how to get IPFW rules for SMTP server behind NAT server "right"?
OpenMacNews
freebsd-security.20.openmacnews at spamgourmet.com
Fri Nov 21 12:36:37 PST 2003
hi all,
i've been struggling with setting appropriate rules for an SMTP server
behind my NAT'd firewall.
it's not that there is too little info on the web -- or here, for that
matter -- there's scads of it for seemingly endless configs/req'ts --
none that seem to be exactly my own.
bottom line: i'm a bit confused, and looking for some experienced
advice.
my goals (for now) are to:
(a) set up my firewall as tight as possible -- deny, then allow
(b) log all transactions
(c) keep the firewall as performance efficient as possible.
(yes, i recognize that these may 'tug' at one another ...)
my question: what are the most appropriate ipfw rules for SMTP traffic
to meet my goals above?
here's my environment:
-- i have three machines in this scenario: a gateway, a mail server,
and a client
-- all boxes are running OSX 10.2.8
-- Gateway/Firewall is the kernel's BSD ipfw(8)
-- gateway box has two ethernet interfaces
inif="en1" # internal gateway interface name
exif="en2" # external gateway interface name
innr="10.0.0.0/24" # LOCAL network range
inip="10.0.0.1" # gateway's internal (NAT) IP address
exip="any"
gateway_server="10.0.0.1" # the gateway/firewall box, 2 interfaces
smtp_server="10.0.0.2" # SMTP server behind NAT firewall
client_machine="10.0.0.3" # a client machine inside the NAT firewall
i've launched NATD as follows:
# NAT on the external interface; natd exchanges packets with ipfw on divert port 8668
/usr/sbin/natd \
-interface ${exif} -dynamic -port 8668 \
-log -log_denied \
-unregistered_only \
-use_sockets \
-redirect_port tcp ${smtp_server}:25 25   # inbound tcp/25 on the external IP -> mail server
the SMTP server listens ONLY on port 25, IP address = 10.0.0.2
currently, my SMTP ipfw rules are as follows (snip'd from my startup
script)
=============================================
# allow connections to/from internal smtp_server
ipfw add 7000 allow log tcp from any to ${smtp_server} 25
ipfw add 7001 allow log tcp from ${smtp_server} 25 to any
# allow clients to communicate with external smtp servers
ipfw add 7002 allow log tcp from ${innr} 1024-65535 to ${exip} 25
ipfw add 7003 allow log tcp from ${exip} 25 to ${innr} 1024-65535
=============================================
it seems to me that everything's working. question is, are these too
open, too closed, incomplete, risky, etc?
i appreciate any comments/suggestions y'all may have!
thanks,
richard
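As an added example (editor's illustration, not the poster's script or anyone's reply on the list), below is one deny-by-default ipfw ruleset for exactly the topology in the message: natd on divert port 8668 redirecting tcp/25 to 10.0.0.2, with a client network of 10.0.0.0/24. The rule numbers, the 65000 catch-all, the loopback and anti-spoofing rules, and the choice to log only the connection `setup` packet (rather than every packet, as the posted rules 7000-7003 do) are assumptions made here. It uses `setup`/`established` instead of stateful `keep-state` because dynamic rules see different addresses before and after natd translation. The script prints the rules rather than loading them, so the set can be reviewed first; piping it to `sh` as root on the gateway loads it.

```shell
#!/bin/sh
# Added example: tightened ipfw ruleset for an SMTP server behind a natd gateway.
# Not the poster's configuration; rule numbers and the catch-all deny are assumptions.
#   sh smtp_ipfw.sh        # print the ruleset for review
#   sh smtp_ipfw.sh | sh   # load it (root, on the gateway)

inif="en1"                 # internal gateway interface
exif="en2"                 # external gateway interface
innr="10.0.0.0/24"         # LOCAL network range
smtp_server="10.0.0.2"     # SMTP server behind the NAT
natd_port="8668"           # divert port natd was started with (-port 8668)

smtp_ruleset() {
    cat <<EOF
ipfw -f flush
# loopback traffic never crosses NAT; pass it outright
ipfw add 100 allow ip from any to any via lo0
# anti-spoofing: a LOCAL source address may never arrive on the outside interface
ipfw add 200 deny log ip from ${innr} to any in via ${exif}
# the divert rule must come before any rule that matches on the translated
# address: inbound <external-ip>:25 becomes ${smtp_server}:25 here, so 7000 sees it
ipfw add 300 divert ${natd_port} ip from any to any via ${exif}
# inbound SMTP to the mail server: log the SYN (setup) only, then pass the rest
# of each established connection in both directions without logging
ipfw add 7000 allow log tcp from any to ${smtp_server} 25 setup
ipfw add 7001 allow tcp from any to ${smtp_server} 25 established
ipfw add 7002 allow tcp from ${smtp_server} 25 to any established
# LOCAL hosts (the mail server included) delivering to remote MTAs
ipfw add 7003 allow log tcp from ${innr} to any 25 setup
ipfw add 7004 allow tcp from ${innr} to any 25 established
ipfw add 7005 allow tcp from any 25 to ${innr} established
# deny-then-allow: OS X's default rule 65535 is "allow", so add an explicit,
# logged catch-all deny ahead of it
ipfw add 65000 deny log ip from any to any
EOF
}

# Ordering check to run before loading: the divert rule must carry a lower
# number than the first rule that matches the post-translation server address,
# otherwise inbound mail is still addressed to the external IP when 7000 runs.
divert_before_smtp() {
    set -- $(smtp_ruleset | awk '
        /^ipfw add [0-9]+ divert/ { d = $3 }
        /^ipfw add [0-9]+ allow .* to '"${smtp_server}"' 25 / && !s { s = $3 }
        END { print d, s }')
    [ "$1" -lt "$2" ]
}

smtp_ruleset
```

Note that `setup` rules are where logging buys the most: one log line per connection attempt, including the attempts that never complete, while the per-packet `established` rules stay unlogged for performance. The anti-spoofing rule 200 is deliberately placed before the divert so forged LOCAL-source packets are dropped before natd ever sees them.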