From owner-freebsd-security@FreeBSD.ORG Tue May 11 21:00:24 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9D3B816A4D0 for ; Tue, 11 May 2004 21:00:24 -0700 (PDT)
Received: from mail.isg.siue.edu (mail.isg.siue.edu [146.163.5.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id EA4B943D1F for ; Tue, 11 May 2004 21:00:23 -0700 (PDT) (envelope-from wgrim@cougar.isg.siue.edu)
Received: from WEBSHIELD1.isg.siue.edu (webshield1.isg.siue.edu [146.163.5.149]) id XAA29733 for ; Tue, 11 May 2004 23:00:21 -0500 (CDT)
Received: From cougar ([146.163.5.29]) by WEBSHIELD1.isg.siue.edu (WebShield SMTP v4.5 MR1a); id 1084334420827; Tue, 11 May 2004 23:00:20 -0500
Date: Tue, 11 May 2004 23:00:20 -0500 (CDT)
From: William Michael Grim
To: Tim Aslat
In-Reply-To: <20040512115607.23ac80ea@bofh.spyderweb.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd security list
Subject: Re: quick FW question
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 12 May 2004 04:00:24 -0000

Hello!

If you would like to properly forward traffic to your mail server THROUGH
the firewall, you need to have your firewall do it through NAT. By doing
it through NAT (natd), it will change the IP headers for you so the
traffic travels correctly. It took me a while to figure this out when
trying to forward ssh and httpd to an internal machine.

Set up your rc.conf like this:

natd_enable="YES"
natd_flags="-f /etc/natd.conf"

In my natd.conf, I have a setup like this (you will need to change the
redirect lines though):

# Useful for trying not to break RFCs.
use_sockets
same_ports

# My public interface
interface dc0

# Use this since the public interface is set by DHCP.
dynamic

# Only translate packets whose source is an unregistered (private) address.
unregistered_only

# Log packets that could not be re-injected because an ipfw rule denied them.
log_ipfw_denied

# Inbound port forwards: public port -> internal host:port
redirect_port tcp 192.168.0.101:23 23
redirect_port tcp 192.168.0.101:8080 8080
#redirect_port tcp 192.168.0.101:389 389
#redirect_port tcp 192.168.0.101:636 636

William Michael Grim
Student, Southern Illinois University at Edwardsville
Unix Network Administrator, SIUE, Computer Science dept.
Phone: (217) 341-6552
Email: wgrim@siue.edu

On Wed, 12 May 2004, Tim Aslat wrote:

> I hope this isn't too off topic, but I'd like a quick solution to a
> problem.
>
> I have a small network behind a NAT firewall (FreeBSD of course) and I'd
> like to block/redirect all traffic from the internal network to the
> local mail server (same box as firewall) in order to prevent direct smtp
> requests to the outside world (mainly virus/trojan programs).
>
> I think I have it right in this rule, but I would prefer to get a
> second, or even a third opinion.
>
> ipfw add fwd 127.0.0.1,25 tcp from any to me dst-port 25
>
> Cheers
>
> Tim
>
> --
> Tim Aslat
> Spyderweb Consulting
> http://www.spyderweb.com.au
> Phone: +61 0401088479
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
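Whether an ipfw "fwd" rule intercepts the SMTP traffic Tim wants to catch depends entirely on what its address clauses match: "me" matches only addresses configured on the firewall box itself, while a source prefix matches by where the packet comes from. The following is an added example, not code from either message in this thread, that models that first-match evaluation for a small subset of ipfw rule syntax and runs Tim's rule and a source-network variant against three constructed packets. All addresses are assumptions: 192.168.0.1 is the firewall's inside address, 203.0.113.10 stands in for its DHCP-assigned public address, 192.168.0.0/24 is the LAN and 198.51.100.0/24 plays the outside world. Real ipfw does far more (stateful rules, interface and direction matching, divert to natd) and this is not a substitute for reading ipfw(8).

```python
"""Toy first-match evaluator for a subset of ipfw(8) rule syntax (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Addresses configured on the firewall itself; ipfw's 'me' matches any of them.
# Constructed for this example (see lead-in).
FIREWALL_ADDRS = {"127.0.0.1", "192.168.0.1", "203.0.113.10"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    action: str                         # "fwd", "allow" or "deny"
    fwd_to: Optional[Tuple[str, int]]   # next hop for "fwd", else None
    proto: str                          # "tcp", "udp" or "ip" (any protocol)
    src: str                            # "any", "me" or an address/CIDR prefix
    dst: str
    dport: Optional[int]                # None when there is no dst-port clause


def parse_rule(text: str) -> Rule:
    """Parse e.g. 'add 100 fwd 127.0.0.1,25 tcp from any to me dst-port 25'."""
    tok = text.split()
    if tok and tok[0] == "add":
        tok = tok[1:]
    if tok and tok[0].isdigit():        # optional rule number
        tok = tok[1:]
    action = tok.pop(0)
    fwd_to = None
    if action == "fwd":
        host, port = tok.pop(0).split(",")
        fwd_to = (host, int(port))
    proto = tok.pop(0)
    if len(tok) < 4 or tok[0] != "from" or tok[2] != "to":
        raise ValueError(f"unsupported rule body: {text!r}")
    src, dst, rest = tok[1], tok[3], tok[4:]
    dport = int(rest[1]) if rest[:1] == ["dst-port"] else None
    return Rule(action, fwd_to, proto, src, dst, dport)


def addr_matches(spec: str, addr: str) -> bool:
    """'any' matches everything, 'me' matches the firewall's own addresses,
    anything else is an address or CIDR prefix."""
    if spec == "any":
        return True
    if spec == "me":
        return addr in FIREWALL_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)


def evaluate(rules: List[str], pkt: Packet) -> Tuple[str, Optional[Tuple[str, int]]]:
    """First matching rule wins, as in ipfw; 'fwd' is terminating and also
    reports the new next hop. No match means deny, the default for a kernel
    built without IPFIREWALL_DEFAULT_TO_ACCEPT."""
    for rule in map(parse_rule, rules):
        if rule_matches(rule, pkt):
            return (rule.action, rule.fwd_to)
    return ("deny", None)


# Tim's rule, followed by a permissive catch-all so only the fwd rule's effect shows.
TIMS_RULESET = [
    "add 100 fwd 127.0.0.1,25 tcp from any to me dst-port 25",
    "add 65000 allow ip from any to any",
]

# Same intent, matching on the internal source network instead of 'me' (assumption).
EGRESS_RULESET = [
    "add 100 fwd 127.0.0.1,25 tcp from 192.168.0.0/24 to any dst-port 25",
    "add 65000 allow ip from any to any",
]

# Constructed traffic samples.
DIRECT_SMTP_OUT = Packet("192.168.0.50", "198.51.100.25", "tcp", 25)  # LAN PC -> remote MX
SMTP_TO_FIREWALL = Packet("192.168.0.50", "192.168.0.1", "tcp", 25)    # LAN PC -> local MTA
INBOUND_SMTP = Packet("198.51.100.7", "203.0.113.10", "tcp", 25)       # remote -> our MX

if __name__ == "__main__":
    for name, pkt in (("direct out", DIRECT_SMTP_OUT),
                      ("to firewall", SMTP_TO_FIREWALL),
                      ("inbound", INBOUND_SMTP)):
        print(f"{name:12} 'to me' rule -> {evaluate(TIMS_RULESET, pkt)}"
              f"   source-net rule -> {evaluate(EGRESS_RULESET, pkt)}")
```

Running it shows the "to me" form redirecting only SMTP that is already addressed to the firewall (including inbound mail from outside), while the source-network form is what catches a LAN host talking straight to a remote port 25. On a real FreeBSD box of that era "fwd" also needs IPFIREWALL_FORWARD compiled into the kernel, and because ipfw is first-match the fwd rule has to sit ahead of any divert or allow rule that would otherwise accept the packet; check the ordering with "ipfw show".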