how to block port 25 in

Hello,

On my firewall I have the following rules:

Code:
$fwcmd 6000 $skip tcp from any to any 25 out via $pif setup keep-state
$fwcmd 6100 $skip tcp from any to any 110 out via $pif setup keep-state

$pif is my public interface, the one that is connected to my ISP.

to allow the outgoing mail, but I did an nmap on my firewall and I got the following result:

Code:
starting Nmap 4.20 ( http://insecure.org ) at 2010-05-07 09:13 EDT
Warning:  OS detection for 74.59.40.171 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on modemcable171.40-59-74.mc.videotron.ca (74.59.40.171):
Not shown: 1695 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
25/tcp open  smtp
Device type: general purpose
Running (JUST GUESSING) : OpenBSD 4.X (89%), Apple Mac OS X 10.3.X|10.4.X (88%)
Aggressive OS guesses: OpenBSD 4.0 (sparc64) (89%), Applie Mac OS X 10.3.9 - 10.4.7 (88%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 40.791 seconds

(not bad: no FreeBSD shows up in OS detection :)) )

I did the nmap from one of my FreeBSD stations inside my LAN.

My firewall is: ipfw, FreeBSD volvo 7.2-RELEASE-p7 FreeBSD 7.2-RELEASE-p7 #0: Mon Mar 1 13:57:18 EST 2010 root@pbsd.muhc.mcgill.ca:/opt2/source/obj-7.2/opt2/source/src/sys/PATRIOTEBSD17 i386

I tried the following ipfw rules:
Code:
ipfw add 5999 drop log logamount 5 all from any to any dst-port 25 in via $pif
or
Code:
ipfw add 5999 drop log logamount 5 all from any to any 25 recv $pif
or
Code:
ipfw add 5999 drop log logamount 5 all from any to any dst-port 25 in recv $pif

I ran nmap again and I got the same result?!

I am lost...

How do I block inbound connections (from the outside world) to port 25 while still being able to send e-mail to the outside world?

Regards,

l2f
 
Run sendmail in local-submit-only mode. In /etc/rc.conf:
Code:
sendmail_enable="NO"
 
Hello,

I already did it:

Code:
sendmail_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_flags="-L sm-msp-queue -Ac -q15m"
sendmail_submit_flags="-L sm-mta -bd -q15m -ODaemonPortOptions=localhost"

Maybe I messed up the rc.conf?

Regards,

l2f
 
@l2f: Following a default FreeBSD install, sendmail should only be listening on tcp 25 on localhost. That's with no additional rc.conf(5) entries, since the needed directives are already in place in /etc/defaults/rc.conf.

Let's see the output of % sockstat -4l

At this point I'm half suspecting something odd about your nmap scan...

For example, have you tested doing an SMTP telnet session from another host?
 
Hello,

The output of sockstat -4l:

Code:
# sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
root     sshd       1296  3  tcp4   *:22                  *:*
root     sendmail   1242  4  tcp4   *:25                  *:*
root     syslogd    1015  7  udp4   *:514                 *:*
root     natd       881   4  div4   *:8668                *:*

The telnet session from another host on my LAN:
Code:
telnet 192.168.0.1 25
Trying 192.168.0.1...
Connected to volvo.maison.org.
Escape character is '^]'.
HELO
220 volvo.maison.org ESMTP Sendmail 8.14.3/8.14.3; Fri, 7 May 2010 11:32:25 GMT
501 5.0.0 HELO requires domain address

and from my public IP address, from the same PC in my LAN:

Code:
 telnet xxx.59.40.xxx 25
Trying xxx.59.40.x...
Connected to modemcablexxx.40-59-xxx.mc.xxxxxxxxxx.ca.
Escape character is '^]'.
HELO
220 volvo.maison.org ESMTP Sendmail 8.14.3/8.14.3; Fri, 7 May 2010 11:34:08 GMT
501 5.0.0 HELO requires domain address

Very strange!

Regards,

l2f
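The check anomie asked for can be automated. This is an added example, not code from any post in this thread: a sh function that reads sockstat -4l output and reports every IPv4 TCP listener on a given port that is not bound to 127.0.0.1, which is exactly what makes port 25 reachable from the LAN or the Internet. The sample input is constructed from the output above.

```shell
#!/bin/sh
# Constructed sample, modelled on the sockstat -4l output posted in the thread.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1296  3  tcp4   *:22                  *:*
root     sendmail   1242  4  tcp4   *:25                  *:*
root     syslogd    1015  7  udp4   *:514                 *:*
root     natd       881   4  div4   *:8668                *:*'

# exposed_listeners PORT
# Reads sockstat -4l style text on stdin and prints "COMMAND PID LOCAL" for
# every tcp4 listener on PORT whose local address is not loopback
# (a wildcard "*" or a real interface address). Returns 0 when at least one
# such listener exists, 1 otherwise.
exposed_listeners() {
    port="$1"
    awk -v port="$port" '
        NR > 1 && $5 == "tcp4" {
            split($6, a, ":")          # a[1] = address, a[2] = port
            if (a[2] == port && a[1] != "127.0.0.1") {
                print $2, $3, $6
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Demo against the constructed sample (prints: sendmail 1242 *:25)
printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_listeners 25

# On a FreeBSD host the live check is simply:
#   sockstat -4l | exposed_listeners 25
```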
 
Did you install a new MTA (other than sendmail) from ports?

Also, could you post your entire /etc/rc.conf?
 
Hello

Other MTAs:
fetchmail-6.3.9
ssmtp-2.61.11.1_2

My /etc/mail/mailer.conf
Code:
# $FreeBSD: src/etc/mail/mailer.conf,v 1.3.30.1 2008/10/02 02:57:24 kensmith Exp $
#
# Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail
#
sendmail        /usr/libexec/sendmail/sendmail
send-mail       /usr/libexec/sendmail/sendmail
mailq           /usr/libexec/sendmail/sendmail
newaliases      /usr/libexec/sendmail/sendmail
hoststat        /usr/libexec/sendmail/sendmail
purgestat       /usr/libexec/sendmail/sendmail

To be sure:
Code:
# ll /usr/libexec/sendmail/sendmail 
-r-xr-sr-x  1 root  smmsp   650K Mar 10 14:20 /usr/libexec/sendmail/sendmail


My (raw) /etc/rc.conf

Code:
# -- sysinstall generated deltas -- # Tue Dec 13 17:21:16 2005
# Created: Tue Dec 13 17:21:15 2005
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.

arpproxy_all="YES"

# ro fs
tmpmfs="YES"
tmpsize="4M"
tmpmfs_flags="-S"
varmfs="YES"
varmfs_flags="-S"
varsize="16M"
populate_var="YES"

# special pbsd
change_su_enable="YES"
change_su_fichier="/etc/progsuid.lst"

clear_tmp_enable="YES"
# mef: the exec script itself checks whether it is enabled,
# whereas it should be rc that decides what to start
# too slow at boot
pflog_enable="NO"
# remove /etc/rc.d/sendmail => takes too long to check
# that it does not start in inbound mode
sendmail_enable="NO"
# yes by default: sendmail_msp_queue_enable="NO"
# no external mail
sendmail_outbound_enable="NO"

# change flag for local
# 15 minutes instead of 30
sendmail_msp_queue_flags="-L sm-msp-queue -Ac -q15m"

# change submit flag to 15 minutes instead of 30
sendmail_submit_flags="-L sm-mta -bd -q15m -ODaemonPortOptions=localhost"
# can send mail
# yes by default: sendmail_submit_enable="YES"
#sendmail_msp_queue_enable="NO"
#sendmail_rebuild_aliases="NO"
postfix_enable="NO"

#extra firewalling options
tcp_extensions="YES"    # set to NO if problems
tcp_keepalive="YES"     # check whether connection is active
log_in_vain="YES"
tcp_drop_synfin="YES"   #change to NO if create webserver
tcp_restrict_rst="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"

# natd
natd_enable="YES"
natd_interface="rl0"
natd_flags="-dynamic -m -u -s"
#" -redirect_port tcp 192.168.1.1:80 80 -redirect_port tcp 192.168.1.1:443 443"
# -f /etc/natd.conf"
# root fs: ro
root_rw_mount="NO"

# firewall startup script
firewall_enable="YES"
# firewall rules
# with sshguard patriotebsdfirewall v101
firewall_script="/etc/ipfw.rules.8"

# rules script
#firewall_type="/etc/ipfw.rules"

firewall_quiet="NO" #change to YES once happy with rules
firewall_logging_enable="YES"

update_motd="NO"
gateway_enable="YES"
hostname="volvo"
ifconfig_xl0="inet 192.168.0.1  netmask 255.255.255.0"
ifconfig_rl0="DHCP"
#ifconfig_rl0="inet 192.168.1.1 netmask 255.255.252.0"

ifpolling_enable="YES"
ifpolling_liste="rl0 xl0"

static_routes="reseauwifi"
route_reseauwifi="-net 192.168.1.0/24 192.168.0.2"

inetd_enable="NO"
# problem: /etc read-only
linux_enable="NO"
moused_enable="NO"
nfs_server_enable="NO"
rpcbind_enable="NO"
saver="patriotebsd"
sshd_enable="YES"

# denyhosts
#denyhosts_enable="YES"
usbd_enable="YES"
syslog_flags="-ss -4"

# kernel
kern_securelevel_enable="YES"
# maximum level with ipfw operational
kern_securelevel=2

# ntpd
ntpd_enable="YES"
#ntpd_program="/usr/sbin/ntpd"
ntpd_flags="-p /var/run/ntpd.pid -l /var/log/ntp.log"

# sshdefence
cloned_interfaces="disc0"
ifconfig_disc0="inet 0.0.0.1 netmask 255.0.0.0"

# crontab
cronutil_enable="YES"
cronutil_liste="/root/root.cron /home/patriotebsd/patriotebsd.cron"

# to create a swapfile
faireswap_enable="NO"
faireswap_taillemax="64"

# swap detection
detectswap_enable="NO"

# sshdefencefifo
sshdefencefifo_enable="YES"
accounting_enable="YES"

# dhcpd
dhcpd_enable="YES"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="xl0"
dhcpd_withumask="022"
dhcpd_withuser="dhcpd"
dhcpd_withgroup="dhcpd"
dhcpd_chuser_enable="YES"

# speaker, if not compiled into the kernel
speaker_enable="NO"

# it's a livecd => no savecore
dumpdev="NO"

# junkbuster
junkbuster_enable="NO"

I did not modify /etc/defaults/rc.conf:
Code:
# ll /etc/defaults/rc.conf 
-r--r--r--  1 root  wheel    35K Sep 23  2009 /etc/defaults/rc.conf
# wc  /etc/defaults/rc.conf
     666    4470   35336 /etc/defaults/rc.conf

I use mail to send my e-mail:
Code:
# ll `which mail`
-r-xr-xr-x  3 root  wheel    77K Mar 10 14:19 /usr/bin/mail


Regards,

l2f
 
And getting back to your original question (I realize this is a firewall thread), there is nothing syntactically or logically wrong with a rule like:
Code:
# ipfw -q add 00500 deny tcp from any to any 25 in via interface_here

If you're not able to make that work, then you must be matching some other prior rule. Use # ipfw show to view counters to help troubleshoot.
 
Hello,

When I put the following options in my /etc/rc.conf sendmail does not start at all, so my /etc/defaults/rc.conf is good:

Code:
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

I found (after googling: http://www.macosxhints.com/article.php?story=20030522162520409) the following trick: remove the -bd flag in /etc/rc.conf,
in my case:
Code:
sendmail_submit_flags="-bd -L sm-mta -q15m -ODaemonPortOptions=localhost"
to
sendmail_submit_flags="-L sm-mta -q15m -ODaemonPortOptions=localhost"

And it's OK: my nmap scan does not report port 25 open, and I tried to send mail to my Yahoo account and it works :)

I tried the other solution from the above URL (/etc/mail/themachine_hostname.mc):
Code:
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet, address=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Family=inet, address=127.0.0.1, Port=587, Name=MSA, M=E')dnl
CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0')dnl

with the -bd flag in my /etc/rc.conf.

It does not work: my nmap scan reports that port 25 is open and I am able to telnet to it from within my LAN or from outside, so keep (in fact remove) the -bd flag.

As usual, sendmail is still a mystery for me.

But I am wondering why the ipfw rule does not work?

Regards,

l2f
 
Hello,

I will investigate this way.

Thank you for your help and time.

l2f
 
Good news and solved

Hello,

I investigated the ipfw rule and it does not work from inside my LAN because I use the divert keyword. So the packet is diverted before reaching the deny rule.

I did an nmap scan from outside my LAN (a friend's wifi), and the scan saw only the ssh port.
Code:
 1st scan os detection: 
Running (JUST GUESSING) : Avaya embedded (86%), NetworkAlchemy embedded (86%)
Aggressive OS guesses: Avaya Office IP403 VoIP gateway (86%), NetworkAlchemy ArgentBranch PBX (86%).
No exact OS matches for host (test conditions non-ideal).

2nd scan os detection: nothing

So you can use the -bd flag with sendmail and the ipfw rule above.

Thanks to everyone for helping me and taking the time to try to resolve this problem (special thanks to anomie).

Regards,

l2f
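The last post pins the failure on rule order: the natd divert rule comes before rule 5999, so a packet is diverted before the deny is ever consulted. As an added illustration, not the poster's /etc/ipfw.rules.8, this sh script emits a minimal ruleset in which the inbound port-25 deny sits in front of the divert and includes a check that the order is right; the interface names follow the thread, while the rule numbers and the reduced rule set are assumptions.

```shell
#!/bin/sh
# Interface names as in the thread: rl0 faces the ISP, xl0 faces the LAN.
pif="rl0"
lif="xl0"
# Dry run by default: print the rules instead of loading them.
# On the firewall itself, run with fwcmd="/sbin/ipfw -q" to apply them.
fwcmd="${fwcmd:-echo ipfw}"

# Emit the ruleset in load order. ipfw evaluates rules by number, so the
# deny at 00500 is hit before the divert at 01000 can hand the packet to natd.
load_rules() {
    $fwcmd -f flush
    $fwcmd add 00100 allow ip from any to any via lo0
    $fwcmd add 00200 check-state
    # Drop unsolicited SMTP arriving on the public interface, before NAT.
    $fwcmd add 00500 deny log logamount 5 tcp from any to any 25 in via "$pif"
    # Only now hand packets to natd (the divert the thread mentions).
    $fwcmd add 01000 divert natd ip from any to any via "$pif"
    # Outgoing mail from this host is still allowed and tracked.
    $fwcmd add 06000 allow tcp from any to any 25 out via "$pif" setup keep-state
    $fwcmd add 65000 deny log ip from any to any
}

# Returns 0 when the emitted port-25 deny precedes the divert rule, 1 otherwise.
deny_before_divert() {
    load_rules | awk '
        /deny/ && / 25 in via/ { d = NR }
        /divert natd/          { v = NR }
        END { if (d && v && d < v) exit 0; exit 1 }'
}

# Stand-alone: print the ruleset (dry run) in load order.
load_rules
```

The poster's original placement (rule 5999 after the divert) is exactly the order this check would reject.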
 