Hi guys,

I'm trying to install Shorewall 1.4.2 in my RedHat 9.0 box. I have a two-interface setup, like this:

(Internet) <--> eth0 |Firewall| eth1 <--> Intranet (192.168.1.*)

The firewall box gives intranet mail to the intranet clients as well as pop/smtp access to external pop/smtp servers.

I have noticed that after installing shorewall the smtp for the intranet won't answer requests.

I have added the following 3 lines to /etc/shorewall/rules

ACCEPT loc fw tcp 110
ACCEPT loc fw tcp 25
ACCEPT loc fw tcp 80

to allow www/pop/smtp requests, but now the mail that should stay in the intranet servers goes out to the internet smtp server.

Is this configuration ok??
On Thu, 22 May 2003 15:40:39 -0700, dumdavin <dumdavin@klarocom.com> wrote:

> (Internet) <--> eth0 |Firewall| eth1 <--> Intranet (192.168.1.*)
>
> the firewall box, gives intranet mail to the intranet clients
> as well as pop/smtp access to external pop/smtp servers
>
> I have noticed that after installing shorewall the smtp for the intranet
> won't answer requests
>
> I have added the following 3 lines to /etc/shorewall/rules
>
> ACCEPT loc fw tcp 110
> ACCEPT loc fw tcp 25
> ACCEPT loc fw tcp 80
>
> to allow www/pop/smtp requests but now the mail that should
> stay in the intranet servers goes out to the internet smtp server.

I'm having a hard time understanding what problem you are reporting. The rules you quote above:

a) Allow POP3 access from the local network to a POP3 server running on the firewall.
b) Allow local systems to send email to the firewall.
c) Allow local systems to access a web server on the firewall.

If the firewall is expected to send mail on to the internet and to use fetchmail to pull mail from an external POP3 server then you also need:

ACCEPT fw net tcp 110
ACCEPT fw net tcp 25

Hope that helps.
-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
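The point of Tom's reply is that Shorewall rules are directional per zone pair: the three loc-to-fw lines say nothing about what the firewall itself may send to net. The following is an added illustration, not code from the thread or from Shorewall: a small evaluator for rule lines in the five-column form quoted above (ACTION SOURCE DEST PROTO DEST-PORT), which assumes an unmatched zone pair falls back to a DROP policy (in real Shorewall the fallback comes from /etc/shorewall/policy).

```python
"""Minimal evaluator for Shorewall-style rule lines of the form
ACTION SOURCE DEST PROTO DEST-PORT(S), as quoted in this thread.
Added illustration only; not Shorewall's own parser."""

# Constructed sample: the three rules from the original post.
OP_RULES = """
ACCEPT loc fw tcp 110
ACCEPT loc fw tcp 25
ACCEPT loc fw tcp 80
"""

# Tom's suggested additions: traffic the firewall itself originates.
FW_TO_NET_RULES = """
ACCEPT fw net tcp 110
ACCEPT fw net tcp 25
"""

# Assumption: fallback for zone pairs with no matching rule. In Shorewall
# this comes from /etc/shorewall/policy, which is not shown in the thread.
DEFAULT_ACTION = "DROP"


def parse_rules(text):
    """Return a list of (action, source, dest, proto, ports) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        action, src, dst, proto, ports = line.split()[:5]
        rules.append((action.upper(), src, dst, proto.lower(), ports))
    return rules


def port_matches(spec, port):
    """Match a port against a comma-separated list of ports or lo:hi ranges."""
    for item in spec.split(","):
        if ":" in item:
            lo, hi = item.split(":")
            if int(lo) <= port <= int(hi):
                return True
        elif int(item) == port:
            return True
    return False


def evaluate(rules, src, dst, proto, port):
    """First matching rule wins; otherwise the assumed default policy applies."""
    for action, rsrc, rdst, rproto, ports in rules:
        if (rsrc, rdst, rproto) == (src, dst, proto) and port_matches(ports, port):
            return action
    return DEFAULT_ACTION
```

With only the original three rules, evaluate(..., "fw", "net", "tcp", 25) falls through to the default, which is exactly the gap the two fw-to-net lines close.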
Tom Eastep writes:

> On Thu, 22 May 2003 15:40:39 -0700, dumdavin <dumdavin@klarocom.com>
> wrote:
>
>> (Internet) <--> eth0 |Firewall| eth1 <--> Intranet (192.168.1.*)
>>
>> the firewall box, gives intranet mail to the intranet clients
>> as well as pop/smtp access to external pop/smtp servers
>>
>> I have noticed that after installing shorewall the smtp for the intranet
>> won't answer requests
>>
>> I have added the following 3 lines to /etc/shorewall/rules
>>
>> ACCEPT loc fw tcp 110
>> ACCEPT loc fw tcp 25
>> ACCEPT loc fw tcp 80
>>
>> to allow www/pop/smtp requests but now the mail that should
>> stay in the intranet servers goes out to the internet smtp server.
>
> I'm having a hard time understanding what problem you are reporting. The
> rules you quote above:
>
> a) Allow POP3 access from the local network to a POP3 server running on
> the firewall.
> b) Allow local systems to send email to the firewall.
> c) Allow local systems to access a web server on the firewall.
>
> If the firewall is expected to send mail on to the internet and to use
> fetchmail to pull mail from external POP3 server then you also need:
>
> ACCEPT fw net tcp 110
> ACCEPT fw net tcp 25
>
> Hope that helps.
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net

I'm sorry I made this hard to read. The problem is that the firewall machine will forward the intranet mail out.

We own a domain: mydomain.com
The firewall is: intranet.mydomain.com

Users have both:
user@mydomain.com (internet email)
user@intranet.mydomain.com (intranet mail)

Every time a user sends a message to otheruser@intranet.mydomain.com the message is forwarded to otheruser@mydomain.com instead of the intranet user.

pop3 and www are working fine.

Thanks for your time.
> every time a user sends a message to otheruser@intranet.mydomain.com
> the message is forwarded to otheruser@mydomain.com instead of the
> intranet user.

Seems like a broken SMTP server setting.

karsten
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
On 23 May 2003, guenther wrote:

> > every time a user sends a message to otheruser@intranet.mydomain.com
> > the message is forwarded to otheruser@mydomain.com instead of the
> > intranet user.
>
> Seems like a broken SMTP server setting.

That was my guess, but the original poster claims that clearing Shorewall 'fixes' the problem!!

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
> > Seems like a broken SMTP server setting.
>
> That was my guess but the original poster claims that clearing Shorewall
> 'fixes' the problem!!

Sorry, my fault. Forgot that detail. And stupid me sent the previous message using the wrong account...

karsten
--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!
On Thu, 22 May 2003 16:19:28 -0700 (PDT), Tom Eastep <teastep@shorewall.net> wrote:

> On 23 May 2003, guenther wrote:
>
>> > every time a user sends a message to otheruser@intranet.mydomain.com
>> > the message is forwarded to otheruser@mydomain.com instead of the
>> > intranet user.
>>
>> Seems like a broken SMTP server setting.
>
> That was my guess but the original poster claims that clearing Shorewall
> 'fixes' the problem!!

Actually, Guenther says that "shorewall stop" corrects the problem, so I'm guessing that 'routestopped' is set on the local interface.

Gunther: Where does your DNS server run? Do you have a separate DNS server for internal and external users?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom, actually I am guenther (a nickname, but most people do know me by that). Just used the wrong account once again. I will have to change that and re-subscribe, I guess...

> >> > every time a user sends a message to otheruser@intranet.mydomain.com
> >> > the message is forwarded to otheruser@mydomain.com instead of the
> >> > intranet user.
> >>
> >> Seems like a broken SMTP server setting.
> >
> > That was my guess but the original poster claims that clearing Shorewall
> > 'fixes' the problem!!
>
> Actually, Guenther says that "shorewall stop" corrects the problem so I'm
> guessing that 'routestopped' is set on the local interface.

I said that? Now I am confused...

> Gunther: Where does your DNS server run? Do you have a separate DNS server
> for internal and external users?

Don't have a DNS server running by myself. You really meant me?

karsten
--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!
On 23 May 2003 03:49:55 +0200, kb <kb@bluehash.de> wrote:

> Don't have a DNS server running by myself. You really meant me?

No, your sig confused me and I thought that the original poster was Guenther.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On Thu, 22 May 2003, Tom Eastep wrote:

> On Thu, 22 May 2003 16:19:28 -0700 (PDT), Tom Eastep
> <teastep@shorewall.net> wrote:
>
> > On 23 May 2003, guenther wrote:
> >
> >> > every time a user sends a message to otheruser@intranet.mydomain.com
> >> > the message is forwarded to otheruser@mydomain.com instead of the
> >> > intranet user.
> >>
> >> Seems like a broken SMTP server setting.
> >
> > That was my guess but the original poster claims that clearing Shorewall
> > 'fixes' the problem!!
>
> Actually, Guenther says that "shorewall stop" corrects the problem so I'm
> guessing that 'routestopped' is set on the local interface.
>
> Gunther: Where does your DNS server run? Do you have a separate DNS server
> for internal and external users?

Davin,

Sorry -- I got confused about who was who in this thread since 'Guenther' usually signs his posts as Karsten or kb :-)

The above questions were actually directed to you...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep writes:

> On Thu, 22 May 2003, Tom Eastep wrote:
>
>> On Thu, 22 May 2003 16:19:28 -0700 (PDT), Tom Eastep
>> <teastep@shorewall.net> wrote:
>>
>> > On 23 May 2003, guenther wrote:
>> >
>> >> > every time a user sends a message to otheruser@intranet.mydomain.com
>> >> > the message is forwarded to otheruser@mydomain.com instead of the
>> >> > intranet user.
>> >>
>> >> Seems like a broken SMTP server setting.
>> >
>> > That was my guess but the original poster claims that clearing Shorewall
>> > 'fixes' the problem!!
>>
>> Actually, Guenther says that "shorewall stop" corrects the problem so I'm
>> guessing that 'routestopped' is set on the local interface.
>>
>> Gunther: Where does your DNS server run? Do you have a separate DNS server
>> for internal and external users?
>
> Davin,
>
> Sorry -- I got confused about who was who in this thread since 'Guenther'
> usually signs his posts as Karsten or kb :-)
>
> The above questions were actually directed to you...

No problem. No, I'm not using DNS for Intranet name resolution, I just have a hosts file.
On Fri, 23 May 2003 07:20:56 -0700, dumdavin <dumdavin@klarocom.com> wrote:

> No, I'm not using DNS for Intranet name resolution, I just have a
> hosts file.

When you send mail with Shorewall started, are you seeing any messages in the Shorewall log?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep writes:

> On Fri, 23 May 2003 07:20:56 -0700, dumdavin <dumdavin@klarocom.com>
> wrote:
>
>> No, I'm not using DNS for Intranet name resolution, I just have a
>> hosts file.
>
> When you send mail with Shorewall started, are you seeing any messages in
> the Shorewall log?

Yes, using "shorewall logwatch" I see some log info about my IP sending data.
On Fri, 23 May 2003 08:02:45 -0700, dumdavin <dumdavin@klarocom.com> wrote:

> Tom Eastep writes:
>
>> On Fri, 23 May 2003 07:20:56 -0700, dumdavin <dumdavin@klarocom.com>
>> wrote:
>>
>> When you send mail with Shorewall started, are you seeing any messages
>> in the Shorewall log?
>
> Yes, using "shorewall logwatch" I see some log info about my IP sending
> data.

When you send us a copy of those messages, we can help you -- without them we can't.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep writes:

> On Fri, 23 May 2003 08:02:45 -0700, dumdavin <dumdavin@klarocom.com>
> wrote:
>
>> Tom Eastep writes:
>>
>>> On Fri, 23 May 2003 07:20:56 -0700, dumdavin <dumdavin@klarocom.com>
>>> wrote:
>>>
>>> When you send mail with Shorewall started, are you seeing any messages
>>> in the Shorewall log?
>>
>> Yes, using "shorewall logwatch" I see some log info about my IP sending
>> data.
>
> When you send us a copy of those messages, we can help you -- without them
> we can't.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net

I'll get a clean copy of the log sent to you, thanks.