Questions[rules](server)

I have been working with the firewall/router distribution Pfsense for a while now and I have been trying to figure out how to "isolate" a server on my LAN from other computers on my LAN by using deny/reject LAN rules. I have tried adding a rule under Firewall->rules->LAN that denies a device (my phone for example 192.168.1.102) from sending any TCP packets to my web server at 192.168.1.105. For some reason, the packets manage to get though. The odd part is that if I specify the router itself as the destination, and to block the phone/computer from talking with it, it works. I have tested this with a wireless laptop and wireless phone, both on the same subnet.

My topology is as follows:

(internet)->(modem)->(pfsense)->(wireless router /w switch)->(wired devices)
                                            |
                                        (Wireless laptop/phone)
| == wifi
-> == wire

Is it possible the wireless router/switch is just relaying the packets from my phone to the server and completely bypassing the firewall (explaining why my rule isn't working)? If so, how could I set it up so that all LAN traffic has to go though my firewall to talk to any other computer on the network?

Image of the web interface available here as 3 rep won't let me post an image :( image

I have a resource mailbox set up in Exchange 2010 with auto attendant and it is auto accepting meetings without a problem. What I'm looking for it to do is the following:

• If a meeting is approved send out an approval email.
• If a meeting is cancelled by the creator send out a cancellation email.

If this were a users mailbox I'd just add the rules through Outlook on all incoming mail.

Is this possible with a resource mailbox? If so, can someone please let me know how?

I want to force users sending mail to my server to use BCC (we're getting a lot of internal spam created by mailings to 30+ mailing lists which then reply to all).

I thought spamassassin could be a good place to start since it is already used for spam filtering. However, I'm not sure how to do this (or if spamassassin is really the right place to do it). My idea was to just make a bccfilter.cf which checks the number of To+Cc recipients and mark the mail as spam if it is larger than a number (e.g. 10). What is the best way to do this?

The only thing I came up whit is something like this:

header  LOCAL_FORCE_BCC_TO      To =~ /(.*?,){9,}/
header  LOCAL_FORCE_BCC_CC      Cc =~ /(.*?,){9,}/
meta    LOCAL_FORCE_BCC         (LOCAL_FORCE_BCC_TO || LOCAL_FORCE_BCC_CC)
score   LOCAL_FORCE_BCC         15.0

It basically counts the number of comma's in the To and Cc header and if either one is larger than 9 (=10 recipients) is marks the message as spam. However I don't really like the approach and have the feeling it can be done better. Also I'd like to count the total number of recipients (To+Cc) instead of seperatly.

Does anyone know how to do that? Also I'd like to return a custom error message but that doesn't really matter much.

I finally managed to install my VM host and now I am messing with iptables to create, test and learn.

1. Does it matter if i put the below rules at the begin or at the end of my rules ?

   $IPT -P INPUT DROP
   $IPT -P FORWARD DROP
   $IPT -P OUTPUT DROP
   

   i have tested and there was no difference but i would like to confirm.

   Answer I choose so far: It is a good idea to apply your policies as early as possible. Put them at the start. DROP rules on internal traffic can cause problems.

2. Having the below rule would be considered as a fault on the firewall ?

   $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
   

   Without this rule i would need to add for example an OUTPUT rule for my ssh connection, example:

   $IPT -A OUTPUT -p tcp --sport 2013 -j ACCEPT
   

   Answer: After more tests and talks with people on #iptables@freenode, i came to the conclusion that using -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT for INPUT and OUPUT is a fine approch and will help you deal with lots of things like for example the FTP and is a fine approch because unless you have that given port open and being accept there will be no malicious connection on it.

   Here is a normal example without using the above:

   $IPT -A INPUT -p tcp --dport 20:21 -j ACCEPT
   $IPT -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
   

   Now here is how the rule looks like using the above:

   $IPT -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
   

   That's all you need because once the connection is ESTABLISHED, the output will follow-up right away and you won't need to make rules for the ftp-data port.

3. What are bad things of having the below rule, could you give some example as to why not have it and instead just define anything you may need to use ?

   $IPT -P OUTPUT ACCEPT
   

   Answer I choose so far: This policy rule allows all outgoing traffic. As a policy, allowing everything is obviously less secure than allowing only explicit kinds of traffic. So if security is your utmost priority, you'll want to set a DROP policy on the output chain instead. Just be aware that you'll then have to include a number of rules to allow outgoing traffic to a possibly large number of mundane things, such as: DNS, SMTP, IMAP, POP3, HTTP, HTTPS, etc.

4. What is the difference between conntrack and state in the below context ?

   state example:

   $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   

   conntrack example:

   $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
   

   Answer: After some research talks with people on #iptables@freenode i came to the conclusion i should be using conntrack from here on.

   Technically the conntrack match supersedes - and so obsoletes - the state match. But practically the state match is not obsoleted in any way.

I would aswell appreciate good online iptables reading materials.

Links recommended so far:

Perfect Ruleset

The Linux Documentation Project

For what are these rules in the default iptables shipped with centos 5.4 ?

-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

Do I need them for a web server with ftp, apache, ssh, mysql?

Thanks