Re: [suse-security] Suse 8.2 firewall configuration: blocking port 25 from the internal network
Arjen de Korte
2004-03-22 20:22:00
On Monday 22 March 2004 09:05, Wilfred van Velzen wrote: Our policy is to let anything go out. ;-)
That's not a policy. That's unrestricted access by default and trying to plug all the holes you leave open. Rest assured, your users will find ways around your blockade in no time (there are plenty of forwarders available). In time you'll find that closing everything by default and opening what's allowed is far easier (and more secure) to administer.
This block was just to prevent accidental virus infections from bothering the outside internet, not to prevent users from doing certain things.
I changed this to:
iptables -A forward_int -s 192.168.0.1 -p tcp --dport 25 -j ACCEPT
iptables -A forward_int -p tcp --dport 25 -j REJECT
Because our email server needs to be able to go through!
Since you have left everything wide open, you could put all of this in one line:
iptables -A forward_int ! -s 192.168.0.1/32 -p tcp --dport 25 -j DROP
It is almost always better to DROP connections than to REJECT them. Since the SuSEfirewall2 scripts provide a pretty CPU-intensive set of rules by default, it makes sense to keep your own additions as limited as possible.

Ok. Do I need to specify the interface here? Or won't this prevent SMTP connections from the outside from reaching the mail server on the inside?

On the outside, sure, but on the inside of a firewall? I want to keep the machines on the inside running as fast as possible. Dropping might slow them down a bit...

Best regards,
Wilfred van Velzen
--
SERCOM Regeltechniek b.v.
Heereweg 9, 2161 AB Lisse, Nederland
+31 (0)252 416530 (voice), +31 (0)252 419481 (fax)
http://www.sercom.nl/
The METAALUNIEVOORWAARDEN, as filed with the registry of the District Court of Rotterdam in their most recently deposited text, apply to all our quotations, to all orders placed with us and to all agreements concluded with us. The terms of delivery will be sent to you on request.
Possibly one of the niftiest features of the SuSEfirewall2 wrapper is the FW_REDIRECT= string. I use this at all my sites, making sure that ANYONE internal who tries to send data via port 25 to ANYWHERE gets redirected to the firewall on port 25. I then set up postfix to allow OPEN_RELAY for all interfaces and set up some very strict header, sender and recipient checks. This has cut my virus infiltration (without antivirus) down to almost never. (I do of course run antivirus, but I prefer to let the lightweight postfix app pre-process before asking the antivirus to do anything.)

Having the redirect set up also allows me to set up laptop users' SMTP account settings to be whatever ISP's SMTP server they will use when they dial up, without having to change any settings when they get into the office; much simpler and less troublesome than running POP-before-SMTP or other flavours of SMTP auth.

Another nice thing about this redirect is that you can easily check your logs for redirect entries to see who is trying to send data out directly, a most marvelous way of telling your users to piss off when they whine about why they can't misuse company resources any more.
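The two approaches discussed in this thread, Arjen's "one exception, drop the rest" rule and Barry's "redirect everything to the firewall's own MTA", as an added example that is not code from any of the posters. It assumes an internal interface eth1, an internal network 192.168.0.0/24, a mail server at 192.168.0.1 (the host from the thread), and a custom chain forward_int that already hangs off FORWARD for traffic coming in from the LAN, as in the SuSEfirewall2 layout the thread uses; the log prefix, the sample log lines and the hostname "fw" are constructed for the example. The functions only print the iptables commands so they can be reviewed before being piped to a shell on the firewall.

```shell
#!/bin/sh
# Added example, not part of the thread. Generates iptables rules for keeping
# internal hosts from speaking SMTP to the outside world directly, then shows
# how to read the resulting kernel log lines. All names below are assumptions.

LAN_IF="${LAN_IF:-eth1}"             # internal interface (assumed)
LAN_NET="${LAN_NET:-192.168.0.0/24}" # internal network (assumed)
MAILHOST="${MAILHOST:-192.168.0.1}"  # the only LAN host allowed to relay outbound
LOG_PREFIX="SMTP-EGRESS: "           # constructed prefix; LOG allows at most 29 chars

# Variant 1: one ACCEPT for the mail server, everything else logged and DROPped.
# Binding every rule to "-i $LAN_IF" means they only match packets that arrived
# from the LAN, so SMTP coming in from the internet towards $MAILHOST is not
# touched by this chain at all. The LOG rule is rate-limited so a worm-infected
# host cannot fill the disk with log lines.
smtp_egress_rules() {
    cat <<EOF
iptables -A forward_int -i $LAN_IF -s $MAILHOST -p tcp --dport 25 -j ACCEPT
iptables -A forward_int -i $LAN_IF -p tcp --dport 25 -m limit --limit 6/minute -j LOG --log-prefix "$LOG_PREFIX"
iptables -A forward_int -i $LAN_IF -p tcp --dport 25 -j DROP
EOF
}

# Variant 2: what FW_REDIRECT does underneath. Nothing is dropped; every SMTP
# connection from the LAN is transparently redirected to port 25 on the firewall
# itself, where the local MTA filters and relays. The nat table only sees the
# first packet of a connection, so LOG here writes one line per connection.
smtp_redirect_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 25 -m limit --limit 6/minute -j LOG --log-prefix "$LOG_PREFIX"
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 25 -j REDIRECT --to-ports 25
EOF
}

# Reads kernel log lines on stdin (e.g. from /var/log/messages or journalctl -k)
# and prints "count source-address" for every internal host that tried to send
# mail directly, busiest host first. Works for both variants above because both
# use the same LOG prefix.
offenders() {
    grep -F "$LOG_PREFIX" | sed -n 's/.*SRC=\([0-9.]*\) .*/\1/p' | sort | uniq -c | sort -rn
}

# Constructed sample of what the LOG target above writes (not a real capture).
sample_log() {
    cat <<'EOF'
Mar 22 20:22:01 fw kernel: SMTP-EGRESS: IN=eth1 OUT=eth0 SRC=192.168.0.17 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 22 20:22:05 fw kernel: SMTP-EGRESS: IN=eth1 OUT=eth0 SRC=192.168.0.17 DST=198.51.100.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=51240 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 22 20:23:10 fw kernel: SMTP-EGRESS: IN=eth1 OUT=eth0 SRC=192.168.0.42 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 22 20:23:11 fw kernel: martian source 10.0.0.1 from 192.0.2.9, on dev eth0
EOF
}

# Usage on the firewall (after sourcing this file):
#   smtp_egress_rules | sh          # or smtp_redirect_rules | sh
#   sample_log | offenders          # try it on the constructed lines first
#   offenders < /var/log/messages   # then on the real log
```

Pick one variant, not both: with the redirect in place the DROP rules in forward_int never match, because the connection is rewritten in PREROUTING before it reaches FORWARD. The `offenders` report is the "check your logs for redirect entries" step from the post above, in a form that can be run from cron.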
participants (2)
-
Barry Gill
-
Wilfred van Velzen