LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Other *NIX Forums > *BSD
User Name
Password
*BSD This forum is for the discussion of all BSD variants.
FreeBSD, OpenBSD, NetBSD, etc.

Notices



Reply
 
Search this Thread
Old 04-13-2011, 04:55 PM   #1
sattech2000
LQ Newbie
 
Registered: Apr 2011
Posts: 5

Rep: Reputation: 0
How to block all outgoing port 25 except internal mail server.


Our ISP setup and installed an OpenBSD Firewall at the border doing NAT translation. I知 running a linux mailserver internally. It seems about every six months someone brings an infected laptop into the building that starts sending out spam and gets us blacklisted. I知 looking for something that will block all outgoing port 25 except for the mail server. Notification (email or ?) would be a big bonus.

I have been playing around with
pass out quick on $ext_if proto tcp from $emailserver to any port 25 flags S/SA synproxy state
block out on $ext_if proto tcp from any to any port 25
however everytime I run that rule the email server returns "no route to host" when I try to ping outside servers.

I知 fairly new to the OpenBsd world so any suggestions on an overall monitoring or logging that could be setup on the firewall would be great also.
Thank you
Randy


Something like this from the cisco world.
access-list acl_out permit tcp host X.X.X.X any eq 25
access-list acl_out deny tcp any any eq 25
access-list acl_out permit ip any any
 
Old 04-14-2011, 09:58 AM   #2
tizzef
Member
 
Registered: Jan 2005
Location: Nice, France
Distribution: Ubuntu,RHES, Mandriva, RHAS, AIX 4.3.3, 5.2 & 5.3, Debian,Solaris8/10
Posts: 119

Rep: Reputation: 20
something like
Quote:
iptables -A output-o eth0 sport 25 -j DROP
will certainly do the job
 
Old 04-14-2011, 11:26 AM   #3
sattech2000
LQ Newbie
 
Registered: Apr 2011
Posts: 5

Original Poster
Rep: Reputation: 0
Could you give me an explanation of that command? I am fairly new to OpenBSD and Linux/UNIX in general. From my research I have found iptables apply to linux. I am using OpenBSD and not sure where that is implemented.

Thank you
Randy
 
Old 04-14-2011, 11:56 AM   #4
gezley
Member
 
Registered: Sep 2009
Location: Ireland
Distribution: Slackware-64, Crux-64, NetBSD-64
Posts: 558

Rep: Reputation: 270Reputation: 270Reputation: 270
Quote:
Originally Posted by sattech2000 View Post
Our ISP setup and installed an OpenBSD Firewall at the border doing NAT translation. I’m running a linux mailserver internally. It seems about every six months someone brings an infected laptop into the building that starts sending out spam and gets us blacklisted. I’m looking for something that will block all outgoing port 25 except for the mail server. Notification (email or ?) would be a big bonus.

I have been playing around with
pass out quick on $ext_if proto tcp from $emailserver to any port 25 flags S/SA synproxy state
block out on $ext_if proto tcp from any to any port 25
however everytime I run that rule the email server returns "no route to host" when I try to ping outside servers.
What I would do is block on the internal interface, as follows:
Code:
## macros
int_if = "192.168.1.100/32"
lan = "192.168.1.0/24"
mail_ports = { 25 465 587 }
mail_server = "192.168.1.50/32"

## filtering - block traffic on all interfaces
block log all

## let traffic out on all interfaces
pass out keep state

## block in all traffic on internal interface
## destined for mail ports
block in on $int_if from $lan to any port $mail_ports

## pass in traffic on internal interface from mail server
## destined for mail ports
pass in on $int_if from $mail_server to any port $mail_ports

## pass all other traffic coming in on
## internal interface
pass in on $int_if from $lan to any

Last edited by gezley; 04-14-2011 at 12:02 PM.
 
Old 04-14-2011, 02:31 PM   #5
sattech2000
LQ Newbie
 
Registered: Apr 2011
Posts: 5

Original Poster
Rep: Reputation: 0
For some reason I cannot even get the block to work on the $int_if. I can get it to work on the $ext_if I'm just beating my head going in circles trying to figure this out. Attached is my pf.conf
Have any recommendations?



# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="xl0"
int_if="xl1"
emailserver = "x.x.11.1"
spamfirewall = "x.x.11.2"
remoteaccess = "x.x.11.13"
automation = "x.x.11.21"
ftpserver = "x.x.11.29"

email = "{ pop3, imap, imap3, imaps, pop3s }"


#table <spamd-white> persist

set skip on { lo enc0 $int_if }

scrub in

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> \
127.0.0.1 port 8021

#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
# -> 127.0.0.1 port spamd

rdr on $ext_if proto tcp from any to $ext_if port \
$email -> $emailserver
rdr on $ext_if proto tcp from any to $ext_if port \
587 -> $emailserver port smtp

rdr on $ext_if proto tcp from any to $ext_if port \
smtp -> $spamfirewall
rdr on $ext_if proto tcp from any to $ext_if port \
8080 -> $spamfirewall port 80

rdr on $ext_if proto udp from any to $ext_if port \
500 -> $automation
rdr on $ext_if proto tcp from any to $ext_if port \
1723 -> $remoteaccess
rdr on $ext_if proto tcp from any to $ext_if port \
1792 -> $remoteaccess
rdr on $ext_if proto udp from any to $ext_if port \
1701 -> $remoteaccess

rdr on $ext_if proto udp from any to $ext_if port \
6502 -> $automation

rdr on $ext_if proto tcp from any to $ext_if port \
ftp -> $ftpserver

anchor "ftp-proxy/*"
block in
pass out

pass quick on $int_if no state
antispoof quick for { lo $int_if }

pass in quick inet proto icmp from any to any keep state queue icmp
pass out inet proto icmp from any to any keep state queue icmp

pass in quick on $ext_if inet proto esp from any to $ext_if:0 keep state
pass out quick on $ext_if inet proto esp from $ext_if:0 to any keep state

pass in on $ext_if proto tcp to ($ext_if) port ssh

pass in quick on $ext_if proto udp from any to $ext_if:0 port isakmp
pass out quick on $ext_if proto udp from $ext_if:0 to any port isakmp

pass in on $ext_if proto tcp from any to $emailserver port $email \
flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $emailserver port 587 \
flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $emailserver port smtp \
flags S/SA synproxy state

pass in on $ext_if proto tcp from any to $spamfirewall port smtp \
flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $spamfirewall port http \
flags S/SA synproxy state

pass in on $ext_if proto tcp from any to $remoteaccess port 1723 \
flags S/SA synproxy state
pass in on $ext_if proto udp from any to $remoteaccess port 1701 \
keep state
pass in on $ext_if proto tcp from any to $remoteaccess port 1792 \
flags S/SA synproxy state

# VPN GRE PROTOCALL
pass in proto gre all keep state
pass out proto gre all keep state
#
pass in on $ext_if proto udp from any to $remoteaccess port 500 \
keep state

pass in on $ext_if proto udp from any to $automation port 6502 \
keep state

pass in on $ext_if proto tcp from any to $ftpserver port ftp \
flags S/SA synproxy state
 
Old 04-14-2011, 04:41 PM   #6
gezley
Member
 
Registered: Sep 2009
Location: Ireland
Distribution: Slackware-64, Crux-64, NetBSD-64
Posts: 558

Rep: Reputation: 270Reputation: 270Reputation: 270
Quote:
Originally Posted by sattech2000 View Post
For some reason I cannot even get the block to work on the $int_if. I can get it to work on the $ext_if I'm just beating my head going in circles trying to figure this out. Attached is my pf.conf
Have any recommendations?



# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="xl0"
int_if="xl1"
emailserver = "x.x.11.1"
spamfirewall = "x.x.11.2"
remoteaccess = "x.x.11.13"
automation = "x.x.11.21"
ftpserver = "x.x.11.29"

email = "{ pop3, imap, imap3, imaps, pop3s }"


#table <spamd-white> persist

set skip on { lo enc0 $int_if }

scrub in

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> \
127.0.0.1 port 8021

#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
# -> 127.0.0.1 port spamd

rdr on $ext_if proto tcp from any to $ext_if port \
$email -> $emailserver
rdr on $ext_if proto tcp from any to $ext_if port \
587 -> $emailserver port smtp

rdr on $ext_if proto tcp from any to $ext_if port \
smtp -> $spamfirewall
rdr on $ext_if proto tcp from any to $ext_if port \
8080 -> $spamfirewall port 80

rdr on $ext_if proto udp from any to $ext_if port \
500 -> $automation
rdr on $ext_if proto tcp from any to $ext_if port \
1723 -> $remoteaccess
rdr on $ext_if proto tcp from any to $ext_if port \
1792 -> $remoteaccess
rdr on $ext_if proto udp from any to $ext_if port \
1701 -> $remoteaccess

rdr on $ext_if proto udp from any to $ext_if port \
6502 -> $automation

rdr on $ext_if proto tcp from any to $ext_if port \
ftp -> $ftpserver

anchor "ftp-proxy/*"
block in
pass out

pass quick on $int_if no state
antispoof quick for { lo $int_if }

pass in quick inet proto icmp from any to any keep state queue icmp
pass out inet proto icmp from any to any keep state queue icmp

pass in quick on $ext_if inet proto esp from any to $ext_if:0 keep state
pass out quick on $ext_if inet proto esp from $ext_if:0 to any keep state

