diff --git a/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml b/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml
index 3442759459..40017a94e3 100644
--- a/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml
@@ -1,3127 +1,3127 @@
Joseph J.BarbishContributed by BradDavisConverted to SGML and updated by FirewallsfirewallsecurityfirewallsIntroductionFirewalls make it possible to filter
incoming and outgoing traffic that flows through your system.
A firewall can use one or more sets of rules to
inspect the network packets as they come in or go out of your
network connections and either allows the traffic through or
blocks it. The rules of a firewall can inspect one or more
characteristics of the packets, including but not limited to the
protocol type, the source or destination host address, and the
source or destination port.Firewalls can greatly enhance the security of a host or a
network. They can be used to do one or more of
the following things:To protect and insulate the applications, services and
machines of your internal network from unwanted traffic
coming in from the public Internet.To limit or disable access from hosts of the internal
network to services of the public Internet.To support network address translation
(NAT), which allows your internal network
to use private IP addresses and share a
single connection to the public Internet (either with a
single IP address or by a shared pool of
automatically assigned public addresses).After reading this chapter, you will know:How to properly define packet filtering rules.The differences between the firewalls
built into &os;.How to use and configure the OpenBSD
PF firewall.How to use and configure
IPFILTER.How to use and configure
IPFW.Before reading this chapter, you should:Understand basic &os; and Internet concepts.Firewall ConceptsfirewallrulesetsThere are two basic ways to create firewall rulesets:
inclusive or exclusive. An
exclusive firewall allows all traffic through except for the
traffic matching the ruleset. An inclusive firewall does the
reverse. It only allows traffic matching the rules through and
blocks everything else.Inclusive firewalls are generally safer than exclusive
firewalls because they significantly reduce the risk of allowing
unwanted traffic to pass through the firewall.Security can be tightened further using a stateful
firewall. With a stateful firewall the firewall keeps
track of which connections are opened through the firewall and
will only allow traffic through which either matches an existing
connection or opens a new one. The disadvantage of a stateful
firewall is that it can be vulnerable to Denial of Service
(DoS) attacks if a lot of new connections are
opened very fast. With most firewalls it is possible to use a
combination of stateful and non-stateful behavior to make an
optimal firewall for the site.Firewall Software Applications&os; has three different firewall software products built into
the base system. They are IPFILTER (also known as IPF),
IPFIREWALL (also known as IPFW) and PF (OpenBSD's PacketFilter). IPFIREWALL has the built
in DUMMYNET traffic shaper facilities for controlling bandwidth
usage. IPFILTER does not have a built in traffic shaper facility
for controlling bandwidth usage, but the ALTQ port application
can be used to accomplish the same function. The DUMMYNET
feature and ALTQ is generally useful only to
large ISPs or commercial users. IPF, IPFW and PF use rules to
control the access of packets to and from your system, although
they go about it different ways and have different rule
syntaxes.The IPFW sample rule set (found in
/etc/rc.firewall) delivered in the basic
install is outdated, complicated and does not use stateful rules
on the interface facing the public Internet. It exclusively uses
legacy stateless rules which only have the ability to open or
close the service ports. The IPFW example stateful rules sets
presented here supercede the
/etc/rc.firewall file distributed with the
system.Stateful rules have technically advanced interrogation
abilities capable of defending against the flood of different
methods currently employed by attackers.All of these firewall software solutions IPF, IPFW and PF still
maintain their legacy heritage of their original rule processing
order and reliance on non-stateful rules. These outdated
concepts are not covered here, only the new, modern stateful
rule construct and rule processing order is presented.You should read about both of them and make your own
decision on which one best fits your needs.The author prefers IPFILTER because its stateful rules are
much less complicated to use in a NAT
environment and it has a built in ftp proxy that simplifies the
rules to allow secure outbound FTP usage. It is also more
appropriate to the knowledge level of the inexperienced firewall
user.Since all firewalls are based on interrogating the values of
selected packet control fields, the creator of the firewall
rules must have an understanding of how
TCP/IP works, what the different values in
the packet control fields are and how these values are used in a
normal session conversation. For a good explanation go to:
.The Packet Filter (PF) FirewallfirewallPFAs of July 2003 the OpenBSD firewall software application
known as PF was ported to &os; and was made
available in the &os; Ports Collection; the first release that
contained PF as an integrated part of the
base system was &os; 5.3 in November 2004.
PF is a complete, fully featured firewall
that contains ALTQ for bandwidth usage
management in a way similar to what DUMMYNET provides in
IPFW. The OpenBSD project does an
outstanding job of maintaining the PF users' guide that it will
not be made part of this handbook firewall section as that would
just be duplicated effort.The availability of PF for the various &os; releases and versions is
summarized below:&os; VersionPF AvailabilityPre-4.X versionsPF is not available for any release of &os; older than the
4.X branch.All versions of the 4.X branchPF is available as part of KAME.5.X releases before 5.3-RELEASEThe security/pf
port can be used to install PF on these versions of &os;.
These releases were targeted to developers and people who
wanted a preview of early 5.X versions. Upgrading to
5.3-RELEASE or newer versions of &os; is strongly
recommended.5.3-RELEASE and later versionsPF is part of the base system.
Do not use the
security/pf port
on these versions of &os;. It will not work.
Use the &man.pf.4; support of the base system instead.More info can be found at the PF for &os; web site: .The OpenBSD PF user's guide is here: .PF in &os; 5.X is at the level of OpenBSD version 3.5. The
port from the &os; Ports Collection is at the level of OpenBSD
version 3.4. Keep that in mind when browsing the user's
guide.Enabling PFPF is included in the basic &os; install for versions newer than
5.3 as a separate run time loadable module. The system will dynamically load
the PF kernel loadable module when the rc.conf statement
pf_enable="YES" is used. The
loadable module was created with &man.pflog.4; logging
enabled.Kernel optionskernel optionsdevice pfkernel optionsdevice pflogkernel optionsdevice pfsyncIt is not a mandatory requirement that you enable PF by
compiling the following options into the &os; kernel. It is only
presented here as background information. Compiling PF into the
kernel causes the loadable module to never be used.Sample kernel config PF option statements are in the
/usr/src/sys/conf/NOTES kernel source and are
reproduced here:device pf
device pflog
device pfsyncdevice pf enables support for the
Packet Filter firewall.device pflog enables the optional
&man.pflog.4; pseudo network device which can be used to log traffic
to a &man.bpf.4; descriptor. The &man.pflogd.8; daemon can be used to
store the logging information to disk.device pfsync enables the optional
&man.pfsync.4; pseudo network device that is used to monitor
state changes. As this is not part of the loadable
module one has to build a custom kernel to use it.These settings will take effect only after you have built and
installed a kernel with them set.Available rc.conf OptionsYou need the following statements in /etc/rc.conf
to activate PF at boot time:pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_flags="" # additional flags for pfctl startup
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startupIf you have a LAN behind this firewall and have to forward
packets for the computers in the LAN or want to do NAT, you have to
enable the following option as well:gateway_enable="YES" # Enable as Lan gatewayThe IPFILTER (IPF) FirewallfirewallIPFILTERThe author of IPFILTER is Darren Reed. IPFILTER is not
operating system dependent: it is an open source
application and has been ported to &os;, NetBSD, OpenBSD, SunOS,
HP/UX, and Solaris operating systems. IPFILTER is actively being
supported and maintained, with updated versions being released
regularly.IPFILTER is based on a kernel-side firewall and
NAT mechanism that can be controlled and
monitored by userland interface programs. The firewall rules can
be set or deleted with the &man.ipf.8; utility. The
NAT rules can be set or deleted with the
&man.ipnat.1; utility. The &man.ipfstat.8; utility can print
run-time statistics for the kernel parts of IPFILTER. The
&man.ipmon.8; program can log IPFILTER actions to the system log
files.IPF was originally written using a rule processing logic of
the last matching rule wins and used only
stateless type of rules. Over time IPF has been enhanced to
include a quick option and a stateful keep
state option which drastically modernized the rules
processing logic. IPF's official documentation covers the legacy
rule coding parameters and the legacy rule file processing
logic. The modernized functions are only included as additional
options, completely understating their benefits in producing a
far superior secure firewall.The instructions contained in this section are based on
using rules that contain the quick option and the
stateful keep state option. This is the basic
framework for coding an inclusive firewall rule set.An inclusive firewall only allows packets matching the rules
to pass through. This way you can control what services can
originate behind the firewall destined for the public Internet
and also control the services which can originate from the
public Internet accessing your private network. Everything else
is blocked and logged by default design. Inclusive firewalls are
much, much more secure than exclusive firewall rule sets and is
the only rule set type covered herein.For detailed explanation of the legacy rules processing
method see:
and .The IPF FAQ is at .Enabling IPFIPFILTERenablingIPF is included in the basic &os; install as a separate
run time loadable module. The system will dynamically load the IPF kernel
loadable module when the rc.conf statement
ipfilter_enable="YES" is used. The loadable
module was created with logging enabled and the default
pass all options. You do not need to compile IPF into
the &os; kernel just to change the default to block
all, you can do that by just coding a block all rule at
the end of your rule set.Kernel optionskernel optionsIPFILTERkernel optionsIPFILTER_LOGkernel optionsIPFILTER_DEFAULT_BLOCKIPFILTERkernel optionsIt is not a mandatory requirement that you enable IPF by
compiling the following options into the &os; kernel. It is
only presented here as background information. Compiling IPF
into the kernel causes the loadable module to never be used.
Sample kernel config IPF option statements are in the
/usr/src/sys/conf/NOTES kernel source
(/usr/src/sys/arch/conf/LINT
for &os; 4.X) and are reproduced here:options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCKoptions IPFILTER enables support for the
IPFILTER firewall.options IPFILTER_LOG enables the
option to have IPF log traffic by writing to the ipl packet
logging pseudo—device for every rule that has the log
keyword.options IPFILTER_DEFAULT_BLOCK
changes the default behavior so any packet not matching a
firewall pass rule gets blocked.These settings will take effect only after you have built
and installed a kernel with them set.Available rc.conf OptionsYou need the following statements in /etc/rc.conf
to activate IPF at boot time:ipfilter_enable="YES" # Start ipf firewall
ipfilter_rules="/etc/ipf.rules" # loads rules definition text file
ipmon_enable="YES" # Start IP monitor log
ipmon_flags="-Ds" # D = start as daemon
# s = log to syslog
# v = log tcp window, ack, seq
# n = map IP & port to namesIf you have a LAN behind this firewall that uses the
reserved private IP address ranges, then you need to add the
following to enable NAT functionality:gateway_enable="YES" # Enable as Lan gateway
ipnat_enable="YES" # Start ipnat function
ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnatIPFipfThe ipf command is used to load your rules file. Normally
you create a file containing your custom rules and use this
command to replace in mass the currently running firewall
internal rules:&prompt.root; ipf -Fa -f /etc/ipf.rules means flush all internal rules tables. means this is the file to read for the rules to load.This gives you the ability to make changes to your custom
rules file, run the above IPF command, and thus update the running
firewall with a fresh copy of all the rules without having to
reboot the system. This method is very convenient for testing new
rules as the procedure can be executed as many times as needed.
See the &man.ipf.8; manual page for details on the other flags
available with this command.The &man.ipf.8; command expects the rules file to be a
standard text file. It will not accept a rules file written as a
script with symbolic substitution.There is a way to build IPF rules that utilizes the power of
script symbolic substitution. For more information, see .IPFSTATipfstatIPFILTERstatisticsThe default behavior of &man.ipfstat.8; is to retrieve and
display the totals of the accumulated statistics gathered as a
result of applying the user coded rules against packets going
in and out of the firewall since it was last started, or since
the last time the accumulators were reset to zero by the
ipf -Z command.See the &man.ipfstat.8; manual page for details.The default &man.ipfstat.8; command output will look
something like this:input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0
output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0
input packets logged: blocked 99286 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 3898 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 169364 lost 0
packet state(out): kept 431395 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Result cache hits(in): 1215208 (out): 1098963
IN Pullups succeeded: 2 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
Packet log flags set: (0)When supplied with either for inbound
or for outbound,
it will retrieve and display the appropriate list of filter
rules currently installed and in use by the kernel.ipfstat -in displays the inbound internal
rules table with rule number.ipfstat -on displays the outbound
internal rules table with the rule number.The output will look something like this:@1 pass out on xl0 from any to any
@2 block out on dc0 from any to any
@3 pass out quick on dc0 proto tcp/udp from any to any keep stateipfstat -ih displays the inbound internal
rules table, prefixing each rule with a count of how many times the
rule was matched.ipfstat -oh displays the outbound
internal rules table, prefixing each rule with a count of how many
times the rule was matched.The output will look something like this:2451423 pass out on xl0 from any to any
354727 block out on dc0 from any to any
430918 pass out quick on dc0 proto tcp/udp from any to any keep stateOne of the most important functions of the
ipfstat command is the
flag which displays the state table in a way
similar to the way &man.top.1; shows the &os; running process
table. When your firewall is under attack this function gives
you the ability to identify, drill down to, and see the
attacking packets. The optional sub-flags give the ability to
select the destination or source IP, port, or protocol that you want to
monitor in real time. See the &man.ipfstat.8; manual page for
details.IPMONipmonIPFILTERloggingIn order for ipmon to work properly, the
kernel option IPFILTER_LOG must be turned on. This command has
two different modes that it can be used in. Native mode is the default
mode when you type the command on the command line without the
flag.Daemon mode is for when you want to have a continuous
system log file available so that you can review logging of past
events. This is how &os; and IPFILTER are configured to work
together. &os; has a built in facility to automatically
rotate system logs. That is why outputting the log information to
syslogd is better than the default of outputting to a regular
file. In the default rc.conf file you see the
ipmon_flags statement uses the flags:ipmon_flags="-Ds" # D = start as daemon
# s = log to syslog
# v = log tcp window, ack, seq
# n = map IP & port to namesThe benefits of logging are obvious. It provides the
ability to review, after the fact, information such as which
packets had been dropped, what addresses they came from and
where they were going. These all give you a significant edge in
tracking down attackers.Even with the logging facility enabled, IPF will not
generate any rule logging on its own. The firewall
administrator decides what rules in the rule set he wants to
log and adds the log keyword to those rules. Normally only
deny rules are logged.It is very customary to include a default deny everything
rule with the log keyword included as your last rule in the
rule set. This way you get to see all the packets that did not
match any of the rules in the rule set.IPMON LoggingSyslogd uses its own special method for segregation of log
data. It uses special groupings called facility
and level. IPMON in mode uses local0 as the
facility name. All IPMON logged data goes to
local0. The following levels can be used to further segregate
the logged data if desired:LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block.
