how to get IPFW rules for SMTP server behind NAT server "right"? (freebsd-security: message 1 of 20)

Fri Nov 21 13:01:34 PST 2003

-- On Friday, November 21, 2003 12:48 PM -0800  "David Wolfskill  - david at catwhisker.org" 
<+freebsd-security+openmacnews+0459602105.david#catwhisker.org at spamgourmet.com> wrote:

David,

thanks for your reply!

>> i've been struggling with setting appropriate rules for an SMTP-server
>> behind by NAT'd firewall.
>
> OK....

<snip>

>
>> currently, my SMTP ipfw rules are as follows (snip'd from my startup
>> script)
>
>> =============================================
>># allow connections to/from internal smtp_server
>>   ipfw add 7000 allow log tcp from any to ${smtp_server} 25
>
> I suggest appending " setup" to that.  Unless I'm very confused, you
> don't really want to see *every* incoming SMTP packet -- just those that
> initiate an SMTP conversation.  (Note that -- at least in FreeBSD -- the
> mail traffic gets logged to /var/log/maillog anyway.)
>
>>   ipfw add 7001 allow log tcp from ${smtp_server} 25 to any
>
> Again, you may wish to append " setup" to that, for the same reasons.
>
> In conjunction with the above, you'd likely want to (silently) permit
> "established" connections.

hadn't dawned on me to this, so:

ipfw add 7000 allow log tcp from any to ${smtp_server} 25 setup
ipfw add 7001 allow tcp from any to ${smtp_server} 25 established
ipfw add 7002 allow log tcp from ${smtp_server} 25 to any setup
ipfw add 7003 allow tcp from ${smtp_server} 25 to any established

right?

>># allow clients to communicate with external smtp servers
>>   ipfw add 7002 allow log tcp from ${innr} 1024-65535 to ${exip} 25
>>   ipfw add 7003 allow log tcp from ${exip} 25 to ${innr} 1024-65535
>
> Why?  Wouldn't you want them to send their mail to your internal mail
> server, which would then send it out?

usually, yes

BUT, sometimes i want to be able to use a local LAN mail client to directly access on offsite SMTP server.

my understanding is that usually a client uses "high ports" to communicate to those servers at THEIR port 25 -- just 
like to my internal svr, but internal lan traffic is "all open"

in this case would you recommend the "setup & established" approach as above?

>> it seems to me that everything's working.  question is, are these too
>> open, too closed, incomplete, risky, etc?
>
> Have you actually looked at your security log?

yes i have

of course, i've had little DENIED on port 25 ( and a LOT of entries ....)

other than servers/connection attempts that clearly are failing SMTP 'transactions', i'm frankly not sure what to look 
for for 'unauthorized' access to port25/my server ...

because of its "open" nature, what are the legit triggers for "suspicious" activity for SMTP?

> Peace,
> david
> --
cheers,

richard