From owner-freebsd-security Fri Jul 14 12:16:11 2000
Subject: Firewall allows smtp
To: freebsd-security@freebsd.org
From: George.Giles@mcmail.vanderbilt.edu
Date: Fri, 14 Jul 2000 14:18:28 -0500

My firewall is below. I thought this would only allow ssh in, and anything local out. SMTP still works even though I think it should be denied. Please advise.

# set these to your outside interface network and netmask and ip
oif="mx0"
onet="24.2.119.0"
omask="255.255.255.0"
oip="X.X.X.X"   <- hide the guilty

# set these to your inside interface network and netmask and ip
iif="mx1"
inet="10.0.0.0"
imask="255.255.255.0"
iip="10.0.0.1"

# Allow inside out
$fwcmd add divert natd all from any to any via ${oif}
$fwcmd add pass all from any to any

# Stop spoofing
$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
$fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
$fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

# Allow TCP through if setup succeeded
#$fwcmd add pass tcp from any to any established

# SSH only.
$fwcmd add pass tcp from any to ${oip} 22 setup

# Allow setup of incoming email
#$fwcmd add pass tcp from any to ${oip} 25 setup

# Reject&Log all setup of incoming connections from the outside
$fwcmd add deny log tcp from any to any in via ${oif} setup
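Editor's note on the ruleset above. The cause is rule order: ipfw walks the list top to bottom and stops at the first matching rule (a divert rule hands the packet to natd and evaluation resumes at the next rule). `$fwcmd add pass all from any to any` is rule 2 and matches every packet on every interface in both directions, so the anti-spoofing, RFC1918 and `deny log ... setup` rules after it are never consulted; the SMTP SYN is accepted there, and so is everything else. To allow the inside out without also allowing the outside in, drop the blanket pass, re-enable the `established` rule so replies flow, and put a `pass tcp from any to any setup` after the `deny log tcp from any to any in via ${oif} setup` rule, so only setups that survive the inbound deny are passed. The Python below is an added example, not part of the post or of FreeBSD: a small first-match simulator whose parser, `walk` function and sample packets are this page's own constructions. It substitutes 24.2.119.9 for the redacted X.X.X.X, uses RFC 5737 documentation addresses for outside hosts, ignores NAT rewriting and treats divert as non-terminating. It walks both the posted ruleset and the reordered one:

```python
"""Added example (not from the post): first-match walk of an ipfw ruleset.
Toy simulator for the rule syntax the post uses. Assumptions: 'divert natd' is
non-terminating and NAT rewriting is not modelled; 'setup' = SYN without ACK;
'established' = ACK or RST set; 24.2.119.9 stands in for the redacted X.X.X.X;
outside hosts use RFC 5737 documentation addresses; packets are constructed."""
import ipaddress
import shlex

OIF, ONET, OMASK, OIP = "mx0", "24.2.119.0", "255.255.255.0", "24.2.119.9"
IIF, INET, IMASK = "mx1", "10.0.0.0", "255.255.255.0"

def _net(tok):
    """'any' -> None (wildcard); 'a.b.c.d' or 'a.b.c.d:mask' -> ip_network."""
    if tok == "any":
        return None
    ip, _, mask = tok.partition(":")
    return ipaddress.ip_network(f"{ip}/{mask or '255.255.255.255'}", strict=False)

def parse_rule(line):
    """add ACTION [log] PROTO from A to B [PORT] [in|out] [via IF] [setup|established]"""
    toks = shlex.split(line)
    i, action = 2, toks[1]
    if action == "divert":
        i += 1                      # skip the divert port name (natd)
    if toks[i] == "log":
        i += 1                      # logging does not affect the match
    assert toks[i + 1] == "from" and toks[i + 3] == "to", line
    rule = {"action": action, "proto": toks[i], "src": _net(toks[i + 2]),
            "dst": _net(toks[i + 4]), "dport": None, "dir": None, "via": None,
            "setup": False, "established": False}
    i += 5
    while i < len(toks):
        t = toks[i]
        if t.isdigit():
            rule["dport"] = int(t)
        elif t in ("in", "out"):
            rule["dir"] = t
        elif t == "via":
            i += 1
            rule["via"] = toks[i]
        elif t in ("setup", "established"):
            rule[t] = True
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
        i += 1
    return rule

def matches(rule, pkt):
    """Every option present on the rule must hold for the packet."""
    tcp = pkt["proto"] == "tcp"
    return all([
        rule["proto"] in ("all", pkt["proto"]),
        rule["src"] is None or ipaddress.ip_address(pkt["src"]) in rule["src"],
        rule["dst"] is None or ipaddress.ip_address(pkt["dst"]) in rule["dst"],
        rule["dport"] is None or pkt["dport"] == rule["dport"],
        rule["dir"] is None or pkt["dir"] == rule["dir"],
        rule["via"] is None or pkt["iface"] == rule["via"],
        not rule["setup"] or (tcp and pkt["flags"] == {"SYN"}),
        not rule["established"] or (tcp and bool(pkt["flags"] & {"ACK", "RST"})),
    ])

def walk(ruleset, pkt):
    """(rule number, action) of the first terminating match; divert keeps going."""
    for num, line in enumerate(ruleset, start=1):
        rule = parse_rule(line)
        if matches(rule, pkt):
            if rule["action"] == "divert":
                continue            # assumption: natd reinjects, evaluation resumes here
            return num, rule["action"]
    return 65535, "deny"            # default rule without IPFIREWALL_DEFAULT_TO_ACCEPT

# Posted ruleset with the shell variables substituted; commented-out rules omitted.
RFC1918 = ["192.168.0.0:255.255.0.0", "172.16.0.0:255.240.0.0", "10.0.0.0:255.0.0.0"]
POSTED = [
    f"add divert natd all from any to any via {OIF}",
    "add pass all from any to any",     # rule 2 matches everything; rules 3-12 are dead
    f"add deny all from {INET}:{IMASK} to any in via {OIF}",
    f"add deny all from {ONET}:{OMASK} to any in via {IIF}",
    *(r for n in RFC1918 for r in (f"add deny all from {n} to any via {OIF}",
                                   f"add deny all from any to {n} via {OIF}")),
    f"add pass tcp from any to {OIP} 22 setup",
    f"add deny log tcp from any to any in via {OIF} setup",
]
# Blanket pass removed; replies pass via 'established'; outbound setups pass only after
# inbound setups on the outside interface have been denied and logged.
FIXED = [POSTED[0]] + POSTED[2:10] + [
    "add pass tcp from any to any established",
    f"add pass tcp from any to {OIP} 22 setup",
    f"add deny log tcp from any to any in via {OIF} setup",
    "add pass tcp from any to any setup",
]

def pkt(proto, src, dst, dport, direction, iface, *flags):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport,
            "dir": direction, "iface": iface, "flags": set(flags)}

SMTP_IN = pkt("tcp", "203.0.113.5", OIP, 25, "in", OIF, "SYN")      # outside -> our port 25
SSH_IN = pkt("tcp", "203.0.113.5", OIP, 22, "in", OIF, "SYN")
SSH_REPLY = pkt("tcp", "203.0.113.5", OIP, 22, "in", OIF, "ACK")    # mid-connection packet
SMTP_OUT = pkt("tcp", OIP, "198.51.100.7", 25, "out", OIF, "SYN")   # inside host, after natd
```

`walk(POSTED, SMTP_IN)` returns `(2, 'pass')`: the inbound SMTP SYN never reaches rule 12. `walk(FIXED, SMTP_IN)` returns `(12, 'deny')`, while the SSH setup, its replies and an outbound SMTP setup still pass, and an inbound UDP packet falls through to the default rule 65535. Two caveats: the reordered set passes only TCP, so UDP services such as DNS need their own rules; and on the real box `ipfw -a list` shows per-rule packet counters, so a ruleset where every counter after rule 2 stays at zero is the same symptom.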