Date: Fri, 14 Jul 2000 22:21:02 +0300 (EEST)
From: Evren Yurtesen <yurtesen@ispro.net.tr>
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Firewall allows smtp
Message-ID: <Pine.BSF.4.21.0007142219500.51187-100000@finland.ispro.net.tr>
In-Reply-To: <OFE3DC20B0.75BE0626-ON8625691C.0069B960@MC.VANDERBILT.EDU>
> # Allow inside out
> $fwcmd add divert natd all from any to any via ${oif}
>>> $fwcmd add pass all from any to any
That line in your firewall config file allows everything, so
the ssh line below is not working: your firewall stops at that
rule when it sees pass for everything.
Just take it out and make some experiments =)
+---------------------------------------------------------+
| Name : Evren Yurtesen - yurtesen@ispro.net.tr |
| Job Title : Technical Consultant & System Administrator|
| S-Mail : Talikkokatu 6B 26, Turku 20540, Finland |
| Work Tel. : +90-232-2463992 |
| Mobile Tel.: +358-40-5073940 |
+---------------------------------------------------------+
On Fri, 14 Jul 2000 George.Giles@mcmail.vanderbilt.edu wrote:
> My firewall is below. I thought this would only allow ssh in, and anything
> local out. SMTP still works even though I think it should be denied.
>
> Please advise.
>
> # set these to your outside interface network and netmask and ip
> oif="mx0"
> onet="24.2.119.0"
> omask="255.255.255.0"
> oip="X.X.X.X" <- hide the guilty
>
> # set these to your inside interface network and netmask and ip
> iif="mx1"
> inet="10.0.0.0"
> imask="255.255.255.0"
> iip="10.0.0.1"
>
> # Allow inside out
> $fwcmd add divert natd all from any to any via ${oif}
> $fwcmd add pass all from any to any
>
> # Stop spoofing
> $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
> $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
>
> # Stop RFC1918 nets on the outside interface
> $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
> $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
> $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
>
> # Allow TCP through if setup succeeded
> #$fwcmd add pass tcp from any to any established
>
> # SSH only.
> $fwcmd add pass tcp from any to ${oip} 22 setup
>
> # Allow setup of incoming email
> #$fwcmd add pass tcp from any to ${oip} 25 setup
>
> # Reject&Log all setup of incoming connections from the outside
> $fwcmd add deny log tcp from any to any in via ${oif} setup
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0007142219500.51187-100000>
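The first-match behaviour Evren points at, as an added example that is not part of the thread: a small Python model of the quoted ruleset, showing that with the "pass all from any to any" line present an inbound SMTP connection setup is accepted at rule 1, and that with the line removed the "deny log ... setup" rule catches it while the SSH rule still passes port 22. The outside address 192.0.2.10 (standing in for the hidden oip) and the remote address 203.0.113.5 are constructed placeholders.

```python
import ipaddress

# Constructed model of ipfw first-match evaluation over the ruleset quoted in
# this thread. It is not ipfw itself: only the match fields the ruleset uses
# are modeled, and the 'divert natd' rule is left out because it does not
# end evaluation. OIP stands in for the poster's hidden oip="X.X.X.X".
OIP = "192.0.2.10"

def rule(action, proto, src, dst, dport=None, direction=None, via=None, setup=False):
    return dict(action=action, proto=proto, src=src, dst=dst, dport=dport,
                direction=direction, via=via, setup=setup)

def addr_match(spec, addr):
    # 'any' matches everything; otherwise spec is the post's addr:mask, written addr/mask
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, pkt):
    return ((r["proto"] in ("all", pkt["proto"]))
            and addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])
            and (r["dport"] is None or r["dport"] == pkt["dport"])
            and (r["direction"] is None or r["direction"] == pkt["direction"])
            and (r["via"] is None or r["via"] == pkt["iface"])
            and (not r["setup"] or pkt["setup"]))

def first_match(rules, pkt):
    """(rule number, action) of the first matching rule; no match falls to the
    default rule 65535, which denies."""
    for n, r in enumerate(rules, start=1):
        if matches(r, pkt):
            return n, r["action"]
    return 65535, "deny"

PASS_ALL = rule("pass", "all", "any", "any")          # "$fwcmd add pass all from any to any"
TAIL = [                                               # the rules that follow it in the post
    rule("deny", "all", "10.0.0.0/255.255.255.0", "any", direction="in", via="mx0"),
    rule("deny", "all", "24.2.119.0/255.255.255.0", "any", direction="in", via="mx1"),
    rule("deny", "all", "10.0.0.0/255.0.0.0", "any", via="mx0"),   # one RFC1918 rule shown
    rule("pass", "tcp", "any", OIP, dport=22, setup=True),          # SSH only
    rule("deny", "tcp", "any", "any", direction="in", via="mx0", setup=True),  # deny log ... setup
]
AS_POSTED = [PASS_ALL] + TAIL
WITHOUT_PASS_ALL = TAIL   # Evren's suggestion: take that line out

def pkt(src, dst, dport, direction, iface):
    # a constructed TCP connection setup (SYN only) seen on the given interface
    return dict(proto="tcp", src=src, dst=dst, dport=dport, direction=direction,
                iface=iface, setup=True)

INBOUND_SMTP = pkt("203.0.113.5", OIP, 25, "in", "mx0")
INBOUND_SSH = pkt("203.0.113.5", OIP, 22, "in", "mx0")
OUTBOUND_SMTP = pkt(OIP, "203.0.113.5", 25, "out", "mx0")  # after natd rewrote the source
```

The model also shows what the suggested experiment will turn up: with the line removed, an outbound connection setup from the inside matches no pass rule either (the "established" pass rule is commented out) and falls to the default deny.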