pass in on $ext_if proto tcp to ($ext_if) port ssh

pass in quick on $ext_if proto udp from any to $ext_if:0 port isakmp
pass out quick on $ext_if proto udp from $ext_if:0 to any port isakmp

pass in on $ext_if proto tcp from any to $emailserver port $email \
flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $emailserver port 587 \
flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $emailserver port smtp \
flags S/SA synproxy state

pass in on $ext_if proto tcp from any to $spamfirewall port smtp \
flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $spamfirewall port http \
flags S/SA synproxy state

pass in on $ext_if proto tcp from any to $remoteaccess port 1723 \
flags S/SA synproxy state
pass in on $ext_if proto udp from any to $remoteaccess port 1701 \
keep state
pass in on $ext_if proto tcp from any to $remoteaccess port 1792 \
flags S/SA synproxy state

# VPN GRE PROTOCALL
pass in proto gre all keep state
pass out proto gre all keep state
#
pass in on $ext_if proto udp from any to $remoteaccess port 500 \
keep state

pass in on $ext_if proto udp from any to $automation port 6502 \
keep state

pass in on $ext_if proto tcp from any to $ftpserver port ftp \
flags S/SA synproxy state
You can't get block to work on $int_if because you're using a "pass quick" rule which means none of the rules following the "pass quick" rule are applied:

Code:
pass quick on $int_if no state
Rules relating to $int_if after this simply aren't processed.

My advice is remove all "quick" keywords and let pf process your rules top to bottom, last matching rule wins. If I get a chance I'll tidy your ruleset although I'm by no means an expert at this either but it's better for you to go through it yourself first.

Last edited by gezley; 04-14-2011 at 07:27 PM.
 
Old 04-15-2011, 12:16 PM   #7
sattech2000
LQ Newbie
 
Registered: Apr 2011
Posts: 5

Original Poster
Rep: Reputation: 0
This is AWSOME! Thank you very much. This is exactly how I learn the best. The config I listed is how my ISP set it up. This will be my first change that I’m making to it and I appreciate all your input. I have removed all the quicks for testing and still cannot get the block to work on the int_if I’m scratching my head at the moment.

I should note this firewall is also doing a branch office vpn connection to another office of ours.
 
Old 04-15-2011, 04:04 PM   #8
gezley
Member
 
Registered: Sep 2009
Location: Ireland
Distribution: Slackware-64, Crux-64, NetBSD-64
Posts: 558

Rep: Reputation: 270Reputation: 270Reputation: 270
Quote:
Originally Posted by sattech2000 View Post
This is AWSOME! Thank you very much. This is exactly how I learn the best. The config I listed is how my ISP set it up. This will be my first change that I知 making to it and I appreciate all your input. I have removed all the quicks for testing and still cannot get the block to work on the int_if I知 scratching my head at the moment.

I should note this firewall is also doing a branch office vpn connection to another office of ours.
I've just spotted the reason blocking on $int_if doesn't work: your ISP in their wisdom set up your pf ruleset to skip the internal interface, and enc0 as well, which I suspect is the VPN interface. Skipping on enc0 should be fine (it is a trusted VPN after all) but not on $int_if.

Remove $int_if from your "set skip on ... " rule. Flush your ruleset and restart firewall:

Code:
pfctl -F rules
pfctl -d
pfctl -e
Then your firewall will process rules on the internal interface.
 
Old 04-15-2011, 05:34 PM   #9
sattech2000
LQ Newbie
 
Registered: Apr 2011
Posts: 5

Original Poster
Rep: Reputation: 0
Thank you VERY MUCH! I started going through the rules one by one so I had a full understanding of what was going on and caught that. Just wasn't sure how it should be handled. More playing I have to do
 
Old 04-25-2011, 10:23 AM   #10
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 231Reputation: 231Reputation: 231
sattech2000,

Welcome to LQ. Hope your time here helps you as much as mine has helped me.

Please put code, command line output, config files, etc. inside [CODE] tags, aka "Code:" blocks.

It will make your posts easier to read, & that will get you more, faster, better answers. -- Help us help you.
BTW, You can edit your post(s) to do this retroactively.

Thank you, & again, welcome.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
with iptables, how-to redirect outgoing mail from port 25 to port 587 thumbelina Linux - Networking 12 03-19-2012 09:26 AM
[SOLVED] ipTables rule to block a port for all internal IP Addresses except one pranaysharmadelhi Linux - Security 8 07-08-2009 08:57 AM
Which qmail log file details outgoing mail? (have huge outgoing mail volume) hilljockey Linux - Server 2 12-08-2008 05:26 PM
Send outgoing mail to a specific IP address and port starkhorn Linux - Software 1 01-31-2008 06:20 PM
internal mail server not receiving port 25 brian1978 Suse/Novell 1 02-22-2006 07:53 AM


All times are GMT -5. The time now is 09:34 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration