On Sat, Oct 10, 1998 at 12:25:40PM +0200, H. Eckert wrote:
> I have a pop3 service running on my server for which I want access
> only from the inside. OTOH I want to access a remote pop3 server
> from an internal machine. Without ipfw restriction anybody can get
> at my server while the dialup is active. This is especially bad as
> my popper is quite old and could easily be abused. There is no use
> in hunting down security fixes for pop3 as there is no public access
> anyway so I'd rather close that hole permanently. What I needed to
> accomplish is this:
> [Net] <--- pop3 ok
> [Net] ---> pop3 denied
> So I tried a rule like "ipfw deny tcp from any pop3 to any in ipi0"
> Trouble was, this effectively denied me from getting mail from the
> remote server :-(
Wouldn't something like the following work:
ipfw add reset tcp from any to nostromo pop3 setup via ipi0
Replacing nostromo of course with the host your pop3d is running on.
All this would deny is the establishing of TCP connections to
nostromo's pop3d from connections coming in over the ipi0 interface;
everything else would be allowed.
In fact, this rule would even reset the connection, so the
"outside world" would see nostromo's pop3d-port as if there was
no service running on it.
As I don't know your setup (private/real IPs etc.) you might have
to change the ruleset a little according to it.
<Shabby> Sleep is an abstinence syndrome which occurs due to lack of caffeine.
Wed Mar 4 04:53:33 CET 1998 #unix, ircnet
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
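Added example, not part of the thread above: a small simulation of how the two rules discussed (the original "deny tcp from any pop3 to any in" rule and the suggested "reset ... to nostromo pop3 setup" rule) classify the packets of a POP3 session over ipi0. The host name nostromo and interface ipi0 come from the thread; the IP addresses, ports and packet objects are constructed for the illustration.

```python
from dataclasses import dataclass

POP3 = 110
NOSTROMO = "192.0.2.10"       # constructed: the local host running the old pop3d
INTERNAL = "192.0.2.20"       # constructed: internal machine fetching remote mail
REMOTE_POP = "198.51.100.5"   # constructed: the remote POP3 server
OUTSIDER = "203.0.113.7"      # constructed: some host on the Net

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" or "out" relative to the dial-up interface ipi0
    syn: bool
    ack: bool

def eckert_rule(p: Packet) -> str:
    """'deny tcp from any pop3 to any in via ipi0': matches any inbound packet
    whose *source* port is 110, which is exactly what the remote server's
    replies look like, so fetching remote mail breaks."""
    return "deny" if p.direction == "in" and p.sport == POP3 else "allow"

def setup_rule(p: Packet) -> str:
    """'reset tcp from any to nostromo pop3 setup via ipi0': 'setup' matches
    only the opening SYN (SYN set, ACK clear) of a new connection, and only
    when it is addressed to nostromo's port 110; that packet gets an RST."""
    opening_syn = p.syn and not p.ack
    if p.dst == NOSTROMO and p.dport == POP3 and opening_syn:
        return "reset"
    return "allow"

# Constructed traffic: an outsider connecting to nostromo's pop3d, and the
# internal client's session with the remote server (SYN out, SYN/ACK back in).
PACKETS = {
    "outsider_syn":  Packet(OUTSIDER, 40000, NOSTROMO, POP3, "in", syn=True, ack=False),
    "client_syn":    Packet(INTERNAL, 50000, REMOTE_POP, POP3, "out", syn=True, ack=False),
    "server_synack": Packet(REMOTE_POP, POP3, INTERNAL, 50000, "in", syn=True, ack=True),
}

def evaluate(rule) -> dict:
    """Apply one rule to every constructed packet and return the verdicts."""
    return {name: rule(pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    print("deny-from-pop3 rule:", evaluate(eckert_rule))
    print("reset-setup rule:   ", evaluate(setup_rule))
```

The first rule blocks the remote server's SYN/ACK (source port 110) while leaving the outsider's connection attempt untouched; the second resets only the inbound connection setup to nostromo's pop3d.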