how to get IPFW rules for SMTP server behind NAT server "right"?

OpenMacNews freebsd-security.20.openmacnews at
Fri Nov 21 12:36:37 PST 2003

hi all,

i've been struggling with setting appropriate rules for an SMTP-server
behind my NAT'd firewall.

it's not that there is too little info on the web -- or here, for that
matter -- there's scads of it for seemingly endless configs/req'ts --
none that seem to be exactly my own.

bottom line: i'm a bit confused, and looking for some experienced

my goals (for now) are to:

    (a) setup my firewall as tight as possible -- deny, then allow
    (b) log all transactions
    (c) keep the firewall as performance efficient as possible.

        (yes, i recognize that these may 'tug' at one another ...)

my question:  what are the most appropriate ipfw rules for SMTP traffic
to meet my goals above?

here's my environment:

-- i have three machines in this scenario: a gateway, a mail server,
and a client
-- all boxes are running OSX 10.2.8
-- Gateway/Firewall is the kernel's BSD ipfw(8)
-- gateway box has two ethernet interfaces

inif="en1"                 # internal gateway interface name
exif="en2"                 # external gateway interface name
innr=""            # LOCAL network range
inip=""               # gateway's internal (NAT) IP address

gateway_server=""     # the gateway/firewall box, 2 interfaces
smtp_server=""        # SMTP server behind NAT firewall
client_machine=""     # a client machine inside the NAT firewall

i've launched NATD as follows:

/usr/sbin/natd \
   -interface ${exif} -dynamic -port 8668 \
   -log -log_denied \
   -unregistered_only \
   -use_sockets \
   -redirect_port tcp ${smtp_server}:25 25

the SMTP server listens ONLY on port 25, IP address =

currently, my SMTP ipfw rules are as follows (snip'd from my startup

# allow connections to/from internal smtp_server
   ipfw add 7000 allow log tcp from any to ${smtp_server} 25
   ipfw add 7001 allow log tcp from ${smtp_server} 25 to any

# allow clients to communicate with external smtp servers
   ipfw add 7002 allow log tcp from ${innr} 1024-65535 to ${exip} 25
   ipfw add 7003 allow log tcp from ${exip} 25 to ${innr} 1024-65535

it seems to me that everything's working.  question is, are these too
open, too closed, incomplete, risky, etc?

i appreciate any comments/suggestions y'all may have!
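As an added example (not the poster's configuration, and not an official FreeBSD or Apple rule set), the script below prints a tighter, stateless ipfw rule set for the three-box scenario described above. It assumes two things the post does not state: that the natd divert rule (port 8668, as in the natd invocation above) comes before the SMTP rules, so rules after it see inbound packets already de-NATted and outbound packets already carrying the gateway's public address; and that `exip`, which the posted rules use but never set, is that public address. The addresses are constructed placeholders. It is stateless on purpose: with ipfw, an `allow` from `check-state` placed before the divert rule ends processing before natd sees the packet, so `keep-state` needs extra care in a divert setup. The tightening it shows is restricting every rule to an interface and direction, and adding `established` to the reply-direction rules so that a rule like `from smtp_server 25 to any` no longer permits new connections sourced from port 25.

```shell
#!/bin/sh
# Added example, not the original poster's rule set: prints a tighter,
# stateless ipfw rule set for one SMTP server behind a natd gateway.
# Assumptions (not stated in the post): the natd divert rule runs first, so
# later rules see de-NATted inbound and NATted outbound packets; "exip" is
# the gateway's public address. All addresses below are constructed.

inif="en1"                   # internal gateway interface (from the post)
exif="en2"                   # external gateway interface (from the post)
natd_port="8668"             # natd divert port (from the post)
innr="192.168.1.0/24"        # constructed: internal network range
exip="203.0.113.10"          # constructed: gateway's external address
smtp_server="192.168.1.25"   # constructed: SMTP server behind the gateway

# Dry run by default: print the commands for review.
# Set IPFW=/sbin/ipfw (as root) to apply them instead.
IPFW="${IPFW:-echo ipfw}"

rule() { $IPFW add "$@"; }

smtp_rules() {
    # 1. natd sees every packet crossing the external interface first;
    #    it reinjects the rewritten packet at the next rule.
    rule 50 divert "$natd_port" ip from any to any via "$exif"

    # 2. Internet -> internal SMTP server. After natd the destination is the
    #    private address. Logged here: this is where new inbound sessions show.
    rule 7000 allow log tcp from any to "$smtp_server" 25 in via "$exif"
    rule 7001 allow tcp from any to "$smtp_server" 25 out via "$inif"

    # 3. Server replies only. "established" (ACK or RST set) means nothing
    #    can open a new connection from source port 25 through this rule;
    #    the original 'from smtp_server 25 to any' allowed exactly that.
    rule 7002 allow tcp from "$smtp_server" 25 to any in via "$inif" established
    rule 7003 allow tcp from "$exip" 25 to any out via "$exif" established

    # 4. Internal clients -> external SMTP servers. On en1 (before natd) the
    #    source is the client; on en2 (after natd) it is the public address.
    rule 7010 allow log tcp from "$innr" 1024-65535 to any 25 in via "$inif"
    rule 7011 allow tcp from "$exip" 1024-65535 to any 25 out via "$exif"
    rule 7012 allow tcp from any 25 to "$innr" 1024-65535 in via "$exif" established
    rule 7013 allow tcp from any 25 to "$innr" 1024-65535 out via "$inif" established

    # 5. Default deny, logged, so anything not listed above is visible.
    rule 65534 deny log ip from any to any
}

# Self-check: count rules that allow traffic sourced from TCP port 25
# without 'established'. A hardened set returns 0.
unrestricted_reply_rules() {
    smtp_rules | grep 'from [^ ]* 25 to' | grep -vc 'established' || true
}

smtp_rules
```

Run it as-is to review the generated commands; the rule numbers keep the poster's 7000-range convention, and the rules on `en1` are needed because a forwarded packet is evaluated once on the interface it enters and once on the one it leaves.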
