From owner-freebsd-security Sat Oct 10 10:50:29 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA06902 for freebsd-security-outgoing; Sat, 10 Oct 1998 10:50:29 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from foobar.franken.de (foobar.franken.de [194.94.249.81]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA06893 for ; Sat, 10 Oct 1998 10:50:17 -0700 (PDT) (envelope-from logix@foobar.franken.de)
Received: (from logix@localhost) by foobar.franken.de (8.8.8/8.8.5) id TAA24364; Sat, 10 Oct 1998 19:49:01 +0200 (CEST)
Message-ID: <19981010194900.A24338@foobar.franken.de>
Date: Sat, 10 Oct 1998 19:49:00 +0200
From: Harold Gutch
To: "H. Eckert", andrew@squiz.co.nz
Cc: Alejandro Galindo Chairez AGALINDO, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw and pop3
References: <19981010122539.52033@nostromo.in-berlin.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <19981010122539.52033@nostromo.in-berlin.de>; from H. Eckert on Sat, Oct 10, 1998 at 12:25:40PM +0200
X-Organisation: BatmanSystemDistribution
X-Mission: To free the world from the Penguin
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Oct 10, 1998 at 12:25:40PM +0200, H. Eckert wrote:
> I have a pop3 service running on my server for which I want access
> only from the inside. OTOH I want to access a remote pop3 server
> from an internal machine. Without ipfw restriction anybody can get
> at my server while the dialup is active. This is especially bad as
> my popper is quite old and could easily be abused. There is no use
> in hunting down security fixes for pop3 as there is no public access
> anyway, so I rather close that hole permanently. What I needed to
> accomplish is this:
>
> [Net] <--- pop3 ok
> [Net] ---> pop3 denied
>
> So I tried a rule like "ipfw deny tcp from any pop3 to any in ipi0".
> Trouble was, this effectively denied me from getting mail from the
> remote server :-(
>

Wouldn't something like the following work:

    ipfw add reset tcp from any to nostromo pop3 setup via ipi0

Replacing nostromo, of course, with the host your pop3d is running on.

All this would deny is the establishing of TCP connections to nostromo's
pop3d from connections coming in over the ipi0 interface; everything else
would be allowed. In fact, this rule would even reset the connection, so
the "outside world" would see nostromo's pop3d port as if there was no
service running on it.

As I don't know your setup (private/real IPs etc.) you might have to
change the ruleset a little accordingly.

-- 
bye,
  logix

Sleep is an abstinence syndrome which occurs due to lack of caffeine.
Wed Mar 4 04:53:33 CET 1998 #unix, ircnet

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
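To make the difference between the two rules in this thread concrete, here is a small added Python model (not code from the thread or from ipfw): it evaluates the original "deny tcp from any pop3 to any in" rule and the suggested connection-setup rule (ipfw's `setup` option matches TCP packets with SYN set and ACK clear) against four constructed packets. The addresses are placeholders.

```python
# Toy model of the two ipfw rules discussed above. Constructed example;
# the host names/addresses are placeholders, not the poster's real setup.
NOSTROMO = "10.0.0.1"      # assumed address of the host running pop3d
CLIENT = "10.0.0.2"        # internal machine fetching mail from outside
REMOTE = "192.0.2.10"      # remote pop3 server (documentation range)
OUTSIDE = "198.51.100.7"   # arbitrary outside host connecting to our pop3d
POP3 = 110


def packet(src, sport, dst, dport, flags, direction):
    """Build a minimal TCP packet seen on the ipi0 interface."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": set(flags), "dir": direction, "iface": "ipi0"}


def rule_deny_from_pop3_in(pkt):
    """'deny tcp from any pop3 to any in via ipi0': drops every inbound
    packet whose *source* port is 110 - including the remote pop3 server's
    replies to our own client, which is why mail fetching broke."""
    return (pkt["sport"] == POP3 and pkt["dir"] == "in"
            and pkt["iface"] == "ipi0")


def rule_reset_setup(pkt):
    """'reset tcp from any to nostromo pop3 setup via ipi0': matches only
    packets that try to *open* a connection (SYN without ACK) to our pop3d.
    Return traffic from a remote pop3 server never has dport 110 here."""
    return (pkt["dst"] == NOSTROMO and pkt["dport"] == POP3
            and pkt["iface"] == "ipi0" and pkt["flags"] == {"SYN"})


# Constructed traffic: one inbound connection attempt to our pop3d and the
# three packets that make up our own client's session with the remote server.
TRAFFIC = {
    "outside SYN to our pop3d": packet(OUTSIDE, 40000, NOSTROMO, POP3, ["SYN"], "in"),
    "our SYN to remote pop3d": packet(CLIENT, 40001, REMOTE, POP3, ["SYN"], "out"),
    "remote pop3d SYN/ACK reply": packet(REMOTE, POP3, CLIENT, 40001, ["SYN", "ACK"], "in"),
    "remote pop3d data": packet(REMOTE, POP3, CLIENT, 40001, ["ACK"], "in"),
}


def blocked_by(rule):
    """Names of the constructed packets a rule would match (block/reset)."""
    return sorted(name for name, pkt in TRAFFIC.items() if rule(pkt))


if __name__ == "__main__":
    print("original rule blocks:", blocked_by(rule_deny_from_pop3_in))
    print("setup rule blocks:   ", blocked_by(rule_reset_setup))
```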