LOG_NOTICE - packets logged which are also passed
LOG_WARNING - packets logged which are also blocked
LOG_ERR - packets which have been logged and which can be considered shortTo setup IPFILTER to log all data to
/var/log/ipfilter.log, you will need to create the
file. The following command will do that:&prompt.root; touch /var/log/ipfilter.logThe syslog function is controlled by definition statements
in the /etc/syslog.conf file. The syslog.conf file offers
considerable flexibility in how syslog will deal with system
messages issued by software applications like IPF.Add the following statement to /etc/syslog.conf:local0.* /var/log/ipfilter.logThe local0.* means to write all the logged messages to the
coded file location.To activate the changes to /etc/syslog.conf
you can reboot or bump the syslog task into
re-reading /etc/syslog.conf by running
/etc/rc.d/syslogd reload
(killall -HUP syslogd in &os; 4.X).Do not forget to change /etc/newsyslog.conf
to rotate the new log you just created above.
The Format of Logged MessagesMessages generated by ipmon consist of data fields
separated by white space. Fields common to all messages are:
The date of packet receipt.The time of packet receipt. This is in the form
HH:MM:SS.F, for hours, minutes, seconds, and fractions of a
second (which can be several digits long).The name of the interface the packet was processed on,
e.g. dc0.The group and rule number of the rule, e.g. @0:17.
These can be viewed with ipfstat -in.The action: p for passed, b for blocked, S for a short
packet, n did not match any rules, L for a log rule. The
order of precedence in showing flags is: S, p, b, n, L. A
capital P or B means that the packet has been logged due to
a global logging setting, not a particular rule.The addresses. This is actually three fields: the
source address and port (separated by a comma), the ->
symbol, and the destination address and port.
209.53.17.22,80 -> 198.73.220.17,1722.PR followed by the protocol name or number, e.g. PR
tcp.len followed by the header length and total length of
the packet, e.g. len 20 40.If the packet is a TCP packet, there will be an additional
field starting with a hyphen followed by letters corresponding
to any flags that were set. See the &man.ipmon.8; manual page
for a list of letters and their flags.If the packet is an ICMP packet, there will be two fields
at the end, the first always being ICMP, and
the next being the ICMP message and sub-message type,
separated by a slash, e.g. ICMP 3/3 for a port unreachable
message.Building the Rule Script with Symbolic SubstitutionSome experienced IPF users create a file containing the
rules and code them in a manner compatible with running them
as a script with symbolic substitution. The major benefit of
doing this is that you only have to change the value associated
with the symbolic name and when the script is run all the rules
containing the symbolic name will have the value substituted in
the rules. Being a script, you can use symbolic substitution to
code frequently used values and substitute them in multiple
rules. You will see this in the following example.The script syntax used here is compatible with the sh, csh,
and tcsh shells.Symbolic substitution fields are prefixed with a dollar
sign: $.Symbolic fields do not have the $ prefix.The value to populate the symbolic field must be enclosed
with double quotes (").Start your rule file with something like this:############# Start of IPF rules script ########################
oif="dc0" # name of the outbound interface
odns="192.0.2.11" # ISP's DNS server IP address
myip="192.0.2.7" # my static IP address from ISP
ks="keep state"
fks="flags S keep state"
# You can choose between building /etc/ipf.rules file
# from this script or running this script "as is".
#
# Uncomment only one line and comment out another.
#
# 1) This can be used for building /etc/ipf.rules:
#cat > /etc/ipf.rules << EOF
#
# 2) This can be used to run script "as is":
/sbin/ipf -Fa -f - << EOF
# Allow out access to my ISP's Domain name server.
pass out quick on $oif proto tcp from any to $odns port = 53 $fks
pass out quick on $oif proto udp from any to $odns port = 53 $ks
# Allow out non-secure standard www function
pass out quick on $oif proto tcp from $myip to any port = 80 $fks
# Allow out secure www function https over TLS SSL
pass out quick on $oif proto tcp from $myip to any port = 443 $fks
EOF
################## End of IPF rules script ########################That is all there is to it. The rules are not important in
this example; how the symbolic substitution fields are populated
and used are. If the above example was in a file named /etc/ipf.rules.script,
you could reload these rules by entering the following
command:&prompt.root; sh /etc/ipf.rules.scriptThere is one problem with using a rules file with embedded
symbolics: IPF does not understand symbolic substitution, and
cannot read such scripts directly.This script can be used in one of two ways:Uncomment the line that begins with cat,
and comment out the line that begins with
/sbin/ipf. Place
ipfilter_enable="YES" into
/etc/rc.conf as usual, and run
script once after each modification to create or update
/etc/ipf.rules.Disable IPFILTER in system startup scripts by
adding ipfilter_enable="NO" (this is
default value) into
/etc/rc.conf file.Add a script like the following to your
/usr/local/etc/rc.d/ startup
directory. The script should have an obvious name like
ipf.loadrules.sh.
The .sh extension is mandatory.#!/bin/sh
sh /etc/ipf.rules.scriptThe permissions on this script file must be read, write,
execute for owner root.&prompt.root; chmod 700 /usr/local/etc/rc.d/ipf.loadrules.shNow, when your system boots, your IPF rules will be
loaded.IPF Rule SetsA rule set is a group of ipf rules coded to pass or block
packets based on the values contained in the packet. The
bi-directional exchange of packets between hosts comprises a
session conversation. The firewall rule set processes the
packet two times, once on its arrival from the public Internet
host and again as it leaves for its return trip back to the
public Internet host. Each TCP/IP service (i.e. telnet, www,
mail, etc.) is predefined by its protocol, source and
destination IP address, or the source and destination port
number. This is the basic selection criteria used to create
rules which will pass or block services.IPFILTERrule processing orderIPF was originally written using a rules processing logic
of the last matching rule wins and used only stateless
rules. Over time IPF has been enhanced to include a quick
option and a stateful keep state option which drastically
modernized the rule processing logic.The instructions contained in this section are based on
using rules that contain the quick option and the stateful
keep state option. This is the basic framework for coding an
inclusive firewall rule set.An inclusive firewall only allows services matching the
rules through. This way you can control what services can
originate behind the firewall destined for the public Internet
and also control the services which can originate from the
public Internet accessing your private network. Everything
else is blocked and logged by default design. Inclusive
firewalls are much, much securer than exclusive firewall rule
sets and is the only rule set type covered herein.When working with the firewall rules, be
very careful. Some configurations
will lock you out of the server.
To be on the safe side, you may wish to consider performing
the initial firewall configuration from the local console
rather than doing it remotely e.g. via
ssh.Rule SyntaxIPFILTERrule syntaxThe rule syntax presented here has been simplified to only
address the modern stateful rule context and first matching
rule wins logic. For the complete legacy rule syntax
description see the &man.ipf.8; manual page.A # character is used to mark the
start of a comment and may appear at
the end of a rule line or on its own line. Blank lines are
ignored.Rules contain keywords. These keywords have to be coded in
a specific order from left to right on the line. Keywords are
identified in bold type. Some keywords have sub-options which
may be keywords themselves and also include more sub-options.
Each of the headings in the below syntax has a bold section
header which expands on the content.ACTION IN-OUT OPTIONS SELECTION STATEFUL
PROTO SRC_ADDR,DST_ADDR OBJECT PORT_NUM TCP_FLAG STATEFUL
ACTION = block | passIN-OUT = in | outOPTIONS = log | quick | on
interface-nameSELECTION = proto value |
source/destination IP | port = number | flags flag-valuePROTO = tcp/udp | udp | tcp |
icmpSRC_ADD,DST_ADDR = all | from
object to objectOBJECT = IP address | anyPORT_NUM = port numberTCP_FLAG = SSTATEFUL = keep stateACTIONThe action indicates what to do with the packet if it
matches the rest of the filter rule. Each rule must have a
action. The following actions are recognized:block indicates that the packet should be dropped if
the selection parameters match the packet.pass indicates that the packet should exit the firewall
if the selection parameters match the packet.IN-OUTA mandatory requirement is that each filter rule
explicitly state which side of the I/O it is to be used on.
The next keyword must be either in or out and one or the
other has to be coded or the rule will not pass syntax
checks.in means this rule is being applied against an inbound
packet which has just been received on the interface
facing the public Internet.out means this rule is being applied against an
outbound packet destined for the interface facing the public
Internet.OPTIONSThese options must be used in the order shown here.
log indicates that the packet header will be written to
the ipl log (as described in the LOGGING section below) if
the selection parameters match the packet.quick indicates that if the selection parameters match
the packet, this rule will be the last rule checked,
allowing a "short-circuit" path to avoid processing any
following rules for this packet. This option is a mandatory
requirement for the modernized rules processing logic.
on indicates the interface name to be incorporated into
the selection parameters. Interface names are as displayed
by &man.ifconfig.8;. Using this option, the rule will only match if
the packet is going through that interface in the specified
direction (in/out). This option is a mandatory requirement
for the modernized rules processing logic.When a packet is logged, the headers of the packet are
written to the IPL packet logging pseudo-device.
Immediately following the log keyword, the following
qualifiers may be used (in this order):body indicates that the first 128 bytes of the packet
contents will be logged after the headers.first If the log keyword is being used in conjunction
with a keep state option, it is recommended that this
option is also applied so that only the triggering packet
is logged and not every packet which thereafter matches
the keep state information.SELECTIONThe keywords described in this section are used to
describe attributes of the packet to be interrogated when
determining whether rules match or not. There is a
keyword subject, and it has sub-option keywords, one of
which has to be selected. The following general-purpose
attributes are provided for matching, and must be used in
this order:PROTOproto is the subject keyword and must be coded along
with one of its corresponding keyword sub-option values.
The value allows a specific protocol to be matched against.
This option is a mandatory requirement for the modernized
rules processing logic.tcp/udp | udp | tcp | icmp or any protocol names found
in /etc/protocols are recognized and may be used. The
special protocol keyword tcp/udp may be used to match
either a TCP or a UDP packet, and has been added as a
convenience to save duplication of otherwise identical
rules.SRC_ADDR/DST_ADDRThe all keyword is essentially a synonym for from
any to any with no other match parameters.from src to dst: the from and to keywords are used to
match against IP addresses. Rules must specify BOTH source
and destination parameters. any is a special keyword that
matches any IP address. Examples of use: from any to any or from
0.0.0.0/0 to any or from any to 0.0.0.0/0 or from
0.0.0.0 to any or from any to 0.0.0.0.IP addresses may be specified as a dotted IP address
numeric form/mask-length, or as single dotted IP address
numeric form.There is no way to match ranges of IP addresses which
do not express themselves easily as mask-length. See this
web page for help on writing mask-length:
.PORTIf a port match is included, for either or both of
source and destination, then it is only applied to TCP and
UDP packets. When composing port comparisons, either the
service name from /etc/services or an integer port number
may be used. When the port appears as part of the from
object, it matches the source port number; when it appears
as part of the to object, it matches the destination port
number. The use of the port option with the to object is
a mandatory requirement for the modernized rules processing
logic. Example of use: from any to any port = 80Port comparisons may be done in a number of forms, with
a number of comparison operators, or port ranges may be
specified.port "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne"
| "lt" | "gt" | "le" | "ge".To specify port ranges, port "<>" | "><"Following the source and destination matching
parameters, the following two parameters are mandatory
requirements for the modernized rules processing logic.
TCP_FLAGFlags are only effective for TCP filtering. The letters
represents one of the possible flags that can be
interrogated in the TCP packet header.The modernized rules processing logic uses the flags
S parameter to identify the tcp session start request.
STATEFULkeep state indicates that on a pass rule, any packets
that match the rules selection parameters should activate
the stateful filtering facility.This option is a mandatory requirement for the
modernized rules processing logic.Stateful FilteringIPFILTERstateful filteringStateful filtering treats traffic as a bi-directional
exchange of packets comprising a session conversation. When
activated, keep-state dynamically generates internal rules for
each anticipated packet being exchanged during the
bi-directional session conversation. It has the interrogation
abilities to determine if the session conversation between the
originating sender and the destination are following the valid
procedure of bi-directional packet exchange. Any packets that
do not properly fit the session conversation template are
automatically rejected as impostors.Keep state will also allow ICMP packets related to a TCP
or UDP session through. So if you get ICMP type 3 code 4 in
response to some web surfing allowed out by a keep state rule,
they will be automatically allowed in. Any packet that IPF can
be certain is part of an active session, even if it is a
different protocol, will be let in.What happens is:Packets destined to go out the interface connected to the
public Internet are first checked against the dynamic state
table, if the packet matches the next expected packet
comprising in a active session conversation, then it exits
the firewall and the state of the session conversation flow
is updated in the dynamic state table, the remaining packets
get checked against the outbound rule set.Packets coming in to the interface connected to the public
Internet are first checked against the dynamic state table, if
the packet matches the next expected packet comprising a
active session conversation, then it exits the firewall and
the state of the session conversation flow is updated in the
dynamic state table, the remaining packets get checked against
the inbound rule set.When the conversation completes it is removed from the
dynamic state table.Stateful filtering allows you to focus on blocking/passing
new sessions. If the new session is passed, all its subsequent
packets will be allowed through automatically and any
impostors automatically rejected. If a new session is blocked,
none of its subsequent packets will be allowed through.
Stateful filtering has technically advanced interrogation
abilities capable of defending against the flood of different
attack methods currently employed by attackers.Inclusive Rule Set ExampleThe following rule set is an example of how to code a very
secure inclusive type of firewall. An inclusive firewall only
allows services matching pass rules through and blocks all
other by default. All firewalls have at the minimum two
interfaces which have to have rules to allow the firewall to
function.All &unix; flavored systems including &os; are designed to
use interface lo0 and IP address 127.0.0.1 for internal
communication within the operating system. The firewall
rules must contain rules to allow free unmolested movement of
these special internally used packets.The interface which faces the public Internet is the one
where you place your rules to authorize and control access out
to the public Internet and access requests arriving from the
public Internet. This can be your user PPP tun0 interface or
your NIC that is connected to your DSL or cable modem.In cases where one or more NICs are cabled to
private LANs behind the firewall, those
interfaces must have a rule coded to allow free unmolested
movement of packets originating from those LAN interfaces.The rules should be first organized into three major
sections: all the free unmolested interfaces, the public interface
outbound, and the public interface inbound.The rules in each of the public interface
sections should have the most frequently matched rules
placed before less commonly matched rules, with the last rule in the
section blocking and logging all packets on that interface and
direction.The Outbound section in the following rule set only
contains 'pass' rules which contain selection values that
uniquely identify the service that is authorized for public
Internet access. All the rules have the 'quick', 'on',
'proto', 'port', and 'keep state' option coded. The 'proto
tcp' rules have the 'flag' option included to identify the
session start request as the triggering packet to activate the
stateful facility.The Inbound section has all the blocking of undesirable
packets first, for two different reasons. The first is that these things
being blocked may be part of an otherwise valid packet which
may be allowed in by the later authorized service rules.
