On Thu, Oct 08, 1998 at 01:26:35PM +1300, Andrew McNaughton wrote:
> On Wed, 7 Oct 1998, Alejandro Galindo Chairez AGALINDO wrote:
> > can you help to me in establish the rule for permit the pop3 port access?
> > i only need to permit the network 220.127.116.11 (mask 0xffffff00)
> > or can you indicate to me where can i find some rule samples for this?
> I'm not quite clear on your setup (where is the firewall?) but your
> network can be defined as 18.104.22.168:255.255.255.0
How about 208.195.117/24 ?
I had some slight trouble about pop3 access and ipfw rules lately, too.
My setup is quite simple:
[Internet]<--Dialup IP(ipi0)-->[FreeBSD Server]<--Ethernet-->[internal net]
I have a pop3 service running on my server for which I want access
only from the inside. OTOH I want to access a remote pop3 server
from an internal machine. Without ipfw restriction anybody can get
at my server while the dialup is active. This is especially bad as
my popper is quite old and could easily be abused. There is no use
in hunting down security fixes for pop3 as there is no public access
anyway so I rather close that hole permanently. What I needed to
accomplish is this:
[Net] <--- pop3 ok
[Net] ---> pop3 denied
So I tried a rule like "ipfw deny tcp from any pop3 to any in ipi0"
Trouble was, this effectively denied me from getting mail from the
remote server :-(
The solution is actually really simple, I installed tcp_wrapper.
Now I can freely let pop3 through my ipfw ruleset and access to
the pop3 service on my server machine from the outside is blocked.
No machine on my internal net runs pop3 and they're unreachable
due to nat, anyway.
pop3 stream tcp nowait root /usr/local/libexec/tcpd /usr/local/libexec/popper -s
# Wed Oct 7 03:00:00 CEST 1998
popper : LOCAL 10.175. : allow
#popper : UNKNOWN PARANOID : deny
popper : ALL : deny
ALL : ALL
(the commented out line didn't work; does anybody know why ?)
"You don't say what kind of CD drive or hard disks you have, but since it is
causing you trouble I'll assume it is IDE." -- comp.unix.bsd.freebsd.misc
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message