# ipfw rules for email on email server



## amylichti (Feb 16, 2014)

Hello,
I am using FreeBSD 9.1 on a box used for an email server. I have ipfw running and when the firewall is on I can NOT get email from the outside no matter what rules I put in.
Right now here are the rules that I have (I have tried many):

```
$IPF 150 allow tcp from me to me 25 in via $prif keep-state
$IPF 151 allow tcp from me to any 25 out via $prif keep-state
$IPF 152 allow tcp from me to me 25 in via $pif keep-state
$IPF 153 allow tcp from me to any 25 out via $pif keep-state
$IPF 211 allow tcp from me to me 110 in via $prif keep-state
$IPF 212 allow tcp from me to any 110 out via $prif keep-state
$IPF 213 allow tcp from me to me 110 in via $pif keep-state
$IPF 214 allow tcp from me to any 110 out via $pif keep-state
```

I have 2 interfaces: 1 internet, 1 Ethernet.
Please help me figure this out. I have googled many sites with no luck.
Thank you,
Amy


----------



## wblock@ (Feb 16, 2014)

Where is the rule that allows outside systems to connect to your port 25 for mail?


----------



## amylichti (Feb 16, 2014)

This is what I have now and it still doesn't work.

```
$IPF 81 allow tcp from any to any via $prif keep-state
$IPF 82 allow tcp from any to any 25 via $pif keep-state
$IPF 83 allow tcp from any to any 110 via $pif keep-state
$IPF 84 allow tcp from any to any 143 via $pif keep-state
$IPF 85 allow tcp from any to any 465 via $pif keep-state
$IPF 86 allow tcp from any to any 585 via $pif keep-state
$IPF 87 allow tcp from any to any 993 via $pif keep-state
$IPF 88 allow tcp from any to any 995 via $pif keep-state
```


----------



## wblock@ (Feb 16, 2014)

What are $prif and $pif?  Mostly, it looks like the rules are too specific.  Beyond that, I don't recall the IPFW syntax well enough to say if via is the right word.


----------



## amylichti (Feb 16, 2014)

I have 2 interfaces. `prif` is private and `pif` is public.

Here is what I have now:


```
$IPF 80 allow tcp from any to any via $prif keep-state
$IPF 81 allow tcp from any to any 22 setup keep-state
$IPF 82 allow tcp from any to any 25 setup keep-state
$IPF 83 allow tcp from any to any 53 setup keep-state
$IPF 84 allow udp from any to any 53 keep-state
$IPF 85 allow tcp from any to any 80 setup keep-state
$IPF 86 allow tcp from any to any 110 setup keep-state
$IPF 87 allow tcp from any to any 161 setup keep-state
$IPF 89 allow tcp from any to any 465 setup keep-state
$IPF 90 allow tcp from any to any 585 setup keep-state
$IPF 91 allow tcp from any to any 587 setup keep-state
$IPF 92 allow tcp from any to any 993 setup keep-state
$IPF 93 allow tcp from any to any 995 setup keep-state
```


----------



## amylichti (Feb 16, 2014)

via is used to specify the interface.


----------



## trh411 (Feb 16, 2014)

Maybe you should show us your entire IPFW ruleset? It could be that an earlier rule is discarding mail packets before you even get to rule #80. Place on pastebin and post a link here if it is a really big ruleset.


----------



## amylichti (Feb 16, 2014)

Here you go:


```
IPF="ipfw -q add"
ipfw -q -f flush
pif="em1"        # public interface
prif="em0"       # private (Ethernet) interface

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 75 allow icmp from any to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 80 allow tcp from any to any via $prif keep-state
$IPF 81 allow tcp from any to any 22 setup keep-state
$IPF 82 allow tcp from any to any 25 setup keep-state
$IPF 83 allow tcp from any to any 53 setup keep-state
$IPF 84 allow udp from any to any 53 keep-state
$IPF 85 allow tcp from any to any 80 setup keep-state
$IPF 86 allow tcp from any to any 110 setup keep-state
$IPF 87 allow tcp from any to any 161 setup keep-state
$IPF 89 allow tcp from any to any 465 setup keep-state
$IPF 90 allow tcp from any to any 585 setup keep-state
$IPF 91 allow tcp from any to any 587 setup keep-state
$IPF 92 allow tcp from any to any 993 setup keep-state
$IPF 93 allow tcp from any to any 995 setup keep-state

# deny and log everything
$IPF 500 deny log all from any to any
```


----------



## wblock@ (Feb 16, 2014)

@amylichti, please start formatting your posts.


----------



## wblock@ (Feb 16, 2014)

amylichti said:

> via is used to specify the interface.



No, I'm pretty sure it means more than that.  However, it's been years since I switched to PF, and I never did find IPFW's rules very clear.


----------



## amylichti (Feb 16, 2014)

I do not know how to format my posts. Can you help me with that?
OK.
Is PF better? And what is PF?


----------



## wblock@ (Feb 16, 2014)

amylichti said:

> I do not know how to format my posts. Can you help me with that?

You have about five PMs with links to instructions.

> Is PF better?

Easier to configure, I would say.  Many people still use IPFW, though.


----------



## amylichti (Feb 16, 2014)

But you didn't tell me how to format them.


----------



## trh411 (Feb 16, 2014)

Does it make any difference if you change:

```
$IPF 82 allow tcp from any to any 25 setup keep-state
```
to

```
$IPF 82 allow tcp from any to any 25 keep-state
```


----------



## amylichti (Feb 16, 2014)

Nope...


----------



## wblock@ (Feb 16, 2014)

amylichti said:

> But you didn't tell me how to format them.



Each Private Message had two important links with instructions:

Using tags to format posts
Spelling, capitalization, and punctuation


----------



## trh411 (Feb 16, 2014)

Please paste the contents of /etc/rc.conf.


----------



## amylichti (Feb 16, 2014)

```
hostname="my domain name"
keymap="us.iso.kbd"
ifconfig_em1=" inet x.x.x.x netmask 0xfffffff8"
defaultrouter="x.x.x.x"
ifconfig_em0="inet x.x.x.x netmask 255.255.255.0"
defaultrouter="x.x.x.x"
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"

### Disable Sendmail ###
sendmail_enable="NO"
sendmail_msp_queue_enable="NO"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"

apache22_enable="YES"
mysql_enable="YES"
postfix_enable="YES"

### Courier-Imap Stuff ###
courier_authdaemond_enable="YES"
courier_imap_pop3d_enable="YES"
courier_imap_imapd_enable="YES"

webmin_enable="YES"

inetd_enable="YES"

### nmbd_enable="YES"
### smbd_enable="YES"

firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
```


----------



## amylichti (Feb 16, 2014)

wblock@ said:

> amylichti said:
>
> ...




Okay, will try to remember all that


----------



## amylichti (Feb 16, 2014)

I think that maybe my rc.conf file does not like the second interface, but I still do not think that it would have anything to do with email. What do you think?


----------



## amylichti (Feb 16, 2014)

Okay. I took the second interface out of the `rc.conf` and here is what my ipfw.rules file looks like now.
I now need to do some more tweaking of it.


```
IPF="ipfw -q add"
ipfw -q -f flush
pif="em1"        # public interface
# prif="em0"     # private (Ethernet) interface

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 75 allow icmp from any to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 80 allow tcp from me to any 22 keep-state
$IPF 82 allow tcp from any to any 25 in keep-state
$IPF 83 allow tcp from any to any 25 out keep-state
$IPF 84 allow tcp from any to any 53 keep-state
$IPF 85 allow udp from any to any 53 keep-state
$IPF 86 allow tcp from any to any 80 keep-state
$IPF 87 allow tcp from any to any 110 in keep-state
$IPF 88 allow tcp from any to any 110 out keep-state
$IPF 89 allow tcp from any to any 161 keep-state
$IPF 90 allow tcp from any to any 465 keep-state
$IPF 91 allow tcp from any to any 585 keep-state
$IPF 92 allow tcp from any to any 587 keep-state
$IPF 93 allow tcp from any to any 993 keep-state
$IPF 94 allow tcp from any to any 995 keep-state

# deny and log everything
$IPF 500 deny log all from any to any
```


And it works...
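To make concrete why the first post's `from me to me 25 in` rule never let outside mail in while the final `from any to any 25 in` rule does, here is a small first-match evaluator for the subset of ipfw syntax used in this thread. It is an added example, not ipfw itself and not code from this thread; the server addresses, the remote MTA address and the packet fields are constructed assumptions, and keep-state/check-state dynamic rules are not modelled.

```python
import ipaddress

# Constructed: the server's own addresses, which is what ipfw's "me" expands to.
ME = {"203.0.113.10", "192.0.2.10"}

def _host_ok(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    """Match one rule body against a packet dict (proto, src, dst, dport, dir, iface, syn)."""
    t = [w for w in rule.split() if w != "log"]          # 'log' does not affect matching
    if t[1] not in ("all", "ip", pkt["proto"]):
        return False
    src, dst = t[t.index("from") + 1], t[t.index("to") + 1]
    opts = t[t.index("to") + 2:]                          # optional dst port, then options
    if opts and opts[0].isdigit() and pkt["dport"] != int(opts.pop(0)):
        return False
    if not (_host_ok(src, pkt["src"]) and _host_ok(dst, pkt["dst"])):
        return False
    if ("in" in opts or "out" in opts) and pkt["dir"] not in opts:
        return False
    if "via" in opts and opts[opts.index("via") + 1] != pkt["iface"]:
        return False
    if "setup" in opts and not pkt.get("syn", False):     # setup = initial SYN only
        return False
    return True

def first_match(ruleset, pkt):
    """ipfw is first-match: (number, action) of the first hit, else default 65535 deny."""
    for line in ruleset:
        num, body = line.split(None, 1)
        if rule_matches(body, pkt):
            return int(num), body.split()[0]
    return 65535, "deny"

# Constructed: an inbound SMTP SYN from a remote MTA arriving on the public interface em1.
SMTP_SYN = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10",
            "dport": 25, "dir": "in", "iface": "em1", "syn": True}
# Rule 150 from the first post ("from me to me") versus rule 82 from the final ruleset.
ORIGINAL = ["150 allow tcp from me to me 25 in via em1 keep-state",
            "500 deny log all from any to any"]
FINAL = ["82 allow tcp from any to any 25 in keep-state",
         "500 deny log all from any to any"]

print(first_match(ORIGINAL, SMTP_SYN))  # (500, 'deny'): the remote MTA is not "me"
print(first_match(FINAL, SMTP_SYN))     # (82, 'allow')
```

Running it shows the original rule falling through to the catch-all deny because a remote sender never matches `from me`, which is the gap wblock@ pointed at in the first reply.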


----------

