Sereciya :: Quick IPFW Question Concerning Sendmail
Sereciya Kurdistani
sereciya at kurdistan.ath.cx
Fri Apr 4 10:14:31 PST 2003
Hello Steve, Hello Everybody,
I was having some trouble earlier with my firewall setup w/
sendmail (original question/posting below); I believe I
have -- more-or-less -- solved the problem.
> > Hello,
> >
> > I have a quick question for you ipfw/firewall experts out there.
> >
> > I have set up an elaborate firewall only to have trouble with
> > Sendmail.
> >
> > I have opened port 25 incoming, and also allow outgoing to another
> > port 25, but I always find stuck mail when I use "mailq".
> >
> > Using tcpdump -- and no firewall -- I've found that between the
> > dns lookups and smtp connections there are in fact some auth
> > lookups too.
> >
> > I opened incoming port 113 and outgoing to 113 but I still have
> > stuck mail!
> >
> > Any help would be greatly appreciated, many thanks in advance!
> >
> > -Sereciya Kurdistani
> >
> > PS
> > My basic rules look like:
> >
> > ipfw add NNNN allow \{ tcp or udp \} from any to any smtp,smtps out
> > ipfw add NNNN allow \{ tcp \} log from any to any smtp,smtps in
> >
> > ipfw add NNNN allow \{ tcp or udp \} from any to any auth out
> > ipfw add NNNN allow \{ tcp \} log from any to any auth in
> >
> > and yes, this is ipfw2 on 4.8-STABLE
Here is what happens...
Your mail client, on a high port 1024-65535, makes a connection to the remote
server on port 25, Sendmail.
Various connections are made back to your origination high ports from the remote
server, port 25.
I'll toss in a dns lookup or two here... (outgoing)
Somewhere here, you make a connection to the remote server, port 113, auth.
(I've noticed that the remote server does *not* need to connect to your
auth port, you do not need to open it; this is a perfect candidate for a
stateful rule...)
Then... the remote server makes a connection from a low port 1-1024 to your
high port 1024-65535.
The following rules seem to work:

allow log { udp or tcp } from any to any dst-port 25,113,465 out via tun0
allow log tcp from any to any dst-port 25,113,465 in via tun0
check-state
allow log tcp from any 1-1024,1024-65535 to any dst-port 1024-65535,1-1024 out via tun0 keep-state
allow log tcp from any 1-1024 to any dst-port 1024-65535 in via tun0

If anybody has a better explanation, please let me know. I'm working on trial-and-error here, mostly error ;)
TIA
-Sereciya Kurdistani
PS
Who says "count" is not a useful feature in ipfw?