
Re: Blocking SMTP



Here's what the NET-3-HOWTO has to say about IPFWADM (a much better example than
what's in the Masquerading or Firewalling HOWTOs, methinks).

  #!/bin/sh

  # Flush the 'Forwarding' rules table
  # Change the default policy to 'accept'
  #
  /sbin/ipfwadm -F -f
  /sbin/ipfwadm -F -p accept
  #
  # .. and for 'Incoming'
  #
  /sbin/ipfwadm -I -f
  /sbin/ipfwadm -I -p accept

  # First off, seal off the PPP interface
  # I'd love to use '-a deny' instead of '-a reject -y' but then it
  # would be impossible to originate connections on that interface too.
  # The -o causes all rejected datagrams to be logged. This trades
  # disk space against knowledge of an attack or configuration error.
  #
  /sbin/ipfwadm -I -a reject -y -o -P tcp -S 0/0 -D 172.16.174.30

  # Throw away certain kinds of obviously forged packets right away:
  # Nothing should come from multicast/anycast/broadcast addresses
  #
  /sbin/ipfwadm -F -a deny -o -S 224.0/3 -D 172.16.37.0/24
  #
  # and nothing coming from the loopback network should ever be
  # seen on a wire
  #
  /sbin/ipfwadm -F -a deny -o -S 127.0/8 -D 172.16.37.0/24

  # accept incoming SMTP and DNS connections, but only
  # to the Mail/Name Server
  #
  /sbin/ipfwadm -F -a accept -P tcp -S 0/0 -D 172.16.37.19 25 53

* N.B. that you can specify a specific host and specific ports *

  #
  # DNS uses UDP as well as TCP, so allow that too
  # for questions to our name server
  #
  /sbin/ipfwadm -F -a accept -P udp -S 0/0 -D 172.16.37.19 53
  #
  # but not "answers" coming to dangerous ports like NFS and
  # Larry McVoy's NFS extension.  If you run squid, add its port here.
  #
  /sbin/ipfwadm -F -a deny -o -P udp -S 0/0 53 \
          -D 172.16.37.0/24 2049 2050

  # answers to other user ports are okay
  #
  /sbin/ipfwadm -F -a accept -P udp -S 0/0 53 \
          -D 172.16.37.0/24 53 1024:65535

  # Reject incoming connections to identd
  # We use 'reject' here so that the connecting host is told
  # straight away not to bother continuing, otherwise we'd experience
  # delays while ident timed out.
  #
  /sbin/ipfwadm -F -a reject -o -P tcp -S 0/0 -D 172.16.37.0/24 113

  # Accept some common service connections from the 192.168.64 and
  # 192.168.65 networks, they are friends that we trust.
  #
  /sbin/ipfwadm -F -a accept -P tcp -S 192.168.64.0/23 \
          -D 172.16.37.0/24 20:23

  # accept and pass through anything originating inside
  #
  /sbin/ipfwadm -F -a accept -P tcp -S 172.16.37.0/24 -D 0/0

  # deny most other incoming TCP connections and log them
  # (append 1:1023 if you have problems with ftp not working)
  #
  /sbin/ipfwadm -F -a deny -o -y -P tcp -S 0/0 -D 172.16.37.0/24

  # ... for UDP too
  #
  /sbin/ipfwadm -F -a deny -o -P udp -S 0/0 -D 172.16.37.0/24
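To see why the order of those -F rules matters (first match wins, then the -p policy), here is an added Python model of the HOWTO's forwarding chain. It is not part of the HOWTO or of this post; the rule table is transcribed from the script above, the sample packets use constructed documentation addresses, and '-y' is modelled as "only packets with SYN set".

```python
import ipaddress

# Constructed model of the script's 'Forwarding' (-F) chain, in the same order
# as the ipfwadm commands.  Each entry is
# (target, proto, src, src_ports, dst, dst_ports, syn_only); None means "any",
# port lists hold inclusive (low, high) ranges, syn_only models '-y'.
# Addresses are written out in full (ipfwadm's '224.0/3' is 224.0.0.0/3).
RULES = [
    ("deny",   None,  "224.0.0.0/3",     None,       "172.16.37.0/24",  None,                         False),
    ("deny",   None,  "127.0.0.0/8",     None,       "172.16.37.0/24",  None,                         False),
    ("accept", "tcp", "0.0.0.0/0",       None,       "172.16.37.19/32", [(25, 25), (53, 53)],         False),
    ("accept", "udp", "0.0.0.0/0",       None,       "172.16.37.19/32", [(53, 53)],                   False),
    ("deny",   "udp", "0.0.0.0/0",       [(53, 53)], "172.16.37.0/24",  [(2049, 2049), (2050, 2050)], False),
    ("accept", "udp", "0.0.0.0/0",       [(53, 53)], "172.16.37.0/24",  [(53, 53), (1024, 65535)],    False),
    ("reject", "tcp", "0.0.0.0/0",       None,       "172.16.37.0/24",  [(113, 113)],                 False),
    ("accept", "tcp", "192.168.64.0/23", None,       "172.16.37.0/24",  [(20, 23)],                   False),
    ("accept", "tcp", "172.16.37.0/24",  None,       "0.0.0.0/0",       None,                         False),
    ("deny",   "tcp", "0.0.0.0/0",       None,       "172.16.37.0/24",  None,                         True),
    ("deny",   "udp", "0.0.0.0/0",       None,       "172.16.37.0/24",  None,                         False),
]
DEFAULT_POLICY = "accept"   # '/sbin/ipfwadm -F -p accept'


def _port_matches(port, ranges):
    if ranges is None:
        return True
    return port is not None and any(lo <= port <= hi for lo, hi in ranges)


def forward_verdict(proto, src, sport, dst, dport, syn=False):
    """accept/deny/reject for one forwarded packet: the first matching rule
    wins, as ipfwadm walks the chain; otherwise the chain policy applies."""
    for target, rproto, rsrc, rsports, rdst, rdports, syn_only in RULES:
        if rproto is not None and rproto != proto:
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(rsrc):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(rdst):
            continue
        if not _port_matches(sport, rsports) or not _port_matches(dport, rdports):
            continue
        if syn_only and not syn:      # '-y': only connection-opening SYNs match
            continue
        return target
    return DEFAULT_POLICY


if __name__ == "__main__":
    # Constructed packets: SMTP SYN to the mail server vs. to another host,
    # and a "DNS answer" aimed at the NFS port.
    print(forward_verdict("tcp", "203.0.113.5", 40000, "172.16.37.19", 25, syn=True))  # accept
    print(forward_verdict("tcp", "203.0.113.5", 40000, "172.16.37.20", 25, syn=True))  # deny
    print(forward_verdict("udp", "203.0.113.53", 53, "172.16.37.5", 2049))              # deny
```

Note that a non-SYN TCP segment to 172.16.37.20 port 25 falls through every rule and is accepted by the policy; that is exactly the trade the '-y' comment describes.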