[Solved] how to block port 25 in [Archive] - The FreeBSD Forums



l2f
May 7th, 2010, 14:30
Hello,

On my firewall I have the following rules:

$fwcmd 6000 $skip tcp from any to any 25 out via $pif setup keep-state
$fwcmd 6100 $skip tcp from any to any 110 out via $pif setup keep-state


$pif is my public interface, the one connected to my ISP.

These are there to allow outgoing mail. But I ran nmap against my firewall and got the following result:


starting Nmap 4.20 ( http://insecure.org ) at 2010-05-07 09:13 EDT
Warning: OS detection for 74.59.40.171 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on modemcable171.40-59-74.mc.videotron.ca (74.59.40.171):
Not shown: 1695 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
Device type: general purpose
Running (JUST GUESSING) : OpenBSD 4.X (89%), Apple Mac OS X 10.3.X|10.4.X (88%)
Aggressive OS guesses: OpenBSD 4.0 (sparc64) (89%), Applie Mac OS X 10.3.9 - 10.4.7 (88%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 40.791 seconds


(not bad: no FreeBSD shows up in the OS detection :) )

I ran the nmap from one of my FreeBSD stations inside my LAN.

My firewall is: ipfw, FreeBSD volvo 7.2-RELEASE-p7 FreeBSD 7.2-RELEASE-p7 #0: Mon Mar 1 13:57:18 EST 2010 root@pbsd.muhc.mcgill.ca:/opt2/source/obj-7.2/opt2/source/src/sys/PATRIOTEBSD17 i386

I tried the following ipfw rules:
ipfw add 5999 drop log logamount 5 all from any to any dst-port 25 in via $pif
or
ipfw add 5999 drop log logamount 5 all from any to any 25 recv $pif
or
ipfw add 5999 drop log logamount 5 all from any to any dst-port 25 in recv $pif

I ran nmap again and got the same result?!

I am lost...

How do I block incoming connections (from the outside world) to port 25, while still being able to send e-mail to the outside world?

Regards,

l2f

SirDice
May 7th, 2010, 14:57
Run sendmail in local-submit-only mode. In /etc/rc.conf:

sendmail_enable="NO"

l2f
May 7th, 2010, 15:26
Hello,

I already did it:


sendmail_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_flags="-L sm-msp-queue -Ac -q15m"
sendmail_submit_flags="-L sm-mta -bd -q15m -ODaemonPortOptions=localhost"


Maybe I messed up the rc.conf?

Regards,

l2f

anomie
May 7th, 2010, 16:49
@l2f: Following a default FreeBSD install, sendmail should only be listening on tcp 25 on localhost. That's with no additional rc.conf entries, since the needed directives are already in place in /etc/defaults/rc.conf.

Let's see the output of sockstat -4l

At this point I'm half suspecting something odd about your nmap scan...

For example, have you tested doing an SMTP telnet session (http://www.netadmintools.com/art276.html) from another host?
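The check anomie asks for here, whether sendmail is bound to localhost only or to every interface, can be read straight off the sockstat -4l listing. The script below is an added example, not code from this thread or from FreeBSD; it assumes only the column layout of sockstat(1) (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS), and the sample listing embedded in it is constructed to mirror the one the poster later shared.

```python
"""Parse `sockstat -4l` output and flag daemons bound to a wildcard address.

Added example (not from the forum thread). Assumption: the FreeBSD sockstat(1)
column layout USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample, shaped like the poster's `sockstat -4l` listing.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1296  3  tcp4   *:22                  *:*
root     sendmail   1242  4  tcp4   *:25                  *:*
root     syslogd    1015  7  udp4   *:514                 *:*
root     natd       881   4  div4   *:8668                *:*
"""


@dataclass(frozen=True)
class Listener:
    user: str
    command: str
    pid: int
    proto: str
    address: str          # '*' means bound to every interface
    port: Optional[int]   # None when sockstat prints '*' for the port


def parse_sockstat(text: str) -> List[Listener]:
    """Turn `sockstat -4l` text into Listener records, skipping the header."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # The header line starts with USER; data lines have at least 7 columns.
        if len(fields) < 7 or fields[0] == "USER":
            continue
        user, command, pid, _fd, proto, local, _foreign = fields[:7]
        address, _, port = local.rpartition(":")
        listeners.append(Listener(user, command, int(pid), proto, address,
                                  int(port) if port.isdigit() else None))
    return listeners


def wildcard_listeners(listeners: Iterable[Listener],
                       ports: Optional[Iterable[int]] = None,
                       protos: Iterable[str] = ("tcp4",)) -> List[Listener]:
    """Listeners bound to '*' (all interfaces), optionally restricted to ports."""
    wanted = set(ports) if ports is not None else None
    return [l for l in listeners
            if l.address == "*" and l.proto in protos
            and (wanted is None or l.port in wanted)]


def is_loopback_only(listeners: Iterable[Listener], port: int) -> bool:
    """True when every socket on `port` is bound to 127.x (or nothing listens)."""
    return all(l.address.startswith("127.")
               for l in listeners if l.port == port)


if __name__ == "__main__":
    found = parse_sockstat(SAMPLE)
    for l in wildcard_listeners(found):
        print(f"{l.command} (pid {l.pid}) listens on all interfaces, port {l.port}")
    print("port 25 loopback-only:", is_loopback_only(found, 25))
```

On a box where sendmail runs with DaemonPortOptions=localhost the local address column reads 127.0.0.1:25 and is_loopback_only(..., 25) returns True; the *:25 in the poster's listing is exactly the wildcard bind this flags.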

l2f
May 7th, 2010, 17:19
Hello,

The output of sockstat -4l:

# sockstat -4l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 1296 3 tcp4 *:22 *:*
root sendmail 1242 4 tcp4 *:25 *:*
root syslogd 1015 7 udp4 *:514 *:*
root natd 881 4 div4 *:8668 *:*


The telnet session from another host on my LAN:

telnet 192.168.0.1 25
Trying 192.168.0.1...
Connected to volvo.maison.org.
Escape character is '^]'.
HELO
220 volvo.maison.org ESMTP Sendmail 8.14.3/8.14.3; Fri, 7 May 2010 11:32:25 GMT
501 5.0.0 HELO requires domain address


And to my public IP address from the same PC in my LAN:


telnet xxx.59.40.xxx 25
Trying xxx.59.40.x...
Connected to modemcablexxx.40-59-xxx.mc.xxxxxxxxxx.ca.
Escape character is '^]'.
HELO
220 volvo.maison.org ESMTP Sendmail 8.14.3/8.14.3; Fri, 7 May 2010 11:34:08 GMT
501 5.0.0 HELO requires domain address


Very strange!

Regards,

l2f

anomie
May 7th, 2010, 17:55
Did you install a new MTA (other than sendmail) from ports?

Also, could you post your entire /etc/rc.conf?

l2f
May 7th, 2010, 18:28
Hello

Other MTAs:
fetchmail-6.3.9
ssmtp-2.61.11.1_2

My /etc/mail/mailer.conf:

# $FreeBSD: src/etc/mail/mailer.conf,v 1.3.30.1 2008/10/02 02:57:24 kensmith Exp $
#
# Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail
#
sendmail /usr/libexec/sendmail/sendmail
send-mail /usr/libexec/sendmail/sendmail
mailq /usr/libexec/sendmail/sendmail
newaliases /usr/libexec/sendmail/sendmail
hoststat /usr/libexec/sendmail/sendmail
purgestat /usr/libexec/sendmail/sendmail


To be sure:

# ll /usr/libexec/sendmail/sendmail
-r-xr-sr-x 1 root smmsp 650K Mar 10 14:20 /usr/libexec/sendmail/sendmail



My (raw) /etc/rc.conf:


# -- sysinstall generated deltas -- # Tue Dec 13 17:21:16 2005
# Created: Tue Dec 13 17:21:15 2005
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.

arpproxy_all="YES"

# ro fs
tmpmfs="YES"
tmpsize="4M"
tmpmfs_flags="-S"
varmfs="YES"
varmfs_flags="-S"
varsize="16M"
populate_var="YES"

# special pbsd
change_su_enable="YES"
change_su_fichier="/etc/progsuid.lst"

clear_tmp_enable="YES"
# mef exec script that itself checks whether it is enabled,
# whereas it should be rc that decides what to start
# too slow at boot
pflog_enable="NO"
# remove /etc/rc.d/sendmail => takes too long to check
# that it does not start in inbound mode
sendmail_enable="NO"
# yes by default: sendmail_msp_queue_enable="NO"
# no external mail
sendmail_outbound_enable="NO"

# change flag for local
# 15 minutes instead of 30
sendmail_msp_queue_flags="-L sm-msp-queue -Ac -q15m"

# change submit flag to 15 minutes instead of 30
sendmail_submit_flags="-L sm-mta -bd -q15m -ODaemonPortOptions=localhost"
# can send mail
# yes by default: sendmail_submit_enable="YES"
#sendmail_msp_queue_enable="NO"
#sendmail_rebuild_aliases="NO"
postfix_enable="NO"


#extra firewalling options
tcp_extensions="YES" # if problems, set to NO
tcp_keepalive="YES" # check whether connection is active
log_in_vain="YES"
tcp_drop_synfin="YES" #change to NO if create webserver
tcp_restrict_rst="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"

# natd
natd_enable="YES"
natd_interface="rl0"
natd_flags="-dynamic -m -u -s"
#" -redirect_port tcp 192.168.1.1:80 80 -redirect_port tcp 192.168.1.1:443 443"
# -f /etc/natd.conf"
# root fs: ro
root_rw_mount="NO"

# firewall startup script
firewall_enable="YES"
# firewall rules
# with sshguard patriotebsdfirewall v101
firewall_script="/etc/ipfw.rules.8"

# rules script
#firewall_type="/etc/ipfw.rules"

firewall_quiet="NO" #change to YES once happy with rules
firewall_logging_enable="YES"

update_motd="NO"
gateway_enable="YES"
hostname="volvo"
ifconfig_xl0="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_rl0="DHCP"
#ifconfig_rl0="inet 192.168.1.1 netmask 255.255.252.0"

ifpolling_enable="YES"
ifpolling_liste="rl0 xl0"

static_routes="reseauwifi"
route_reseauwifi="-net 192.168.1.0/24 192.168.0.2"

inetd_enable="NO"
# problem: /etc is read-only
linux_enable="NO"
moused_enable="NO"
nfs_server_enable="NO"
rpcbind_enable="NO"
saver="patriotebsd"
sshd_enable="YES"

# denyhosts
#denyhosts_enable="YES"
usbd_enable="YES"
syslog_flags="-ss -4"

# kernel
kern_securelevel_enable="YES"
# max level with ipfw still operational
kern_securelevel=2

# ntpd
ntpd_enable="YES"
#ntpd_program="/usr/sbin/ntpd"
ntpd_flags="-p /var/run/ntpd.pid -l /var/log/ntp.log"

# sshdefence
cloned_interfaces="disc0"
ifconfig_disc0="inet 0.0.0.1 netmask 255.0.0.0"

# crontab
cronutil_enable="YES"
cronutil_liste="/root/root.cron /home/patriotebsd/patriotebsd.cron"

# to create a swapfile
faireswap_enable="NO"
faireswap_taillemax="64"

# swap detection
detectswap_enable="NO"

# sshdefencefifo
sshdefencefifo_enable="YES"
accounting_enable="YES"

# dhcpd
dhcpd_enable="YES"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="xl0"
dhcpd_withumask="022"
dhcpd_withuser="dhcpd"
dhcpd_withgroup="dhcpd"
dhcpd_chuser_enable="YES"

# speaker, if not compiled into the kernel
speaker_enable="NO"

# this is a livecd => no savecore
dumpdev="NO"

# junkbuster
junkbuster_enable="NO"


I did not modify /etc/defaults/rc.conf:

# ll /etc/defaults/rc.conf
-r--r--r-- 1 root wheel 35K Sep 23 2009 /etc/defaults/rc.conf
# wc /etc/defaults/rc.conf
666 4470 35336 /etc/defaults/rc.conf


I use mail to send my e-mail:

# ll `which mail`
-r-xr-xr-x 3 root wheel 77K Mar 10 14:19 /usr/bin/mail



Regards,

l2f

anomie
May 7th, 2010, 19:28
ssmtp is likely the offending program that is listening. See this FreeBSD wiki entry on ssmtp (http://wiki.freebsd.org/SecureSSMTP), and this quick guide (http://www.scottro.net/qnd/qnd-ssmtp.html) (from our old friend scottro, BTW).

anomie
May 7th, 2010, 19:41
And getting back to your original question (I realize this is a firewall thread), there is nothing syntactically or logically wrong with a rule like:
# ipfw -q add 00500 deny tcp from any to any 25 in via interface_here

If you're not able to make that work, then you must be matching some other prior rule. Use ipfw show to view counters to help troubleshoot.

l2f
May 7th, 2010, 20:25
Hello,

When I put the following options in my /etc/rc.conf, sendmail does not start at all, so my /etc/defaults/rc.conf is fine:


sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"


I found (after googling: http://www.macosxhints.com/article.php?story=20030522162520409) the following trick: remove the -bd flag in /etc/rc.conf. In my case:

sendmail_submit_flags="-bd -L sm-mta -q15m -ODaemonPortOptions=localhost"
to
sendmail_submit_flags="-L sm-mta -q15m -ODaemonPortOptions=localhost"


And it's OK: my nmap scan no longer reports port 25 open, and I tried sending mail to my Yahoo account and it works :)

I tried the other solution from the above URL (in /etc/mail/themachine_hostname.mc):

FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet, address=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Family=inet, address=127.0.0.1, Port=587, Name=MSA, M=E')dnl
CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0')dnl


with the -bd flag in my /etc/rc.conf.

It does not work: my nmap scan reports port 25 open and I am able to telnet to it from within my LAN or from outside, so keep the -bd flag out (i.e. remove it).

As usual, sendmail is still a mystery for me.

But I am wondering why the ipfw rule does not work?

Regards,

l2f

l2f
May 7th, 2010, 20:28
Hello,

I will investigate this way.

Thank you for your help and time.

l2f

l2f
May 8th, 2010, 00:44
Hello,

I investigated the ipfw rule and it does not work from inside my LAN because I use the divert keyword, so the packet is diverted before reaching the deny rule.

I did an nmap scan from outside my LAN (a friend's wifi), and the scan saw only the SSH port.
1st scan, OS detection:
Running (JUST GUESSING) : Avaya embedded (86%), NetworkAlchemy embedded (86%)
Aggressive OS guesses: Avaya Office IP403 VoIP gateway (86%), NetworkAlchemy ArgentBranch PBX (86%).
No exact OS matches for host (test conditions non-ideal).

2nd scan, OS detection: nothing


So you can use the -bd flag with sendmail and the ipfw rule above.

Thanks to everyone for helping me and taking the time to try to resolve this problem (special thanks to anomie).

Regards,

l2f
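Two points in this thread, anomie's advice to read the ipfw show counters to find the rule that is really handling the traffic, and l2f's finding that an earlier divert rule gets the packet before the deny rule, can be checked from the counters themselves. The script below is an added example, not code from this thread or from FreeBSD. It assumes only the line format of ipfw show (rule number, packet count, byte count, then the rule text); the embedded listing is constructed, reusing the rule numbers from the thread, with the natd divert rule numbered 00050 and all counters made up for illustration.

```python
"""Read `ipfw show` output and explain why a given rule never matches.

Added example (not from the forum thread). Assumption: each `ipfw show`
line is "<rule-number> <packets> <bytes> <rule body>".
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample. Rule 00050 (divert to natd) is a hypothetical number;
# 05999/06000/06100 reuse the numbers from the thread. Counters are invented.
SAMPLE = """\
00050   812  61234 divert 8668 ip from any to any via rl0
00100    40   3360 allow ip from any to any via lo0
05999     0      0 deny log logamount 5 ip from any to any dst-port 25 in via rl0
06000    17   1020 skipto 65000 tcp from any to any dst-port 25 out via rl0 setup keep-state
06100     3    180 skipto 65000 tcp from any to any dst-port 110 out via rl0 setup keep-state
65535  1234 567890 deny ip from any to any
"""

LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*)$")

# Actions after which a matching packet does not continue down the ruleset.
TERMINAL = {"allow", "accept", "pass", "permit", "deny", "drop", "reject", "unreach"}
# Actions that hand the packet to a socket/program; a re-injected packet
# resumes at the next rule, possibly rewritten (e.g. NAT by natd).
DIVERTING = {"divert", "tee"}


@dataclass(frozen=True)
class Rule:
    number: int
    packets: int
    bytes: int
    body: str

    @property
    def action(self) -> str:
        return self.body.split()[0]


def parse_ipfw_show(text: str) -> List[Rule]:
    """Parse `ipfw show` lines into Rule records, in ruleset order."""
    rules = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4]))
    return sorted(rules, key=lambda r: r.number)


def packets_matched(rules: List[Rule], number: int) -> int:
    """Packet counter of rule `number`; raises KeyError if it is not loaded."""
    for r in rules:
        if r.number == number:
            return r.packets
    raise KeyError(f"rule {number} is not in the ruleset")


def explain(rule: Rule) -> str:
    """What a hit on this rule means for rules that come after it."""
    a = rule.action
    if a in TERMINAL:
        return "terminal action: packets it matched never reached later rules"
    if a in DIVERTING:
        return ("packets left the ruleset here; any the program re-injects resume "
                "at the next rule, already rewritten by it")
    if a == "skipto":
        target = rule.body.split()[1]
        return f"jumps past every rule numbered below {target}"
    return "non-terminal action: evaluation continued at the next rule"


def diagnose(rules: List[Rule], number: int) -> List[Tuple[Rule, str]]:
    """Earlier rules with non-zero counters, each with a note on its effect.

    Only meaningful when `number` itself has matched nothing; the result
    is the list of candidates that may be consuming the traffic first.
    """
    return [(r, explain(r)) for r in rules if r.number < number and r.packets > 0]


if __name__ == "__main__":
    loaded = parse_ipfw_show(SAMPLE)
    target = 5999
    print(f"rule {target} matched {packets_matched(loaded, target)} packets")
    for r, note in diagnose(loaded, target):
        print(f"  {r.number:05d} {r.packets:>6} pkts  {r.action:<8} {note}")
```

Run against a live box with `ipfw show | python3 this_script.py`-style plumbing (replace SAMPLE with sys.stdin.read()), a zero counter on the deny rule together with a busy divert rule above it is the pattern l2f describes; whether the rewritten packet can still match the deny rule's in/via criteria is then the next thing to check.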
