
How do I configure my firewall to allow email services?

The only truly reliable way is to build your system, enable your firewall, and then exercise your mail system in every conceivable way. When the firewall blocks something it should allow, adjust the rules and proceed. Putting the log keyword on the final deny rule (with IPFIREWALL_VERBOSE in the kernel) makes this much faster, because the system log (/var/log/security on FreeBSD) then shows exactly which port the next blocked service needs. Within a day or two, you should be all set.

Can you be more specific?

Sort of. I can't tell you how to configure your firewall, but I can tell you how I configure mine. I use IPFW, which is built right into FreeBSD. Technically, I use IPFW2, but that little fact is largely irrelevant. I configure /etc/rc.firewall and modify the client or simple section, depending on how the machine is configured on my network(s). Here are the parts of my firewall script that are relevant to Mail::Toaster:

    # Allow TCP through if setup succeeded
    ${fwcmd} add pass tcp from any to any established
    # Allow access to our DNS
    ${fwcmd} add pass tcp from any to ${net}:${mask} 53 setup
    ${fwcmd} add pass udp from any to ${net}:${mask} 53
    ${fwcmd} add pass udp from ${net}:${mask} 53 to any
    # Allow setup of incoming email
    ${fwcmd} add pass tcp from any to ${net}:${mask} 25,587 setup
    # Allow access to our WWW
    ${fwcmd} add pass tcp from any to ${net}:${mask} 80,443 setup
    # Allow access to MAIL clients
    ${fwcmd} add pass tcp from any to ${net}:${mask} 110,143,993,995 setup
    # Allow DNS queries out in the world
    ${fwcmd} add pass udp from ${ip} to any 53
    ${fwcmd} add pass udp from any 53 to ${ip}
    # Allow NTP queries out in the world
    ${fwcmd} add pass udp from ${ip} to any 123 keep-state
    # Allow DCC & Pyzor (note: the return rule is stateless, so any UDP datagram
    # whose source port is 6277 or 24441 is accepted on our unprivileged ports
    # whether or not we sent a query; keep-state, as on the NTP rule, would tighten it)
    ${fwcmd} add allow udp from ${ip} to any 6277,24441
    ${fwcmd} add allow udp from any 6277,24441 to ${ip} 1024-65535

I use the IPFIREWALL_DEFAULT_TO_ACCEPT kernel option and then explicitly deny all packets at the end of my firewall ruleset. With the default rule (65535) set to accept, flushing and reloading the rules on the fly never leaves the box in a deny-everything state, so I can change my ipfw rules without worrying about disconnecting my SSH connection to the server. (Yes, I know how to get around that, but that doesn't mean I always remember.) The trade-off is that the host is unfiltered for the moment between the flush and the reload, and if the script ever fails before it reaches the final deny rule it stays that way, so after every reload confirm with ipfw list that the deny really is the last rule. So, I end up adding the following options to my kernel config file:

    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=100
    options IPFIREWALL_DEFAULT_TO_ACCEPT
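To see how the ruleset above actually behaves (first match wins; setup and established are TCP flag tests; keep-state creates a dynamic rule; the explicit deny at the end backstops the default-to-accept kernel), here is a small first-match evaluator written for this page as an added example. It is not Mail::Toaster code and not part of rc.firewall. The addresses 192.0.2.0/24, 192.0.2.10, 198.51.100.7 and 203.0.113.x are constructed documentation addresses standing in for ${net}:${mask}, ${ip} and remote hosts, and only the rules quoted on this page are loaded, so a port the real script opens elsewhere (SSH, for instance) is denied here.

```python
"""Toy first-match evaluator for the ipfw ruleset quoted above (added example,
not Mail::Toaster or rc.firewall code).  All addresses are constructed."""
from dataclasses import dataclass

NET = "192.0.2."     # stands in for ${net}:${mask} (constructed, TEST-NET-1)
IP = "192.0.2.10"    # stands in for ${ip} (constructed)
UNPRIV = range(1024, 65536)


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def any_addr(_a):
    return True


def our_net(a):
    return a.startswith(NET)


def our_ip(a):
    return a == IP


# (action, proto, src, sports, dst, dports, option): one tuple per ipfw line on
# this page, in the same order.  A port set of None means "any port".
RULES = [
    ("pass", "tcp", any_addr, None, any_addr, None, "established"),
    ("pass", "tcp", any_addr, None, our_net, {53}, "setup"),
    ("pass", "udp", any_addr, None, our_net, {53}, None),
    ("pass", "udp", our_net, {53}, any_addr, None, None),
    ("pass", "tcp", any_addr, None, our_net, {25, 587}, "setup"),
    ("pass", "tcp", any_addr, None, our_net, {80, 443}, "setup"),
    ("pass", "tcp", any_addr, None, our_net, {110, 143, 993, 995}, "setup"),
    ("pass", "udp", our_ip, None, any_addr, {53}, None),
    ("pass", "udp", any_addr, {53}, our_ip, None, None),
    ("pass", "udp", our_ip, None, any_addr, {123}, "keep-state"),
    ("pass", "udp", our_ip, None, any_addr, {6277, 24441}, None),
    ("pass", "udp", any_addr, {6277, 24441}, our_ip, set(UNPRIV), None),
    ("deny", "ip", any_addr, None, any_addr, None, None),  # the explicit deny at the end
]


class Firewall:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.state = set()  # dynamic rules created by keep-state, keyed by 5-tuple

    @staticmethod
    def _match(rule, p):
        _action, proto, src, sports, dst, dports, opt = rule
        if proto != "ip" and proto != p.proto:
            return False
        if not (src(p.src) and dst(p.dst)):
            return False
        if sports is not None and p.sport not in sports:
            return False
        if dports is not None and p.dport not in dports:
            return False
        if opt == "established":   # ipfw: ACK or RST bit set
            return p.ack or p.rst
        if opt == "setup":         # ipfw: SYN set, ACK clear
            return p.syn and not p.ack
        return True

    def check(self, p):
        """Action for p: dynamic state first (a simplification of where ipfw
        consults it), then the first matching static rule."""
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        back = (p.proto, p.dst, p.dport, p.src, p.sport)
        if flow in self.state or back in self.state:
            return "pass"
        for rule in self.rules:
            if self._match(rule, p):
                if rule[6] == "keep-state":
                    self.state.add(flow)
                return rule[0]
        return "pass"  # rule 65535 under IPFIREWALL_DEFAULT_TO_ACCEPT; unreachable past the deny


def evaluate_samples():
    """Run constructed packets through the ruleset; returns {name: action}."""
    fw = Firewall()
    remote = "198.51.100.7"    # constructed remote mail client
    ntp_srv = "203.0.113.5"    # constructed NTP server we query
    stranger = "203.0.113.9"   # constructed host we never talked to
    return {
        "smtp_syn": fw.check(Pkt("tcp", remote, 40000, IP, 25, syn=True)),
        "smtp_data": fw.check(Pkt("tcp", remote, 40000, IP, 25, ack=True)),
        "ssh_syn": fw.check(Pkt("tcp", remote, 40001, IP, 22, syn=True)),
        "ntp_reply_cold": fw.check(Pkt("udp", ntp_srv, 123, IP, 50000)),
        "ntp_query": fw.check(Pkt("udp", IP, 50000, ntp_srv, 123)),
        "ntp_reply_warm": fw.check(Pkt("udp", ntp_srv, 123, IP, 50000)),
        "dcc_srcport_spoof": fw.check(Pkt("udp", stranger, 6277, IP, 2049)),
    }


if __name__ == "__main__":
    for name, action in evaluate_samples().items():
        print(f"{name:18} {action}")
```

The two UDP cases are the ones worth studying: an NTP reply arriving before any query is denied and only passes once the keep-state rule has recorded our outgoing query, whereas the stateless DCC/Pyzor return rule passes a datagram to port 2049 from a host we never contacted, purely because the sender chose source port 6277. Adding keep-state to the outbound DCC/Pyzor rule and dropping the stateless return rule gives it the NTP behaviour.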

Last modified on 5/26/05.