Date:      Fri, 14 Jul 2000 14:18:28 -0500
From:      George.Giles@mcmail.vanderbilt.edu
To:        freebsd-security@freebsd.org
Subject:   Firewall allows smtp
Message-ID:  <OFE3DC20B0.75BE0626-ON8625691C.0069B960@MC.VANDERBILT.EDU>

My firewall is below. I thought this would only allow ssh in, and anything
local out. SMTP still works even though I think it should be denied.

Please advise.

    # set these to your outside interface network and netmask and ip
    oif="mx0"
    onet="24.2.119.0"
    omask="255.255.255.0"
    oip="X.X.X.X"   # <- hide the guilty

    # set these to your inside interface network and netmask and ip
    iif="mx1"
    inet="10.0.0.0"
    imask="255.255.255.0"
    iip="10.0.0.1"

    # Allow inside out
    $fwcmd add divert natd all from any to any via ${oif}
    $fwcmd add pass all from any to any

    # Stop spoofing
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

    # Allow TCP through if setup succeeded
    #$fwcmd add pass tcp from any to any established

    # SSH only.
    $fwcmd add pass tcp from any to ${oip} 22 setup

    # Allow setup of incoming email
    #$fwcmd add pass tcp from any to ${oip} 25 setup

    # Reject&Log all setup of incoming connections from the outside
    $fwcmd add deny log tcp from any to any in via ${oif} setup
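As an added example (not part of the original post), a small Python simulator of ipfw's first-match evaluation over a subset of the rules above: the interface name mx0 comes from the post, while the public address 203.0.113.10 and the source 198.51.100.7 are constructed stand-ins. It shows that an inbound SMTP SYN is accepted by the first rule before any of the later deny rules is ever consulted, and that the same shadowing also defeats the anti-spoofing deny.

```python
# Added example, not from the original post: a first-match simulator for the
# ipfw rule subset used above. ipfw applies the first matching rule, so the
# early 'pass all from any to any' shadows every deny that follows it.
import ipaddress
OIF, OIP = "mx0", "203.0.113.10"  # OIP is a constructed stand-in for X.X.X.X

# Poster's rules in order (natd divert and RFC1918 blocks omitted; none match here).
RULES = [
    "pass all from any to any",
    f"deny all from 10.0.0.0:255.255.255.0 to any in via {OIF}",
    f"pass tcp from any to {OIP} 22 setup",
    f"deny log tcp from any to any in via {OIF} setup",
]

def _net(spec):  # 'any' -> None (matches all); 'addr[:mask]' -> ip_network
    if spec == "any":
        return None
    addr, _, mask = spec.partition(":")
    return ipaddress.ip_network(f"{addr}/{mask or '32'}", strict=False)

def matches(rule, pkt):
    """pkt keys: proto, src, dst, dport, direction ('in'/'out'), iface, setup."""
    t = [w for w in rule.split() if w != "log"]  # 'log' does not affect matching
    proto, src, dst, opts = t[1], _net(t[3]), _net(t[5]), t[6:]
    if proto not in ("all", "ip", pkt["proto"]):
        return False
    if src and ipaddress.ip_address(pkt["src"]) not in src:
        return False
    if dst and ipaddress.ip_address(pkt["dst"]) not in dst:
        return False
    if opts and opts[0].isdigit() and int(opts.pop(0)) != pkt["dport"]:
        return False
    while opts:  # every remaining option must hold for the rule to match
        w = opts.pop(0)
        if (w in ("in", "out") and w != pkt["direction"]) or \
           (w == "via" and opts.pop(0) != pkt["iface"]) or \
           (w == "setup" and not pkt["setup"]):
            return False
    return True

def decide(rules, pkt):
    """Return (index, action) of the first matching rule, as ipfw would."""
    for i, r in enumerate(rules):
        if matches(r, pkt):
            return i, r.split()[0]
    return None, "deny"  # ipfw's implicit default rule 65535

SMTP_SYN = dict(proto="tcp", src="198.51.100.7", dst=OIP, dport=25,  # constructed
                direction="in", iface=OIF, setup=True)              # inbound SYN
# Pass-all limited to outbound on mx0: shows the ordering effect only, not a full policy.
FIXED = [f"pass all from any to any out via {OIF}"] + RULES[1:]
```

With RULES the SMTP SYN is decided by rule 0 (pass); with FIXED it falls through to the final deny, and a packet claiming a 10.0.0.x source arriving on mx0 is caught by the anti-spoofing rule instead of being passed.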