The second reason is that by having a rule that explicitly blocks
selected packets that I receive on an infrequent basis and
that I do not want to see in the log, they will not be
caught by the last rule in the section which blocks and logs
all packets which have fallen through the rules. The last rule
in the section which blocks and logs all packets is how you
create the legal evidence needed to prosecute the people who
are attacking your system.Another thing you should take note of, is there is no
response returned for any of the undesirable stuff, their
packets just get dropped and vanish. This way the attacker
has no knowledge if his packets have reached your system. The
less the attackers can learn about your system the more secure
it is. The inbound 'nmap OS fingerprint' attempts rule I log
the first occurrence because this is something a attacker
would do.Any time you see log messages on a rule with 'log first'.
You should do an ipfstat -hio command to
see the number of times the rule has been matched so you know
if you are being flooded, i.e. under attack.When you log packets with port numbers you do not
recognize, look it up in /etc/services or go to
and do a port number lookup to find what the purpose of that
port number is.Check out this link for port numbers used by Trojans
.The following rule set is a complete very secure
'inclusive' type of firewall rule set that I have used on my
system. You can not go wrong using this rule set for your own.
Just comment out any pass rules for services that you do not want to
authorize.If you see messages in your log that you want to stop
seeing just add a block rule in the inbound section.You have to change the dc0
interface name in every rule to the interface name of the Nic
card that connects your system to the public Internet. For
user PPP it would be tun0.Add the following statements to
/etc/ipf.rules:#################################################################
# No restrictions on Inside LAN Interface for private network
# Not needed unless you have LAN
#################################################################
#pass out quick on xl0 all
#pass in quick on xl0 all
#################################################################
# No restrictions on Loopback Interface
#################################################################
pass in quick on lo0 all
pass out quick on lo0 all
#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network
# or from this gateway server destine for the public Internet.
#################################################################
# Allow out access to my ISP's Domain name server.
# xxx must be the IP address of your ISP's DNS.
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
pass out quick on dc0 proto tcp from any to xxx port = 53 flags S keep state
pass out quick on dc0 proto udp from any to xxx port = 53 keep state
# Allow out access to my ISP's DHCP server for cable or DSL networks.
# This rule is not needed for 'user ppp' type connection to the
# public Internet, so you can delete this whole group.
# Use the following rule and check log for IP address.
# Then put IP address in commented out rule & delete first rule
pass out log quick on dc0 proto udp from any to any port = 67 keep state
#pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state
# Allow out non-secure standard www function
pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state
# Allow out secure www function https over TLS SSL
pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state
# Allow out send & get email function
pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state
pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state
# Allow out Time
pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state
# Allow out nntp news
pass out quick on dc0 proto tcp from any to any port = 119 flags S keep state
# Allow out gateway & LAN users non-secure FTP ( both passive & active modes)
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state
# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state
# Allow out non-secure Telnet
pass out quick on dc0 proto tcp from any to any port = 23 flags S keep state
# Allow out FBSD CVSUP function
pass out quick on dc0 proto tcp from any to any port = 5999 flags S keep state
# Allow out ping to public Internet
pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state
# Allow out whois for LAN PC to public Internet
pass out quick on dc0 proto tcp from any to any port = 43 flags S keep state
# Block and log only the first occurrence of everything
# else that's trying to get out.
# This rule enforces the block all by default logic.
block out log first quick on dc0 all
#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#################################################################
# Block all inbound traffic from non-routable or reserved address spaces
block in quick on dc0 from 192.168.0.0/16 to any #RFC 1918 private IP
block in quick on dc0 from 172.16.0.0/12 to any #RFC 1918 private IP
block in quick on dc0 from 10.0.0.0/8 to any #RFC 1918 private IP
block in quick on dc0 from 127.0.0.0/8 to any #loopback
block in quick on dc0 from 0.0.0.0/8 to any #loopback
block in quick on dc0 from 169.254.0.0/16 to any #DHCP auto-config
block in quick on dc0 from 192.0.2.0/24 to any #reserved for docs
block in quick on dc0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on dc0 from 224.0.0.0/3 to any #Class D & E multicast
##### Block a bunch of different nasty things. ############
-# That I don't want to see in the log
+# That I do not want to see in the log
# Block frags
block in quick on dc0 all with frags
# Block short tcp packets
block in quick on dc0 proto tcp all with short
# block source routed packets
block in quick on dc0 all with opt lsrr
block in quick on dc0 all with opt ssrr
# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on dc0 proto tcp from any to any flags FUP
# Block anything with special options
block in quick on dc0 all with ipopts
# Block public pings
block in quick on dc0 proto icmp all icmp-type 8
# Block ident
block in quick on dc0 proto tcp from any to any port = 113
# Block all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in log first quick on dc0 proto tcp/udp from any to any port = 137
block in log first quick on dc0 proto tcp/udp from any to any port = 138
block in log first quick on dc0 proto tcp/udp from any to any port = 139
block in log first quick on dc0 proto tcp/udp from any to any port = 81
# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type. Only necessary for
# cable or DSL configurations. This rule is not needed for
# 'user ppp' type connection to the public Internet.
# This is the same IP address you captured and
# used in the outbound section.
pass in quick on dc0 proto udp from z.z.z.z to any port = 68 keep state
# Allow in standard www function because I have apache server
pass in quick on dc0 proto tcp from any to any port = 80 flags S keep state
# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID/PW passed over public Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
#pass in quick on dc0 proto tcp from any to any port = 23 flags S keep state
# Allow in secure FTP, Telnet, and SCP from public Internet
# This function is using SSH (secure shell)
pass in quick on dc0 proto tcp from any to any port = 22 flags S keep state
# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence stops a .denial of service. attack targeted
# at filling up your log file space.
# This rule enforces the block all by default logic.
block in log first quick on dc0 all
################### End of rules file #####################################
NATNATIP masqueradingNATnetwork address translationNATNAT stands for Network Address
Translation. To those familiar with Linux, this concept is
called IP Masquerading; NAT and IP
Masquerading are the same thing. One of the many things the
IPF NAT function enables is the ability to
have a private Local Area Network (LAN) behind the firewall
sharing a single ISP assigned IP address on the public
Internet.You may ask why would someone want to do this. ISPs normally
assign a dynamic IP address to their non-commercial users.
Dynamic means that the IP address can be different each time you
dial in and log on to your ISP, or for cable and DSL modem
users when you power off and then power on your modems you can
get assigned a different IP address. This IP address is how
you are known to the public Internet.Now lets say you have five PCs at home and each one needs
Internet access. You would have to pay your ISP for an
individual Internet account for each PC and have five phone
lines.With NAT you only need a single account
with your ISP, then cable your other four PCs to a switch and
the switch to the NIC in your &os; system which is going to
service your LAN as a gateway. NAT will
automatically translate the private LAN IP address for each
separate PC on the LAN to the single public IP address as it
exits the firewall bound for the public Internet. It also does
the reverse translation for returning packets.NAT is most often accomplished without
the approval, or knowledge, of your ISP and in most cases is
grounds for your ISP terminating your account if found
out. Commercial users pay a lot more for their Internet
connection and usually get assigned a block of static IP
address which never change. The ISP also expects and consents
to their Commercial customers using NAT for
their internal private LANs.There is a special range of IP addresses reserved for
NATed private LAN IP address. According to
RFC 1918, you can use the following IP ranges for private nets
which will never be routed directly to the public
Internet:Start IP 10.0.0.0-Ending IP 10.255.255.255
Start IP 172.16.0.0-Ending IP 172.31.255.255
Start IP 192.168.0.0-Ending IP 192.168.255.255
IPNATNATand IPFILTERipnatNAT rules are loaded by using the ipnat
command. Typically the NAT rules are stored
in /etc/ipnat.rules. See &man.ipnat.1;
for details.When changing the NAT rules after
NAT has been started, make your changes to
the file containing the NAT rules, then run ipnat command with
the flags to delete the internal in use
NAT rules and flush the contents of the
translation table of all active entries.To reload the NAT rules issue a command
like this:&prompt.root; ipnat -CF -f /etc/ipnat.rulesTo display some statistics about your
NAT, use this command:&prompt.root; ipnat -sTo list the NAT table's current
mappings, use this command:&prompt.root; ipnat -lTo turn verbose mode on, and display information relating
to rule processing and active rules/table entries:&prompt.root; ipnat -vIPNAT RulesNAT rules are very flexible and can
accomplish many different things to fit the needs of
commercial and home users.The rule syntax presented here has been simplified to what
is most commonly used in a non-commercial environment. For a
complete rule syntax description see the &man.ipnat.5; manual
page.The syntax for a NAT rule looks
something like this:map IFLAN_IP_RANGE -> PUBLIC_ADDRESSThe keyword map starts the rule.Replace IF with the external
interface.The LAN_IP_RANGE is what your
internal clients use for IP Addressing, usually this is
something like 192.168.1.0/24.The PUBLIC_ADDRESS can either
be the external IP address or the special keyword 0/32,
which means to use the IP address assigned to
IF.How NAT worksA packet arrives at the firewall from the LAN with a
public destination. It passes through the outbound filter
rules, NAT gets his turn at the packet and
applies its rules top down, first matching rule
wins. NAT tests each of its rules against
the packets interface name and source IP address. When a
packets interface name matches a NAT rule
then the [source IP address, i.e. private Lan IP address] of
the packet is checked to see if it falls within the IP address
range specified to the left of the arrow symbol on the
NAT rule. On a match the packet has its
source IP address rewritten with the public IP address
obtained by the 0/32 keyword. NAT posts a
entry in its internal NAT table so when the
packet returns from the public Internet it can be mapped back
to its original private IP address and then passed to the
filter rules for processing.Enabling IPNATTo enable IPNAT add these statements to
/etc/rc.conf.To enable your machine to route traffic between
interfaces:gateway_enable="YES"To start IPNAT automatically each time:ipnat_enable="YES"To specify where to load the IPNAT
rules from:ipnat_rules="/etc/ipnat.rules"NAT for a very large LANFor networks that have large numbers of PC's on the LAN or
networks with more than a single LAN, the process of funneling
all those private IP addresses into a single public IP address
becomes a resource problem that may cause problems with the same
port numbers being used many times across many
NATed LAN PC's, causing collisions. There
are two ways to relieve this resource problem.Assigning Ports to UseA normal NAT rule would look like:map dc0 192.168.1.0/24 -> 0/32In the above rule the packet's source port is unchanged
as the packet passes through IPNAT. By
adding the portmap keyword you can tell
IPNAT to only use source ports in a
range. For example the following rule will tell
IPNAT to modify the source port to be
within that range:map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000Additionally we can make things even easier by using the
auto keyword to tell IPNAT to determine
by itself which ports are available to use:map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp autoUsing a pool of public addressesIn very large LANs there comes a point where there are
just too many LAN addresses to fit into a single public
address. By changing the following rule:map dc0 192.168.1.0/24 -> 204.134.75.1Currently this rule maps all connections through 204.134.75.1. This can be changed to
specify a range:map dc0 192.168.1.0/24 -> 204.134.75.1-10Or a subnet using CIDR notation such as:map dc0 192.168.1.0/24 -> 204.134.75.0/24Port RedirectionA very common practice is to have a web server, email
server, database server and DNS server each segregated to a
different PC on the LAN. In this case the traffic from these
servers still have to be NATed, but there
has to be some way to direct the inbound traffic to the
correct LAN PCs. IPNAT has the redirection
facilities of NAT to solve this problem.
Lets say you have your web server on LAN address 10.0.10.25 and your single public IP
address is 20.20.20.5 you would
code the rule like this:map dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80or:map dc0 0/32 port 80 -> 10.0.10.25 port 80or for a LAN DNS Server on LAN address of 10.0.10.33 that needs to receive
public DNS requests:map dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 udpFTP and NATFTP is a dinosaur left over from the time before the
Internet as it is known today, when research universities were
leased lined together and FTP was used to share files among
research Scientists. This was a time when data security was
not a consideration. Over the years the FTP protocol became
buried into the backbone of the emerging Internet and its
username and password being sent in clear text was never
changed to address new security concerns. FTP has two flavors,
it can run in active mode or passive mode. The difference is
in how the data channel is acquired. Passive mode is more
secure as the data channel is acquired be the ordinal ftp
session requester. For a real good explanation of FTP and the
different modes see .IPNAT RulesIPNAT has a special built in FTP
proxy option which can be specified on the
NAT map rule. It can monitor all outbound
packet traffic for FTP active or passive start session
requests and dynamically create temporary filter rules
containing only the port number really in use for the data
channel. This eliminates the security risk FTP normally
exposes the firewall to from having large ranges of high
order port numbers open.This rule will handle all the traffic for the internal
LAN:map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcpThis rule handles the FTP traffic from the gateway:map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcpThis rule handles all non-FTP traffic from the internal
LAN:map dc0 10.0.10.0/29 -> 0/32The FTP map rule goes before our regular map rule. All
packets are tested against the first rule from the top.
