Is there any way to allow the firewall to access LAN machines via their public IP?

-------------------------------------------
Tyler Davis
Sonic Development
tdavis@sonicdev.com
-------------------------------------------
Historia est vitae magistra.
Hi there,

No offence, but a little bit more information about your problem would be helpful. Who needs to access which machine, doing what? Also, does the LAN machine actually have that public IP assigned, or are you speaking about NAT?

Axel Westerhold
DTS Systeme GmbH

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tyler Davis
Sent: Monday, 19 April 2004 21:00
To: Shorewall-users@lists.shorewall.net
Subject: [Shorewall-users] Firewall > Lan

Is there any way to allow the firewall to access LAN machines via their public IP?

-------------------------------------------
Tyler Davis
Sonic Development
tdavis@sonicdev.com
-------------------------------------------
Historia est vitae magistra.

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Tyler Davis wrote:
> I have multiple sendmail machines 1:1 NAT'd behind the firewall. I also have
> sendmail on the firewall itself. When sendmail on the firewall box tries to
> send email to a domain behind the firewall and does its DNS MX lookup, it of
> course finds the public IP and is unable to send it.
>
> So my problem is that the firewall, and machines on the LAN, cannot send
> email to each other via the public MX IP for some reason.
>
> Hope that makes sense.

Set both the ALL INTERFACES and LOCAL columns to "Yes" in the /etc/shorewall/nat entries.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
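As an added illustration of Tom's advice (this is not from the thread or the Shorewall project), here is what the change looks like in /etc/shorewall/nat. The column layout is that of Shorewall 2.x one-to-one NAT; the public and private addresses, the interface name eth0 and the two mail hosts are constructed examples.

```text
# /etc/shorewall/nat  -- one-to-one NAT (Shorewall 2.x column layout)
# Addresses and interface below are constructed examples, not the poster's.
#
# Typical entry: the mapping 203.0.113.10 <-> 192.168.1.10 is only applied
# to traffic arriving on eth0. A connection the firewall itself opens to
# 203.0.113.10 (sendmail following the MX record) is never translated, so
# it goes out the default route instead of reaching the internal host.
#
#EXTERNAL        INTERFACE   INTERNAL        ALL             LOCAL
#                                            INTERFACES
#203.0.113.10    eth0        192.168.1.10    No              No   <- replace this line

# Corrected entries (Tom's fix): ALL INTERFACES=Yes applies the mapping to
# connections arriving on every interface, LOCAL=Yes also applies it to
# connections originating on the firewall. LOCAL only makes sense together
# with ALL INTERFACES=Yes, hence "both".
#EXTERNAL        INTERFACE   INTERNAL        ALL             LOCAL
#                                            INTERFACES
203.0.113.10     eth0        192.168.1.10    Yes             Yes
203.0.113.11     eth0        192.168.1.11    Yes             Yes
```

Two caveats worth knowing before relying on this. LOCAL=Yes needs a kernel and iptables that can NAT locally generated connections (the nat table's OUTPUT chain), which Shorewall checks for at start. And ALL INTERFACES=Yes fixes the firewall-to-host case cleanly, but for two mail hosts on the same LAN segment the translated connection is a hairpin: the firewall rewrites the destination, yet the server answers the client directly across the segment, so the client sees replies from the private address and the TCP handshake fails. Split-horizon DNS, or overriding the MX lookup in the MTA as Steve describes later in the thread, avoids the problem without involving the firewall at all.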
I have multiple sendmail machines 1:1 NAT'd behind the firewall. I also have sendmail on the firewall itself. When sendmail on the firewall box tries to send email to a domain behind the firewall and does its DNS MX lookup, it of course finds the public IP and is unable to send it.

So my problem is that the firewall, and machines on the LAN, cannot send email to each other via the public MX IP for some reason.

Hope that makes sense.

-------------------------------------------
Tyler Davis
Sonic Development
tdavis@sonicdev.com
-------------------------------------------
Historia est vitae magistra.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Axel@congos-tools.com
Sent: Monday, April 19, 2004 2:30 PM
To: shorewall-users@lists.shorewall.net
Subject: RE: [Shorewall-users] Firewall > Lan

Hi there,

No offence, but a little bit more information about your problem would be helpful. Who needs to access which machine, doing what? Also, does the LAN machine actually have that public IP assigned, or are you speaking about NAT?

Axel Westerhold
DTS Systeme GmbH

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tyler Davis
Sent: Monday, 19 April 2004 21:00
To: Shorewall-users@lists.shorewall.net
Subject: [Shorewall-users] Firewall > Lan

Is there any way to allow the firewall to access LAN machines via their public IP?

-------------------------------------------
Tyler Davis
Sonic Development
tdavis@sonicdev.com
-------------------------------------------
Historia est vitae magistra.
*wipes sweat from brow*

That fixed it, thanks!

-------------------------------------------
Tyler Davis
Sonic Development
tdavis@sonicdev.com
-------------------------------------------
Historia est vitae magistra.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Monday, April 19, 2004 3:41 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Firewall > Lan

Tyler Davis wrote:
> I have multiple sendmail machines 1:1 NAT'd behind the firewall. I
> also have sendmail on the firewall itself. When sendmail on the
> firewall box tries to send email to a domain behind the firewall and
> does its DNS MX lookup, it of course finds the public IP and is unable to send it.
>
> So my problem is that the firewall, and machines on the LAN, cannot
> send email to each other via the public MX IP for some reason.
>
> Hope that makes sense.

Set both the ALL INTERFACES and LOCAL columns to "Yes" in the /etc/shorewall/nat entries.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> Tyler Davis wrote:
>> I have multiple sendmail machines 1:1 NAT'd behind the firewall. I
>> also have sendmail on the firewall itself. When sendmail on the
>> firewall box tries to send email to a domain behind the firewall and
>> does its DNS MX lookup, it of course finds the public IP and is
>> unable to send it.
>>
>> So my problem is that the firewall, and machines on the LAN, cannot
>> send email to each other via the public MX IP for some reason.
>>
>> Hope that makes sense.
>
> Set both the ALL INTERFACES and LOCAL columns to "Yes" in the
> /etc/shorewall/nat entries.

That's an interesting solution. I've always solved this problem by overriding sendmail's MX lookup (for final delivery) by using the mailertable feature, i.e. from the sendmail README file:

<cut/paste>
In some cases you may want to temporarily turn off MX records, particularly on gateways. For example, you may want to MX everything in a domain to one machine that then forwards it directly. To do this, you might use the DNS configuration:

    *.domain.       IN MX 0 relay.machine

and on relay.machine use the mailertable:

    .domain         smtp:[gateway.domain]

The [square brackets] turn off MX records for this host only. If you didn't do this, the mailertable would use the MX record again, which would give you an MX loop.
</cut/paste>

Tom, by implementing your firewall NAT based solution, does this impact the number of ip_conntrack entries used by the firewall for hosts trying to send e-mail within the same domain that are also located on the LAN? For that matter, I would think inbound e-mail would also tie up ip_conntrack entries that would normally be free for other connections. Just trying to understand the pros/cons of your solution. It's actually pretty cool.

Steve Cowles
Cowles, Steve wrote:
> That's an interesting solution. I've always solved this problem by
> overriding sendmail's MX lookup (for final delivery) by using the mailertable
> feature, i.e. from the sendmail README file...
>
> < Sendmail instructions deleted >

Yes -- Postfix has a similar capability using a transport map (including [...] turning off MX lookup).

> Tom, by implementing your firewall NAT based solution, does this impact the
> number of ip_conntrack entries used by the firewall for hosts trying to send
> e-mail within the same domain that are also located on the LAN?

No. A connection tracking entry is used for ANY connection to/from/through the firewall whether NAT is used or not.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> Cowles, Steve wrote:
>>
>> Tom, by implementing your firewall NAT based solution, does this
>> impact the number of ip_conntrack entries used by the firewall for
>> hosts trying to send e-mail within the same domain that are also
>> located on the LAN?
>
> No. A connection tracking entry is used for ANY connection
> to/from/through the firewall whether NAT is used or not.

I see - thanks for the clarification.

Steve Cowles