Re: problem in smtp server
From: Nick Withers (nick_at_nickwithers.com)
Date: 11/17/05
- Next message: Leo: "Re: problem in smtp server"
- Previous message: Nick Withers: "Re: problem in smtp server"
- In reply to: Leo: "Re: problem in smtp server"
- Next in thread: Leo: "Re: problem in smtp server"
- Reply: Leo: "Re: problem in smtp server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Thu, 17 Nov 2005 23:30:57 +1100
On Thu, 17 Nov 2005 12:20:24 +0100
Leo <bjl@freemail.it> wrote:
> >>
> >>############# IPFW Rules ##########
> >>#Flush before begin
> >>ipfw -q -f flush
> >>
> >>#Set rules command
> >>cmd="ipfw -q add"
> >>pif="rl0"
> >>
> >>#No restriction on loopback
> >>$cmd 00010 allow all from any to any via lo0
> >>
> >>#allow packet through
> >>$cmd 00015 check-state
> >>
> >>#Allow DNS
> >>$cmd 00110 allow tcp from any to any 53 out via $pif setup keep-state
> >>$cmd 00111 allow udp from any to any 53 out via $pif keep-state
> >>
> >>#Allow Bind to exit
> >>$cmd 00112 allow udp from any to any 53 out via $pif keep-state
> >
> >
> > This is a double-up of rule 00111, above.
>
> Ok, I remove it...
>
> >
> >
> >>#Allow DHCP
> >>$cmd 00120 allow log udp from any to 216.55.178.161 67 out via $pif
> >>keep-state
> >>
> >>#Allow www
> >>$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
> >>
> >>#Allow secure www
> >>$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state
> >>#Allow Plesk
> >>$cmd 00221 allow tcp from any to any 8443 out via $pif setup keep-state
> >>
> >>#Allow FTP out
> >>$cmd 00222 allow tcp from any to any 21 out via $pif setup keep-state
> >>$cmd 00223 allow tcp from any to any 23 out via $pif setup keep-state
> >
> >
> > Port 23 is used by telnet, not FTP. FTP's actually a bit of a
> > nightmare. If you're using passive FTP, I believe that you need
> > to allow tcp ports 20,21,1024-65535 - a tad scary, no?
>
> yes, this is a mistake in configuration... Can you post to me the right
> configuration for FTP server?
> I'm trying to set a rule but it doesn't work and it sends me a time out
> error on directory listing
I believe that replacing rules 00222 and 00223 above with the
following line (make sure you "unbreak" it :-)) would do the
trick:
$cmd 00222 allow tcp from any to any 20,21,1024-65535 out via
$pif setup keep-state
> >
> >
> >>#Allow Pop out
> >>$cmd 00224 allow tcp from any to any 110 out via $pif setup keep-state
> >>#Allow SMTP OUT
> >>$cmd 00225 allow tcp from any to any 25 out via $pif setup keep-state
> >>#Allow IMAP out
> >>$cmd 00226 allow tcp from any to any 143 out via $pif setup keep-state
> >>
> >>#Allow Mysql out
> >>$cmd 00227 allow tcp from any to any 3306 out via $pif setup keep-state
> >>
> >>#Allow FBSD function
> >>$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root
> >
> >
> > Not really sure if you want to do this - I certainly wouldn't
> > recommend it.
>
> thanks, I removed this line
>
> >
> >
> >>#Allow out ping
> >>$cmd 00250 allow icmp from any to any out via $pif keep-state
> >
> >
> > Can you do stateful rules in IPFW for icmp requests? I may well
> > have learned something new here...
>
> My error... keep-state is an error...
You may well have been right though, I haven't looked into this
for a while. From memory you couldn't do it on 5.1-RELEASE
though (but this doesn't mean a lot).
Keep in mind: You'll need to allow at least some ICMP packets in
the other direction (i.e.: Coming back into your network).
Something like the following should (I think) do it:
$cmd allow icmp from any to any icmptypes 0,3 in via
$pif
> >
> >
> >>#Allow out time
> >>$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state
> >>
> >>#Allow secureftp telnet and scp
> >>$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state
> >
> >
> > Assuming you mean SSH instead of telnet, yep.
>
> yes, this is SSH... ;-)
>
> >
> >
> >>#allow out whois
> >>ipfw.rules: unmodified: line 1
> >
> >
>
> error in cut & paste from vi... This line appears as follows:
>
> #allow out whois
> $cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state
>
>
> >>
> >>#deny and log anything else trying to get out
> >>$cmd 00299 deny log all from any to any out via $pif
> >>
> >>#Public Internet
> >>
> >>#Deny all inbound traffic for reserved networks
> >>#$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif
> >>$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif
> >>$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif
> >>$cmd 00303 deny all from 0.0.0.0/8 to any in via $pif
> >>$cmd 00304 deny all from 127.0.0.1/8 to any in via $pif
> >>$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif
> >>$cmd 00306 deny all from 204.152.64.0/23 to any in via $pif
> >>$cmd 00307 deny all from 192.0.2.0/24 to any in via $pif
> >>$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif
> >>
> >>#Deny ident
> >>$cmd 00315 deny tcp from any to any 113 in via $pif
> >>
> >>#Deny late arriving packet
> >>$cmd 00330 deny all from any to any frag in via $pif
> >>
> >>#Deny ACK packet
> >>$cmd 00332 deny tcp from any to any established in via $pif
> >>
> >>#Allow in www conn
> >>$cmd 00400 allow tcp from any to me 80 in via $pif setup keep-state
> >>
> >>#Allow Plesk
> >>$cmd 00401 allow tcp from any to me 8443 in via $pif setup keep-state
> >>
> >>#Allow FTP
> >>$cmd 00402 allow tcp from any to me 21 in via $pif setup keep-state
> >>$cmd 00403 allow tcp from any to me 23 in via $pif setup keep-state
> >
> >
> > See comments re: FTP above.
> >
> >
> >>#Allow POP connection
> >>$cmd 00404 allow tcp from any to me 110 in via $pif setup keep-state
> >>
> >>#Allow Bind
> >>$cmd 00405 allow udp from any to me 53 in via $pif keep-state
> >>$cmd 00406 allow tcp from any to me 53 in via $pif setup keep-state
> >>
> >>#Allow SMTP in
> >>$cmd 00407 allow tcp from any to me 25 in via $pif setup keep-state
> >>
> >>#Allow mysql
> >>$cmd 00408 allow tcp from any to me 3306 in via $pif setup keep-state
> >
> >
> > Do you REALLY want to allow remote users to connect to your SQL
> > server?
>
> yes, we need to connect to mysql... When we have a fixed ip we change
> this rule...
Fair 'nuff - just wanted to be sure!
> >
> >
> >>#Allow in secure ftp, telnet and scp
> >>$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2
> >
> >
> > See comments re: Rule 00280, above.
> >
> >
> >>#Reject and log all incoming connection from outside
> >>$cmd 00499 deny log all from any to any via $pif
> >
> >
> > Are you really running all the services you're allowing
> > connections to and (probably more importantly) do you really
> > want people from the outside world getting at them (e.g.:
> > DNS, SQL)?
>
>
> Thank you very much for your help, but now I can't connect to my ftp
> server... I'm testing if the problem with mail is solved...
You know what? I failed to see it properly before (sorry!) but
you'll want to do a "reset" on incoming TCP port 113 rather than
a "deny". That is, make the line for rule 00315:
$cmd 00315 reset tcp from any to any 113 in via $pif
The "reset" option instructs IPFW to return a TCP RST packet to
an incoming request on the port (ident), rather than just
dropping it. This is effectively necessary (unless you want to
run an ident server, which I'd be pretty certain you don't!) as
some mail servers do an ident lookup on the user account on the
(to them) foreign SMTP server when receiving mail from it. If
the request is dropped, the connection'll likely time out
(hence, I'd wager, the protocol timeout messages in your
maillog, mentioned earlier), whereas if the connection is
rejected, the querying mail server generally just accepts that
it can't do the look up and carries on as normal.
(Sorry, that spiel is a tad confusing!)
RE: The FTP server. I'd hazard a guess that it's now not
working because you're serving active FTP requests (rather than
passive FTP requests) and you've now removed the former rule
00240. If you were to replace the line for rule 00402 with
something like the following and ensured that you are serving
only passive FTP requests, I think you'd be right:
$cmd 00402 allow tcp from any to me 20,21,1024-65535 in
via $pif setup keep-state
NOTE: I think by default ftpd on FreeBSD is configured to offer
only ports way above 1024 for passive data connections, but I'm
not sure. As *** Hoogendijk pointed out in another message in
this thread, it's configurable on the server.
Have fun, hope I haven't totally confused you!
-- Nick Withers email: nick@nickwithers.com
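Added example (not part of this message or of the ruleset Leo posted): a small Python linter that parses rule lines written in the $cmd / $pif style quoted above and reports the issues raised in this exchange: the duplicated rule 00112, port 23 labelled as FTP, the uid root catch-all, the stateful ICMP rule with no inbound reply rule, deny instead of reset on ident, and the database port open to any address. It runs over two constructed rulesets, one condensed from the quoted original and one with the corrections suggested in the thread applied; the rule number 00251 for the inbound ICMP rule is an assumption, since the message gives that line no number.

```python
"""Lint an ipfw(8) ruleset written in the $cmd / $pif style quoted in the thread.

Added example, not code from the original message: parses rule lines and
flags the problems raised in the review (duplicate rules, telnet mislabelled
as FTP, the uid-root catch-all, stateful ICMP with no inbound reply rule,
deny instead of reset on ident, and a database port reachable from any).
"""
import re

# Constructed sample, condensed from the ruleset quoted in the thread.
ORIGINAL_RULES = """\
$cmd 00110 allow tcp from any to any 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to any 53 out via $pif keep-state
$cmd 00112 allow udp from any to any 53 out via $pif keep-state
$cmd 00222 allow tcp from any to any 21 out via $pif setup keep-state
$cmd 00223 allow tcp from any to any 23 out via $pif setup keep-state
$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root
$cmd 00250 allow icmp from any to any out via $pif keep-state
$cmd 00315 deny tcp from any to any 113 in via $pif
$cmd 00408 allow tcp from any to me 3306 in via $pif setup keep-state
"""

# Constructed: the same rules with the thread's suggested corrections applied.
# Rule number 00251 is an assumption; the message gives that line no number.
CORRECTED_RULES = """\
$cmd 00110 allow tcp from any to any 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to any 53 out via $pif keep-state
$cmd 00222 allow tcp from any to any 20,21,1024-65535 out via $pif setup keep-state
$cmd 00250 allow icmp from any to any out via $pif keep-state
$cmd 00251 allow icmp from any to any icmptypes 0,3 in via $pif
$cmd 00315 reset tcp from any to any 113 in via $pif
$cmd 00408 allow tcp from any to me 3306 in via $pif setup keep-state
"""

# "$cmd NNNNN action [log] proto from src [ports] to dst [ports] options..."
RULE_RE = re.compile(
    r"^\$cmd\s+(?P<num>\d+)\s+(?P<action>allow|deny|reset)(?P<log>\s+log)?\s+"
    r"(?P<proto>\w+)\s+from\s+(?P<src>\S+)(?:\s+(?P<sport>[\d,-]+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>[\d,-]+))?(?P<opts>(?:\s+\S+)*)$"
)


def parse_rules(text):
    """Turn rule lines into dicts; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unparsed rule line: " + line)
        r = m.groupdict()
        r["num"] = int(r["num"])
        r["opts"] = r["opts"].split()  # e.g. ['out', 'via', '$pif', 'setup', 'keep-state']
        r["dir"] = "in" if "in" in r["opts"] else "out" if "out" in r["opts"] else None
        rules.append(r)
    return rules


def port_in_spec(port, spec):
    """True if port falls inside an ipfw port list such as '20,21,1024-65535'."""
    if not spec:
        return False
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def lint(rules):
    """Return (rule number, message) pairs for the issues discussed in the thread."""
    findings = []
    seen = {}
    # Is there any inbound ICMP rule at all for replies to stateful outbound pings?
    reply_rule = any(r["proto"] == "icmp" and r["dir"] == "in" and "icmptypes" in r["opts"]
                     for r in rules)
    for r in rules:
        key = (r["action"], r["proto"], r["src"], r["sport"], r["dst"], r["dport"], tuple(r["opts"]))
        if key in seen:
            findings.append((r["num"], "duplicates rule %05d" % seen[key]))
        seen.setdefault(key, r["num"])
        tcp_allow = r["proto"] == "tcp" and r["action"] == "allow"
        if tcp_allow and port_in_spec(23, r["dport"]):
            findings.append((r["num"], "allows telnet (tcp/23); FTP is 21 plus the passive data range"))
        if "uid root" in " ".join(r["opts"]):
            findings.append((r["num"], "catch-all outbound allow for root-owned sockets"))
        if r["proto"] == "icmp" and r["dir"] == "out" and "keep-state" in r["opts"] and not reply_rule:
            findings.append((r["num"], "no inbound icmptypes rule for replies (echo reply 0, unreachable 3)"))
        if r["proto"] == "tcp" and r["dir"] == "in" and r["action"] == "deny" and port_in_spec(113, r["dport"]):
            findings.append((r["num"], "drops ident silently; 'reset' sends a TCP RST so remote MTAs do not time out"))
        if tcp_allow and r["dir"] == "in" and r["src"] == "any" and port_in_spec(3306, r["dport"]):
            findings.append((r["num"], "MySQL (tcp/3306) reachable from any source address"))
    return findings


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_RULES), ("corrected", CORRECTED_RULES)):
        print(name)
        for num, msg in lint(parse_rules(text)):
            print("  rule %05d: %s" % (num, msg))
```

Run it directly to see the findings for both rulesets. The corrected set still reports rule 00408, since Leo chose to keep MySQL reachable until a fixed IP is available; the other five findings disappear once the thread's suggestions are applied.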