Matches on interface name, then private LAN source IP
address, and then is it a FTP packet. If all that matches
then the special FTP proxy creates temp filter rules to let
the FTP session packets pass in and out, in addition to also
NATing the FTP packets. All LAN packets
that are not FTP do not match the first rule and fall
through to the third rule and are tested, matching on
interface and source IP, then are
NATed.IPNAT FTP Filter RulesOnly one filter rule is needed for FTP if the
NAT FTP proxy is used.Without the FTP Proxy you will need the following three
rules:# Allow out LAN PC client FTP to public Internet
# Active and passive modes
pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state
# Allow out passive mode data channel high order port numbers
pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state
# Active mode let data channel in from FTP server
pass in quick on rl0 proto tcp from any to any port = 20 flags S keep stateFTP NAT Proxy BugAs of &os; 4.9 which includes IPFILTER version 3.4.31
the FTP proxy works as documented during the FTP session
until the session is told to close. When the close happens
packets returning from the remote FTP server are blocked and
logged coming in on port 21. The NAT
FTP/proxy appears to remove its temp rules prematurely,
before receiving the response from the remote FTP server
acknowledging the close. A problem report was posted to the
IPF mailing list.The solution is to add a filter rule to get rid
of these unwanted log messages or do nothing and ignore FTP
inbound error messages in your log. Most people do not use
outbound FTP too often.block in quick on rl0 proto tcp from any to any port = 21IPFWfirewallIPFWThe IPFIREWALL (IPFW) is a &os; sponsored firewall software
application authored and maintained by &os; volunteer staff
members. It uses the legacy stateless rules and a legacy rule
coding technique to achieve what is referred to as Simple
Stateful logic.The IPFW stateless rule syntax is empowered with technically
sophisticated selection capabilities which far surpasses the
knowledge level of the customary firewall installer. IPFW is
targeted at the professional user or the advanced technical
computer hobbyist who have advanced packet selection
requirements. A high degree of detailed knowledge into how
different protocols use and create their unique packet header
information is necessary before the power of the IPFW rules can
be unleashed. Providing that level of explanation is out of the
scope of this section of the handbook.IPFW is composed of seven components, the primary component is
the kernel firewall filter rule processor and its integrated
packet accounting facility, the logging facility, the 'divert'
rule which triggers the NAT facility, and the
advanced special purpose facilities, the dummynet traffic shaper
facilities, the 'fwd rule' forward facility, the bridge
facility, and the ipstealth facility.Enabling IPFWIPFWenablingIPFW is included in the basic &os; install as a separate
run time loadable module. The system will dynamically load the
kernel module when the rc.conf statement
firewall_enable="YES" is used. You do not
need to compile IPFW into the &os; kernel unless you want
NAT function enabled.After rebooting your system with
firewall_enable="YES" in
rc.conf the following white highlighted
message is displayed on the screen as part of the boot
process:IP packet filtering initialized, divert disabled,
rule-based forwarding enabled, default to deny, logging
disabledYou can disregard this message as it is out dated and no
longer is the true status of the IPFW loadable module. The
loadable module really does have logging ability compiled in.To set the verbose logging limit, There is a knob you can
set in /etc/sysctl.conf by adding this
statement, logging will be enabled on future reboots.net.inet.ip.fw.verbose_limit=5Kernel Optionskernel optionsIPFIREWALLkernel optionsIPFIREWALL_VERBOSEkernel optionsIPFIREWALL_VERBOSE_LIMITIPFWkernel optionsIt is not a mandatory requirement that you enable IPFW by
compiling the following options into the &os; kernel unless
you need NAT function. It is presented here
as background information.options IPFIREWALLThis option enables IPFW as part of the kerneloptions IPFIREWALL_VERBOSEEnables logging of packets that pass through IPFW and have
the 'log' keyword specified in the rule set.options IPFIREWALL_VERBOSE_LIMIT=5This specifies the default number of packets from a
particular rule is to be logged. Without this option, each
repeated occurrences of the same packet will be logged, and
eventually consuming all the free disk space resulting in
services being denied do to lack of resources. The number 5 is the
number of consecutive times to log evidence of this unique
occurrence.kernel optionsIPFIREWALL_DEFAULT_TO_ACCEPToptions IPFIREWALL_DEFAULT_TO_ACCEPTThis option will allow everything to pass through the
firewall by default, which is a good idea when you are first
setting up your firewall.options IPV6FIREWALL
options IPV6FIREWALL_VERBOSE
options IPV6FIREWALL_VERBOSE_LIMIT
options IPV6FIREWALL_DEFAULT_TO_ACCEPTThese options are exactly the same as the IPv4 options but
they are for IPv6. If you do not use IPv6 you might want to use
IPV6FIREWALL without any rules to block all IPv6kernel optionsIPDIVERToptions IPDIVERTThis enables the use of NAT
functionality.If you do not include IPFIREWALL_DEFAULT_TO_ACCEPT or set
your rules to allow incoming packets you will block all
packets going to and from this machine./etc/rc.conf OptionsIf you do not have IPFW compiled into your kernel you will
need to load it with the following statement in your
/etc/rc.conf:firewall_enable="YES"Set the script to run to activate your rules:firewall_script="/etc/ipfw.rules"Enable logging:firewall_logging="YES"The IPFW CommandipfwThe ipfw command is the normal vehicle for making manual
single rule additions or deletions to the firewall active
internal rules while it is running. The problem with using
this method is once your system is shutdown or halted all the
rules you added or changed or deleted are lost. Writing all
your rules in a file and using that file to load the rules at
boot time, or to replace in mass the currently running
firewall rules with changes you made to the files content is
the recommended method used here.The ipfw command is still a very useful to display the
running firewall rules to the console screen. The IPFW
accounting facility dynamically creates a counter for each
rule that counts each packet that matches the rule. During the
process of testing a rule, listing the rule with its counter
is the only way of determining if the rule is functioning.To list all the rules in sequence:&prompt.root; ipfw listTo list all the rules with a time stamp of when the last
time the rule was matched:&prompt.root; ipfw -t listTo list the accounting information, packet count for
matched rules along with the rules themselves. The first
column is the rule number, followed by the number of outgoing
matched packets, followed by the number of incoming matched
packets, and then the rule itself.&prompt.root; ipfw -a listList the dynamic rules in addition to the static
rules:&prompt.root; ipfw -d listAlso show the expired dynamic rules:&prompt.root; ipfw -d -e listZero the counters:&prompt.root; ipfw zeroZero the counters for just rule NUM
:&prompt.root; ipfw zero NUMIPFW Rule SetsA rule set is a group of ipfw rules coded to allow or deny
packets based on the values contained in the packet. The
bi-directional exchange of packets between hosts comprises a
session conversation. The firewall rule set processes the
packet twice: once on its arrival from the public Internet
host and again as it leaves for its return trip back to the
public Internet host. Each tcp/ip service (i.e. telnet, www,
mail, etc.) is predefined by its protocol, and port number.
This is the basic selection criteria used to create rules
which will allow or deny services.IPFWrule processing orderWhen a packet enters the firewall it is compared against
the first rule in the rule set and progress one rule at a time
moving from top to bottom of the set in ascending rule number
sequence order. When the packet matches a rule selection
parameters, the rules action field value is executed and the
search of the rule set terminates for that packet. This is
referred to as the first match wins search method. If the
packet does not match any of the rules, it gets caught by the
mandatory ipfw default rule, number 65535 which denies all
packets and discards them without any reply back to the
originating destination.The instructions contained here are based on using rules
that contain the stateful 'keep state', 'limit', 'in'/'out',
and via options. This is the basic framework for coding an
inclusive type firewall rule set.An inclusive firewall only allows services matching the
rules through. This way you can control what services can
originate behind the firewall destine for the public Internet
and also control the services which can originate from the
public Internet accessing your private network. Everything
else is denied by default design. Inclusive firewalls are
much, much more secure than exclusive firewall rule sets and
is the only rule set type covered here in.When working with the firewall rules be careful, you can
end up locking your self out.Rule SyntaxIPFWrule syntaxThe rule syntax presented here has been simplified to
what is necessary to create a standard inclusive type
firewall rule set. For a complete rule syntax description
see the &man.ipfw.8; manual page.Rules contain keywords: these keywords have to be coded
in a specific order from left to right on the line. Keywords
are identified in bold type. Some keywords have sub-options
which may be keywords them selves and also include more
sub-options.# is used to mark the start of a
comment and may appear at the end of a rule line or on its
own lines. Blank lines are ignored.CMD RULE# ACTION LOGGING SELECTION
STATEFULCMDEach rule has to be prefixed with 'add' to add the
rule to the internal table.RULE#Each rule has to have a rule number to go with it.ACTIONA rule can be associated with one of the following
actions, which will be executed when the packet matches
the selection criterion of the rule.allow | accept | pass |
permitThese all mean the same thing which is to allow
packets that match the rule to exit the firewall rule
processing. The search terminates at this rule.check-stateChecks the packet against the dynamic rules table. If
a match is found, execute the action associated with the
rule which generated this dynamic rule, otherwise move to
the next rule. The check-state rule does not have
selection criterion. If no check-state rule is present in
the rule set, the dynamic rules table is checked at the
first keep-state or limit rule.deny | dropBoth words mean the same thing which is to discard
packets that match this rule. The search terminates.Logginglog or
logamountWhen a packet matches a rule with the log keyword, a
message will be logged to syslogd with a facility name of
SECURITY. The logging only occurs if the number of
packets logged so far for that particular rule does not
exceed the logamount parameter. If no logamount is
specified, the limit is taken from the sysctl variable
net.inet.ip.fw.verbose_limit. In both cases, a value of
zero removes the logging limit. Once the limit is
reached, logging can be re-enabled by clearing the
logging counter or the packet counter for that rule, see
the ipfw reset log command. Note: logging is done after
all other packet matching conditions have been
successfully verified, and before performing the final
action (accept, deny) on the packet. It is up to you to
decide which rules you want to enable logging on.SelectionThe keywords described in this section are used to
describe attributes of the packet to be interrogated when
determining whether rules match the packet or not.
The following general-purpose attributes are provided for
matching, and must be used in this order:udp | tcp | icmpor any protocol names found in /etc/protocols are
recognized and may be used. The value specified is
protocol to be matched against. This is a mandatory
requirement.from src to dstThe from and to keywords are used to match against IP
addresses. Rules must specify BOTH source and destination
parameters. any is a special keyword that matches any IP
address. me is a special keyword that matches any IP
address configured on an interface in your &os; system to
represent the PC the firewall is running on (i.e. this
box) as in 'from me to any' or 'from any to me' or 'from
0.0.0.0/0 to any' or 'from any to 0.0.0.0/0' or 'from 0.0.0.0
to any' or 'from any to 0.0.0.0' or 'from me to 0.0.0.0'. IP
addresses are specified as a dotted IP address numeric
form/mask-length, or as single dotted IP address numeric
form. This is a mandatory requirement. See this link for
help on writing mask-lengths. port numberFor protocols which support port numbers (such as
TCP and UDP). It is mandatory that you
code the port number of the service you want to match
on. Service names (from
/etc/services) may be used instead of
numeric port values.in | outMatches incoming or outgoing packets,
respectively. The in and out are keywords and it is
mandatory that you code one or the other as part of your
rule matching criterion.via IFMatches packets going through the interface specified
by exact name. The via keyword causes the interface to
always be checked as part of the match process.setupThis is a mandatory keyword that identifies the
session start request for TCP
packets.keep-stateThis is a mandatory> keyword. Upon a match, the
firewall will create a dynamic rule, whose default
behavior is to match bidirectional traffic between source
and destination IP/port using the same protocol.limit {src-addr | src-port | dst-addr |
dst-port}The firewall will only allow
N connections with the same set
of parameters as specified in the rule. One or more of
source and destination addresses and ports can be
specified. The 'limit' and 'keep-state' can not be used on
same rule. Limit provides the same stateful function as
'keep-state' plus its own functions.Stateful Rule OptionIPFWstateful filteringStateful filtering treats traffic as a bi-directional
exchange of packets comprising a session conversation. It
has the interrogation abilities to determine if the session
conversation between the originating sender and the
destination are following the valid procedure of
bi-directional packet exchange. Any packets that do not
properly fit the session conversation template are
automatically rejected as impostors.'check-state' is used to identify where in the IPFW
rules set the packet is to be tested against the dynamic
rules facility. On a match the packet exits the firewall to
continue on its way and a new rule is dynamic created for
the next anticipated packet being exchanged during this
bi-directional session conversation. On a no match the
packet advances to the next rule in the rule set for
testing.The dynamic rules facility is vulnerable to resource
depletion from a SYN-flood attack which would open a huge
number of dynamic rules. To counter this attack, &os;
version 4.5 added another new option named limit. This
option is used to limit the number of simultaneous session
conversations by interrogating the rules source or
destinations fields as directed by the limit option and
using the packet's IP address found there, in a search of
the open dynamic rules counting the number of times this
rule and IP address combination occurred, if this count is
greater that the value specified on the limit option, the
packet is discarded.Logging Firewall MessagesIPFWloggingThe benefits of logging are obvious: it provides the
ability to review after the fact the rules you activated
logging on which provides information like, what packets had
been dropped, what addresses they came from, where they were
going, giving you a significant edge in tracking down
attackers.Even with the logging facility enabled, IPFW will not
generate any rule logging on it's own. The firewall
administrator decides what rules in the rule set he wants
to log and adds the log verb to those rules. Normally only
deny rules are logged, like the deny rule for incoming
ICMP pings. It is very customary to
duplicate the ipfw default deny everything rule with the
log verb included as your last rule in the rule set. This
way you get to see all the packets that did not match any
of the rules in the rule set.Logging is a two edged sword, if you are not careful, you
can lose yourself in the over abundance of log data and fill
your disk up with growing log files. DoS attacks that fill
up disk drives is one of the oldest attacks around. These
log message are not only written to syslogd, but also are
displayed on the root console screen and soon become very
annoying.The IPFIREWALL_VERBOSE_LIMIT=5
kernel option limits the number of consecutive messages
sent to the system logger syslogd, concerning the packet
matching of a given rule. When this option is enabled in
the kernel, the number of consecutive messages concerning
a particular rule is capped at the number specified. There
is nothing to be gained from 200 log messages saying the
same identical thing. For instance, five consecutive messages
concerning a particular rule would be logged to syslogd,
the remainder identical consecutive messages would be
counted and posted to the syslogd with a phrase like
this:last message repeated 45 timesAll logged packets messages are written by default to
/var/log/security file, which is
defined in the /etc/syslog.conf file.
