Date:      Sat, 10 Oct 1998 19:49:00 +0200
From:      Harold Gutch <logix@foobar.franken.de>
To:        "H. Eckert" <ripley@nostromo.in-berlin.de>, andrew@squiz.co.nz
Cc:        Alejandro Galindo Chairez AGALINDO <agalindo@servidor.exsocom.com.mx>, freebsd-security@FreeBSD.ORG
Subject:   Re: ipfw and pop3
Message-ID:  <19981010194900.A24338@foobar.franken.de>
In-Reply-To: <19981010122539.52033@nostromo.in-berlin.de>; from H. Eckert on Sat, Oct 10, 1998 at 12:25:40PM +0200
References:  <Pine.BSF.3.96.981007170501.28754A-100000@servidor.exsocom.com.mx> <Pine.BSF.4.01.9810081322010.2912-100000@aniwa.sky> <19981010122539.52033@nostromo.in-berlin.de>


On Sat, Oct 10, 1998 at 12:25:40PM +0200, H. Eckert wrote:
> I have a pop3 service running on my server for which I want access
> only from the inside.  OTOH I want to access a remote pop3 server
> from an internal machine.  Without ipfw restriction anybody can get
> at my server while the dialup is active.  This is especially bad as
> my popper is quite old and could easily be abused.  There is no use
> in hunting down security fixes for pop3 as there is no public access
> anyway so I rather close that hole permanently.  What I needed to
> accomplish is this:
> 
> [Net] <--- pop3		ok
> [Net] ---> pop3		denied
> 
> So I tried a rule like "ipfw deny tcp from any pop3 to any in ipi0"
> Trouble was, this effectively denied me from getting mail from the
> remote server :-(
> 
Wouldn't something like the following work:

  # "setup" matches only SYN packets, i.e. new connection attempts
  ipfw add reset tcp from any to nostromo pop3 setup via ipi0

Replacing nostromo of course with the host your pop3d is running
on.

All this would deny is the establishing of TCP connections to
nostromo's pop3d from connections coming in over the ipi0 interface;
everything else would be allowed.
In fact, this rule would even reset the connection, so the
"outside world" would see nostromo's pop3d-port as if there was
no service running on it.
As I don't know your setup (private/real IPs etc.) you might have
to change the ruleset a little according to it.

-- 
bye, logix

<Shabby> Sleep is an abstinence syndrome which occurs due to lack of caffeine.
Wed Mar  4 04:53:33 CET 1998   #unix, ircnet
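An added example, not part of the thread: a small sh script that builds the ruleset discussed above (deny new inbound pop3 connections on the dialup interface, keep outbound mail retrieval working) next to the rule from the question that broke retrieval. It assumes the host name "nostromo" and interface "ipi0" from the mail; the rule numbers, the dry-run helper and the `rules_keep_fetching` check are my own additions.

```shell
#!/bin/sh
# Added example (not from the original mail): ipfw rules that let an
# internal host fetch mail from a remote pop3 server but refuse new
# inbound pop3 connections arriving over the dialup interface.
# Assumed names: pop3 server "nostromo", dialup interface "ipi0".
POPHOST=${POPHOST:-nostromo}
DIALUP=${DIALUP:-ipi0}
IPFW=${IPFW:-ipfw}

# With DRYRUN set, print the command instead of running it, so the
# ruleset can be reviewed without root and without ipfw installed.
run() {
    if [ -n "$DRYRUN" ]; then echo "$IPFW $*"; else "$IPFW" "$@"; fi
}

# The rule from the question.  It matches every inbound packet whose
# *source* port is pop3, which is exactly what the replies of the remote
# popper we fetch from look like, so it cuts off mail retrieval.
broken_rule() {
    run add 900 deny tcp from any pop3 to any in via "$DIALUP"
}

# Working ruleset.  "setup" matches only SYN-without-ACK packets, so rule
# 1000 catches inbound connection attempts to our popper and answers with
# a TCP RST (the port looks closed from outside).  Replies from a remote
# pop3 server carry ACK and target a high port on nostromo, so they do
# not match rule 1000; rule 1100 makes that allowed direction explicit.
pop3_rules() {
    run add 1000 reset tcp from any to "$POPHOST" pop3 setup in via "$DIALUP"
    run add 1100 allow tcp from any pop3 to "$POPHOST" established in via "$DIALUP"
}

# Sanity check on rule text read from stdin: returns 0 if no inbound rule
# is keyed on the remote popper's source port (the mistake above), else 1.
rules_keep_fetching() {
    ! grep -q 'from any pop3 to any in'
}

# Usage: "sh pop3fw.sh apply" (as root) loads the rules;
#        "DRYRUN=1 sh pop3fw.sh apply" only prints them.
if [ "${1:-}" = apply ]; then pop3_rules; fi
```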
