I am busy building a mailserver and this is my first time using
shorewall or any form of iptables except ipmasq on a Debian dialup
system.

What puzzles me is that some connections on port 25 are dropped
although most of them are accepted. And most (more than 90%) of the IPs
whose packets are dropped come from addresses 83.103.226.118 :
84.128.76.73.
I am using version 1.4.8 on Debian Woody.
#
# Accept DNS connections from the firewall to the network
#
ACCEPT fw loc:146.232.128.1 tcp domain
ACCEPT fw loc:146.232.128.10 tcp domain
ACCEPT fw loc:146.232.128.1 udp domain
ACCEPT fw loc:146.232.128.10 udp domain
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53
# ntp
ACCEPT fw loc:146.232.128.1 tcp ntp
ACCEPT fw loc:146.232.128.10 tcp ntp
ACCEPT fw loc:146.232.128.1 udp ntp
ACCEPT fw loc:146.232.128.10 udp ntp
# Allow connections to postgresql
ACCEPT loc:146.232.128.10 fw tcp 5432
# Accept ftp-connections to archive (146.232.128.14) and
# archive2 (146.232.128.48)
ACCEPT fw net tcp 20
ACCEPT fw net tcp 21
ACCEPT fw loc:146.232.128.48 tcp 20
ACCEPT fw loc:146.232.128.48 tcp 21
ACCEPT fw loc:146.232.128.14 tcp 20
ACCEPT fw loc:146.232.128.14 tcp 21
# Port 113 (I did this because of logs filled with entries of
# packets rejected to port 113)
ACCEPT fw net tcp 113
ACCEPT fw loc tcp 113
ACCEPT net fw tcp 113
ACCEPT loc fw tcp 113
# Accept email connections from the firewall to the internet and network
ACCEPT fw net tcp 25
ACCEPT net fw tcp 25
ACCEPT loc fw tcp 25
ACCEPT loc:146.232.97.1 fw tcp 24
ACCEPT fw loc tcp 25
# ACCEPT loc net:146.232.64.12 tcp 25
# Allow DNS Cache to work
#
ACCEPT loc fw udp 53
#
# Accept SSH connections from the local network for administration
#
ACCEPT fw loc tcp 22
ACCEPT fw loc tcp 80
ACCEPT loc fw tcp 22
ACCEPT loc fw tcp 80
#
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw net icmp 8
# using netcat on port 3000
#
ACCEPT loc fw tcp 3000
How can I prevent legitimate email connections being dropped by the
shorewall?
Regards
Johann
--
Johann Spies Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch
"The sacrifices of God are a broken spirit; a broken
and a contrite heart, O God, thou wilt not despise."
Psalms 51:17
Johann Spies wrote (on Wed, Apr 21, 2004 at 03:02:43PM +0200):
> I am busy building a mailserver and this is my first time using
> shorewall or any form of iptables except ipmasq on a Debian
> dialup system.
>
> What puzzles me is that some connections on port 25 are dropped
> although most of them are accepted. And most (more than 90%) of the
> IPs whose packets are dropped come from addresses
> 83.103.226.118 : 84.128.76.73.

You didn't post the Shorewall messages. Did they, by any chance,
mention 'rfc1918'? Older versions of Shorewall had the 83/8 and 84/8
as rfc1918 addresses; apparently, they've been put in use. Look at
/etc/shorewall/rfc1918.

> How can I prevent legitimate email connections being dropped by
> the shorewall?

NYZ
--
_________________________________________
Nachman Yaakov Ziskind, EA, LLM       awacs@ziskind.us
Attorney and Counselor-at-Law         http://ziskind.us
Economic Group Pension Services       http://egps.com
Actuaries and Employee Benefit Consultants
Johann Spies wrote:
> I am busy building a mailserver and this is my first time using
> shorewall or any form of iptables except ipmasq on a Debian dialup
> system.
>
> What puzzles me is that some connections on port 25 are dropped
> although most of them are accepted. And most (more than 90%) of the IPs
> whose packets are dropped come from addresses 83.103.226.118 :
> 84.128.76.73.
>
> I am using version 1.4.8 on Debian Woody.
>

Go to the Shorewall errata page and download the latest version of the
rfc1918 file. If you set 'norfc1918' on an external interface then you
*must* check regularly for updates to that file.

Once you have upgraded to Shorewall 2.0.1 or later, the 'norfc1918'
option has been split into two options - 'norfc1918' and 'nobogons'.
There, the 'rfc1918' file is static while the 'bogons' file is the one
that needs regular care and feeding.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
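An added illustration, not code from any of the posters or from the Shorewall project: a small Python checker that reads a file in the two-column SUBNET/TARGET layout assumed here for a Shorewall 1.4 /etc/shorewall/rfc1918 file (the sample content is constructed), reports which line would catch a given source address, and flags entries that are not genuine RFC 1918 space, which are exactly the ones that go stale once the block is allocated, as 83/8 and 84/8 did in this thread.

```python
import ipaddress

# Real RFC 1918 private ranges; anything else in the file is a "bogon" entry
# that can become stale once the block is allocated (the thread's 83/8, 84/8).
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the SUBNET/TARGET layout assumed for a Shorewall 1.4
# /etc/shorewall/rfc1918 file; 83/8 and 84/8 reproduce the stale list.
SAMPLE_RFC1918 = """\
#SUBNET             TARGET
10.0.0.0/8          logdrop
172.16.0.0/12       logdrop
192.168.0.0/16      logdrop
83.0.0.0/8          logdrop
84.0.0.0/8          logdrop
"""

def parse_rfc1918(text):
    """Return [(network, target), ...] from rfc1918-style text, skipping
    comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            net = ipaddress.ip_network(fields[0], strict=False)
            entries.append((net, fields[1].lower()))
    return entries

def stale_entries(entries):
    """Entries that are not genuine RFC 1918 space: these are the lines
    that need the errata update Tom describes."""
    return [(n, t) for n, t in entries
            if not any(n.subnet_of(r) for r in RFC1918_NETS)]

def explain_drop(text, addr):
    """Say which line of the file would catch addr (longest prefix wins)
    and whether that line is real RFC 1918 space or a stale bogon entry."""
    ip = ipaddress.ip_address(addr)
    hits = [(n, t) for n, t in parse_rfc1918(text) if ip in n]
    if not hits:
        return "not listed"
    net, target = max(hits, key=lambda e: e[0].prefixlen)
    kind = "rfc1918" if any(net.subnet_of(r) for r in RFC1918_NETS) else "stale"
    return f"{net} {target} {kind}"

if __name__ == "__main__":
    print(explain_drop(SAMPLE_RFC1918, "83.103.226.118"))  # 83.0.0.0/8 logdrop stale
```

Point it at the real file on the firewall (read its text in place of SAMPLE_RFC1918) to see which entries would catch the dropped senders before updating from the errata page.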
On Wed, Apr 21, 2004 at 06:52:16AM -0700, Tom Eastep wrote:
>
> Go to the Shorewall errata page and download the latest version of the
> rfc1918 file. If you set 'norfc1918' on an external interface then you
> *must* check regularly for updates to that file.

Thanks Tom and Nachman. I have downloaded the new rfc1918 file now.

Regards
Johann
--
Johann Spies Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch
"The sacrifices of God are a broken spirit; a broken
and a contrite heart, O God, thou wilt not despise."
Psalms 51:17