Building a Rule ScriptMost experienced IPFW users create a file containing the
rules and code them in a manner compatible with running them
as a script. The major benefit of doing this is the firewall
rules can be refreshed in mass without the need of
rebooting the system to activate the new rules. This method
is very convenient in testing new rules as the procedure can
be executed as many times as needed. Being a script, you can
use symbolic substitution to code frequent used values and
substitution them in multiple rules. You will see this in
the following example.The script syntax used here is compatible with the 'sh',
'csh', 'tcsh' shells. Symbolic substitution fields are
prefixed with a dollar sign $. Symbolic fields do not have
the $ prefix. The value to populate the Symbolic field must
be enclosed to "double quotes".Start your rules file like this:############### start of example ipfw rules script #############
#
ipfw -q -f flush # Delete all rules
# Set defaults
oif="tun0" # out interface
odns="192.0.2.11" # ISP's DNS server IP address
cmd="ipfw -q add " # build rule prefix
ks="keep-state" # just too lazy to key this each time
$cmd 00500 check-state
$cmd 00502 deny all from any to any frag
$cmd 00501 deny tcp from any to any established
$cmd 00600 allow tcp from any to any 80 out via $oif setup $ks
$cmd 00610 allow tcp from any to $odns 53 out via $oif setup $ks
$cmd 00611 allow udp from any to $odns 53 out via $oif $ks
################### End of example ipfw rules script ############That is all there is to it. The rules are not important
in this example, how the Symbolic substitution field are
populated and used are.If the above example was in
/etc/ipfw.rules file, you could reload
these rules by entering on the command line.&prompt.root; sh /etc/ipfw.rulesThe /etc/ipfw.rules file could be
located anywhere you want and the file could be named any
thing you would like.The same thing could also be accomplished by running
these commands by hand:&prompt.root; ipfw -q -f flush
&prompt.root; ipfw -q add check-state
&prompt.root; ipfw -q add deny all from any to any frag
&prompt.root; ipfw -q add deny tcp from any to any established
&prompt.root; ipfw -q add allow tcp from any to any 80 out via tun0 setup keep-state
&prompt.root; ipfw -q add allow tcp from any to 192.0.2.11 53 out via tun0 setup keep-state
&prompt.root; ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-stateStateful RulesetThe following non-NATed rule set is a example of how to
code a very secure 'inclusive' type of firewall. An
inclusive firewall only allows services matching pass rules
through and blocks all other by default. All firewalls have
at the minimum two interfaces which have to have rules to
allow the firewall to function.All &unix; flavored operating systems, &os; included, are designed to
use interface lo0 and IP address
127.0.0.1 for internal
communication with in the operating system. The firewall rules must contain
rules to allow free unmolested movement of these special
internally used packets.The interface which faces the public Internet, is the
one which you code your rules to authorize and control
access out to the public Internet and access requests
arriving from the public Internet. This can be your ppp tun0
interface or your NIC that is connected to your DSL or cable
modem.In cases where one or more than one NIC are connected to
a private LANs behind the firewall, those interfaces must
have rules coded to allow free unmolested movement of
packets originating from those LAN interfaces.The rules should be first organized into three major
sections, all the free unmolested interfaces, public
interface outbound, and the public interface inbound.
The order of the rules in each of the public interface
sections should be in order of the most used rules being
placed before less often used rules with the last rule in
the section being a block log all packets on that interface
and direction.The Outbound section in the following rule set only
contains 'allow' rules which contain selection values that
uniquely identify the service that is authorized for public
Internet access. All the rules have the, proto, port,
in/out, via and keep state option coded. The 'proto tcp'
rules have the 'setup' option included to identify the start
session request as the trigger packet to be posted to the
keep state stateful table.The Inbound section has all the blocking of undesirable
packets first for two different reasons. First is these things
being blocked may be part of an otherwise valid packet which
may be allowed in by the later authorized service rules.
Second reason is that by having a rule that explicitly
blocks selected packets that I receive on an infrequent
bases and do not want to see in the log, this keeps them from
being caught by the last rule in the section which blocks
and logs all packets which have fallen through the rules.
The last rule in the section which blocks and logs all
packets is how you create the legal evidence needed to
prosecute the people who are attacking your system.Another thing you should take note of, is there is no
response returned for any of the undesirable stuff, their
packets just get dropped and vanish. This way the attackers
has no knowledge if his packets have reached your system.
The less the attackers can learn about your system the more
secure it is. When you log packets with port numbers you do
not recognize, look the numbers up in /etc/services/ or go to
and do a port number lookup to find what the purpose of that
port number is. Check out this link for port numbers used by
Trojans:
.An Example Inclusive RulesetThe following non-NATed rule set is a complete inclusive
type ruleset. You can not go wrong using this rule set for
you own. Just comment out any pass rules for services you
do not want. If you see messages in your log that you want to
stop seeing just add a deny rule in the inbound section. You
have to change the 'dc0' interface name in every rule to the
interface name of the NIC that connects your system to the
public Internet. For user ppp it would be 'tun0'.You will see a pattern in the usage of these rules.
All statements that are a request to start a session
to the public Internet use keep-state.All the authorized services that originate from the
public Internet have the limit option to stop flooding.
All rules use in or out to clarify direction.
All rules use via interface name to specify the
interface the packet is traveling over.The following rules go into
/etc/ipfw.rules.################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
pif="dc0" # public interface name of NIC
# facing the public Internet
#################################################################
# No restrictions on Inside LAN Interface for private network
# Not needed unless you have LAN.
# Change xl0 to your LAN NIC interface name
#################################################################
#$cmd 00005 allow all from any to any via xl0
#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 00010 allow all from any to any via lo0
#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by a allow keep-state statement.
#################################################################
$cmd 00015 check-state
#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public Internet.
#################################################################
# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP.s DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state
# Allow out access to my ISP's DHCP server for cable/DSL configurations.
# This rule is not needed for .user ppp. connection to the public Internet.
# so you can delete this whole group.
# Use the following rule and check log for IP address.
# Then put IP address in commented out rule & delete first rule
$cmd 00120 allow log udp from any to any 67 out via $pif keep-state
#$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state
# Allow out non-secure standard www function
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state
# Allow out send & get email function
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state
# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 00240 allow tcp from me to any out via $pif setup keep-state uid root
# Allow out ping
$cmd 00250 allow icmp from any to any out via $pif keep-state
# Allow out Time
$cmd 00260 allow tcp from any to any 37 out via $pif setup keep-state
# Allow out nntp news (i.e. news groups)
$cmd 00270 allow tcp from any to any 119 out via $pif setup keep-state
# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state
# Allow out whois
$cmd 00290 allow tcp from any to any 43 out via $pif setup keep-state
# deny and log everything else that.s trying to get out.
# This rule enforces the block all by default logic.
$cmd 00299 deny log all from any to any out via $pif
#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#################################################################
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif
# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif
# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif
# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP.s DHCP server as it.s the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for .user ppp. type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
#$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state
# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2
# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2
# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
$cmd 00420 allow tcp from any to me 23 in via $pif setup limit src-addr 2
# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################
An Example NAT and Stateful RulesetNATand IPFWThere are some additional configuration statements that
need to be enabled to activate the NAT function of IPFW. The
kernel source needs 'option divert' statement added to the
other IPFIREWALL statements compiled into a custom kernel.
In addition to the normal IPFW options in
/etc/rc.conf, the following are needed.
natd_enable="YES" # Enable NATD function
natd_interface="rl0" # interface name of public Internet NIC
natd_flags="-dynamic -m" # -m = preserve port numbers if possibleUtilizing stateful rules with divert natd rule (Network
Address Translation) greatly complicates the rule set coding
logic. The positioning of the check-state, and 'divert natd'
rules in the rule set becomes very critical. This is no
longer a simple fall-through logic flow. A new action type
is used, called 'skipto'. To use the skipto command it is
mandatory that you number each rule so you know exactly
where the skipto rule number is you are really jumping to.
The following is an uncommented example of one coding
method, selected here to explain the sequence of the packet
flow through the rule sets.The processing flow starts with the first rule from the
top of the rule file and progress one rule at a time deeper
into the file until the end is reach or the packet being
tested to the selection criteria matches and the packet is
released out of the firewall. It is important to take notice
of the location of rule numbers 100 101, 450, 500, and 510.
These rules control the translation of the outbound and
inbound packets so their entries in the keep-state dynamic
table always register the private Lan IP address. Next
notice that all the allow and deny rules specified the
direction the packet is going (IE outbound or inbound) and
the interface. Also notice that all the start outbound
session requests all skipto rule 500 for the network address
translation.Lets say a LAN user uses their web browser to get a web
page. Web pages use port 80 to communicate over. So the
packet enters the firewall, It does not match 100 because
it is headed out not in. It passes rule 101 because this is
the first packet so it has not been posted to the keep-state
dynamic table yet. The packet finally comes to rule 125 a
matches. It is outbound through the NIC facing the public
Internet. The packet still has it's source IP address as a
private Lan IP address. On the match to this rule, two
actions take place. The keep-state option will post this rule
into the keep-state dynamic rules table and the specified
action is executed. The action is part of the info posted to
the dynamic table. In this case it is "skipto rule 500". Rule
500 NATs the packet IP address and out it goes. Remember
this, this is very important. This packet makes its way to
the destination and returns and enters the top of the rule
set. This time it does match rule 100 and has it destination
IP address mapped back to its corresponding Lan IP address.
It then is processed by the check-state rule, it's found in
the table as an existing session conversation and released
to the LAN. It goes to the LAN PC that sent it and a new
packet is sent requesting another segment of the data from
the remote server. This time it gets checked by the
check-state rule and its outbound entry is found, the
associated action, 'skipto 500', is executed. The packet
jumps to rule 500 gets NATed and released on it's way out.
On the inbound side, everything coming in that is part
of an existing session conversation is being automatically
handled by the check-state rule and the properly placed
divert natd rules. All we have to address is denying all the
bad packets and only allowing in the authorized services.
Lets say there is a apache server running on the firewall
box and we want people on the public Internet to be able to
access the local web site. The new inbound start request
packet matches rule 100 and its IP address is mapped to LAN
IP for the firewall box. The packet is them matched against
all the nasty things we want to check for and finally
matches against rule 425. On a match two things occur
The packet rule
is posted to the keep-state dynamic table but this time any
new session requests originating from that source IP address
is limited to 2. This defends against DoS attacks of service
running on the specified port number. The action is allow so
the packet is released to the LAN. On return the check-state
rule recognizes the packet as belonging to an existing
session conversation sends it to rule 500 for NATing and
released to outbound interface.Example Ruleset #1:#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
pif=rl0
ks="keep-state"
good_tcpo="22,25,37,43,53,80,443,110,119"
ipfw -q -f flush
$cmd 002 allow all from any to any via xl0 # exclude LAN traffic
$cmd 003 allow all from any to any via lo0 # exclude loopback traffic
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state
# Authorized outbound packets
$cmd 120 $skip udp from any to xx.168.240.2 53 out via $pif $ks
$cmd 121 $skip udp from any to xx.168.240.5 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 135 $skip udp from any to any 123 out via $pif $ks
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
# Authorized inbound packets
$cmd 400 allow udp from xx.70.207.54 to any 68 in $ks
$cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1
$cmd 450 deny log ip from any to any
# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
######################## end of rules ##################
The following is pretty much the same as above, but uses
a self documenting coding style full of description comments
to help the inexperienced IPFW rule writer to better
understand what the rules are doing.Example Ruleset #2:
#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="rl0" # public interface name of NIC
# facing the public Internet
#################################################################
# No restrictions on Inside LAN Interface for private network
# Change xl0 to your LAN NIC interface name
#################################################################
$cmd 005 allow all from any to any via xl0
#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 010 allow all from any to any via lo0
#################################################################
# check if packet is inbound and nat address if it is
#################################################################
$cmd 014 divert natd ip from any to any in via $pif
#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by a allow keep-state statement.
#################################################################
$cmd 015 check-state
#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public Internet.
#################################################################
# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state
# Allow out access to my ISP's DHCP server for cable/DSL configurations.
$cmd 030 $skip udp from any to x.x.x.x 67 out via $pif keep-state
# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state
# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state
# Allow out FreeBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root
# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state
# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state
# Allow out nntp news (i.e. news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state
# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state
# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state
# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state
#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#################################################################
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
# Deny ident
$cmd 315 deny tcp from any to any 113 in via $pif
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81 in via $pif
# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif
# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
$cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state
# Allow in standard www function because I have Apache server
$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
$cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2
# Reject & Log all unauthorized incoming connections from the public Internet
$cmd 400 deny log all from any to any in via $pif
# Reject & Log all unauthorized out going connections to the public Internet
$cmd 450 deny log all from any to any out via $pif
# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
################ End of IPFW rules file ###############################
diff --git a/en_US.ISO8859-1/books/handbook/mail/chapter.sgml b/en_US.ISO8859-1/books/handbook/mail/chapter.sgml
index 9743e1e230..779236ef3c 100644
--- a/en_US.ISO8859-1/books/handbook/mail/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/mail/chapter.sgml
@@ -1,2294 +1,2294 @@
BillLloydOriginal work by JimMockRewritten by Electronic MailSynopsisemailElectronic Mail, better known as email, is one of the
most widely used forms of communication today. This chapter provides
a basic introduction to running a mail server on &os;, as well as an
introduction to sending and receiving email using &os;; however,
it is not a complete reference and in fact many important
considerations are omitted. For more complete coverage of the
subject, the reader is referred to the many excellent books listed
in .After reading this chapter, you will know:What software components are involved in sending and receiving
electronic mail.Where basic sendmail configuration
files are located in FreeBSD.The difference between remote and
local mailboxes.How to block spammers from illegally using your mail server as a
relay.How to install and configure an alternate Mail Transfer Agent on
your system, replacing sendmail.How to troubleshoot common mail server problems.How to use SMTP with UUCP.How to set up the system to send mail only.How to use mail with a dialup connection.How to configure SMTP Authentication for added security.How to install and use a Mail User Agent, such as
mutt to send and receive email.How to download your mail from a remote POP
or IMAP server.How to automatically apply filters and rules to incoming
email.Before reading this chapter, you should:Properly set up your network connection
().Properly set up the DNS information for your mail host
().Know how to install additional third-party software
().Using Electronic MailPOPIMAPDNSThere are five major parts involved in an email exchange. They
are: the user program, the server daemon, DNS, a
remote or local mailbox, and of course, the
mailhost itself.The User ProgramThis includes command line programs such as
mutt,
pine, elm,
and mail, and GUI programs such as
balsa,
xfmail to name a few, and something
more sophisticated like a WWW browser. These
programs simply pass off the email transactions to the local
mailhost, either
by calling one of the server
daemons available, or delivering it over TCP.Mailhost Server Daemonmail server daemonssendmailmail server daemonspostfixmail server daemonsqmailmail server daemonsexim&os; ships with sendmail by
default, but also support numerous other mail server daemons,
just some of which include:exim;postfix;qmail.The server daemon usually has two functions—it is responsible
for receiving incoming mail as well as delivering outgoing mail. It is
not responsible for the collection of mail using protocols
such as POP or IMAP to
read your email, nor does it allow connecting to local
mbox or Maildir mailboxes. You may require
an additional daemon for
that.Older versions of sendmail
have some serious security issues which may result in an
attacker gaining local and/or remote access to your machine.
Make sure that you are running a current version to avoid
these problems. Optionally, install an alternative
MTA from the &os;
Ports Collection.Email and DNSThe Domain Name System (DNS) and its daemon
named play a large role in the delivery of
email. In order to deliver mail from your site to another, the
server daemon will look up the remote site in the DNS to determine the
host that will receive mail for the destination. This process
also occurs when mail is sent from a remote host to your mail
server.MX recordDNS is responsible for mapping
hostnames to IP addresses, as well as for storing information
specific to mail delivery, known as MX records. The MX (Mail
eXchanger) record specifies which host, or hosts, will receive
mail for a particular domain. If you do not have an MX record
for your hostname or domain, the mail will be delivered
directly to your host provided you have an A record pointing
your hostname to your IP address.You may view the MX records for any domain by using the
&man.host.1; command, as seen in the example below:&prompt.user; host -t mx FreeBSD.org
FreeBSD.org mail is handled (pri=10) by mx1.FreeBSD.orgReceiving MailemailreceivingReceiving mail for your domain is done by the mail host. It
will collect all mail sent to your domain and store it
either in mbox (the default method for storing mail) or Maildir format, depending
on your configuration.
