From: OpenMacNews
To: freebsd-security@freebsd.org
Date: Fri, 21 Nov 2003 12:36:13 -0800
Subject: how to get IPFW rules for SMTP server behind NAT server "right"?
List-Id: Security issues [members-only posting]

hi all,

i've been struggling with setting appropriate rules for an SMTP server behind my NAT'd firewall.

it's not that there is too little info on the web -- or here, for that matter -- there's scads of it for seemingly endless configs/req'ts -- none that seem to be exactly my own.

bottom line: i'm a bit confused, and looking for some experienced advice.

my goals (for now) are to:

(a) set up my firewall as tight as possible -- deny, then allow
(b) log all transactions
(c) keep the firewall as performance efficient as possible.

(yes, i recognize that these may 'tug' at one another ...)

my question: what are the most appropriate ipfw rules for SMTP traffic to meet my goals above?

here's my environment:

-- i have three machines in this scenario: a gateway, a mail server, and a client
-- all boxes are running OSX 10.2.8
-- Gateway/Firewall is the kernel's BSD ipfw(8)
-- gateway box has two ethernet interfaces

    inif="en1"                # internal gateway interface name
    exif="en2"                # external gateway interface name
    innr="10.0.0.0/24"        # LOCAL network range
    inip="10.0.0.1"           # gateway's internal (NAT) IP address
    exip="any"
    gateway_server="10.0.0.1" # the gateway/firewall box, 2 interfaces
    smtp_server="10.0.0.2"    # SMTP server behind NAT firewall
    client_machine="10.0.0.3" # a client machine inside the NAT firewall

i've launched NATD as follows:

    /usr/sbin/natd \
        -interface ${exif} -dynamic -port 8668 \
        -log -log_denied \
        -unregistered_only \
        -use_sockets \
        -redirect_port tcp ${smtp_server}:25 25

the SMTP server listens ONLY on port 25, IP address = 10.0.0.2

currently, my SMTP ipfw rules are as follows (snip'd from my startup script)

=============================================
# allow connections to/from internal smtp_server
ipfw add 7000 allow log tcp from any to ${smtp_server} 25
ipfw add 7001 allow log tcp from ${smtp_server} 25 to any

# allow clients to communicate with external smtp servers
ipfw add 7002 allow log tcp from ${innr} 1024-65535 to ${exip} 25
ipfw add 7003 allow log tcp from ${exip} 25 to ${innr} 1024-65535
=============================================

it seems to me that everything's working. question is, are these too open, too closed, incomplete, risky, etc?

i appreciate any comments/suggestions y'all may have!

thanks,

richard
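The ruleset below is an added example, not part of the original post or of any reply to it. It keeps the poster's rule numbers, addresses and NAT layout and changes only the two return-traffic rules: as written, 7001 and 7003 accept any packet whose source port is 25, including a fresh SYN, so the mail server's port 25 could be used to open new connections outward or into the LAN. Qualifying those rules with "established" restricts them to packets of an existing connection; the divert rule is assumed to sit earlier in the startup script, as in the original.

```shell
#!/bin/sh
# Added example: the poster's four SMTP rules with the return-traffic rules
# tightened. Values are the ones given in the post.
innr="10.0.0.0/24"      # LOCAL network range
smtp_server="10.0.0.2"  # SMTP server behind the NAT firewall

# IPFW defaults to "echo ipfw" so the ruleset can be previewed on any host;
# run with IPFW=ipfw on the gateway to load the rules for real.
IPFW="${IPFW:-echo ipfw}"

smtp_rules() {
    # inbound mail to the server: unchanged, only port 25 on that host
    $IPFW add 7000 allow log tcp from any to ${smtp_server} 25
    # was: allow log tcp from ${smtp_server} 25 to any
    # "established" matches only packets with ACK or RST set, i.e. replies
    # on a connection someone else opened to port 25; a SYN sourced from
    # port 25 no longer matches here
    $IPFW add 7001 allow log tcp from ${smtp_server} 25 to any established
    # clients talking to outside mail servers from ephemeral ports: unchanged
    $IPFW add 7002 allow log tcp from ${innr} 1024-65535 to any 25
    # was: allow log tcp from any 25 to ${innr} 1024-65535
    $IPFW add 7003 allow log tcp from any 25 to ${innr} 1024-65535 established
    # any other connection attempt sourced from port 25 is logged and dropped
    $IPFW add 7004 deny log tcp from any 25 to any setup
}

smtp_rules
```

Run it as-is to preview the five lines; `IPFW=ipfw sh thisfile.sh` applies them on the gateway.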