.1.1.1 22,139,445 in via vr0
add 400 allow udp from 10.1.1.0/28 to 10.1.1.1 137,138 in via vr0
# CHECK STATE
add 500 check-state
# DNS: SYNC
add 600 allow ip from any to any 53 via rl0
add 601 allow ip from any 53 to any via rl0
# DHCP: CLIENT
add 700 allow udp from any to 10.12.0.1 67 out via rl0
# LAN: ROOT
add 800 allow tcp from me to any out via rl0 setup keep-state uid root
# LAN: OUT
add 900 skipto 2000 tcp from any to any 80 out via rl0 setup keep-state
add 901 skipto 2000 tcp from any to any 443 out via rl0 setup keep-state
add 902 skipto 2000 tcp from any to any 25 out via rl0 setup keep-state
add 903 skipto 2000 tcp from any to any 110 out via rl0 setup keep-state
add 905 skipto 2000 icmp from any to any out via rl0 icmptypes 8
add 906 skipto 2000 tcp from any to any 20,21 out via rl0 setup keep-state
add 907 skipto 2000 tcp from any to any 43 out via rl0 setup keep-state
add 909 skipto 2000 tcp from any to any 1755 out via rl0 setup keep-state
add 910 skipto 2000 tcp from any to any 1863 out via rl0 setup keep-state
add 911 skipto 2000 tcp from any to any 2222 out via rl0 setup keep-state
add 912 skipto 2000 tcp from any to any 6667 out via rl0 setup keep-state
#add 913 skipto 2000 tcp from any to any 1-4000 out via rl0 setup keep-state
# NETCRAFT
add 1000 deny all from 195.92.95.0/32 to any in via rl0
add 1100 allow icmp from any to any in via rl0 icmptypes 0
# ICMP: BLOCK PING
add 1101 prob 0.2 allow icmp from any to 201.6.24.17 in via rl0 icmptypes 8
add 1102 prob 0.2 allow icmp from 201.6.24.17 to any out via rl0 icmptypes 0
# LAN: RFC
add 1200 deny all from 192.168.0.0/16 to any in via rl0
add 1220 deny all from 172.16.0.0/12 to any in via rl0
add 1240 deny all from 127.0.0.0/8 to any in via rl0
add 1250 deny all from 0.0.0.0/8 to any in via rl0
add 1260 deny all from 169.254.0.0/16 to any in via rl0
add 1270 deny all from 192.0.2.0/24 to any in via rl0
add 1280 deny all from 204.152.64.0/23 to any in via rl0
add 1290 deny all from 224.0.0.0/3 to any in via rl0
# INTERNET: FRAG
add 1300 deny all from any to any frag in via rl0
# INTERNET: STATE STABLE
add 1400 deny ip from any to any established in via rl0
# DHCP: CLIENT
add 1500 allow udp from 10.12.0.1 to any 68 in via rl0 keep-state
# INTERNET: SERVICES IN
add 1600 pipe 30 ip from any to 201.6.24.17 20,21 in via rl0 setup limit src-addr 2
add 1601 pipe 40 tcp from any to 201.6.24.17 25 in via rl0
add 1602 pipe 50 ip from any to 201.6.24.17 53 in via rl0 setup limit src-addr 2
add 1603 pipe 60 tcp from any to 201.6.24.17 80,443 in via rl0 setup limit src-addr 2
add 1604 pipe 70 tcp from any to 201.6.24.17 995 in via rl0 setup limit src-addr 2
# DENY / LOG
add 1800 deny log all from any to any out via rl0
add 1900 deny log all from any to any in via rl0
# LAN: NAT
add 2000 divert natd ip from any to any out via rl0
add 2001 allow ip from any to any

Adolfo Bravo Ferreira
Network Administrator / Security Analyst / Developer
Grupo Ferreira Limitada
Phone: 11 50628877
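The following is an added illustration, not part of Adolfo's message or of any reply on the list: a small Python model of how ipfw walks the posted rules, first match wins, for the three packets of an inbound TCP handshake to port 25. It carries dynamic state between packets so the contrast between a stateless inbound allow (rule 1601 exactly as posted) and the same rule written with `setup` plus a state-creating option (the `setup limit src-addr 2` form its neighbours 1600 and 1602-1604 use) is visible. Assumptions: only the rules that can match such packets on rl0 are modelled; NAT divert, uid matching, skipto and the pipe bandwidth are left out because they do not decide this case; a pipe rule is treated as an accept, which is what happens under the default `net.inet.ip.fw.one_pass=1`; `limit` is modelled as `keep-state` without the per-address cap; the remote MTA address is a constructed one from the RFC 5737 documentation range.

```python
"""Tiny model of ipfw first-match evaluation with dynamic (stateful) rules.

Constructed example: only the posted rules that can touch an inbound SMTP
handshake on rl0 are modelled (500, 1400, 1601, 1800, 1900, 2001). NAT divert,
uid, skipto and pipe bandwidth are left out because they do not decide this
case; a pipe rule counts as an accept (default net.inet.ip.fw.one_pass=1).
"""

SERVER = "201.6.24.17"   # the poster's public address on rl0
CLIENT = "198.51.100.7"  # constructed remote MTA address (RFC 5737 range)


def rule(num, action, direction, dport=None, setup=False,
         established=False, keep_state=False):
    """One ipfw rule reduced to the fields that matter here."""
    return dict(num=num, action=action, direction=direction, dport=dport,
                setup=setup, established=established, keep_state=keep_state)


# Subset of the posted ruleset, in order, with the SMTP rule exactly as posted:
# no 'setup', no 'keep-state'/'limit', so it never creates dynamic state.
ORIGINAL = [
    rule(500, "check-state", "any"),
    rule(1400, "deny", "in", established=True),   # ACK/RST set, inbound on rl0
    rule(1601, "allow", "in", dport=25),          # 'pipe 40 tcp ... 25 in via rl0'
    rule(1800, "deny", "out"),                    # 'deny log all ... out via rl0'
    rule(1900, "deny", "in"),                     # 'deny log all ... in via rl0'
    rule(2001, "allow", "any"),
]

# Same ruleset with 1601 creating state, as 1600 and 1602-1604 already do
# ('limit src-addr 2' is modelled as keep-state without the per-address cap).
FIXED = [r if r["num"] != 1601 else
         rule(1601, "allow", "in", dport=25, setup=True, keep_state=True)
         for r in ORIGINAL]


def flow_key(pkt):
    """Direction-independent endpoint pair, so a dynamic rule matches both ways."""
    return frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])


def matches(r, pkt):
    """Static match: direction, destination port, and the setup/established flags."""
    if r["direction"] not in ("any", pkt["dir"]):
        return False
    if r["dport"] is not None and pkt["dport"] != r["dport"]:
        return False
    if r["setup"] and not (pkt["syn"] and not pkt["ack"]):   # setup = SYN, no ACK
        return False
    if r["established"] and not pkt["ack"]:                  # established = ACK (or RST)
        return False
    return True


def evaluate(ruleset, pkt, state):
    """Return (rule number, verdict) for the first matching rule, ipfw-style."""
    for r in ruleset:
        if r["action"] == "check-state":
            if flow_key(pkt) in state:          # packet belongs to a known flow
                return r["num"], "allow"
            continue                            # no dynamic match: keep walking
        if matches(r, pkt):
            if r["keep_state"]:
                state.add(flow_key(pkt))        # create the dynamic rule
            return r["num"], r["action"]
    return None, "deny"                         # ipfw's implicit default


def handshake():
    """Constructed TCP three-way handshake: remote MTA connecting to port 25."""
    return [
        ("SYN in",      dict(src=CLIENT, sport=40000, dst=SERVER, dport=25,
                             dir="in",  syn=True,  ack=False)),
        ("SYN-ACK out", dict(src=SERVER, sport=25, dst=CLIENT, dport=40000,
                             dir="out", syn=True,  ack=True)),
        ("ACK in",      dict(src=CLIENT, sport=40000, dst=SERVER, dport=25,
                             dir="in",  syn=False, ack=True)),
    ]


def trace(ruleset):
    """Walk the handshake through the ruleset, carrying dynamic state between packets."""
    state, out = set(), []
    for label, pkt in handshake():
        num, verdict = evaluate(ruleset, pkt, state)
        out.append((label, num, verdict))
    return out


if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name)
        for label, num, verdict in trace(rs):
            print(f"  {label:12} -> rule {num}: {verdict}")
```

Run stand-alone, the trace shows the mechanism rather than just the symptom: with the rule as posted the client's SYN is accepted at 1601, but the server's SYN-ACK leaving rl0 matches nothing before the catch-all 1800 and is logged and dropped, and a client ACK arriving later would be caught by 1400 because it is `established`. With state created at 1601, the SYN-ACK and every later packet of that flow match `check-state` at 500, which sits ahead of 1400 and 1800, so the handshake completes. The same walk can be repeated against other service rules by changing `dport` in `handshake()`.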