Once mail has been stored, it may either be read locally using
applications such as &man.mail.1; or
mutt, or remotely accessed and
collected using protocols such as
POP or IMAP.
This means that should you only
wish to read mail locally, you are not required to install a
POP or IMAP server.Accessing remote mailboxes using POP and IMAPPOPIMAPIn order to access mailboxes remotely, you are required to
have access to a POP or IMAP
server. These protocols allow users to connect to their mailboxes from
remote locations with ease. Though both
POP and IMAP allow users
to remotely access mailboxes, IMAP offers
many advantages, some of which are:IMAP can store messages on a remote
server as well as fetch them.IMAP supports concurrent updates.IMAP can be extremely useful over
low-speed links as it allows users to fetch the structure
of messages without downloading them; it can also
perform tasks such as searching on the server in
order to minimize data transfer between clients and
servers.In order to install a POP or
IMAP server, the following steps should be
performed:Choose an IMAP or
POP server that best suits your needs.
The following POP and
IMAP servers are well known and serve
as some good examples:qpopper;teapop;imap-uw;courier-imap;Install the POP or
IMAP daemon of your choosing from the
ports
collection.Where required, modify /etc/inetd.conf
to load the POP or
IMAP server.It should be noted that both POP and
IMAP transmit information, including
username and password credentials in clear-text. This means
that if you wish to secure the transmission of information
across these protocols, you should consider tunneling
sessions over &man.ssh.1;. Tunneling sessions is
described in .Accessing local mailboxesMailboxes may be accessed locally by directly utilizing
MUAs on the server on which the mailbox
resides. This can be done using applications such as
mutt or &man.mail.1;.
The Mail Hostmail hostThe mail host is the name given to a server that is
responsible for delivering and receiving mail for your host, and
possibly your network.ChristopherShumwayContributed by sendmail Configurationsendmail&man.sendmail.8; is the default Mail Transfer Agent (MTA) in
FreeBSD. sendmail's job is to accept
mail from Mail User Agents (MUA) and deliver it
to the appropriate mailer as defined by its configuration file.
sendmail can also accept network
connections and deliver mail to local mailboxes or deliver it to
another program.sendmail uses the following
configuration files:/etc/mail/access/etc/mail/aliases/etc/mail/local-host-names/etc/mail/mailer.conf/etc/mail/mailertable/etc/mail/sendmail.cf/etc/mail/virtusertableFilenameFunction/etc/mail/accesssendmail access database
file/etc/mail/aliasesMailbox aliases/etc/mail/local-host-namesLists of hosts sendmail
accepts mail for/etc/mail/mailer.confMailer program configuration/etc/mail/mailertableMailer delivery table/etc/mail/sendmail.cfsendmail master
configuration file/etc/mail/virtusertableVirtual users and domain tables/etc/mail/accessThe access database defines what host(s) or IP addresses
have access to the local mail server and what kind of access
they have. Hosts can be listed as ,
, or simply passed
to sendmail's error handling routine with a given mailer error.
Hosts that are listed as , which is the
default, are allowed to send mail to this host as long as the
mail's final destination is the local machine. Hosts that are
listed as are rejected for all mail
connections. Hosts that have the option
for their hostname are allowed to send mail for any destination
through this mail server.Configuring the sendmail
Access Database
- cyberspammer.com 550 We don't accept mail from spammers
-FREE.STEALTH.MAILER@ 550 We don't accept mail from spammers
+ cyberspammer.com 550 We do not accept mail from spammers
+FREE.STEALTH.MAILER@ 550 We do not accept mail from spammers
another.source.of.spam REJECT
okay.cyberspammer.com OK
128.32 RELAYIn this example we have five entries. Mail senders that
match the left hand side of the table are affected by the action
on the right side of the table. The first two examples give an
error code to sendmail's error
handling routine. The message is printed to the remote host when
a mail matches the left hand side of the table. The next entry
rejects mail from a specific host on the Internet,
another.source.of.spam. The next entry accepts
mail connections from a host
okay.cyberspammer.com, which is more exact than
the cyberspammer.com line above. More specific
matches override less exact matches. The last entry allows
relaying of electronic mail from hosts with an IP address that
begins with 128.32. These hosts would be able
to send mail through this mail server that are destined for other
mail servers.When this file is updated, you need to run
make in /etc/mail/ to
update the database./etc/mail/aliasesThe aliases database contains a list of virtual mailboxes
that are expanded to other user(s), files, programs or other
aliases. Here are a few examples that can be used in
/etc/mail/aliases:Mail Aliasesroot: localuser
ftp-bugs: joe,eric,paul
bit.bucket: /dev/null
procmail: "|/usr/local/bin/procmail"The file format is simple; the mailbox name on the left
side of the colon is expanded to the target(s) on the right.
The
first example simply expands the mailbox root
to the mailbox localuser, which is then
looked up again in the aliases database. If no match is found,
then the message is delivered to the local user
localuser. The next example shows a mail
list. Mail to the mailbox ftp-bugs is
expanded to the three local mailboxes joe,
eric, and paul. Note
that a remote mailbox could be specified as user@example.com. The
next example shows writing mail to a file, in this case
/dev/null. The last example shows sending
mail to a program, in this case the mail message is written to the
standard input of /usr/local/bin/procmail
through a &unix; pipe.When this file is updated, you need to run
make in /etc/mail/ to
update the database./etc/mail/local-host-namesThis is a list of hostnames &man.sendmail.8; is to accept as
the local host name. Place any domains or hosts that
sendmail is to be receiving mail for.
For example, if this mail server was to accept mail for the
domain example.com and the host
mail.example.com, its
local-host-names might look something like
this:example.com
mail.example.comWhen this file is updated, &man.sendmail.8; needs to be
restarted to read the changes./etc/mail/sendmail.cfsendmail's master configuration
file, sendmail.cf controls the overall
behavior of sendmail, including everything
from rewriting e-mail addresses to printing rejection messages to
remote mail servers. Naturally, with such a diverse role, this
configuration file is quite complex and its details are a bit
out of the scope of this section. Fortunately, this file rarely
needs to be changed for standard mail servers.The master sendmail configuration
file can be built from &man.m4.1; macros that define the features
and behavior of sendmail. Please see
/usr/src/contrib/sendmail/cf/README for
some of the details.When changes to this file are made,
sendmail needs to be restarted for
the changes to take effect./etc/mail/virtusertableThe virtusertable maps mail addresses for
virtual domains and
mailboxes to real mailboxes. These mailboxes can be local,
remote, aliases defined in
/etc/mail/aliases or files.Example Virtual Domain Mail Maproot@example.com root
postmaster@example.com postmaster@noc.example.net
@example.com joeIn the above example, we have a mapping for a domain
example.com. This file is processed in a
first match order down the file. The first item maps
root@example.com to the local mailbox root. The next entry maps
postmaster@example.com to the mailbox postmaster on the host
noc.example.net. Finally, if nothing from example.com has
matched so far, it will match the last mapping, which matches
every other mail message addressed to someone at
example.com.
This will be mapped to the local mailbox joe.AndrewBoothmanWritten by GregoryNeil ShapiroInformation taken from e-mails written by Changing Your Mail Transfer Agentemailchange mtaAs already mentioned, FreeBSD comes with
sendmail already installed as your
MTA (Mail Transfer Agent). Therefore by default it is
in charge of your outgoing and incoming mail.However, for a variety of reasons, some system
administrators want to change their system's MTA. These
reasons range from simply wanting to try out another MTA to
needing a specific feature or package which relies on another
mailer. Fortunately, whatever the reason, FreeBSD makes it
easy to make the change.Install a New MTAYou have a wide choice of MTAs available. A good
starting point is the
FreeBSD Ports Collection where
you will be able to find many. Of course you are free to use
any MTA you want from any location, as long as you can make
it run under FreeBSD.Start by installing your new MTA. Once it is installed
it gives you a chance to decide if it really fulfills your
needs, and also gives you the opportunity to configure your
new software before getting it to take over from
sendmail. When doing this, you
should be sure that installing the new software will not attempt
to overwrite system binaries such as
/usr/bin/sendmail. Otherwise, your new
mail software has essentially been put into service before
you have configured it.Please refer to your chosen MTA's documentation for
information on how to configure the software you have
chosen.Disable sendmailThe procedure used to start
sendmail changed significantly
between 4.5-RELEASE and 4.6-RELEASE. Therefore, the procedure
used to disable it is subtly different.FreeBSD 4.5-STABLE before 2002/4/4 and Earlier
(Including 4.5-RELEASE and Earlier)Enter:sendmail_enable="NO"into /etc/rc.conf. This will disable
sendmail's incoming mail service,
but if /etc/mail/mailer.conf (see below)
is not changed, sendmail will
still be used to send e-mail.FreeBSD 4.5-STABLE after 2002/4/4
(Including 4.6-RELEASE and Later)In order to completely disable
sendmail you must usesendmail_enable="NONE"in /etc/rc.conf.If you disable sendmail's
outgoing mail service in this way, it is important that you
replace it with a fully working alternative mail delivery
system. If you choose not to, system functions such as
&man.periodic.8; will be unable to deliver their results by
e-mail as they would normally expect to. Many parts of your
system may expect to have a functional
sendmail-compatible system. If
applications continue to use
sendmail's binaries to try to send
e-mail after you have disabled them, mail could go into an
inactive sendmail queue, and never be delivered.If you only want to disable
sendmail's incoming mail service,
you should setsendmail_enable="NO"in /etc/rc.conf. More information on
sendmail's startup options is
available from the &man.rc.sendmail.8; manual page.Running Your New MTA on BootYou may have a choice of two methods for running your
new MTA on boot, again depending on what version of FreeBSD
you are running.FreeBSD 4.5-STABLE before 2002/4/11
(Including 4.5-RELEASE and Earlier)Add a script to
/usr/local/etc/rc.d/ that
ends in .sh and is executable by
root. The script should accept start and
stop parameters. At startup time the
system scripts will execute the command/usr/local/etc/rc.d/supermailer.sh startwhich you can also use to manually start the server. At
shutdown time, the system scripts will use the
stop option, running the command/usr/local/etc/rc.d/supermailer.sh stopwhich you can also use to manually stop the server
while the system is running.FreeBSD 4.5-STABLE after 2002/4/11
(Including 4.6-RELEASE and Later)With later versions of FreeBSD, you can use the
above method or you can setmta_start_script="filename"in /etc/rc.conf, where
filename is the name of some
script that you want executed at boot to start your
MTA.Replacing sendmail as
the System's Default MailerThe program sendmail is so ubiquitous
as standard software on &unix; systems that some software
just assumes it is already installed and configured.
For this reason, many alternative MTA's provide their own compatible
implementations of the sendmail
command-line interface; this facilitates using them as
drop-in replacements for sendmail.Therefore, if you are using an alternative mailer,
you will need to make sure that software trying to execute
standard sendmail binaries such as
/usr/bin/sendmail actually executes
your chosen mailer instead. Fortunately, FreeBSD provides
a system called &man.mailwrapper.8; that does this job for
you.When sendmail is operating as installed, you will
find something like the following
in /etc/mail/mailer.conf:sendmail /usr/libexec/sendmail/sendmail
send-mail /usr/libexec/sendmail/sendmail
mailq /usr/libexec/sendmail/sendmail
newaliases /usr/libexec/sendmail/sendmail
hoststat /usr/libexec/sendmail/sendmail
purgestat /usr/libexec/sendmail/sendmailThis means that when any of these common commands
(such as sendmail itself) are run,
the system actually invokes a copy of mailwrapper named sendmail, which
checks mailer.conf and
executes /usr/libexec/sendmail/sendmail
instead. This system makes it easy to change what binaries
are actually executed when these default sendmail functions
are invoked.Therefore if you wanted
/usr/local/supermailer/bin/sendmail-compat
to be run instead of sendmail, you could change
/etc/mail/mailer.conf to read:sendmail /usr/local/supermailer/bin/sendmail-compat
send-mail /usr/local/supermailer/bin/sendmail-compat
mailq /usr/local/supermailer/bin/mailq-compat
newaliases /usr/local/supermailer/bin/newaliases-compat
hoststat /usr/local/supermailer/bin/hoststat-compat
purgestat /usr/local/supermailer/bin/purgestat-compatFinishingOnce you have everything configured the way you want it, you should
either kill the sendmail processes that
you no longer need and start the processes belonging to your new
software, or simply reboot. Rebooting will also
give you the opportunity to ensure that you have correctly
configured your system to start your new MTA automatically on boot.TroubleshootingemailtroubleshootingWhy do I have to use the FQDN for hosts on my site?You will probably find that the host is actually in a
different domain; for example, if you are in
foo.bar.edu and you wish to reach
a host called mumble in the bar.edu domain, you will have to
refer to it by the fully-qualified domain name, mumble.bar.edu, instead of just
mumble.BINDTraditionally, this was allowed by BSD BIND resolvers.
However the current version of BIND
that ships with FreeBSD no longer provides default abbreviations
for non-fully qualified domain names other than the domain you
are in. So an unqualified host mumble must
either be found as mumble.foo.bar.edu, or it will be searched
for in the root domain.This is different from the previous behavior, where the
search continued across mumble.bar.edu, and mumble.edu. Have a look at RFC 1535
for why this was considered bad practice, or even a security
hole.As a good workaround, you can place the line:
search foo.bar.edu bar.edu
instead of the previous:
domain foo.bar.edu
into your /etc/resolv.conf. However, make
sure that the search order does not go beyond the
boundary between local and public administration,
as RFC 1535 calls it.MX recordsendmail says mail
loops back to myselfThis is answered in the
sendmail FAQ as follows:I'm getting these error messages:
553 MX list for domain.net points back to relay.domain.net
554 <user@domain.net>... Local configuration error
How can I solve this problem?
You have asked mail to the domain (e.g., domain.net) to be
forwarded to a specific host (in this case, relay.domain.net)
by using an MX record, but the relay machine does not recognize
itself as domain.net. Add domain.net to /etc/mail/local-host-names
[known as /etc/sendmail.cw prior to version 8.10]
(if you are using FEATURE(use_cw_file)) or add Cw domain.net
to /etc/mail/sendmail.cf.The sendmail FAQ can be found at
and is
recommended reading if you want to do any
tweaking of your mail setup.PPPHow can I run a mail server on a dial-up PPP host?You want to connect a FreeBSD box on a LAN to the
Internet. The FreeBSD box will be a mail gateway for the LAN.
