From owner-freebsd-isp Wed Dec 10 13:39:00 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id NAA21404 for isp-outgoing; Wed, 10 Dec 1997 13:39:00 -0800 (PST) (envelope-from owner-freebsd-isp)
Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id NAA21399 for ; Wed, 10 Dec 1997 13:38:57 -0800 (PST) (envelope-from archie@whistle.com)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id NAA14462; Wed, 10 Dec 1997 13:38:22 -0800 (PST)
Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma014460; Wed Dec 10 13:38:21 1997
Received: (from archie@localhost) by bubba.whistle.com (8.8.5/8.6.12) id NAA19732; Wed, 10 Dec 1997 13:38:21 -0800 (PST)
From: Archie Cobbs
Message-Id: <199712102138.NAA19732@bubba.whistle.com>
Subject: Re: ipfw rule needed
In-Reply-To: from Gary Blumenstein at "Dec 10, 97 10:54:34 am"
To: garyb@fly.com (Gary Blumenstein)
Date: Wed, 10 Dec 1997 13:38:21 -0800 (PST)
Cc: freebsd-isp@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL31 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Gary Blumenstein writes:
> Can anyone help me define a working rule combination that allows smtp
> traffic to and from a specific host sitting outside my firewall?  By
> default, I block all ip traffic to the network where this particular host
> resides, so I want to install a more specific rule earlier in the chain
> that preferably defines the port numbers on both the inbound and outbound
> packet (i.e. port 25 and corresponding "ack" response flags on ports >
> 1024)

If 1.2.3.4 is your mail host and 192.168.1.0/24 is your internal network..

- For connections from inside clients to outside SMTP server:

    ipfw add 10 allow tcp from 192.168.1.0/24 to 1.2.3.4 25
    ipfw add 10 allow tcp from 1.2.3.4 25 to 192.168.1.0/24 established

- For connections from outside SMTP server to inside clients:

    ipfw add 10 allow tcp from 1.2.3.4 to 192.168.1.0/24 25
    ipfw add 10 allow tcp from 192.168.1.0/24 25 to 1.2.3.4 established

- For both, do all four rules.

> P.S. Also, is there a FAQ (besides the FreeBSD faq) for this mailing
> list?  I'm a new member.

Not that I've heard of..

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com
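A way to check what the four rules above actually admit before loading them on a router, as an added example that is not code from the original post or from FreeBSD's ipfw(8): a small Python evaluator for just the rule subset the reply uses (allow/deny, tcp/ip, optional ports, `established`, first match wins), run against constructed packets. The outside network being blocked (1.2.3.0/24), the rule number 100 for that blanket block, and the packets themselves are assumptions made for the example; the four allow rules are copied from the reply.

```python
"""Evaluate the four ipfw rules from the reply against constructed packets.

Added example, not code from the original post or from FreeBSD's ipfw(8).
Only the subset used in the reply is implemented: 'ipfw add N allow|deny
tcp|ip from SRC [port] to DST [port] [established]' with first-match
semantics, so the effect of each rule can be checked offline.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

RULE_RE = re.compile(
    r"^ipfw add (\d+) (allow|deny) (tcp|ip) from (\S+)(?: (\d+))?"
    r" to (\S+)(?: (\d+))?( established)?$"
)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters: "S" = SYN, "SA" = SYN+ACK, "A" = ACK, "R" = RST


def _net(spec: str) -> ipaddress.IPv4Network:
    # A bare host address becomes a /32; 'any' becomes 0.0.0.0/0.
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    num, action, proto, src, sport, dst, dport, est = m.groups()
    return Rule(int(num), action, proto, _net(src), int(sport) if sport else None,
                _net(dst), int(dport) if dport else None, est is not None)


def matches(rule: Rule, pkt: Packet) -> bool:
    # Every constructed packet is TCP, so both 'tcp' and 'ip' rules apply to it.
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    # ipfw's 'established' matches TCP packets with the ACK or RST bit set.
    # It is a flag check, not connection tracking: a bare SYN never matches,
    # but any packet carrying ACK does, whether or not a handshake preceded it.
    if rule.established and not ({"A", "R"} & set(pkt.flags)):
        return False
    return True


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, int]:
    """First match wins; rules sharing a number keep insertion order (sorted() is stable)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, rule.number
    return "deny", 65535  # ipfw's built-in default rule


# The four rules from the reply, then the poster's blanket block of the outside
# network (assumed here to be 1.2.3.0/24, installed as rule 100).
RULESET = [parse_rule(line) for line in """
ipfw add 10 allow tcp from 192.168.1.0/24 to 1.2.3.4 25
ipfw add 10 allow tcp from 1.2.3.4 25 to 192.168.1.0/24 established
ipfw add 10 allow tcp from 1.2.3.4 to 192.168.1.0/24 25
ipfw add 10 allow tcp from 192.168.1.0/24 25 to 1.2.3.4 established
ipfw add 100 deny ip from any to 1.2.3.0/24
ipfw add 100 deny ip from 1.2.3.0/24 to any
""".strip().splitlines()]

# Constructed packets: one SMTP exchange in each direction, plus three probes.
CASES = {
    "inside client opens SMTP to 1.2.3.4": Packet("192.168.1.10", 3456, "1.2.3.4", 25, "S"),
    "SYN/ACK back from the outside server": Packet("1.2.3.4", 25, "192.168.1.10", 3456, "SA"),
    "outside server delivers mail inward": Packet("1.2.3.4", 40000, "192.168.1.5", 25, "S"),
    "SYN/ACK back from the inside MTA": Packet("192.168.1.5", 25, "1.2.3.4", 40000, "SA"),
    "new SYN from source port 25 (not a reply)": Packet("1.2.3.4", 25, "192.168.1.10", 3456, "S"),
    "non-SMTP port on the same host": Packet("1.2.3.4", 40000, "192.168.1.5", 80, "S"),
    "ACK-only probe from source port 25": Packet("1.2.3.4", 25, "192.168.1.10", 6000, "A"),
}


def check_all() -> dict[str, str]:
    """Return the action each constructed packet receives under RULESET."""
    return {name: evaluate(RULESET, pkt)[0] for name, pkt in CASES.items()}


if __name__ == "__main__":
    for name, action in check_all().items():
        print(f"{action:5s}  {name}")
```

Running it shows the property Gary asked for: the two `established` rules let the SYN/ACK and later segments of a connection back through, while a fresh SYN arriving with source port 25 falls through to the deny rule. The last case is the caveat a practitioner should keep in mind: `established` only tests flag bits, so an ACK-only segment from 1.2.3.4:25 to any inside port is still allowed, which is what ACK scans exploit; ruling that out needs stateful tracking rather than flag matching.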