From: Dorin H
To: OpenMacNews
cc: freebsd-security@freebsd.org
Date: Sat, 22 Nov 2003 17:14:05 -0800 (PST)
Subject: Re: how to get IPFW rules for SMTP server behind NAT server "right"? (freebsd-security: message 1 of 20)

> hadn't dawned on me to this, so:
>
> ipfw add 7000 allow log tcp from any to ${smtp_server} 25 setup
> ipfw add 7001 allow tcp from any to ${smtp_server} 25 established
> ipfw add 7002 allow log tcp from ${smtp_server} 25 to any setup
> ipfw add 7003 allow tcp from ${smtp_server} 25 to any established
>
> right?

Better with dynamic rules... you don't want any packet directed to ${smtp_server} 25 going inside, just those corresponding to a previously initiated connection (dropping SYN will allow the packet to pass your firewall, and it will not even be logged :))

2c.
/Dorin.
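The point about the quoted ruleset, as an added toy model (not code from the thread, and not ipfw itself): the static "established" rules match any ACK-only packet with no memory of a handshake, whereas a stateful ruleset ("ipfw add check-state" followed by "allow log tcp from any to ${smtp_server} 25 setup keep-state") only passes packets belonging to a flow that a logged SYN created. The addresses are constructed placeholders.

```python
# Added illustration (not from the thread): toy model of the two rulesets, not ipfw itself.
from dataclasses import dataclass

SMTP_SERVER = "192.0.2.25"  # constructed placeholder for ${smtp_server}

@dataclass(frozen=True)
class Pkt:
    src: str; sport: int; dst: str; dport: int; syn: bool; ack: bool

def static_rules(pkt):
    """Quoted ruleset: 'setup' = SYN without ACK, 'established' = ACK set and
    SYN clear. 'established' matches with no knowledge of any prior handshake."""
    to_smtp = pkt.dst == SMTP_SERVER and pkt.dport == 25
    from_smtp = pkt.src == SMTP_SERVER and pkt.sport == 25
    if (to_smtp or from_smtp) and pkt.syn and not pkt.ack:
        return "allow+log"      # rules 7000 / 7002
    if (to_smtp or from_smtp) and pkt.ack and not pkt.syn:
        return "allow"          # rules 7001 / 7003: silent and stateless
    return "deny"

def dynamic_rules(pkt, state):
    """Stateful variant: check-state first, then only a logged SYN to port 25
    may create a flow entry (setup keep-state); anything else is dropped."""
    fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
    if fwd in state or rev in state:
        return "allow"          # matched an existing dynamic rule
    if pkt.dst == SMTP_SERVER and pkt.dport == 25 and pkt.syn and not pkt.ack:
        state.add(fwd)          # keep-state records the new flow
        return "allow+log"
    return "deny"               # no flow entry and not a handshake: dropped

def run_scenario():
    """Verdicts for an unsolicited ACK-only probe versus a genuine handshake."""
    probe = Pkt("203.0.113.7", 40000, SMTP_SERVER, 25, syn=False, ack=True)
    syn = Pkt("203.0.113.9", 40001, SMTP_SERVER, 25, syn=True, ack=False)
    synack = Pkt(SMTP_SERVER, 25, "203.0.113.9", 40001, syn=True, ack=True)
    state = set()
    return {
        "static_probe": static_rules(probe),        # passes silently
        "dynamic_probe": dynamic_rules(probe, state),  # dropped
        "dynamic_syn": dynamic_rules(syn, state),      # logged, flow created
        "dynamic_synack": dynamic_rules(synack, state),  # reply matches flow
    }
```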