From owner-freebsd-security Mon Jul 17 21:19:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from bsdhome.dyndns.org (rdu25-22-120.nc.rr.com [24.25.22.120]) by hub.freebsd.org (Postfix) with ESMTP id BAD3337B601 for ; Mon, 17 Jul 2000 21:19:23 -0700 (PDT) (envelope-from bsd@bsdhome.com)
Received: from vger.bsdhome.com (vger [192.168.220.2]) by bsdhome.dyndns.org (8.9.3/8.9.3) with ESMTP id AAA13005; Tue, 18 Jul 2000 00:19:12 -0400 (EDT) (envelope-from bsd@bsdhome.com)
Received: from localhost (bsd@localhost) by vger.bsdhome.com (8.9.3/8.9.3) with ESMTP id AAA48583; Tue, 18 Jul 2000 00:19:12 -0400 (EDT) (envelope-from bsd@vger.bsdhome.com)
Date: Tue, 18 Jul 2000 00:19:12 -0400 (EDT)
From: Brian Dean
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Firewall allows smtp
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 14 Jul 2000 George.Giles@mcmail.vanderbilt.edu wrote:

> My firewall is below. I thought this would only allow ssh in, and anything
> local out. SMTP still works even though I think it should be denied.
>
> Please advise.
>
> # set these to your outside interface network and netmask and ip
> oif="mx0"
> onet="24.2.119.0"
> omask="255.255.255.0"
> oip="X.X.X.X" <- hide the guilty
>
> # set these to your inside interface network and netmask and ip
> iif="mx1"
> inet="10.0.0.0"
> imask="255.255.255.0"
> iip="10.0.0.1"
>
> # Allow inside out
> $fwcmd add divert natd all from any to any via ${oif}
> $fwcmd add pass all from any to any

The above rule seems to be allowing everything in and out. Turn on logging
and verify that this rule gets used when you connect to port 25 (or any
other port for that matter).

-Brian

>
> # Stop spoofing
> $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
> $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
>
> # Stop RFC1918 nets on the outside interface
> $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
> $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
> $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
>
> # Allow TCP through if setup succeeded
> #$fwcmd add pass tcp from any to any established
>
> # SSH only.
> $fwcmd add pass tcp from any to ${oip} 22 setup
>
> # Allow setup of incoming email
> #$fwcmd add pass tcp from any to ${oip} 25 setup
>
> # Reject&Log all setup of incoming connections from the outside
> $fwcmd add deny log tcp from any to any in via ${oif} setup

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
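The check Brian suggests, finding out which rule a port-25 SYN actually hits, can be reasoned through offline because ipfw is a first-match ruleset. The block below is an added example written for this page; it is not code from the thread, not ipfw itself, and not a FreeBSD-endorsed ruleset. It parses the subset of ipfw(8) syntax the poster used and walks the rules in order, returning the verdict and the position of the matching rule, which is the pair an ipfw log line would show. It runs the posted ruleset beside one reordering in which the blanket "pass all from any to any" is moved below the logged deny and the commented-out "established" rule is restored. Every address is constructed: 24.2.119.10 stands in for the poster's hidden ${oip}, and the other hosts are documentation-range addresses. NAT rewriting by natd is not modelled; the simulator simply continues at the rule after a divert, which is an assumption of this toy, not a statement about ipfw's one_pass behaviour.

```python
"""Added example (not code from the thread, not ipfw itself): a toy
first-match evaluator for the subset of ipfw(8) syntax used in the posted
ruleset.  It reports which rule a packet hits, which is what Brian's "turn
on logging" check shows on a real box.  All addresses are constructed;
24.2.119.10 stands in for the poster's hidden ${oip}."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# direction is "in"/"out" relative to the host; setup = SYN without ACK,
# established = ACK or RST set, mirroring the ipfw keywords.
Packet = namedtuple("Packet", "proto src dst iface direction dport setup established",
                    defaults=(None, False, False))
Rule = namedtuple("Rule", "action log proto src dst dport direction via setup established")


def parse_rule(text):
    """Parse e.g. 'deny log tcp from any to any in via mx0 setup'."""
    toks = text.split()
    action = toks.pop(0)
    if action == "divert":
        toks.pop(0)                      # natd port/name: NAT itself is not modelled
    log = toks[0] == "log"
    if log:
        toks.pop(0)
    proto = toks.pop(0)
    if toks[0] != "from" or toks[2] != "to":
        raise ValueError(text)
    src, dst = toks[1], toks[3]
    del toks[:4]
    dport = int(toks.pop(0)) if toks and toks[0].isdigit() else None
    opts = {"direction": None, "via": None, "setup": False, "established": False}
    while toks:
        t = toks.pop(0)
        if t in ("in", "out"):
            opts["direction"] = t
        elif t == "via":
            opts["via"] = toks.pop(0)
        elif t in ("setup", "established"):
            opts[t] = True
        else:
            raise ValueError(f"unsupported keyword {t!r} in {text!r}")
    return Rule(action, log, proto, src, dst, dport, **opts)


def net_match(spec, addr):
    """'any', a single host, or rc.firewall's net:mask form."""
    return spec == "any" or ip_address(addr) in ip_network(spec.replace(":", "/"), strict=False)


def matches(rule, pkt):
    return (rule.proto in ("all", pkt.proto)
            and net_match(rule.src, pkt.src) and net_match(rule.dst, pkt.dst)
            and rule.dport in (None, pkt.dport)
            and rule.direction in (None, pkt.direction)
            and rule.via in (None, pkt.iface)
            and (pkt.setup or not rule.setup)
            and (pkt.established or not rule.established))


def evaluate(rules, pkt):
    """First matching pass/deny wins; returns (verdict, 1-based rule position).
    Modelling assumption: a packet continues at the rule after a divert.
    No match at all is the default deny."""
    for pos, rule in enumerate(rules, start=1):
        if rule.action != "divert" and matches(rule, pkt):
            return rule.action, pos
    return "deny", 65535


ANTI_SPOOF = """\
deny all from 10.0.0.0:255.255.255.0 to any in via mx0
deny all from 24.2.119.0:255.255.255.0 to any in via mx1
deny all from 192.168.0.0:255.255.0.0 to any via mx0
deny all from any to 192.168.0.0:255.255.0.0 via mx0
deny all from 172.16.0.0:255.240.0.0 to any via mx0
deny all from any to 172.16.0.0:255.240.0.0 via mx0
deny all from 10.0.0.0:255.0.0.0 to any via mx0
deny all from any to 10.0.0.0:255.0.0.0 via mx0""".splitlines()

# The ruleset as posted, variables substituted: the blanket pass is rule 2.
POSTED = [parse_rule(r) for r in
          ["divert natd all from any to any via mx0", "pass all from any to any"]
          + ANTI_SPOOF
          + ["pass tcp from any to 24.2.119.10 22 setup",
             "deny log tcp from any to any in via mx0 setup"]]

# One reordering that does what the poster wanted: blanket pass moved below
# the logged deny, "established" rule restored so replies still get in.
REORDERED = [parse_rule(r) for r in
             ["divert natd all from any to any via mx0"] + ANTI_SPOOF
             + ["pass tcp from any to any established",
                "pass tcp from any to 24.2.119.10 22 setup",
                "deny log tcp from any to any in via mx0 setup",
                "pass all from any to any"]]

# Constructed test traffic (documentation-range addresses).
SMTP_SYN = Packet("tcp", "198.51.100.7", "24.2.119.10", "mx0", "in", 25, setup=True)
SSH_SYN = Packet("tcp", "198.51.100.7", "24.2.119.10", "mx0", "in", 22, setup=True)
SPOOFED = Packet("tcp", "10.0.0.9", "24.2.119.10", "mx0", "in", 25, setup=True)
LAN_SYN = Packet("tcp", "10.0.0.5", "203.0.113.9", "mx1", "in", 80, setup=True)
REPLY = Packet("tcp", "203.0.113.9", "24.2.119.10", "mx0", "in", 51234, established=True)
```

Calling `evaluate(POSTED, SMTP_SYN)` returns `("pass", 2)`: the inbound SMTP SYN never reaches the rule that would log and deny it, and neither does the spoofed packet with a 10.0.0.0/24 source, since the blanket pass sits above the anti-spoofing rules too. With `REORDERED` the same SMTP SYN stops at the logged deny, the SSH SYN stops at the port-22 rule, the LAN host's outbound SYN and the reply to it both pass, and the spoofed packet is dropped by the anti-spoof rule. On a real box the equivalent check is to add `log` to the suspect rule and watch the rule number in the ipfw log entries while connecting to port 25.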