The PPP connection is non-dedicated.UUCPMX recordThere are at least two ways to do this. One way is to use
UUCP.Another way is to get a full-time Internet server to provide secondary MX
services for your domain. For example, if your company's domain is
example.com and your Internet service provider has
set example.net up to provide secondary MX services
to your domain:example.com. MX 10 example.com.
MX 20 example.net.Only one host should be specified as the final recipient
(add Cw example.com in
/etc/mail/sendmail.cf on example.com).When the sending sendmail is trying to
deliver the mail it will try to connect to you (example.com) over the modem
link. It will most likely time out because you are not online.
The program sendmail will automatically deliver it to the
secondary MX site, i.e. your Internet provider (example.net). The secondary MX
site will then periodically try to connect to
your host and deliver the mail to the primary MX host (example.com).You might want to use something like this as a login
script:#!/bin/sh
# Put me in /usr/local/bin/pppmyisp
( sleep 60 ; /usr/sbin/sendmail -q ) &
/usr/sbin/ppp -direct pppmyispIf you are going to create a separate login script for a
user you could use sendmail -qRexample.com
instead in the script above. This will force all mail in your
queue for example.com to be processed immediately.A further refinement of the situation is as follows:Message stolen from the &a.isp;.> we provide the secondary MX for a customer. The customer connects to
> our services several times a day automatically to get the mails to
> his primary MX (We do not call his site when a mail for his domains
> arrived). Our sendmail sends the mailqueue every 30 minutes. At the
> moment he has to stay 30 minutes online to be sure that all mail is
> gone to the primary MX.
>
> Is there a command that would initiate sendmail to send all the mails
> now? The user has not root-privileges on our machine of course.
In the privacy flags section of sendmail.cf, there is a
definition Opgoaway,restrictqrun
Remove restrictqrun to allow non-root users to start the queue processing.
You might also like to rearrange the MXs. We are the 1st MX for our
customers like this, and we have defined:
# If we are the best MX for a host, try directly instead of generating
# local config error.
OwTrue
That way a remote site will deliver straight to you, without trying
the customer connection. You then send to your customer. Only works for
hosts, so you need to get your customer to name their mail
machine customer.com as well as
hostname.customer.com in the DNS. Just put an A record in
the DNS for customer.com.Why do I keep getting Relaying
Denied errors when sending mail from other
hosts?In default FreeBSD installations,
sendmail is configured to only
send mail from the host it is running on. For example, if
a POP server is available, then users
will be able to check mail from school, work, or other
remote locations but they still will not be able to send
outgoing emails from outside locations. Typically, a few
moments after the attempt, an email will be sent from
MAILER-DAEMON with a
5.7 Relaying Denied error
message.There are several ways to get around this. The most
straightforward solution is to put your ISP's address in
a relay-domains file at
/etc/mail/relay-domains. A quick way
to do this would be:&prompt.root; echo "your.isp.example.com" > /etc/mail/relay-domainsAfter creating or editing this file you must restart
sendmail. This works great if
you are a server administrator and do not wish to send mail
locally, or would like to use a point and click
client/system on another machine or even another ISP. It
is also very useful if you only have one or two email
accounts set up. If there is a large number of addresses
to add, you can simply open this file in your favorite
text editor and then add the domains, one per line:your.isp.example.com
other.isp.example.net
users-isp.example.org
www.example.orgNow any mail sent through your system, by any host in
this list (provided the user has an account on your
system), will succeed. This is a very nice way to allow
users to send mail from your system remotely without
allowing people to send SPAM through your system.Advanced TopicsThe following section covers more involved topics such as mail
configuration and setting up mail for your entire domain.Basic ConfigurationemailconfigurationOut of the box, you should be able to send email to external
hosts as long as you have set up
/etc/resolv.conf or are running your own
name server. If you would like to have mail for your host
delivered to the MTA (e.g., sendmail) on your own FreeBSD host, there are two methods:Run your own name server and have your own domain. For
example, FreeBSD.orgGet mail delivered directly to your host. This is done by
delivering mail directly to the current DNS name for your
machine. For example, example.FreeBSD.org.SMTPRegardless of which of the above you choose, in order to have
mail delivered directly to your host, it must have a permanent
static IP address (not a dynamic address, as with most PPP dial-up configurations). If you are behind a
firewall, it must pass SMTP traffic on to you. If you want to
receive mail directly at your host, you need to be sure of either of two
things:MX recordMake sure that the (lowest-numbered) MX record in your DNS points to your
host's IP address.Make sure there is no MX entry in your DNS for your
host.Either of the above will allow you to receive mail directly at
your host.Try this:&prompt.root; hostname
example.FreeBSD.org
&prompt.root; host example.FreeBSD.org
example.FreeBSD.org has address 204.216.27.XXIf that is what you see, mail directly to
yourlogin@example.FreeBSD.org should work without
problems (assuming sendmail is
running correctly on example.FreeBSD.org).If instead you see something like this:&prompt.root; host example.FreeBSD.org
example.FreeBSD.org has address 204.216.27.XX
example.FreeBSD.org mail is handled (pri=10) by hub.FreeBSD.orgAll mail sent to your host (example.FreeBSD.org) will end up being
collected on hub under the same username instead
of being sent directly to your host.The above information is handled by your DNS server. The DNS
record that carries mail routing information is the
Mail eXchange entry. If
no MX record exists, mail will be delivered directly to the host by
way of its IP address.The MX entry for freefall.FreeBSD.org at one time looked like
this:freefall MX 30 mail.crl.net
freefall MX 40 agora.rdrop.com
freefall MX 10 freefall.FreeBSD.org
freefall MX 20 who.cdrom.comAs you can see, freefall had many MX entries.
The lowest MX number is the host that receives mail directly if
available; if it is not accessible for some reason, the others
(sometimes called backup MXes) accept messages
temporarily, and pass it along when a lower-numbered host becomes
available, eventually to the lowest-numbered host.Alternate MX sites should have separate Internet connections
from your own in order to be most useful. Your ISP or another
friendly site should have no problem providing this service for
you.Mail for Your DomainIn order to set up a mailhost (a.k.a. mail
server) you need to have any mail sent to various workstations
directed to it. Basically, you want to claim any
mail for any hostname in your domain (in this case *.FreeBSD.org) and divert it to your mail
server so your users can receive their mail on
the master mail server.DNSTo make life easiest, a user account with the same
username should exist on both machines. Use
&man.adduser.8; to do this.The mailhost you will be using must be the designated mail
exchanger for each workstation on the network. This is done in
your DNS configuration like so:example.FreeBSD.org A 204.216.27.XX ; Workstation
MX 10 hub.FreeBSD.org ; MailhostThis will redirect mail for the workstation to the mailhost no
matter where the A record points. The mail is sent to the MX
host.You cannot do this yourself unless you are running a DNS
server. If you are not, or cannot run your own DNS server, talk
to your ISP or whoever provides your DNS.If you are doing virtual email hosting, the following
information will come in handy. For this example, we
will assume you have a customer with his own domain, in this
case customer1.org, and you want
all the mail for customer1.org
sent to your mailhost, mail.myhost.com. The entry in your DNS
should look like this:customer1.org MX 10 mail.myhost.comYou do not need an A record for customer1.org if you only
want to handle email for that domain.Be aware that pinging customer1.org will not work unless
an A record exists for it.The last thing that you must do is tell
sendmail on your mailhost what domains
and/or hostnames it should be accepting mail for. There are a few
different ways this can be done. Either of the following will
work:Add the hosts to your
/etc/mail/local-host-names file if you are using the
FEATURE(use_cw_file). If you are using
a version of sendmail earlier than 8.10, the file is
/etc/sendmail.cw.Add a Cwyour.host.com line to your
/etc/sendmail.cf or
/etc/mail/sendmail.cf if you are using
sendmail 8.10 or higher.SMTP with UUCPThe sendmail configuration that ships with FreeBSD is
designed for sites that connect directly to the Internet. Sites
that wish to exchange their mail via UUCP must install another
sendmail configuration file.Tweaking /etc/mail/sendmail.cf manually
is an advanced topic. sendmail version 8 generates config files
via &man.m4.1; preprocessing, where the actual configuration
occurs on a higher abstraction level. The &man.m4.1;
configuration files can be found under
/usr/src/usr.sbin/sendmail/cf.If you did not install your system with full sources, the
sendmail configuration set has been broken out into a separate source
distribution tarball. Assuming you have your FreeBSD source code
CDROM mounted, do:&prompt.root; cd /cdrom/src
&prompt.root; cat scontrib.?? | tar xzf - -C /usr/src/contrib/sendmailThis extracts to only a few hundred kilobytes. The file
README in the cf
directory can serve as a basic introduction to &man.m4.1;
configuration.The best way to support UUCP delivery is to use the
mailertable feature. This creates a database
that sendmail can use to make routing decisions.First, you have to create your .mc
file. The directory
/usr/src/usr.sbin/sendmail/cf/cf contains a
few examples. Assuming you have named your file
foo.mc, all you need to do in order to
convert it into a valid sendmail.cf
is:&prompt.root; cd /usr/src/usr.sbin/sendmail/cf/cf
&prompt.root; make foo.cf
&prompt.root; cp foo.cf /etc/mail/sendmail.cfA typical .mc file might look
like:VERSIONID(`Your version number') OSTYPE(bsd4.4)
FEATURE(accept_unresolvable_domains)
FEATURE(nocanonify)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
define(`UUCP_RELAY', your.uucp.relay)
define(`UUCP_MAX_SIZE', 200000)
define(`confDONT_PROBE_INTERFACES')
MAILER(local)
MAILER(smtp)
MAILER(uucp)
Cw your.alias.host.name
Cw youruucpnodename.UUCPThe lines containing
accept_unresolvable_domains,
nocanonify, and
confDONT_PROBE_INTERFACES features will
prevent any usage of the DNS during mail delivery. The
UUCP_RELAY clause is needed to support UUCP
delivery. Simply put an Internet hostname there that is able to
handle .UUCP pseudo-domain addresses; most likely, you will
enter the mail relay of your ISP there.Once you have this, you need an
/etc/mail/mailertable file. If you have
only one link to the outside that is used for all your mails,
the following file will suffice:#
# makemap hash /etc/mail/mailertable.db < /etc/mail/mailertable
. uucp-dom:your.uucp.relayA more complex example might look like this:#
# makemap hash /etc/mail/mailertable.db < /etc/mail/mailertable
#
horus.interface-business.de uucp-dom:horus
.interface-business.de uucp-dom:if-bus
interface-business.de uucp-dom:if-bus
.heep.sax.de smtp8:%1
horus.UUCP uucp-dom:horus
if-bus.UUCP uucp-dom:if-bus
. uucp-dom:The first three lines handle special cases where
domain-addressed mail should not be sent out to the default
route, but instead to some UUCP neighbor in order to
shortcut the delivery path. The next line handles
mail to the local Ethernet domain that can be delivered using
SMTP. Finally, the UUCP neighbors are mentioned in the .UUCP
pseudo-domain notation, to allow for a
uucp-neighbor
!recipient
override of the default rules. The last line is always a single
dot, matching everything else, with UUCP delivery to a UUCP
neighbor that serves as your universal mail gateway to the
world. All of the node names behind the
uucp-dom: keyword must be valid UUCP
neighbors, as you can verify using the command
uuname.As a reminder that this file needs to be converted into a
DBM database file before use. The command line to accomplish
this is best placed as a comment at the top of the mailertable file.
You always have to execute this command each time you change
your mailertable file.Final hint: if you are uncertain whether some particular
mail routing would work, remember the
option to sendmail. It starts sendmail in address test
mode; simply enter 3,0, followed
by the address you wish to test for the mail routing. The last
line tells you the used internal mail agent, the destination
host this agent will be called with, and the (possibly
translated) address. Leave this mode by typing CtrlD.&prompt.user; sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
>3,0 foo@example.com
canonify input: foo @ example . com
...
parse returns: $# uucp-dom $@ your.uucp.relay $: foo < @ example . com . >
>^DBillMoranContributed by Setting Up to Send OnlyThere are many instances where you may only want to send
mail through a relay. Some examples are:Your computer is a desktop machine, but you want
to use programs such as &man.send-pr.1;. To do so, you should use
your ISP's mail relay.The computer is a server that does not handle mail
locally, but needs to pass off all mail to a relay for
processing.Just about any MTA is capable of filling
this particular niche. Unfortunately, it can be very difficult
to properly configure a full-featured MTA
just to handle offloading mail. Programs such as
sendmail and
postfix are largely overkill for
this use.Additionally, if you are using a typical Internet access
service, your agreement may forbid you from running a
mail server.The easiest way to fulfill those needs is to install the
mail/ssmtp port. Execute
the following commands as root:&prompt.root; cd /usr/ports/mail/ssmtp
&prompt.root; make install replace cleanOnce installed,
mail/ssmtp can be configured
with a four-line file located at
/usr/local/etc/ssmtp/ssmtp.conf:root=yourrealemail@example.com
mailhub=mail.example.com
rewriteDomain=example.com
hostname=_HOSTNAME_Make sure you use your real email address for
root. Enter your ISP's outgoing mail relay
in place of mail.example.com (some ISPs call
this the outgoing mail server or
SMTP server).Make sure you disable sendmail by
setting sendmail_enable="NONE"
in /etc/rc.conf.mail/ssmtp has some
other options available. See the example configuration file in
/usr/local/etc/ssmtp or the manual page of
ssmtp for some examples and more
information.Setting up ssmtp in this manner
will allow any software on your computer that needs to send
mail to function properly, while not violating your ISP's usage
policy or allowing your computer to be hijacked for spamming.Using Mail with a Dialup ConnectionIf you have a static IP address, you should not need to
adjust anything from the defaults. Set your host name to your
assigned Internet name and sendmail will do the rest.If you have a dynamically assigned IP number and use a
dialup PPP connection to the Internet, you will probably have a
mailbox on your ISPs mail server. Let's assume your ISP's domain
is example.net, and that your
user name is user, you have called your
machine bsd.home, and your ISP has
told you that you may use relay.example.net as a mail relay.In order to retrieve mail from your mailbox, you must
install a retrieval agent. The
fetchmail utility is a good choice as
it supports many different protocols. This program is available
as a package or from the Ports Collection (mail/fetchmail). Usually, your ISP will
provide POP. If you are using user PPP, you can
automatically fetch your mail when an Internet connection is
established with the following entry in
/etc/ppp/ppp.linkup:MYADDR:
!bg su user -c fetchmailIf you are using sendmail (as
shown below) to deliver mail to non-local accounts, you probably
want to have sendmail process your
mailqueue as soon as your Internet connection is established.
