ipfw rules??
Also, I have an MX agent upstream that spam-assassinates and virus scans any incoming to my home domain. Now, the MX agent arrives on a non-standard port to my home router, and is port-forwarded to port 25 on quicksilver. So, at quicksilver, there is incoming smtp traffic from its localhost interface (my tunneled ssh users), 192.168.1.x users (local LAN) and my MX agent (via port forward).
I would like to restrict the IP address of traffic arriving at the non-standard port of the router to only allow my MX agent's smtp servers' IP addresses. But my router is not robust enough to filter on an IP address range such as 1.2.3.0/28, or, using this example, even on 16 individual entries (one per IP address) in a router port-forwarding firewall table. Anything from any external domain that arrived at that port would be forwarded to the quicksilver smtp server. So if I want to restrict inbound traffic on my internet-facing smtp port to just the MX agent, that only leaves the mail server's IPFW firewall as the last filter to block the bad guys, I think.
I'd have to read up on the syntax of the "ipfw add" commands, but generally speaking, these rules are evaluated in order, correct? So I could make three "allow" ipfw commands from localhost to port 25, from 192.168.1.0/24 to port 25, from MX.agent's.IP.pool/28 to port 25 and finish up with a final "deny" rule from "any" to port 25 (since if any of the previous, lower-numbered rules were met first, the "deny" rule would be preempted, right?)?
Message was edited by: j.v.
<Edited by Host>
2008 Mac Pro, 2001 Quicksilver, Mac OS X (10.5.7)
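The rule set described in the post, written out as the literal `ipfw add` lines together with a small first-match simulator, so the ordering question (do the lower-numbered allows preempt the final deny?) can be checked before touching the live firewall. This is an added example, not code from the original post; it assumes the MX agent's pool is the placeholder 1.2.3.0/28 used above and that the router only rewrites the destination (DNAT) when forwarding, so the MX agent's real source address reaches quicksilver. If the router also rewrites the source, the agent's traffic would arrive from the router's LAN address and match the 192.168.1.0/24 rule instead, and the /28 rule would never fire.

```python
"""Added example (not from the original post): the inbound SMTP rule set as
ipfw commands plus a first-match simulator.  Assumptions: MX agent pool is
the page's placeholder 1.2.3.0/28; router does DNAT only (source IP kept)."""
import ipaddress

SMTP_PORT = 25

# (rule number, action, source network).  ipfw walks rules in ascending
# number order; the first matching allow/deny ends the search for that packet.
SMTP_RULES = [
    (1000, "allow", "127.0.0.1/32"),      # ssh-tunnelled users on lo0
    (1100, "allow", "192.168.1.0/24"),    # local LAN
    (1200, "allow", "1.2.3.0/28"),        # MX agent pool (placeholder value)
    (1300, "deny",  "0.0.0.0/0"),         # everything else, logged
]


def ipfw_commands(rules=SMTP_RULES):
    """Render the table as the literal `ipfw add` lines to run as root."""
    lines = []
    for number, action, src in rules:
        src_txt = "any" if src == "0.0.0.0/0" else src
        log = " log" if action == "deny" else ""
        lines.append(f"ipfw add {number} {action}{log} tcp from {src_txt} "
                     f"to me {SMTP_PORT} in")
    return lines


def first_match(src_ip, rules=SMTP_RULES):
    """Simulate ipfw first-match evaluation for an inbound SMTP packet.

    Returns (rule number, action) of the first rule whose source network
    contains src_ip; falls through to the default final rule 65535."""
    ip = ipaddress.ip_address(src_ip)
    for number, action, src in sorted(rules):   # ascending rule number
        if ip in ipaddress.ip_network(src):
            return number, action
    return 65535, "allow"   # Mac OS X default last rule: allow ip from any to any


if __name__ == "__main__":
    print("\n".join(ipfw_commands()))
    for probe in ("127.0.0.1", "192.168.1.40", "1.2.3.9", "203.0.113.5"):
        print(probe, "->", first_match(probe))
```

After applying the rules, `sudo ipfw list` shows them in the order ipfw will evaluate them.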