Date:      Tue, 18 Jul 2000 00:19:12 -0400 (EDT)
From:      Brian Dean <bsd@bsdhome.com>
To:        George.Giles@mcmail.vanderbilt.edu
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Firewall allows smtp
Message-ID:  <Pine.BSF.4.21.0007180012320.48107-100000@vger.bsdhome.com>
In-Reply-To: <OFE3DC20B0.75BE0626-ON8625691C.0069B960@MC.VANDERBILT.EDU>

On Fri, 14 Jul 2000 George.Giles@mcmail.vanderbilt.edu wrote:

> My firewall is below. I thought this would only allow ssh in, and anything
> local out. SMTP still works even though I think it should be denied.
> 
> Please advise.
> 
>     # set these to your outside interface network and netmask and ip
>     oif="mx0"
>     onet="24.2.119.0"
>     omask="255.255.255.0"
>     oip="X.X.X.X" <- hide the guilty
> 
>     # set these to your inside interface network and netmask and ip
>     iif="mx1"
>     inet="10.0.0.0"
>     imask="255.255.255.0"
>     iip="10.0.0.1"
> 
>     # Allow inside out
>     $fwcmd add divert natd all from any to any via ${oif}

>     $fwcmd add pass all from any to any

The above rule seems to be allowing everything in and out.  Turn on
logging and verify that this rule gets used when you connect to port
25 (or any other port for that matter).

-Brian

> 
>     # Stop spoofing
>     $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
>     $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
> 
>     # Stop RFC1918 nets on the outside interface
>     $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
>     $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
>     $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
>     $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
>     $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
>     $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
> 
>     # Allow TCP through if setup succeeded
>     #$fwcmd add pass tcp from any to any established
> 
>     # SSH only.
>     $fwcmd add pass tcp from any to ${oip} 22 setup
> 
>     # Allow setup of incoming email
>     #$fwcmd add pass tcp from any to ${oip} 25 setup
> 
>     # Reject&Log all setup of incoming connections from the outside
>     $fwcmd add deny log tcp from any to any in via ${oif} setup