To do this, put this command after the
fetchmail command in
/etc/ppp/ppp.linkup: !bg su user -c "sendmail -q"Assume that you have an account for
user on bsd.home. In the home directory of
user on bsd.home, create a
.fetchmailrc file:poll example.net protocol pop3 fetchall pass MySecretThis file should not be readable by anyone except
user as it contains the password
MySecret.In order to send mail with the correct
from: header, you must tell
sendmail to use
user@example.net rather than
user@bsd.home. You may also wish to tell
sendmail to send all mail via relay.example.net, allowing quicker mail
transmission.The following .mc file should
suffice:VERSIONID(`bsd.home.mc version 1.0')
OSTYPE(bsd4.4)dnl
FEATURE(nouucp)dnl
MAILER(local)dnl
MAILER(smtp)dnl
Cwlocalhost
Cwbsd.home
MASQUERADE_AS(`example.net')dnl
FEATURE(allmasquerade)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(nocanonify)dnl
FEATURE(nodns)dnl
define(`SMART_HOST', `relay.example.net')
Dmbsd.home
define(`confDOMAIN_NAME',`bsd.home')dnl
define(`confDELIVERY_MODE',`deferred')dnlRefer to the previous section for details of how to turn
this .mc file into a
sendmail.cf file. Also, do not forget to
restart sendmail after updating
sendmail.cf.JamesGorhamWritten by SMTP AuthenticationHaving SMTP Authentication in place on
your mail server has a number of benefits.
SMTP Authentication can add another layer
of security to sendmail, and has the benefit of giving mobile
users who switch hosts the ability to use the same mail server
without the need to reconfigure their mail client settings
each time.Install security/cyrus-sasl
from the ports. You can find this port in
security/cyrus-sasl.
security/cyrus-sasl has
a number of compile time options to choose from and, for
the method we will be using here, make sure to select the
option.After installing security/cyrus-sasl,
edit /usr/local/lib/sasl/Sendmail.conf
(or create it if it does not exist) and add the following
line:pwcheck_method: passwdThis method will enable sendmail
to authenticate against your FreeBSD passwd
database. This saves the trouble of creating a new set of usernames
and passwords for each user that needs to use
SMTP authentication, and keeps the login
and mail password the same.Now edit /etc/make.conf and add the
following lines:SENDMAIL_CFLAGS=-I/usr/local/include/sasl1 -DSASL
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsaslThese lines will give sendmail
the proper configuration options for linking
to cyrus-sasl at compile time.
Make sure that cyrus-sasl
has been installed before recompiling
sendmail.Recompile sendmail by executing the following commands:&prompt.root; cd /usr/src/usr.sbin/sendmail
&prompt.root; make cleandir
&prompt.root; make obj
&prompt.root; make
&prompt.root; make installThe compile of sendmail should not have any problems
if /usr/src has not been changed extensively
and the shared libraries it needs are available.After sendmail has been compiled
and reinstalled, edit your /etc/mail/freebsd.mc
file (or whichever file you use as your .mc file. Many administrators
choose to use the output from &man.hostname.1; as the .mc file for
uniqueness). Add these lines to it:dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confDEF_AUTH_INFO', `/etc/mail/auth-info')dnlThese options configure the different methods available to
sendmail for authenticating users.
If you would like to use a method other than
pwcheck, please see the
included documentation.Finally, run &man.make.1; while in /etc/mail.
That will run your new .mc file and create a .cf file named
freebsd.cf (or whatever name you have used
for your .mc file). Then use the
command make install restart, which will
copy the file to sendmail.cf, and will
properly restart sendmail.
For more information about this process, you should refer
to /etc/mail/Makefile.If all has gone correctly, you should be able to enter your login
information into the mail client and send a test message.
For further investigation, set the of
sendmail to 13 and watch
/var/log/maillog for any errors.You may wish to add the following lines to /etc/rc.conf
so this service will be available after every system boot:sasl_pwcheck_enable="YES"
sasl_pwcheck_program="/usr/local/sbin/pwcheck"This will ensure the initialization of SMTP_AUTH upon system
boot.For more information, please see the sendmail
page regarding
SMTP authentication.MarcSilverContributed by Mail User AgentsMail User AgentsA Mail User Agent (MUA) is an application
that is used to send and receive email. Furthermore, as email
evolves and becomes more complex,
MUA's are becoming increasingly powerful in the
way they interact with email; this gives users increased
functionality and flexibility. &os; contains support for
numerous mail user agents, all of which can be easily installed
using the FreeBSD Ports Collection.
Users may choose between graphical email clients such as
evolution or
balsa, console based clients such as
mutt, pine
or mail, or the web interfaces used by some
large organizations.mail&man.mail.1; is the default Mail User Agent
(MUA) in &os;. It is a
console based MUA that offers all the basic
functionality required to send and receive text-based email,
though it is limited in interaction abilities with attachments
and can only support local mailboxes.Although mail does not natively support
interaction with POP or
IMAP servers, these mailboxes may be
downloaded to a local mbox file using an
application such as fetchmail, which
will be discussed later in this chapter ().In order to send and receive email, simply invoke the
mail command as per the following
example:&prompt.user; mailThe contents of the user mailbox in
/var/mail are
automatically read by the mail utility.
Should the mailbox be empty, the utility exits with a
message indicating that no mails could be found. Once the
mailbox has been read, the application interface is started, and
a list of messages will be displayed. Messages are automatically
numbered, as can be seen in the following example:Mail version 8.1 6/6/93. Type ? for help.
"/var/mail/marcs": 3 messages 3 new
>N 1 root@localhost Mon Mar 8 14:05 14/510 "test"
N 2 root@localhost Mon Mar 8 14:05 14/509 "user account"
N 3 root@localhost Mon Mar 8 14:05 14/509 "sample"Messages can now be read by using the tmail command, suffixed by the message number
that should be displayed. In this example, we will read the
first email:& t 1
Message 1:
From root@localhost Mon Mar 8 14:05:52 2004
X-Original-To: marcs@localhost
Delivered-To: marcs@localhost
To: marcs@localhost
Subject: test
Date: Mon, 8 Mar 2004 14:05:52 +0200 (SAST)
From: root@localhost (Charlie Root)
This is a test message, please reply if you receive it.As can be seen in the example above, the t
key will cause the message to be displayed with full headers.
To display the list of messages again, the h
key should be used.If the email requires a response, you may use
mail to reply, by using either the
R or rmail
keys. The R key instructs
mail to reply only to the sender of the
email, while r replies not only to the sender,
but also to other recipients of the message. You may also
suffix these commands with the mail number which you would like
make a reply to. Once this has been done, the response should
be entered, and the end of the message should be marked by a
single . on a new line. An example can be seen
below:& R 1
To: root@localhost
Subject: Re: test
Thank you, I did get your email.
.
EOTIn order to send new email, the m
key should be used, followed by the
recipient email address. Multiple recipients may also be
specified by separating each address with the ,
delimiter. The subject of the message may then be entered,
followed by the message contents. The end of the message should
be specified by putting a single . on a new
line.& mail root@localhost
Subject: I mastered mail
Now I can send and receive email using mail ... :)
.
EOTWhile inside the mail utility, the
? command may be used to display help at any
time, the &man.mail.1; manual page should also be consulted for
more help with mail.As previously mentioned, the &man.mail.1; command was not
originally designed to handle attachments, and thus deals with
them very poorly. Newer MUAs such as
mutt handle attachments in a much
more intelligent way. But should you still wish to use the
mail command, the converters/mpack port may be of
considerable use.muttmutt is a small yet very
powerful Mail User Agent, with excellent features,
just some of which include:The ability to thread messages;PGP support for digital signing and encryption of
email;MIME Support;Maildir Support;Highly customizable.All of these features help to make
mutt one of the most advanced mail
user agents available. See for more
information on mutt.The stable version of mutt may be
installed using the mail/mutt port, while the current
development version may be installed via the mail/mutt-devel port. After the port
has been installed, mutt can be
started by issuing the following command:&prompt.user; muttmutt will automatically read the
contents of the user mailbox in /var/mail and display the contents
if applicable. If no mails are found in the user mailbox, then
mutt will wait for commands from the
user. The example below shows mutt
displaying a list of messages:In order to read an email, simply select it using the cursor
keys, and press the Enter key. An example of
mutt displaying email can be seen
below:As with the &man.mail.1; command,
mutt allows users to reply only to
the sender of the message as well as to all recipients. To
reply only to the sender of the email, use the
r keyboard shortcut. To send a group reply,
which will be sent to the original sender as well as all the
message recipients, use the g shortcut.mutt makes use of the
&man.vi.1; command as an editor for creating and replying to
emails. This may be customized by the user by creating or
editing their own .muttrc file in their home directory and setting the
editor variable.In order to compose a new mail message, press
m. After a valid subject has been given,
mutt will start &man.vi.1; and the
mail can be written. Once the contents of the mail are
complete, save and quit from vi and
mutt will resume, displaying a
summary screen of the mail that is to be delivered. In order to
send the mail, press y. An example of the
summary screen can be seen below:mutt also contains extensive
help, which can be accessed from most of the menus by pressing
the ? key. The top line also displays the
keyboard shortcuts where appropriate.pinepine is aimed at a beginner
user, but also includes some advanced features.The pine software has had several remote vulnerabilities
discovered in the past, which allowed remote attackers to
execute arbitrary code as users on the local system, by the
action of sending a specially-prepared email. All such
known problems have been fixed, but the
pine code is written in a very insecure style and the &os;
Security Officer believes there are likely to be other
undiscovered vulnerabilities. You install
pine at your own risk.The current version of pine may
be installed using the mail/pine4 port. Once the port has
installed, pine can be started by
issuing the following command:&prompt.user; pineThe first time that pine is run
it displays a greeting page with a brief introduction, as well
as a request from the pine
development team to send an anonymous email message allowing
them to judge how many users are using their client. To send
this anonymous message, press Enter, or
alternatively press E to exit the greeting
without sending an anonymous message. An example of the
greeting page can be seen below:Users are then presented with the main menu, which can be
easily navigated using the cursor keys. This main menu provides
shortcuts for the composing new mails, browsing of mail directories,
and even the administration of address book entries. Below the
main menu, relevant keyboard shortcuts to perform functions
specific to the task at hand are shown.The default directory opened by pine
is the inbox. To view the message index, press
I, or select the MESSAGE INDEX
option as seen below:The message index shows messages in the current directory,
and can be navigated by using the cursor keys. Highlighted
messages can be read by pressing the
Enter key.In the screenshot below, a sample message is displayed by
pine. Keyboard shortcuts are
displayed as a reference at the bottom of the screen. An
example of one of these shortcuts is the r key,
which tells the MUA to reply to the current
message being displayed.Replying to an email in pine is
done using the pico editor, which is
installed by default with pine.
The pico utility makes it easy to
navigate around the message and is slightly more forgiving on
novice users than &man.vi.1; or &man.mail.1;. Once the reply
is complete, the message can be sent by pressing
CtrlX. The pine application
will ask for confirmation.The pine application can be
customized using the SETUP option from the main
menu. Consult
for more information.MarcSilverContributed by Using fetchmailfetchmailfetchmail is a full-featured
IMAP and POP client which
allows users to automatically download mail from remote
IMAP and POP servers and
save it into local mailboxes; there it can be accessed more easily.
fetchmail can be installed using the
mail/fetchmail port, and
offers various features, some of which include:Support of POP3,
APOP, KPOP,
IMAP, ETRN and
ODMR protocols.Ability to forward mail using SMTP, which
allows filtering, forwarding, and aliasing to function
normally.May be run in daemon mode to check periodically for new
messages.Can retrieve multiple mailboxes and forward them based
on configuration, to different local users.While it is outside the scope of this document to explain
all of fetchmail's features, some
basic features will be explained. The
fetchmail utility requires a
configuration file known as .fetchmailrc,
in order to run correctly. This file includes server information
as well as login credentials. Due to the sensitive nature of the
contents of this file, it is advisable to make it readable only by the owner,
with the following command:&prompt.user; chmod 600 .fetchmailrcThe following .fetchmailrc serves as an
example for downloading a single user mailbox using
POP. It tells
fetchmail to connect to example.com using a username of
joesoap and a password of
XXX. This example assumes that the user
joesoap is also a user on the local
system.poll example.com protocol pop3 username "joesoap" password "XXX"The next example connects to multiple POP
and IMAP servers and redirects to different
local usernames where applicable:poll example.com proto pop3:
user "joesoap", with password "XXX", is "jsoap" here;
user "andrea", with password "XXXX";
poll example2.net proto imap:
user "john", with password "XXXXX", is "myth" here;The fetchmail utility can be run in daemon
mode by running it with the flag, followed
by the interval (in seconds) that
fetchmail should poll servers listed
in the .fetchmailrc file. The following
example would cause fetchmail to poll
every 60 seconds:&prompt.user; fetchmail -d 60More information on fetchmail can
be found at .MarcSilverContributed by Using procmailprocmailThe procmail utility is an
incredibly powerful application used to filter incoming mail.
It allows users to define rules which can be
matched to incoming mails to perform specific functions or to
reroute mail to alternative mailboxes and/or email addresses.
procmail can be installed using the
mail/procmail port. Once
installed, it can be directly integrated into most
MTAs; consult your MTA
documentation for more information. Alternatively,
procmail can be integrated by adding
the following line to a .forward in the home
directory of the user utilizing
procmail features:"|exec /usr/local/bin/procmail || exit 75"The following section will display some basic
procmail rules, as well as brief
descriptions on what they do. These rules, and others must be
inserted into a .procmailrc file, which
must reside in the user's home directory.The majority of these rules can also be found in the
&man.procmailex.5; manual page.Forward all mail from user@example.com to an
external address of goodmail@example2.com::0
* ^From.*user@example.com
! goodmail@example2.comForward all mails shorter than 1000 bytes to an external
address of goodmail@example2.com::0
* < 1000
! goodmail@example2.comSend all mail sent to alternate@example.com
into a mailbox called alternate::0
* ^TOalternate@example.com
alternateSend all mail with a subject of Spam to
/dev/null::0
^Subject:.*Spam
/dev/nullA useful recipe that parses incoming &os;.org mailing lists
and places each list in its own mailbox::0
* ^Sender:.owner-freebsd-\/[^@]+@FreeBSD.ORG
{
LISTNAME=${MATCH}
:0
* LISTNAME??^\/[^@]+
FreeBSD-${MATCH}
}