Date: Sat, 10 Oct 1998 12:25:40 +0200
From: "H. Eckert" <ripley@nostromo.in-berlin.de>
To: andrew@squiz.co.nz
Cc: Alejandro Galindo Chairez AGALINDO <agalindo@servidor.exsocom.com.mx>, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and pop3
Message-ID: <19981010122539.52033@nostromo.in-berlin.de>
In-Reply-To: <Pine.BSF.4.01.9810081322010.2912-100000@aniwa.sky>; from Andrew McNaughton on Thu, Oct 08, 1998 at 01:26:35PM +1300
References: <Pine.BSF.3.96.981007170501.28754A-100000@servidor.exsocom.com.mx> <Pine.BSF.4.01.9810081322010.2912-100000@aniwa.sky>
On Thu, Oct 08, 1998 at 01:26:35PM +1300, Andrew McNaughton wrote:
> On Wed, 7 Oct 1998, Alejandro Galindo Chairez AGALINDO wrote:
> > Can you help me establish the rule to permit pop3 port access?
> > I only need to permit the network 208.195.117.0 (mask 0xffffff00).
> > Or can you tell me where I can find some rule samples for this?
>
> I'm not quite clear on your setup (where is the firewall?) but your
> network can be defined as 208.195.117.0:255.255.255.0

How about 208.195.117/24 ?

I had some slight trouble with pop3 access and ipfw rules lately, too.
My setup is quite simple:

[Internet]<--Dialup IP(ipi0)-->[FreeBSD Server]<--Ethernet-->[internal net]

I have a pop3 service running on my server for which I want access only
from the inside. OTOH I want to access a remote pop3 server from an
internal machine.

Without ipfw restrictions anybody can get at my server while the dialup
is active. This is especially bad as my popper is quite old and could
easily be abused. There is no use in hunting down security fixes for
pop3 as there is no public access anyway, so I'd rather close that hole
permanently.

What I needed to accomplish is this:

[Net] <--- pop3 ok
[Net] ---> pop3 denied

So I tried a rule like

    ipfw deny tcp from any pop3 to any in ipi0

Trouble was, this effectively prevented me from getting mail from the
remote server :-(

The solution is actually really simple: I installed tcp_wrapper. Now I
can freely let pop3 through my ipfw ruleset, and access to the pop3
service on my server machine from the outside is blocked. No machine on
my internal net runs pop3 and they're unreachable due to NAT, anyway.

inetd.conf:

    pop3 stream tcp nowait root /usr/local/libexec/tcpd /usr/local/libexec/popper -s

/usr/local/etc/hosts.allow:

    # Wed Oct 7 03:00:00 CEST 1998
    popper : LOCAL 10.175. : allow
    #popper : UNKNOWN PARANOID : deny
    popper : ALL : deny
    ALL : ALL

(the commented out line didn't work; does anybody know why ?)
Greetings,
Ripley
--
http://www.in-berlin.de/User/nostromo/
==
"You don't say what kind of CD drive or hard disks you have, but since
it is causing you trouble I'll assume it is IDE."
        -- comp.unix.bsd.freebsd.misc

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
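The rule tried in the post ("deny tcp from any pop3 to any in ipi0") puts the pop3 port on the source side, so it matches whatever arrives on the dialup link with source port 110, which is exactly the remote server's replies to an internal mail fetch. The following added example (not part of the post or of ipfw itself) is a small Python model of ipfw's first-match filtering that runs that rule and a destination-port variant against two constructed packets; addresses, the ephemeral ports and the modern "in via ipi0" spelling are assumptions:

```python
# Added example, not from the mailing-list post: a toy model of ipfw's
# first-match packet filtering, used to show why
#     deny tcp from any pop3 to any in via ipi0
# blocks replies from a remote POP3 server, while
#     deny tcp from any to any pop3 in via ipi0
# blocks only inbound connections to the local popper.
# Addresses, ports and the two packets below are constructed.
from dataclasses import dataclass
from typing import Optional, Sequence

POP3 = 110
DIALUP_IF = "ipi0"            # the dialup interface named in the post
LOCAL_ADDR = "192.0.2.10"     # constructed: the FreeBSD server's dialup address
REMOTE_POP = "198.51.100.7"   # constructed: the remote POP3 server
OUTSIDER = "203.0.113.99"     # constructed: some host on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "in" or "out", relative to the firewall host
    iface: str


@dataclass(frozen=True)
class Rule:
    """One ipfw rule; a None field means 'any' for that field."""
    action: str                    # "allow" or "deny"
    sport: Optional[int] = None    # 'from any <sport>'
    dport: Optional[int] = None    # 'to any <dport>'
    direction: Optional[str] = None
    iface: Optional[str] = None
    text: str = ""


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field the rule constrains agrees with the packet."""
    return ((rule.sport is None or rule.sport == pkt.sport)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface))


def evaluate(rules: Sequence[Rule], pkt: Packet) -> str:
    """ipfw semantics: rules are consulted in order, first match decides.
    The fall-through 'allow' stands in for a permissive rest of the ruleset."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "allow"


# The rule from the post: source port pop3, inbound on the dialup link.
POSTED_RULE = Rule("deny", sport=POP3, direction="in", iface=DIALUP_IF,
                   text="deny tcp from any pop3 to any in via ipi0")
# The same intent expressed on the destination port instead.
DST_PORT_RULE = Rule("deny", dport=POP3, direction="in", iface=DIALUP_IF,
                     text="deny tcp from any to any pop3 in via ipi0")

# Constructed traffic:
# 1. a reply segment from the remote POP3 server to the internal mail fetch
REMOTE_REPLY = Packet(REMOTE_POP, POP3, LOCAL_ADDR, 49152, "in", DIALUP_IF)
# 2. an outside host opening a connection to the local popper
OUTSIDE_CONNECT = Packet(OUTSIDER, 40123, LOCAL_ADDR, POP3, "in", DIALUP_IF)


def verdicts(rule: Rule) -> dict:
    """What a single deny rule does to the two constructed packets."""
    return {
        "remote_reply": evaluate([rule], REMOTE_REPLY),
        "outside_connect": evaluate([rule], OUTSIDE_CONNECT),
    }


if __name__ == "__main__":
    for rule in (POSTED_RULE, DST_PORT_RULE):
        print(rule.text, "->", verdicts(rule))
```

Running it shows the posted rule dropping the remote server's reply while letting the outsider's connection to port 110 through, and the destination-port rule doing the reverse. The model ignores NAT and TCP flags; on a real box the "setup" keyword would let the deny apply only to connection-opening segments.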
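The hosts.allow file in the post is evaluated by tcpd top to bottom with the first matching entry deciding, and an entry in hosts.allow with no option field means "allow". The following added example (not from the post and not tcp_wrappers' own code) is a minimal Python evaluator for just the client patterns that file uses (ALL, LOCAL, UNKNOWN and a dotted address prefix); PARANOID is not modelled, hosts.deny is approximated as "deny everything", and the sample clients and their hostnames are constructed:

```python
# Added example, not from the post: a minimal evaluator for the subset of
# hosts_access(5) syntax used in the posted hosts.allow. Only hosts.allow is
# modelled; a miss falls through to an assumed deny-all hosts.deny.
# PARANOID (forward/reverse lookup mismatch) is not modelled.
from typing import NamedTuple, Optional, List, Tuple


class Client(NamedTuple):
    addr: str
    name: Optional[str]   # None when the reverse lookup failed (UNKNOWN)


# The file from the post, verbatim.
HOSTS_ALLOW = """
# Wed Oct 7 03:00:00 CEST 1998
popper : LOCAL 10.175. : allow
#popper : UNKNOWN PARANOID : deny
popper : ALL : deny
ALL : ALL
"""

Entry = Tuple[List[str], List[str], str]


def parse(text: str) -> List[Entry]:
    """Return (daemon list, client list, option) triples.
    Comments and blank lines are skipped; a missing option means allow."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        option = fields[2] if len(fields) > 2 else "allow"
        entries.append((daemons, clients, option))
    return entries


def client_matches(pattern: str, client: Client) -> bool:
    """Client patterns: ALL, LOCAL (name without a dot), UNKNOWN (no name),
    an address prefix ending in '.', or an exact host name/address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return client.name is not None and "." not in client.name
    if pattern == "UNKNOWN":
        return client.name is None
    if pattern.endswith("."):
        return client.addr.startswith(pattern)
    return client.name == pattern or client.addr == pattern


def decide(entries: List[Entry], daemon: str, client: Client) -> str:
    """First matching entry wins. No match in hosts.allow is treated as deny,
    standing in for a hosts.deny that refuses everything."""
    for daemons, clients, option in entries:
        daemon_ok = "ALL" in daemons or daemon in daemons
        if daemon_ok and any(client_matches(p, client) for p in clients):
            return option
    return "deny"


if __name__ == "__main__":
    entries = parse(HOSTS_ALLOW)
    # Constructed clients: an internal workstation, an internal host with no
    # reverse DNS, an outside mail host, and an outsider hitting another daemon.
    for daemon, client in (("popper", Client("10.175.0.5", "ws1")),
                           ("popper", Client("10.175.0.6", None)),
                           ("popper", Client("208.195.117.4", "mail.example.net")),
                           ("fingerd", Client("203.0.113.9", None))):
        print(daemon, client, "->", decide(entries, daemon, client))
```

Two things the run makes visible: popper is reachable only from internal names and the 10.175. prefix, as intended, and the trailing "ALL : ALL" line is an unconditional allow for every other wrapped daemon from every host, so hosts.deny is never consulted for those services.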
