Hi,

I am trying to configure the SMTP service on a DMZ host. Added the rules:

ACCEPT wan dmz:66.58.99.84 tcp pop3 -
ACCEPT wan dmz:66.58.99.84 tcp 25 -
ACCEPT dmz:66.58.99.84 wan tcp 25 -
ACCEPT dmz:66.58.99.84 wan tcp pop3 -

issued shorewall clear, shorewall restart, but still couldn't telnet to the mail server on port 25.

Are my rules wrong, or does something else have to be done? I have another host, a DNS server, which is working fine. The SSH to the mail server on port 22 is working fine, too.

Could you please help me?
--On Monday, January 06, 2003 03:27:33 PM -0800 Trifon Anguelov <TAnguelov@kana.com> wrote:

> issued shorewall clear, shorewall restart, but still couldn't telnet to
> the mail server on port 25.

Does your ISP block port 25? Many do...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
--On Monday, January 06, 2003 03:33:31 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> Does your ISP block port 25? Many do...

I suggest that you look at FAQ 1a and FAQ 1b -- there are some troubleshooting tips there for port forwarding.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
I believe the log messages refer to outgoing packets (that's what the "IN=<blank>" means). They're also ICMP type 3, code 1 packets, not SMTP packets, so it's not a port forwarding issue, and your ISP isn't blocking incoming SMTP packets. My trusty Stevens says that ICMP type 3, code 1 is "host unreachable", so at the very least the routing table on your firewall is incorrect.

It appears that the root cause of the problem is that you either should be using Proxy ARP and aren't, or are using Proxy ARP but have "Yes" in the "Have Route" column. If so, please go to the Shorewall web site and carefully read the Proxy ARP Quick Start and the proxyarp section of the Reference Manual. It's all in there--I don't know how Tom could have made it any clearer.

Finally, it's worth saying yet again: your rules are meaningless without your policies! FAQ 17 tells you that "all2all" log messages are generated by a _policy_, not a rule, so in order to interpret these messages we really need to know your policies. For everyone else out there: never, ever, ever, post your rules without also including your policies. If you're posting log messages, your interfaces file is useful as well, so that we can match things up.

- Bradey

-----Original Message-----
From: Trifon Anguelov [mailto:TAnguelov@kana.com]
Sent: Monday, January 06, 2003 4:37 PM
To: 'shorewall-users@shorewall.net'
Subject: FW: [Shorewall-users] SMTP traffic gets blocked

Anyone willing to take a lead on this one, since Tom is taking a rest:

"
I am hosting all servers by myself. I have five static IP addresses with a DSL line. My DSL router from the ISP provider is configured as a bridge, so no traffic is filtered.

I checked the logs and am getting:

Jan 5 23:05:12 gw1 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=66.58.99.86 DST=216.35.73.164 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 ID=1508 PROTO=ICMP TYPE=3 CODE=1 [SRC=216.35.73.164 DST=66.58.99.84 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=55762 DF PROTO=TCP SPT=51131 DPT=25 WINDOW=8760 RES=0x00 RST URGP=0 ]
Jan 5 23:23:21 gw1 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=66.58.99.86 DST=216.35.73.164 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 ID=1516 PROTO=ICMP TYPE=3 CODE=1 [SRC=216.35.73.164 DST=66.58.99.84 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=31260 DF PROTO=TCP SPT=38949 DPT=25 WINDOW=8760 RES=0x00 RST URGP=0 ]
Jan 5 23:28:02 gw1 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=66.58.99.86 DST=204.153.177.10 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 ID=11282 PROTO=ICMP TYPE=3 CODE=1 [SRC=204.153.177.10 DST=66.58.99.84 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=0 DF PROTO=TCP SPT=36011 DPT=25 WINDOW=0 RES=0x00 RST URGP=0 ]
Jan 5 23:28:58 gw1 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=66.58.99.86 DST=216.35.73.164 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 ID=1524 PROTO=ICMP TYPE=3 CODE=1 [SRC=216.35.73.164 DST=66.58.99.84 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=40480 DF PROTO=TCP SPT=45350 DPT=25 WINDOW=8760 RES=0x00 RST URGP=0 ]
Jan 5 23:42:42 gw1 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=66.58.99.86 DST=216.35.73.164 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 ID=1532 PROTO=ICMP TYPE=3 CODE=1 [SRC=216.35.73.164 DST=66.58.99.84 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=12542 DF PROTO=TCP SPT=60986 DPT=25 WINDOW=8760 RES=0x00 RST URGP=0 ]

and here are my rules:

ACCEPT dmz:66.58.99.84 wan tcp 25 -
ACCEPT dmz:66.58.99.84 wan tcp pop3 -
ACCEPT lan dmz:66.58.99.84 tcp pop3 -
ACCEPT lan dmz:66.58.99.84 tcp 25 -
ACCEPT fw dmz:66.58.99.84 tcp 25 -
ACCEPT wan dmz:66.58.99.84 tcp pop3 -
ACCEPT wan dmz:66.58.99.84 tcp 25 -
ACCEPT dmz:66.58.99.84 fw tcp 25 -

Unfortunately, I already searched and read the whole documentation on the shorewall.net site. google.com didn't help much either. It's something small, but somehow I could not get it.

If you need some other files or listings, I am ready to post them here.

Regards and thank you for your help,
Trifon Anguelov
"

Trifon Anguelov

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
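The reading Bradey gives of those log lines (empty IN= means the firewall generated the packet itself, the ICMP type 3 / code 1 is "host unreachable", and a chain named all2all is a policy fallback) can be made mechanical. The following is an added example, not code from the thread or from Shorewall: it parses netfilter LOG output of the shape posted, splits the Shorewall chain name into source and destination zones, decodes the ICMP type/code, and pulls apart the quoted original packet inside the square brackets. The two log lines used as input are copied from the post above and embedded as constructed sample text; the field names and the ICMP code table are standard netfilter and RFC 792 values.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: two of the kernel log lines posted in the thread,
# each re-joined onto one line as syslog would have written it.
SAMPLE_LOG = """\
Jan 5 23:05:12 gw1 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=66.58.99.86 DST=216.35.73.164 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 ID=1508 PROTO=ICMP TYPE=3 CODE=1 [SRC=216.35.73.164 DST=66.58.99.84 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=55762 DF PROTO=TCP SPT=51131 DPT=25 WINDOW=8760 RES=0x00 RST URGP=0 ]
Jan 5 23:28:02 gw1 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=66.58.99.86 DST=204.153.177.10 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 ID=11282 PROTO=ICMP TYPE=3 CODE=1 [SRC=204.153.177.10 DST=66.58.99.84 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=0 DF PROTO=TCP SPT=36011 DPT=25 WINDOW=0 RES=0x00 RST URGP=0 ]
"""

# ICMP type 3 (destination unreachable) codes, RFC 792 / RFC 1122.
ICMP_UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed", 13: "administratively prohibited",
}

# Shorewall's log prefix is "<chain>:<disposition>:" followed by the netfilter fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<rest>.*)$")


def parse_fields(text: str) -> dict:
    """Turn 'IN= OUT=eth0 ... DF RST URGP=0' into a dict; bare tokens go into FLAGS."""
    fields, flags = {}, []
    for tok in text.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v          # 'IN=' yields IN == '' (no ingress interface)
        else:
            flags.append(tok)      # DF, SYN, ACK, RST, ...
    fields["FLAGS"] = flags
    return fields


@dataclass
class LogEntry:
    chain: str                 # e.g. 'all2all': <source zone>2<dest zone>
    disposition: str           # ACCEPT / DROP / REJECT
    src_zone: str
    dst_zone: str
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str
    icmp_desc: Optional[str]   # decoded ICMP type/code when PROTO=ICMP
    inner: Optional[dict]      # the original packet quoted inside an ICMP error

    @property
    def locally_generated(self) -> bool:
        # An empty IN= means the packet came from the firewall's own stack
        # (seen in the OUTPUT chain), not from a forwarded flow.
        return self.in_if == ""

    @property
    def from_policy(self) -> bool:
        # Only a policy line can yield a chain whose zone is 'all'. A chain such as
        # lan2fw holds both that pair's rules and its policy, so it is not decidable here.
        return "all" in (self.src_zone, self.dst_zone)


def parse_shorewall_line(line: str) -> Optional[LogEntry]:
    m = PREFIX_RE.search(line)
    if not m:
        return None
    chain, disp, rest = m.group("chain"), m.group("disp"), m.group("rest")
    # Assumes zone names do not themselves contain the character '2'.
    src_zone, _, dst_zone = chain.partition("2")
    inner = None
    if "[" in rest:
        rest, inner_text = rest.split("[", 1)
        inner = parse_fields(inner_text.rstrip(" ]"))
    outer = parse_fields(rest)
    icmp_desc = None
    if outer.get("PROTO") == "ICMP":
        t, c = int(outer.get("TYPE", -1)), int(outer.get("CODE", -1))
        if t == 3:
            icmp_desc = "destination unreachable: " + ICMP_UNREACH_CODES.get(c, f"code {c}")
        else:
            icmp_desc = f"type {t} code {c}"
    return LogEntry(chain, disp, src_zone, dst_zone, outer.get("IN", ""), outer.get("OUT", ""),
                    outer.get("SRC", ""), outer.get("DST", ""), outer.get("PROTO", ""),
                    icmp_desc, inner)


def parse_log(text: str) -> list:
    return [e for e in map(parse_shorewall_line, text.splitlines()) if e is not None]


def explain(e: LogEntry) -> str:
    """One-line human reading of an entry, in the terms used in the thread."""
    origin = "the firewall itself sent" if e.locally_generated else f"forwarded from {e.in_if}:"
    s = f"{origin} {e.proto} {e.src} -> {e.dst} via {e.out_if}; {e.disposition} by {e.chain}"
    if e.from_policy:
        s += " (policy, not a rule)"
    if e.icmp_desc:
        s += f"; ICMP {e.icmp_desc}"
    if e.inner:
        flags = ",".join(f for f in e.inner["FLAGS"] if f != "DF") or "-"
        s += (f"; about {e.inner.get('PROTO')} {e.inner.get('SRC')}:{e.inner.get('SPT')}"
              f" -> {e.inner.get('DST')}:{e.inner.get('DPT')} [{flags}]")
    return s


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(explain(entry))
```

Run on the posted lines, explain() reports that the firewall itself (66.58.99.86) emitted a host-unreachable error towards the remote mail exchanger, about a TCP RST the remote had sent to 66.58.99.84:25, and that the REJECT came from the all2all policy; the inner packet's RST flag is exactly the oddity Bradey later flags.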
Sorry about that. Still new to Shorewall.
So here is the info requested:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
66.58.99.84     0.0.0.0         255.255.255.255 UH    0      0        0 eth1
66.58.99.82     0.0.0.0         255.255.255.255 UH    0      0        0 eth1
66.58.99.80     0.0.0.0         255.255.255.248 U     0      0        0 eth0
10.10.100.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.10.200.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         66.58.99.81     0.0.0.0         UG    0      0        0 eth0
eth0 - WAN
eth1 - DMZ
eth2 - LAN
66.58.99.81 - my ISP router
------------------------------
# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:D0:B7:0E:CC:61
          inet addr:66.58.99.86  Bcast:66.58.99.87  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1237116 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1113292 errors:0 dropped:0 overruns:0 carrier:0
          collisions:31776 txqueuelen:100
          RX bytes:1329865780 (1268.2 Mb)  TX bytes:517838824 (493.8 Mb)
          Interrupt:9 Base address:0xfcc0

eth1      Link encap:Ethernet  HWaddr 00:D0:B7:10:37:F0
          inet addr:10.10.100.1  Bcast:10.10.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:783 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1112 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:89283 (87.1 Kb)  TX bytes:75673 (73.8 Kb)
          Interrupt:11 Base address:0xfc80

eth2      Link encap:Ethernet  HWaddr 00:60:8C:35:E1:43
          inet addr:10.10.200.1  Bcast:10.10.200.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1112066 errors:9938 dropped:0 overruns:9262 frame:9938
          TX packets:1230813 errors:0 dropped:0 overruns:0 carrier:0
          collisions:3257 txqueuelen:100
          RX bytes:521075258 (496.9 Mb)  TX bytes:1327157006 (1265.6 Mb)
          Interrupt:10 Base address:0x300

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
-------------------------------
# cat policy
# Shorewall /etc/shorewall/policy
#client server policy log_level
lan lan ACCEPT info
lan wan ACCEPT info
fw lan ACCEPT info
lan fw REJECT info
wan wan ACCEPT info
wan all DROP info
all all REJECT info
---------------------------
As far as proxyarp goes, here is my config:
# cat proxyarp
# Shorewall 1.2.5 /etc/shorewall/proxyarp
#address interface external haveroute
66.58.99.82 eth1 eth0 No
66.58.99.84 eth1 eth0 No
The two hosts on the DMZ zone have proxy ARP to the eth0 public interface on the firewall.

Thank you for your help. Waiting for your solutions. You are a great community.

Regards,
Trifon Anguelov
-----Original Message-----
From: Bradey Honsinger [mailto:BradeyH@construx.com]
Sent: Monday, January 06, 2003 5:18 PM
To: ''shorewall-users@shorewall.net''
Subject: RE: [Shorewall-users] SMTP traffic gets blocked
_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
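Bradey's earlier message says the routing table and proxy ARP configuration have to line up; the posting above gives both. What follows is an added example, not code from the thread or from Shorewall, that checks the three things proxy ARP needs on the firewall side: each proxied address lies in the subnet attached to the external interface (so upstream hosts will ARP for it there), a /32 host route for it exists via the internal interface (Shorewall installs that route itself when haveroute is No, which is why `route -n` above shows them), and that host route wins longest-prefix match over the external subnet route. The `route -n` output and proxyarp file are the ones posted above, embedded as constructed sample text.

```python
import ipaddress
from collections import namedtuple

# Constructed input, copied from the thread: `route -n` on the firewall.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
66.58.99.84     0.0.0.0         255.255.255.255 UH    0      0        0 eth1
66.58.99.82     0.0.0.0         255.255.255.255 UH    0      0        0 eth1
66.58.99.80     0.0.0.0         255.255.255.248 U     0      0        0 eth0
10.10.100.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.10.200.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         66.58.99.81     0.0.0.0         UG    0      0        0 eth0
"""

# Constructed input, copied from the thread: /etc/shorewall/proxyarp.
PROXYARP = """\
# Shorewall 1.2.5 /etc/shorewall/proxyarp
#address interface external haveroute
66.58.99.82 eth1 eth0 No
66.58.99.84 eth1 eth0 No
"""

Route = namedtuple("Route", "net gateway flags iface")
ProxyArp = namedtuple("ProxyArp", "addr iface external haveroute")


def parse_route_n(text):
    """Parse `route -n` output into Route tuples (title and header lines are skipped)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, gw, mask, flags, iface = parts[0], parts[1], parts[2], parts[3], parts[7]
        # ipaddress accepts a dotted netmask after the slash; 0.0.0.0/0.0.0.0 is the default route.
        routes.append(Route(ipaddress.ip_network(f"{dest}/{mask}", strict=False), gw, flags, iface))
    return routes


def parse_proxyarp(text):
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, iface, external, haveroute = line.split()[:4]
        entries.append(ProxyArp(ipaddress.ip_address(addr), iface, external, haveroute.lower() == "yes"))
    return entries


def check_proxyarp(routes, entries):
    """Return (address, finding) pairs; an empty list means the two files agree."""
    findings = []
    for e in entries:
        # 1. The address must sit inside a directly connected subnet on the external
        #    interface, or nobody upstream will ever ARP for it on that wire.
        ext_nets = [r.net for r in routes if r.iface == e.external and "G" not in r.flags]
        if not any(e.addr in n for n in ext_nets):
            findings.append((str(e.addr), f"not inside any connected subnet on {e.external}"))
        # 2. A /32 host route via the internal interface must exist, whether Shorewall
        #    added it (haveroute No) or the admin did (haveroute Yes).
        host = ipaddress.ip_network(f"{e.addr}/32")
        if not any(r.net == host and r.iface == e.iface for r in routes):
            findings.append((str(e.addr), f"no host route via {e.iface}"))
        # 3. Longest-prefix match must pick the internal interface, otherwise the
        #    firewall bounces the packet back out the external side.
        best = max((r for r in routes if e.addr in r.net), key=lambda r: r.net.prefixlen, default=None)
        if best is not None and best.iface != e.iface:
            findings.append((str(e.addr), f"best route goes out {best.iface}, not {e.iface}"))
    return findings


if __name__ == "__main__":
    problems = check_proxyarp(parse_route_n(ROUTE_N), parse_proxyarp(PROXYARP))
    print(problems or "proxyarp and routing table are consistent")
```

Against the posted data the checker returns no findings, which is the conclusion Bradey reaches by eye in his next message; delete the 66.58.99.84 host route from the table and it reports both the missing route and that the default route would now carry the packet out eth0.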
Hmm--all of the proxy ARP settings look fine. I assume you can ping 66.58.99.84 from the firewall (at least, your routing table looks fine). Your policies file shows that you're logging every single packet that falls through to a policy, which seems odd, but it shouldn't affect firewall function.

It still looks to me like your firewall can't route the packets to your mail server for some reason--that ICMP host-unreachable packet is suspicious. Do you have IP_FORWARDING=Off in your shorewall.conf? What does "cat /proc/sys/net/ipv4/ip_forward" show? Do you have ALLOW_RELATED=No in shorewall.conf?

The fact that the original packets show RST set seems a bit odd, too--I'll take another look at it tomorrow. In the meantime, you can also try temporarily adding a "wan dmz ACCEPT" policy--that's the big hammer approach.

- Bradey
-----Original Message-----
From: Trifon Anguelov [mailto:TAnguelov@kana.com]
Sent: Monday, January 06, 2003 7:05 PM
To: ''shorewall-users@shorewall.net''
Subject: RE: [Shorewall-users] SMTP traffic gets blocked
_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
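Two points in this thread turn on how Shorewall chooses a policy: the "all2all" log prefix that FAQ 17 attributes to a policy rather than a rule, and Bradey's suggestion of a temporary "wan dmz ACCEPT" policy. The following is an added example, not code from the thread or from Shorewall's own sources, that models the lookup: rules are consulted first, and a packet that matches no rule gets the first policy line, top to bottom, whose SOURCE and DEST match, with `all` matching any zone; the log prefix is `<SOURCE>2<DEST>` as written on the winning line. Run against the policy file posted in the thread it shows why a firewall-to-wan packet logs as all2all:REJECT, and that the big-hammer policy only takes effect if it is placed above the "wan all DROP" line. The zone names fw, lan, dmz and wan are the thread's; `insert_before` is this example's own helper.

```python
from typing import List, Optional, Tuple

# Constructed input: /etc/shorewall/policy exactly as posted in the thread.
POLICY = """\
# Shorewall /etc/shorewall/policy
#client server policy log_level
lan lan ACCEPT info
lan wan ACCEPT info
fw lan ACCEPT info
lan fw REJECT info
wan wan ACCEPT info
wan all DROP info
all all REJECT info
"""

PolicyRow = Tuple[str, str, str, Optional[str]]   # (SOURCE, DEST, POLICY, LOG LEVEL)


def parse_policy(text: str) -> List[PolicyRow]:
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        log_level = parts[3] if len(parts) > 3 else None
        rows.append((parts[0], parts[1], parts[2].upper(), log_level))
    return rows


def resolve_policy(rows: List[PolicyRow], src_zone: str, dst_zone: str) -> Optional[dict]:
    """First matching row wins; 'all' matches every zone. The chain Shorewall names
    in the log prefix is '<SOURCE>2<DEST>' of the winning row, so 'all all REJECT'
    shows up as 'all2all:REJECT'."""
    for src, dst, action, level in rows:
        if src in ("all", src_zone) and dst in ("all", dst_zone):
            return {"row": (src, dst, action, level), "action": action,
                    "chain": f"{src}2{dst}", "logged": level is not None}
    return None    # Shorewall itself refuses to start without a catch-all policy


def policy_matrix(rows: List[PolicyRow], zones: List[str]) -> dict:
    """Effective action for every ordered zone pair, for review before a restart."""
    return {(s, d): resolve_policy(rows, s, d)["action"] for s in zones for d in zones}


def insert_before(rows: List[PolicyRow], new_row: PolicyRow, before: Tuple[str, str]) -> List[PolicyRow]:
    """Place new_row ahead of the first row whose (SOURCE, DEST) equals `before`;
    appended at the end it would never be reached behind a broader match."""
    for i, row in enumerate(rows):
        if row[:2] == before:
            return rows[:i] + [new_row] + rows[i:]
    return rows + [new_row]


if __name__ == "__main__":
    rows = parse_policy(POLICY)
    for pair, action in sorted(policy_matrix(rows, ["fw", "lan", "dmz", "wan"]).items()):
        print(f"{pair[0]:>3} -> {pair[1]:<3} {action:<7} via {resolve_policy(rows, *pair)['chain']}")
```

Note that with a log level on every line, each packet that reaches a policy is logged, which is the "logging every single packet" Bradey remarks on; and because there is no fw→wan line, the ICMP error the firewall itself generates falls all the way to all→all REJECT.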