[lug] Firewall / Lockdown questions
dio2002 at indra.com
Tue Jul 31 18:52:55 MDT 2007
>> 3) Do i need to have this sendmail service enabled for simple outgoing
>> mail as described? Basically how do i configure minimal outbound
>> sendmail capability while keeping either:
>>
>> a) the port entirely closed / invisible (not sure if that's even
>> possible) or
>> b) locked down (visible and open but only sends from local host and
>> accepts no inbound - i'm thinking this can be done in a config file
>> without the need for iptables rules).
>
> In /etc/mail/sendmail.mc there is a line that says something like:
>
> dnl #DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
It looks like my system is using a different macro language or something:
# vi /etc/mail/sendmail.cf
# SMTP daemon options
O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA
Would this be the equivalent? I think it is! If I nmap on localhost I see:
# nmap localhost
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
443/tcp open https
However if I nmap ACROSS the network from a different server I see:
# nmap remotehost
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Yeah, I think the default config takes care of this.
Which means sendmail should be enabled as a chkconfig service and that the
incoming mail blocking is handled entirely by the config directive above,
correct?
Is there a way to confirm using netstat on localhost that smtp / 25 is
ONLY ACCEPTING on 127.0.0.1 versus accepting on 0.0.0.0? I'm thinking
there is a way to confirm this functionality on the box without having to
issue a command over the network from a separate box. Just not sure how?
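A local check of the kind asked about above, as an added example that is not part of the original post: it takes the output of `netstat -ltn` (or `ss -ltn`) and reports whether the SMTP listener is bound only to 127.0.0.1, to all interfaces (0.0.0.0 or ::), or to some specific address. The sample listing embedded in the script is constructed, and the column layout it assumes (state in the first or last column, local address in the fourth) is the usual Linux layout for those two tools.

```shell
#!/bin/sh
# Constructed sample in `netstat -ltn` layout (assumption: Linux net-tools columns).
SAMPLE_LOOPBACK='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN'

# Constructed sample of a box where sendmail listens on every interface.
SAMPLE_EXPOSED='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'

# bind_scope LISTING [PORT]
#   Prints one of: loopback-only, all-interfaces, specific:<addr>, not-listening
#   A socket bound to all interfaces wins over a loopback-only one, because
#   remote hosts can still reach the port in that case.
bind_scope() {
    listing=$1
    port=${2:-25}
    result=not-listening
    # Keep LISTEN rows only (state is last column for netstat, first for ss),
    # then take the local-address column and keep those ending in ":<port>".
    addrs=$(printf '%s\n' "$listing" | awk -v p=":$port\$" \
        '($NF == "LISTEN" || $1 == "LISTEN") && $4 ~ p { print $4 }')
    for addr in $addrs; do
        host=${addr%:*}              # strip the trailing ":<port>"
        case $host in
            127.0.0.1|::1|'[::1]')   scope=loopback-only ;;
            0.0.0.0|::|'[::]'|'*')   scope=all-interfaces ;;
            *)                       scope="specific:$host" ;;
        esac
        if [ "$result" = not-listening ] || [ "$scope" = all-interfaces ]; then
            result=$scope
        fi
    done
    printf '%s\n' "$result"
}

# Convenience wrapper for a live check on the local box (ss is tried first).
check_local_smtp() {
    if command -v ss >/dev/null 2>&1; then
        bind_scope "$(ss -ltn 2>/dev/null)" 25
    else
        bind_scope "$(netstat -ltn 2>/dev/null)" 25
    fi
}
```

Running `check_local_smtp` on the host should print `loopback-only` when the `Addr=127.0.0.1` daemon option is in effect; `all-interfaces` means the nmap result from a remote box would show port 25 open regardless of what the local nmap says.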