ipfw rules for email on email server

Hello,
I am using FreeBSD 9.1 on a box used for an email server. I have ipfw running and when the firewall is on I can NOT get email from the outside no matter what rules I put in.
Right now here are the rules that I have (I have tried many):
Code:
$IPF 150 allow tcp from me to me 25 in via $prif keep-state
$IPF 151 allow tcp from me to any 25 out via $prif keep-state
$IPF 152 allow tcp from me to me 25 in via $pif keep-state
$IPF 153 allow tcp from me to any 25 out via $pif keep-state
$IPF 211 allow tcp from me to me 110 in via $prif keep-state
$IPF 212 allow tcp from me to any 110 out via $prif keep-state
$IPF 213 allow tcp from me to me 110 in via $pif keep-state
$IPF 214 allow tcp from me to any 110 out via $pif keep-state

I have 2 interfaces: 1 internet, 1 Ethernet.
Please help me figure this out. I have googled many sites with no luck.
Thank you,
Amy
 
This is what I have now and it still doesn't work.
Code:
$IPF 81 allow tcp from any to any via $prif keep-state
$IPF 82 allow tcp from any to any 25 via $pif keep-state
$IPF 83 allow tcp from any to any 110 via $pif keep-state
$IPF 84 allow tcp from any to any 143 via $pif keep-state
$IPF 85 allow tcp from any to any 465 via $pif keep-state
$IPF 86 allow tcp from any to any 585 via $pif keep-state
$IPF 87 allow tcp from any to any 993 via $pif keep-state
$IPF 88 allow tcp from any to any 995 via $pif keep-state
 
What are $prif and $pif? Mostly, it looks like the rules are too specific. Beyond that, I don't recall the IPFW syntax well enough to say if via is the right word.
 
I have 2 interfaces. prif is private and pif is public.

Here is what I have now:

Code:
$IPF 80 allow tcp from any to any via $prif keep-state
$IPF 81 allow tcp from any to any 22 setup keep-state
$IPF 82 allow tcp from any to any 25 setup keep-state
$IPF 83 allow tcp from any to any 53 setup keep-state
$IPF 84 allow udp from any to any 53 keep-state
$IPF 85 allow tcp from any to any 80 setup keep-state
$IPF 86 allow tcp from any to any 110 setup keep-state
$IPF 87 allow tcp from any to any 161 setup keep-state
$IPF 89 allow tcp from any to any 465 setup keep-state
$IPF 90 allow tcp from any to any 585 setup keep-state
$IPF 91 allow tcp from any to any 587 setup keep-state
$IPF 92 allow tcp from any to any 993 setup keep-state
$IPF 93 allow tcp from any to any 995 setup keep-state
 
Maybe you should show us your entire IPFW ruleset? It could be that an earlier rule is discarding mail packets before you even get to rule #80. Place on pastebin and post a link here if it is a really big ruleset.
 
Here you go:

Code:
IPF="ipfw -q add"
ipfw -q -f flush
pif="em1"        # public interface name of interface
prif="em0"       # private ethernet name of interface

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 75 allow icmp from any to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 80 allow tcp from any to any via $prif keep-state
$IPF 81 allow tcp from any to any 22 setup keep-state
$IPF 82 allow tcp from any to any 25 setup keep-state
$IPF 83 allow tcp from any to any 53 setup keep-state
$IPF 84 allow udp from any to any 53 keep-state
$IPF 85 allow tcp from any to any 80 setup keep-state
$IPF 86 allow tcp from any to any 110 setup keep-state
$IPF 87 allow tcp from any to any 161 setup keep-state
$IPF 89 allow tcp from any to any 465 setup keep-state
$IPF 90 allow tcp from any to any 585 setup keep-state
$IPF 91 allow tcp from any to any 587 setup keep-state
$IPF 92 allow tcp from any to any 993 setup keep-state
$IPF 93 allow tcp from any to any 995 setup keep-state

# deny and log everything
$IPF 500 deny log all from any to any
 
amylichti said:
via is used to specify the interface.

No, I'm pretty sure it means more than that. However, it's been years since I switched to PF, and I never did find IPFW's rules very clear.
 
Does it make any difference if you change:
Code:
$IPF 82 allow tcp from any to any 25 setup keep-state
to
Code:
$IPF 82 allow tcp from any to any 25 keep-state
 
Code:
hostname="my domain name"
keymap="us.iso.kbd"
ifconfig_em1=" inet x.x.x.x netmask 0xfffffff8"
defaultrouter="x.x.x.x"
ifconfig_em0="inet x.x.x.x netmask 255.255.255.0"
defaultrouter="x.x.x.x"
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"

### Disable Sendmail ###
sendmail_enable="NO"
sendmail_msp_queue_enable="NO"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"

apache22_enable="YES"
mysql_enable="YES"
postfix_enable="YES"

### Courier-Imap Stuff ###
courier_authdaemond_enable="YES"
courier_imap_pop3d_enable="YES"
courier_imap_imapd_enable="YES"

webmin_enable="YES"

inetd_enable="YES"

### nmbd_enable="YES"
### smbd_enable="YES"

firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
 
I think that maybe my rc.conf file does not like the second interface... but I still do not think that it would have anything to do with email? What do you think?
 
Okay... I took the second interface out of rc.conf, and here is what my ipfw.rules file looks like now.
I now need to do some more tweaking of it.

Code:
IPF="ipfw -q add"
ipfw -q -f flush
pif="em1"        # public interface name of interface
# $prif="em0"    # private ethernet name of interface

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 75 allow icmp from any to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 80 allow tcp from me to any 22 keep-state
$IPF 82 allow tcp from any to any 25 in keep-state
$IPF 83 allow tcp from any to any 25 out keep-state
$IPF 84 allow tcp from any to any 53 keep-state
$IPF 85 allow udp from any to any 53 keep-state
$IPF 86 allow tcp from any to any 80 keep-state
$IPF 87 allow tcp from any to any 110 in keep-state
$IPF 88 allow tcp from any to any 110 out keep-state
$IPF 89 allow tcp from any to any 161 keep-state
$IPF 90 allow tcp from any to any 465 keep-state
$IPF 91 allow tcp from any to any 585 keep-state
$IPF 92 allow tcp from any to any 587 keep-state
$IPF 93 allow tcp from any to any 993 keep-state
$IPF 94 allow tcp from any to any 995 keep-state

# deny and log everything
$IPF 500 deny log all from any to any


And it works...
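The thread never pins down why the intermediate rulesets failed, but it does show the one mistake in the very first post that a first-match walk through the rules makes visible: an inbound SMTP connection from a remote MTA has a remote source address, so a rule written as `from me to me 25 in` can never match it, and the packet falls through to the final `deny log` rule. The following is an added example, not code from the thread or from ipfw(8): a small Python model of ipfw's first-match evaluation covering only the keywords used in this thread (allow/deny, from/to with `any`, `me` or a CIDR, an optional destination port, `in`/`out`, `via`, `setup`, `established`, `frag`, `check-state`, `keep-state`, `log`). The addresses behind `me`, the packets, and the merging of the later-posted header with the first post's SMTP rules (with `$prif`/`$pif` expanded to em0/em1) are constructed assumptions. The final ruleset is trimmed to the rules an inbound SMTP SYN reaches before rule 82 matches it.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed: the addresses ipfw's "me" keyword would resolve to on this box
# (public em1 address, private em0 address, loopback). Not taken from the thread.
ME = {"198.51.100.10", "192.168.1.10", "127.0.0.1"}


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int]  # destination port, None for icmp
    direction: str        # "in" or "out"
    iface: str            # interface the packet crosses (em0, em1, lo0)
    syn: bool = False
    ack: bool = False
    frag: bool = False    # non-first fragment


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: str, pkt: Packet) -> bool:
    """True if one rule (subset of ipfw syntax used on the page) matches pkt."""
    toks = rule.split()
    num, action, i = int(toks[0]), toks[1], 2
    if action == "check-state":
        return False          # no dynamic rules are modelled, so never matches
    if toks[i] == "log":
        i += 1
    proto = toks[i]
    i += 1
    if proto not in ("all", "ip") and proto != pkt.proto:
        return False
    src, dst = toks[i + 1], toks[i + 3]       # "from SRC to DST"
    i += 4
    if not (_addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)):
        return False
    if i < len(toks) and toks[i].isdigit():   # optional destination port
        if pkt.dport != int(toks[i]):
            return False
        i += 1
    opts = toks[i:]
    j = 0
    while j < len(opts):
        o = opts[j]
        if o in ("in", "out") and pkt.direction != o:
            return False
        if o == "via":
            j += 1
            if pkt.iface != opts[j]:
                return False
        elif o == "setup" and not (pkt.syn and not pkt.ack):
            return False
        elif o == "established" and not pkt.ack:   # ipfw: ACK or RST; RST omitted
            return False
        elif o == "frag" and not pkt.frag:
            return False
        elif o not in ("in", "out", "setup", "established", "frag", "keep-state"):
            raise ValueError(f"rule {num}: unsupported option {o!r}")
        j += 1
    return True


def evaluate(rules, pkt: Packet):
    """First-match walk, as ipfw does it. Returns (rule_number, action).
    Falls through to the default rule 65535, whose verdict depends on the
    kernel's IPFIREWALL_DEFAULT_TO_ACCEPT option; modelled here as deny."""
    for r in rules:
        if rule_matches(r, pkt):
            return int(r.split()[0]), r.split()[1]
    return 65535, "deny"


# Header from the full ruleset posted later in the thread, variables expanded.
HEADER = [
    "10 allow all from any to any via lo0",
    "20 deny all from any to 127.0.0.0/8",
    "30 deny all from 127.0.0.0/8 to any",
    "40 deny tcp from any to any frag",
    "50 check-state",
    "60 allow tcp from any to any established",
    "70 allow all from any to any out keep-state",
    "75 allow icmp from any to any",
]
DENY_ALL = ["500 deny log all from any to any"]

# SMTP rules from the first post (prif=em0, pif=em1), assumed to sit under HEADER.
FIRST_POST = HEADER + [
    "150 allow tcp from me to me 25 in via em0 keep-state",
    "151 allow tcp from me to any 25 out via em0 keep-state",
    "152 allow tcp from me to me 25 in via em1 keep-state",
    "153 allow tcp from me to any 25 out via em1 keep-state",
] + DENY_ALL

# SMTP rules from the final, working ruleset (rules after 83 omitted).
FINAL_POST = HEADER + [
    "80 allow tcp from me to any 22 keep-state",
    "82 allow tcp from any to any 25 in keep-state",
    "83 allow tcp from any to any 25 out keep-state",
] + DENY_ALL

# Constructed traffic: a remote MTA opening a connection to our port 25 on the
# public interface, and our server delivering outbound mail.
INBOUND_SMTP_SYN = Packet("tcp", "203.0.113.5", "198.51.100.10", 25, "in", "em1", syn=True)
OUTBOUND_SMTP_SYN = Packet("tcp", "198.51.100.10", "203.0.113.5", 25, "out", "em1", syn=True)

if __name__ == "__main__":
    for name, rules in (("first post", FIRST_POST), ("final post", FINAL_POST)):
        print(name, "inbound :", evaluate(rules, INBOUND_SMTP_SYN))
        print(name, "outbound:", evaluate(rules, OUTBOUND_SMTP_SYN))
```

Running it shows the inbound SYN hitting rule 500 under the first post's rules and rule 82 under the final ones, while outbound delivery is accepted by rule 70 in both, which is why only receiving mail was ever broken. On a real box the same check is done with `ipfw -a list`: the packet and byte counters tell you which rule is actually claiming the traffic, and if the `deny log` rule's counter climbs while you test, the logged line names the dropped packet.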
 