How to block all outgoing port 25 except internal mail server.
Our ISP set up and installed an OpenBSD firewall at the border doing NAT translation. I'm running a Linux mail server internally. It seems about every six months someone brings an infected laptop into the building that starts sending out spam and gets us blacklisted. I'm looking for something that will block all outgoing port 25 except for the mail server. Notification (email or ?) would be a big bonus.
I have been playing around with
Code:
pass out quick on $ext_if proto tcp from $emailserver to any port 25 flags S/SA synproxy state
block out on $ext_if proto tcp from any to any port 25
however, every time I run that rule the email server returns "no route to host" when I try to ping outside servers. I'm fairly new to the OpenBSD world, so any suggestions on overall monitoring or logging that could be set up on the firewall would be great also.
Thank you Randy
Something like this from the Cisco world:
Code:
access-list acl_out permit tcp host X.X.X.X any eq 25
access-list acl_out deny tcp any any eq 25
access-list acl_out permit ip any any |
something like
Quote:
|
Could you give me an explanation of that command? I am fairly new to OpenBSD and Linux/UNIX in general. From my research I have found that iptables applies to Linux. I am using OpenBSD and am not sure where that is implemented.
Thank you Randy |
Quote:
Code:
## macros |
For some reason I cannot even get the block to work on the $int_if. I can get it to work on the $ext_if; I'm just beating my head going in circles trying to figure this out. Attached is my pf.conf.
Have any recommendations?
Code:
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

## macros
ext_if="xl0"
int_if="xl1"
emailserver = "x.x.11.1"
spamfirewall = "x.x.11.2"
remoteaccess = "x.x.11.13"
automation = "x.x.11.21"
ftpserver = "x.x.11.29"
email = "{ pop3, imap, imap3, imaps, pop3s }"
#table <spamd-white> persist

## options
set skip on { lo enc0 $int_if }

## normalization
scrub in

## translation (nat/rdr)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> \
	127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#	-> 127.0.0.1 port spamd
rdr on $ext_if proto tcp from any to $ext_if port \
	$email -> $emailserver
rdr on $ext_if proto tcp from any to $ext_if port \
	587 -> $emailserver port smtp
rdr on $ext_if proto tcp from any to $ext_if port \
	smtp -> $spamfirewall
rdr on $ext_if proto tcp from any to $ext_if port \
	8080 -> $spamfirewall port 80
rdr on $ext_if proto udp from any to $ext_if port \
	500 -> $automation
rdr on $ext_if proto tcp from any to $ext_if port \
	1723 -> $remoteaccess
rdr on $ext_if proto tcp from any to $ext_if port \
	1792 -> $remoteaccess
rdr on $ext_if proto udp from any to $ext_if port \
	1701 -> $remoteaccess
rdr on $ext_if proto udp from any to $ext_if port \
	6502 -> $automation
rdr on $ext_if proto tcp from any to $ext_if port \
	ftp -> $ftpserver

## filtering
anchor "ftp-proxy/*"
block in
pass out

pass quick on $int_if no state

antispoof quick for { lo $int_if }

pass in quick inet proto icmp from any to any keep state queue icmp
pass out inet proto icmp from any to any keep state queue icmp

pass in quick on $ext_if inet proto esp from any to $ext_if:0 keep state
pass out quick on $ext_if inet proto esp from $ext_if:0 to any keep state

pass in on $ext_if proto tcp to ($ext_if) port ssh

pass in quick on $ext_if proto udp from any to $ext_if:0 port isakmp
pass out quick on $ext_if proto udp from $ext_if:0 to any port isakmp

pass in on $ext_if proto tcp from any to $emailserver port $email \
	flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $emailserver port 587 \
	flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $emailserver port smtp \
	flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $spamfirewall port smtp \
	flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $spamfirewall port http \
	flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $remoteaccess port 1723 \
	flags S/SA synproxy state
pass in on $ext_if proto udp from any to $remoteaccess port 1701 \
	keep state
pass in on $ext_if proto tcp from any to $remoteaccess port 1792 \
	flags S/SA synproxy state

# VPN GRE PROTOCOL
pass in proto gre all keep state
pass out proto gre all keep state

# pass in on $ext_if proto udp from any to $remoteaccess port 500 \
#	keep state
pass in on $ext_if proto udp from any to $automation port 6502 \
	keep state
pass in on $ext_if proto tcp from any to $ftpserver port ftp \
	flags S/SA synproxy state |
Quote:
Code:
pass quick on $int_if no state
My advice is to remove all "quick" keywords and let pf process your rules top to bottom: the last matching rule wins. If I get a chance I'll tidy your ruleset, although I'm by no means an expert at this either, but it's better for you to go through it yourself first. |
This is AWESOME! :) Thank you very much. This is exactly how I learn best. The config I listed is how my ISP set it up. This will be my first change that I'm making to it and I appreciate all your input. I have removed all the quicks for testing and still cannot get the block to work on the int_if. I'm scratching my head at the moment.
I should note this firewall is also doing a branch office vpn connection to another office of ours. |
Quote:
Remove $int_if from your "set skip on ... " rule. Flush your ruleset and restart firewall: Code:
pfctl -F rules |
Thank you VERY MUCH! I started going through the rules one by one so I had a full understanding of what was going on and caught that. Just wasn't sure how it should be handled. More playing I have to do :)
|
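The thread settles on filtering the LAN side of the firewall and taking $int_if out of "set skip"; what it never shows is the finished rule pair, or the notification the original post asked for. The script below is an added example, not code from the thread or from anyone in it. It assumes the poster's macros ($int_if, $emailserver), the pre-4.7 "nat on" pf syntax the posted ruleset uses, that $int_if has already been removed from "set skip", and that /var/log/pflog is where pflogd writes. The pflog lines it parses are constructed sample data, not real logs. Filtering "in on $int_if" rather than "out on $ext_if" is deliberate: with "nat on $ext_if", an outbound filter rule on $ext_if sees the already translated source address, so a "pass out on $ext_if from $emailserver" rule can never match.

```shell
#!/bin/sh
# Added example (not from the LinuxQuestions thread). Assumes OpenBSD pf with
# the thread's $int_if / $emailserver macros, pre-4.7 "nat on" syntax, and
# $int_if removed from "set skip". Sample log lines below are constructed.

# Rule fragment to append at the END of /etc/pf.conf. With "quick" removed,
# the last matching rule wins, so the specific pass for the mail server must
# come after the general block. "log" sends matches to pflog0 for the notifier.
smtp_egress_rules() {
	cat <<'EOF'
# Outbound SMTP: block everything from the LAN, log it, allow only the mail server
block in log on $int_if proto tcp from any to any port smtp
pass  in     on $int_if proto tcp from $emailserver to any port smtp keep state
EOF
}

# Read "tcpdump -n -e -ttt -r /var/log/pflog port 25" output on stdin and
# print the unique LAN addresses whose SMTP connections pf blocked.
smtp_offenders() {
	awk '
	/ block in on / {
		src = ""; dst = ""
		for (i = 1; i <= NF; i++)
			if ($i == ">") { src = $(i - 1); dst = $(i + 1) }
		# dst looks like 203.0.113.10.25: ; keep only port-25 destinations
		if (dst ~ /\.25:$/) {
			sub(/\.[0-9]+$/, "", src)   # strip the ephemeral source port
			print src
		}
	}' | sort -u
}

# Build the notification body; returns 1 when there is nothing to report, so a
# cron job can do:  ... | smtp_report && mail -s "blocked SMTP" admin@example.com
smtp_report() {
	hosts=$(smtp_offenders)
	[ -n "$hosts" ] || return 1
	printf 'Blocked outbound SMTP from these internal hosts (see pflog):\n%s\n' "$hosts"
}

# Constructed sample of "tcpdump -n -e -ttt -r /var/log/pflog" output (not real
# data): two LAN hosts blocked on port 25, the mail server (10.0.11.1) passed,
# and one unrelated blocked web connection that must not be reported.
SAMPLE_PFLOG='000000 rule 3/(match) block in on xl1: 10.0.11.77.40123 > 203.0.113.10.25: S 100:100(0) win 65535
000001 rule 4/(match) pass in on xl1: 10.0.11.1.51000 > 203.0.113.10.25: S 200:200(0) win 65535
000002 rule 3/(match) block in on xl1: 10.0.11.55.49152 > 198.51.100.7.25: S 300:300(0) win 65535
000003 rule 2/(match) block in on xl1: 10.0.11.55.49153 > 198.51.100.7.80: S 400:400(0) win 65535
000004 rule 3/(match) block in on xl1: 10.0.11.55.49154 > 198.51.100.9.25: S 500:500(0) win 65535'

# Stand-alone run: demo on the sample; "--live" reads the real pflog file.
if [ "${1:-}" = "--live" ]; then
	tcpdump -n -e -ttt -r /var/log/pflog port 25 | smtp_report
else
	printf '%s\n' "$SAMPLE_PFLOG" | smtp_report
fi
```

Check the appended rules with `pfctl -nf /etc/pf.conf` before loading them with `pfctl -f /etc/pf.conf`, and watch hits live with `tcpdump -n -e -ttt -i pflog0 port 25`. Two caveats: hosts on the same LAN segment as the mail server never cross the firewall, so they still reach it directly, while anything routed through the firewall (including the branch-office VPN) is covered by the block; and rereading the whole /var/log/pflog from cron reports the same hosts until pflogd rotates the file, so for a one-shot alert either read the live pflog0 interface or rotate the log after each report.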
sattech2000,
Welcome to LQ. Hope your time here helps you as much as mine has helped me. Please put code, command line output, config files, etc. inside [CODE] tags, aka "Code:" blocks. It will make your posts easier to read, & that will get you more, faster, better answers. -- Help us help you. BTW, You can edit your post(s) to do this retroactively. Thank you, & again, welcome. |