# how to block port 25 in



## l2f (May 7, 2010)

Hello,

On my firewall I have the following rules:


```
$fwcmd 6000 $skip tcp from any to any 25 out via $pif setup keep-state
$fwcmd 6100 $skip tcp from any to any 110 out via $pif setup keep-state
```

$pif is my public interface, the one that is connected to my ISP.

to allow outgoing mail, but I ran nmap against my firewall and got the following result:


```
Starting Nmap 4.20 ( http://insecure.org ) at 2010-05-07 09:13 EDT
Warning:  OS detection for 74.59.40.171 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on modemcable171.40-59-74.mc.videotron.ca (74.59.40.171):
Not shown: 1695 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
25/tcp open  smtp
Device type: general purpose
Running (JUST GUESSING) : OpenBSD 4.X (89%), Apple Mac OS X 10.3.X|10.4.X (88%)
Aggressive OS guesses: OpenBSD 4.0 (sparc64) (89%), Applie Mac OS X 10.3.9 - 10.4.7 (88%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 40.791 seconds
```

(not bad: no FreeBSD shows up in the OS detection)

I ran nmap from one of my FreeBSD stations inside my LAN.

My firewall is ipfw, on: FreeBSD volvo 7.2-RELEASE-p7 FreeBSD 7.2-RELEASE-p7 #0: Mon Mar  1 13:57:18 EST 2010     root@pbsd.muhc.mcgill.ca:/opt2/source/obj-7.2/opt2/source/src/sys/PATRIOTEBSD17  i386

I tried the following ipfw rules:

```
ipfw add 5999 drop log logamount 5 all from any to any dst-port 25 in via $pif
```
or

```
ipfw add 5999 drop log logamount 5 all from any to any 25 recv $pif
```
or

```
ipfw add 5999 drop log logamount 5 all from any to any dst-port 25 in recv $pif
```

I ran nmap again and got the same result?!

I am lost...

How do I block incoming connections (from the outside world) to port 25, while still being able to send e-mail to the outside world?

Regards,

l2f


----------



## SirDice (May 7, 2010)

Run sendmail in local-submit-only mode. In /etc/rc.conf:

```
sendmail_enable="NO"
```


----------



## l2f (May 7, 2010)

Hello,

I already did it:


```
sendmail_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_flags="-L sm-msp-queue -Ac -q15m"
sendmail_submit_flags="-L sm-mta -bd -q15m -ODaemonPortOptions=localhost"
```

Maybe I messed up the rc.conf?

Regards,

l2f


----------



## anomie (May 7, 2010)

@l2f: Following a default FreeBSD install, sendmail should only be listening on tcp 25 on localhost. That's with _no_ additional rc.conf(5) entries, since the needed directives are already in place in /etc/defaults/rc.conf. 

Let's see the output of `% sockstat -4l`

At this point I'm half suspecting something odd about your nmap scan... 

For example, have you tested doing an SMTP telnet session from another host?


----------
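The check anomie asks for above is whether the MTA is bound to localhost or to every address. On FreeBSD the default `sendmail_submit_flags` in /etc/defaults/rc.conf carries `-ODaemonPortOptions=Addr=localhost`, so a correctly configured submit-only sendmail shows up in `sockstat -4l` as `127.0.0.1:25`; a `*:25` line means the daemon is reachable on all interfaces and only the firewall stands between it and the Internet. The following is an added example, not code from the thread: it parses the text format of `sockstat -4l` and reports TCP listeners on watched ports that are not bound to loopback. The sample output is constructed to resemble the one posted in this thread.

```python
# Added example (not from the thread): parse "sockstat -4l" text output
# from FreeBSD and flag TCP listeners bound to the "*" wildcard address
# on ports that should stay local, such as 25.
# The sample below is constructed to resemble the thread's output.

SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1296  3  tcp4   *:22                  *:*
root     sendmail   1242  4  tcp4   *:25                  *:*
root     sendmail   1243  5  tcp4   127.0.0.1:587         *:*
root     syslogd    1015  7  udp4   *:514                 *:*
root     natd       881   4  div4   *:8668                *:*
"""

# Addresses that are only reachable from the host itself.
LOCAL_ONLY = {"127.0.0.1", "::1"}


def parse_sockstat(text):
    """Return one dict per socket line; the header line is skipped.

    sockstat prints whitespace-separated columns: USER COMMAND PID FD
    PROTO LOCAL-ADDRESS FOREIGN-ADDRESS. The local address is split on
    its last ':' so that IPv6 literals would also work.
    """
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue
        user, command, pid, fd, proto, local, _foreign = fields[:7]
        addr, _, port = local.rpartition(":")
        listeners.append({
            "user": user,
            "command": command,
            "pid": int(pid),
            "proto": proto,
            "addr": addr,      # "*" means bound to every address
            "port": int(port),
        })
    return listeners


def exposed_listeners(listeners, watched_ports=(25,)):
    """TCP sockets on a watched port that are not bound to loopback."""
    return [
        (l["command"], l["addr"], l["port"])
        for l in listeners
        if l["proto"].startswith("tcp")
        and l["port"] in watched_ports
        and l["addr"] not in LOCAL_ONLY
    ]


if __name__ == "__main__":
    sockets = parse_sockstat(SAMPLE_SOCKSTAT)
    for command, addr, port in exposed_listeners(sockets, (25, 587)):
        print(f"{command} listens on {addr}:{port}, reachable beyond localhost")
```

On a live system feed it the real output (`sockstat -4l | python3 check.py` with a small `sys.stdin.read()` wrapper) or extend `watched_ports` to every service that should never be reachable from the public interface. In the sample, only the `*:25` sendmail line is reported; the MSA on `127.0.0.1:587` is correctly local.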



## l2f (May 7, 2010)

Hello,

The output of sockstat -4l:


```
# sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
root     sshd       1296  3  tcp4   *:22                  *:*
root     sendmail   1242  4  tcp4   *:25                  *:*
root     syslogd    1015  7  udp4   *:514                 *:*
root     natd       881   4  div4   *:8668                *:*
```

The telnet session from another host on my LAN:

```
telnet 192.168.0.1 25
Trying 192.168.0.1...
Connected to volvo.maison.org.
Escape character is '^]'.
HELO
220 volvo.maison.org ESMTP Sendmail 8.14.3/8.14.3; Fri, 7 May 2010 11:32:25 GMT
501 5.0.0 HELO requires domain address
```

And to my public IP address from the same PC on my LAN:


```
telnet xxx.59.40.xxx 25
Trying xxx.59.40.x...
Connected to modemcablexxx.40-59-xxx.mc.xxxxxxxxxx.ca.
Escape character is '^]'.
HELO
220 volvo.maison.org ESMTP Sendmail 8.14.3/8.14.3; Fri, 7 May 2010 11:34:08 GMT
501 5.0.0 HELO requires domain address
```

Very strange!

Regards,

l2f


----------



## anomie (May 7, 2010)

Did you install a new MTA (other than sendmail) from ports? 

Also, could you post your entire /etc/rc.conf?


----------



## l2f (May 7, 2010)

Hello

Other MTAs:

```
fetchmail-6.3.9
ssmtp-2.61.11.1_2
```

My /etc/mail/mailer.conf

```
# $FreeBSD: src/etc/mail/mailer.conf,v 1.3.30.1 2008/10/02 02:57:24 kensmith Exp $
#
# Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail
#
sendmail        /usr/libexec/sendmail/sendmail
send-mail       /usr/libexec/sendmail/sendmail
mailq           /usr/libexec/sendmail/sendmail
newaliases      /usr/libexec/sendmail/sendmail
hoststat        /usr/libexec/sendmail/sendmail
purgestat       /usr/libexec/sendmail/sendmail
```

To be sure:

```
# ll /usr/libexec/sendmail/sendmail 
-r-xr-sr-x  1 root  smmsp   650K Mar 10 14:20 /usr/libexec/sendmail/sendmail
```


My (raw) /etc/rc.conf (comments translated from French):


```
# -- sysinstall generated deltas -- # Tue Dec 13 17:21:16 2005
# Created: Tue Dec 13 17:21:15 2005
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.

arpproxy_all="YES"

# ro fs
tmpmfs="YES"
tmpsize="4M"
tmpmfs_flags="-S"
varmfs="YES"
varmfs_flags="-S"
varsize="16M"
populate_var="YES"

# special pbsd
change_su_enable="YES"
change_su_fichier="/etc/progsuid.lst"

clear_tmp_enable="YES"
# mef: exec script that itself checks whether it is enabled,
# whereas it should be rc that decides what to start
# too slow at boot
pflog_enable="NO"
# remove /etc/rc.d/sendmail => takes too long to check
# that it does not start in inbound mode
sendmail_enable="NO"
# yes by default: sendmail_msp_queue_enable="NO"
# no external mail
sendmail_outbound_enable="NO"

# change flag for local
# 15 minutes instead of 30
sendmail_msp_queue_flags="-L sm-msp-queue -Ac -q15m"

# change submit flag to 15 minutes instead of 30
sendmail_submit_flags="-L sm-mta -bd -q15m -ODaemonPortOptions=localhost"
# can send mail
# yes by default: sendmail_submit_enable="YES"
#sendmail_msp_queue_enable="NO"
#sendmail_rebuild_aliases="NO"
postfix_enable="NO"

#extra firewalling options
tcp_extensions="YES"    # if problems, set to NO
tcp_keepalive="YES"     # check whether the connection is active
log_in_vain="YES"
tcp_drop_synfin="YES"   #change to NO if create webserver
tcp_restrict_rst="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"

# natd
natd_enable="YES"
natd_interface="rl0"
natd_flags="-dynamic -m -u -s"
#" -redirect_port tcp 192.168.1.1:80 80 -redirect_port tcp 192.168.1.1:443 443"
# -f /etc/natd.conf"
# root fs: ro
root_rw_mount="NO"

# firewall startup script
firewall_enable="YES"
# firewall rules
# with sshguard patriotebsdfirewall v101
firewall_script="/etc/ipfw.rules.8"

# rules script
#firewall_type="/etc/ipfw.rules"

firewall_quiet="NO" #change to YES once happy with rules
firewall_logging_enable="YES"

update_motd="NO"
gateway_enable="YES"
hostname="volvo"
ifconfig_xl0="inet 192.168.0.1  netmask 255.255.255.0"
ifconfig_rl0="DHCP"
#ifconfig_rl0="inet 192.168.1.1 netmask 255.255.252.0"

ifpolling_enable="YES"
ifpolling_liste="rl0 xl0"

static_routes="reseauwifi"
route_reseauwifi="-net 192.168.1.0/24 192.168.0.2"

inetd_enable="NO"
# problem: /etc is read-only
linux_enable="NO"
moused_enable="NO"
nfs_server_enable="NO"
rpcbind_enable="NO"
saver="patriotebsd"
sshd_enable="YES"

# denyhosts
#denyhosts_enable="YES"
usbd_enable="YES"
syslog_flags="-ss -4"

# kernel
kern_securelevel_enable="YES"
# maximum level with ipfw still operational
kern_securelevel=2

# ntpd
ntpd_enable="YES"
#ntpd_program="/usr/sbin/ntpd"
ntpd_flags="-p /var/run/ntpd.pid -l /var/log/ntp.log"

# sshdefence
cloned_interfaces="disc0"
ifconfig_disc0="inet 0.0.0.1 netmask 255.0.0.0"

# crontab
cronutil_enable="YES"
cronutil_liste="/root/root.cron /home/patriotebsd/patriotebsd.cron"

# to create a swapfile
faireswap_enable="NO"
faireswap_taillemax="64"

# swap detection
detectswap_enable="NO"

# sshdefencefifo
sshdefencefifo_enable="YES"
accounting_enable="YES"

# dhcpd
dhcpd_enable="YES"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="xl0"
dhcpd_withumask="022"
dhcpd_withuser="dhcpd"
dhcpd_withgroup="dhcpd"
dhcpd_chuser_enable="YES"

# speaker, if not compiled into the kernel
speaker_enable="NO"

# it's a livecd => no savecore
dumpdev="NO"

# junkbuster
junkbuster_enable="NO"
```

I did not modify /etc/defaults/rc.conf:

```
# ll /etc/defaults/rc.conf 
-r--r--r--  1 root  wheel    35K Sep 23  2009 /etc/defaults/rc.conf
# wc  /etc/defaults/rc.conf
     666    4470   35336 /etc/defaults/rc.conf
```

I use `mail` to send my e-mail:

```
# ll `which mail`
-r-xr-xr-x  3 root  wheel    77K Mar 10 14:19 /usr/bin/mail
```


Regards,

l2f


----------



## anomie (May 7, 2010)

ssmtp is likely the offending program that is listening. See this FreeBSD wiki entry on ssmtp, and this quick guide (from our old friend _scottro_, BTW).


----------



## anomie (May 7, 2010)

And getting back to your original question (I realize this is a firewall thread), there is nothing syntactically or logically wrong with a rule like: 

```
# ipfw -q add 00500 deny tcp from any to any 25 in via interface_here
```

If you're not able to make that work, then you must be matching some other prior rule. Use `# ipfw show` to view counters to help troubleshoot.


----------



## l2f (May 7, 2010)

Hello,

When I put the following options in my /etc/rc.conf, sendmail does not start at all, so my /etc/defaults/rc.conf is good:


```
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
```

I found (after googling: http://www.macosxhints.com/article.php?story=20030522162520409) the following trick: remove the -bd flag in /etc/rc.conf.
In my case:

```
sendmail_submit_flags="-bd -L sm-mta -q15m -ODaemonPortOptions=localhost"
# changed to
sendmail_submit_flags="-L sm-mta -q15m -ODaemonPortOptions=localhost"
```

And it's OK: my nmap scan no longer reports port 25 open, and I tried to send mail to my Yahoo account and it works.

I tried the other solution from the above URL (/etc/mail/themachine_hostname.mc):

```
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet, address=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Family=inet, address=127.0.0.1, Port=587, Name=MSA, M=E')dnl
CLIENT_OPTIONS(`Family=inet, Address=0.0.0.0')dnl
```

with the -bd flag back in my /etc/rc.conf.

It does not work: my nmap scan reports port 25 open and I am able to telnet to it from within my LAN or from outside, so keep the -bd flag removed.

As usual, sendmail is still a mystery to me.

But I am wondering why the ipfw rule does not work.

Regards,

l2f


----------



## l2f (May 7, 2010)

Hello,

I will investigate this way.

Thank you for your help and time.

l2f


----------



## l2f (May 8, 2010)

*Good news, and solved*

Hello,

I investigated the ipfw rule, and it does not work from inside my LAN because I use the divert keyword. So the packet is diverted before reaching the deny rule.

I did an nmap scan from outside my LAN (a friend's wifi), and the scan saw only the SSH port.

```
1st scan os detection: 
Running (JUST GUESSING) : Avaya embedded (86%), NetworkAlchemy embedded (86%)
Aggressive OS guesses: Avaya Office IP403 VoIP gateway (86%), NetworkAlchemy ArgentBranch PBX (86%).
No exact OS matches for host (test conditions non-ideal).

2nd scan os detection: nothing
```

So you can use the -bd flag with sendmail and the ipfw rule above.

Thanks to everyone for helping me and taking the time to try to resolve this problem (special thanks to anomie).

Regards,

l2f


----------
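The deny rules in the opening post and the finding in the last post (the rule behaves differently for a scan from the LAN and for one from the Internet) both come down to how ipfw walks its ruleset. The following is an added example, not code from the thread and not ipfw itself: a small first-match evaluator for a subset of ipfw syntax that models the two properties at play. First, rules are tried in number order and the first match decides; a `divert natd` rule numbered before the deny sees the packet first, and when natd reinjects the packet ipfw resumes at the rule after the divert. Second, `in via rl0` only matches packets received on that interface, and a packet sent by a LAN host to the firewall's own public address is received on the LAN interface, not on the public one. The interface names `rl0` (the thread's `$pif`) and `xl0`, the rule numbers and the source addresses are assumptions chosen to mirror the thread; the public address is the one from the nmap output. The authoritative check on a real system remains the per-rule counters in `ipfw show`, as anomie suggested.

```python
# Added example (not from the thread): a first-match evaluator for a
# subset of ipfw rule syntax, to reason about why an "in via $pif" deny
# rule sees a scan from the Internet but not one from the LAN.
# Hypothetical interfaces: rl0 = public side ($pif), xl0 = LAN side.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str       # "tcp", "udp", ...
    src: str
    dst: str
    dport: int
    direction: str   # "in" or "out", as ipfw sees the packet
    iface: str       # interface the packet was received on / sent out


@dataclass
class Rule:
    number: int
    action: str                       # "allow", "deny" or "divert"
    proto: str = "ip"                 # "ip" / "all" match any protocol
    dport: Optional[int] = None       # destination port, None = any
    direction: Optional[str] = None   # "in", "out" or None = either
    via: Optional[str] = None         # interface name, None = any

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", "all") and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.via is not None and self.via != pkt.iface:
            return False
        return True


def evaluate(rules, pkt):
    """Walk the ruleset in number order; the first matching rule decides.

    A divert rule hands the packet to natd; when natd reinjects it, ipfw
    resumes at the rule after the divert, which is modelled by continuing
    the walk. Returns (final_action, rule_number, diverted_by_rule).
    """
    diverted_by = None
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(pkt):
            continue
        if rule.action == "divert":
            diverted_by = rule.number
            continue
        return rule.action, rule.number, diverted_by
    return "deny", 65535, diverted_by   # ipfw's default rule


PIF, LAN_IF = "rl0", "xl0"               # assumed interface names
PUBLIC_IP = "74.59.40.171"               # from the thread's nmap output


def thread_ruleset(deny_via: Optional[str] = PIF):
    """Ruleset shaped like the thread's: natd divert, then the port 25 rules."""
    return [
        Rule(50, "divert", via=PIF),                                      # natd
        Rule(5999, "deny", "tcp", dport=25, direction="in", via=deny_via),
        Rule(6000, "allow", "tcp", dport=25, direction="out", via=PIF),   # outgoing mail
        Rule(65000, "allow"),                                             # catch-all
    ]


def scan_from_internet():
    # Constructed source address from the documentation range.
    pkt = Packet("tcp", "203.0.113.5", PUBLIC_IP, 25, "in", PIF)
    return evaluate(thread_ruleset(), pkt)


def scan_from_lan(deny_via: Optional[str] = PIF):
    # A LAN host probing the firewall's public address: the packet is
    # received on the LAN interface, so "in via rl0" never matches it.
    pkt = Packet("tcp", "192.168.0.10", PUBLIC_IP, 25, "in", LAN_IF)
    return evaluate(thread_ruleset(deny_via), pkt)


if __name__ == "__main__":
    print("Internet -> :25            ", scan_from_internet())
    print("LAN -> :25, deny in via rl0", scan_from_lan())
    print("LAN -> :25, deny in (any)  ", scan_from_lan(deny_via=None))
```

Run as is, the Internet-side probe is diverted at rule 50 and then denied at 5999, which is what the scan from the friend's wifi observed, while the LAN-side probe falls through to the catch-all and is allowed, which is what the scans from inside the LAN observed. Dropping the `via` qualifier (third line) makes the deny rule match the LAN probe too, at the cost of also blocking LAN hosts that submit mail to the firewall; whether that is wanted depends on whether the box is meant to relay for the LAN.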

