[ale] SMTP and firewall problems

Ben Coleman oloryn at benshome.net
Fri Feb 9 21:14:47 EST 2001


On Fri, 09 Feb 2001 09:56:21 -0700, Joseph A. Knapka wrote:

>Ben Coleman wrote:

>> On Fri, 9 Feb 2001 07:18:07 -0500, Eric_Brubakken at aoncons.com wrote:
>> >I am currently trying to configure my firewall at home and have run into a
>> >problem with sending mail.  Receiving mail is not a problem, just sending - my
>> >firewall script seems to be rejecting everything from SMTP (port 25).
>> >
>> >Does anyone see problems in the following code?
>> >Here is a snippet from my rc.firewall script:
>> 
>> >LOOPBACK_INTERFACE="lo"                 # or your local naming convention
>> >LOCAL_INTERFACE_1="eth1"                # internal LAN interface
>> >
>> >IPADDR="64.81.31.123"                   # your IP address
>> >LOCALNET_1="192.168.0.0/24"             # whatever private range you use
>> >
>> >ANYWHERE="any/0"                        # match any IP address
>> >
>> >NAMESERVER_1="216.254.95.2"             # everyone must have at least one
>> >NAMESERVER_2="216.231.41.2"
>> >UNPRIVPORTS="1024:65535"
>> 
>> Hmmm.  That looks a lot like the firewall scripts from the book 'Linux
>> Firewalls'.
>> 
>> >------------------------------------------------------- problem child area -----------------------------------------------
>> >
>> >
>> ># SMTP server (25)
>> ># ----------------
>> >    /sbin/ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
>> >             -s $ANYWHERE $UNPRIVPORTS \
>> >             -d $IPADDR 25 -j ACCEPT
>
>This says, "Allow any incoming packet from unprivileged ports on
>any machine for local port 25." So this is going to allow folks
>to send you mail to be delivered locally, but won't allow your
>machine to send reply packets - no one will be able to actually
>connect until that is fixed. I'm assuming there's a rule somewhere
>else that lets your machine send any well-formed outgoing packets
>on port 25 (since you say elsewhere that you can receive mail),
>so that should be fine.

>> >    /sbin/ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
>> >             -s $IPADDR $UNPRIVPORTS \
>> >             -d $ANYWHERE 25  -j ACCEPT
>
>This says,  "Allow any outgoing packet from a local unprivileged port
>to port 25 on any other machine, so long as it's not attempting to
>open a new connection." So you are explicitly *blocking* outgoing
>SMTP connections with this rule. I think you want to get rid of the
>"! -y", since you *do* want to be able to actually open connections to
>other machines. The log message in your original post indicates that
>this is exactly what's happening: the firewall is rejecting outgoing
>packets with the SYN bit set (SYN is set when attempting to open
>a connection).

Actually, the real problem is that this second rule is incorrect for
handling the 'return' packets for incoming SMTP connections (I was
wrong in saying his original rules were ok as far as they went).  It
should be 

/sbin/ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
        -s $IPADDR 25 \
        -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

Essentially, this is the 'return' from port 25 that you mentioned is
needed above.  Either he already has this and didn't include it,
or some other rule is allowing it through, in which case I'd try to
find it, as this other rule may be malformed.

>> That's fine as far as it goes, but it only allows for incoming SMTP
>> (which is what you've reported).  You also need to allow connections to
>> external SMTP servers.  Assuming that you're not using your ISP's SMTP
>> server, you need something like this:
>> 
>> /sbin/ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>>         -s $IPADDR $UNPRIVPORTS \
>>         -d $ANYWHERE 25 -j ACCEPT
>
>This is just the second rule above with the "! -y" taken away,
>so adding this will achieve the same effect as my suggestion.

Once the second rule is corrected, this becomes necessary.

Ben
-- 
Ben Coleman oloryn at benshome.net      | The attempt to legislatively
http://oloryn.home.mindspring.com/   | micromanage equality results, at
Amateur Radio NJ8J                   | best, in equal misery for all.
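The thread's point is a stateless-filter one: ipchains has no connection tracking, so every TCP conversation needs one rule per direction, and "! -y" (match anything that is not a SYN-only, connection-opening packet) belongs only on the rule that carries replies, never on the rule a client uses to open a connection. The following is an added example, not code from the thread or from the 'Linux Firewalls' scripts: a small Python model of the matching semantics the posters rely on (chain, address, port range, and the -y flag), run against the two rules as posted and against the corrected set. The addresses of the remote client and remote MX are constructed for the example, and the fourth rule in the corrected set (replies from a remote MX back to our client port) is not shown in the thread; it is assumed here so the outbound connection is complete in both directions.

```python
# Added example (not from the thread): a stateless packet-filter model that shows
# why the posted ipchains rule pair breaks SMTP in both directions and what the
# corrected set does. It models only the ipchains matching used here: chain,
# source/destination address, port range, and "-y" (SYN set, ACK and FIN clear,
# i.e. a connection-opening packet), with "! -y" matching everything except such
# packets. Remote addresses and ports are constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPADDR = "64.81.31.123"          # from the thread
UNPRIVPORTS = (1024, 65535)      # from the thread
ANY = None                       # stands in for ANYWHERE / any/0
P25 = (25, 25)


@dataclass(frozen=True)
class Packet:
    chain: str        # "input" (arriving on the external interface) or "output"
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool    # True for a connection-opening packet (SYN set, ACK/FIN clear)


@dataclass(frozen=True)
class Rule:
    chain: str
    src: Optional[str]            # None = any address
    sports: Tuple[int, int]
    dst: Optional[str]
    dports: Tuple[int, int]
    not_syn: bool = False         # "! -y": refuse to match connection-opening packets
    target: str = "ACCEPT"


def _port_in(port: int, rng: Tuple[int, int]) -> bool:
    return rng[0] <= port <= rng[1]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Match one ipchains rule against one packet."""
    if rule.chain != pkt.chain:
        return False
    if rule.src is not None and rule.src != pkt.src:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if not _port_in(pkt.sport, rule.sports) or not _port_in(pkt.dport, rule.dports):
        return False
    if rule.not_syn and pkt.syn_only:
        return False
    return True


def verdict(rules: List[Rule], pkt: Packet, policy: str = "DENY") -> str:
    """Walk the chain in order; the first matching rule decides, else the policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    return policy


# The two rules exactly as posted in the "problem child" area.
ORIGINAL_RULES = [
    Rule("input", ANY, UNPRIVPORTS, IPADDR, P25),                # remote -> our port 25
    Rule("output", IPADDR, UNPRIVPORTS, ANY, P25, not_syn=True),  # "! -y" on a client rule
]

# The set the thread converges on: the "! -y" rule reversed so it carries our
# replies from port 25, plus a plain client rule for opening outbound SMTP.
# The last rule (replies from a remote MX back to us) is not in the thread; it is
# assumed here so the outbound connection is complete in both directions.
CORRECTED_RULES = [
    Rule("input", ANY, UNPRIVPORTS, IPADDR, P25),
    Rule("output", IPADDR, P25, ANY, UNPRIVPORTS, not_syn=True),
    Rule("output", IPADDR, UNPRIVPORTS, ANY, P25),
    Rule("input", ANY, P25, IPADDR, UNPRIVPORTS, not_syn=True),   # assumed, see above
]

# Constructed traffic: one inbound delivery to us and one outbound relay from us.
REMOTE_CLIENT = "198.51.100.7"   # constructed (RFC 5737 documentation range)
REMOTE_MX = "203.0.113.25"       # constructed
SCENARIOS: Dict[str, Packet] = {
    "inbound_syn":    Packet("input", REMOTE_CLIENT, 40000, IPADDR, 25, syn_only=True),
    "inbound_reply":  Packet("output", IPADDR, 25, REMOTE_CLIENT, 40000, syn_only=False),
    "outbound_syn":   Packet("output", IPADDR, 45000, REMOTE_MX, 25, syn_only=True),
    "outbound_data":  Packet("output", IPADDR, 45000, REMOTE_MX, 25, syn_only=False),
    "outbound_reply": Packet("input", REMOTE_MX, 25, IPADDR, 45000, syn_only=False),
}


def run_scenarios(rules: List[Rule]) -> Dict[str, str]:
    """Return {scenario: verdict} for one rule set, with a default DENY policy."""
    return {name: verdict(rules, pkt) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("corrected", CORRECTED_RULES)):
        print(label)
        for name, result in run_scenarios(rules).items():
            print(f"  {name:15s} {result}")
```

Run as-is, the original set accepts the inbound SYN and non-SYN outbound data but denies our port-25 replies (source port 25 is outside UNPRIVPORTS) and denies the outbound SYN (the "! -y" excludes it), which is the log message described in the thread; the corrected set accepts all five packets. The model uses a DENY default, so a rule "somewhere else" on the real box, as the posters suspect, would change the original set's results.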

