Shorewall users - Oct 2003 - SMTP+POP problem with MNF

Hello,

I am using MNF 8.2. From my local network I can access the Internet with
success. But I am unable to get smtp and pop working from my mail server (or
Outlook client) in my local network. I don''t understand why. Any ideas
?

In my configuration I have the following rules :
ACCEPT    lan    wan    tcp    smtp
ACCEPT    lan    wan    tcp    pop


Best regards,
Philippe Perles

Hi,
Philippe PERLES - DIS-PRO Sarl wrote:
> Hello,
>
> I am using MNF 8.2. From my local network I can access the Internet with
> success. But I am unable to get smtp and pop working from my mail server
> (or
> Outlook client) in my local network. I don''t understand why. Any
ideas ?
>
> In my configuration I have the following rules :
> ACCEPT    lan    wan    tcp    smtp
> ACCEPT    lan    wan    tcp    pop
Try:
ACCEPT    wan    lan    tcp    smtp
ACCEPT    wan    lan    tcp    pop

-- 
Thanks,

Jean-Pierre Denis
jp at msfree dot ca

On Sat, 2003-10-04 at 21:42, Philippe PERLES - DIS-PRO Sarl
wrote:
> Hello,
> 
> I am using MNF 8.2. From my local network I can access the Internet with
> success. But I am unable to get smtp and pop working from my mail server
(or
> Outlook client) in my local network. I don''t understand why. Any
ideas ?
> 
> In my configuration I have the following rules :
> ACCEPT    lan    wan    tcp    smtp
> ACCEPT    lan    wan    tcp    pop
Are you seeing any rejected/dropped packets logged?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

No nothing in the log /var/log/messages. Is it possible to run shorewall in
debug mode ?
> ----- Original Message ----- 
> From: "Tom Eastep" <teastep@shorewall.net>
> To: "Philippe PERLES - DIS-PRO Sarl"
<philippe.perles@dis-pro.net>;
> "Shorewall Users Mailing List"
<shorewall-users@lists.shorewall.net>
> Sent: Sunday, October 05, 2003 6:07 PM
> Subject: Re: [Shorewall-users] SMTP+POP problem with MNF
>
>
> > On Sat, 2003-10-04 at 21:42, Philippe PERLES - DIS-PRO Sarl wrote:
> > > Hello,
> > >
> > > I am using MNF 8.2. From my local network I can access the
Internet
with
> > > success. But I am unable to get smtp and pop working from my mail
server
> (or
> > > Outlook client) in my local network. I don''t understand
why. Any ideas
?
> > >
> > > In my configuration I have the following rules :
> > > ACCEPT    lan    wan    tcp    smtp
> > > ACCEPT    lan    wan    tcp    pop
> >
> > Are you seeing any rejected/dropped packets logged?
> >
> > -Tom
> > -- 
> > Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> > Shoreline,     \ http://shorewall.net
> > Washington USA  \ teastep@shorewall.net
> >
>

Hello,

I try this also :
> ACCEPT    wan    lan    tcp    smtp
> ACCEPT    wan    lan    tcp    pop
and very strange it doesn''t work but I have NOW a message in log :
ACCEPT  Lan2all  eth0 (lan)  eth1(wan)  10.1.1.1   193.251.143.162  TCP
src=xxxx  dst=25
I don''t understand !

I have seen many mail about this problem pop+smtp in lan with MNF 8.2 news.
But no way to solve my problem. How to configure the smtp send and pop3 for
a mail server or Outlook client inside my lan (local network) ? Is it
necessary to masquerade my private network ?

My configuration is :

lan --------------- MNF FW ----------------- Router ------ ISP
10.1.1.1       10.1.1.2   172.16.1.2       172.16.1.1       Dynamic IP

No DMZ, router Cisco 805 IOS 12.2 is configured with NAT. Web access is
working.

Any ideas ?

Regards,
Philippe Perles

----- Original Message ----- 
From: "Jean-Pierre Denis" <jp@msfree.ca>
To: "Philippe PERLES - DIS-PRO Sarl"
<philippe.perles@dis-pro.net>;
"Shorewall Users Mailing List"
<shorewall-users@lists.shorewall.net>
Cc: <shorewall-users@lists.shorewall.net>
Sent: Sunday, October 05, 2003 10:00 AM
Subject: Re: [Shorewall-users] SMTP+POP problem with MNF

> Hi,
> Philippe PERLES - DIS-PRO Sarl wrote:
> > Hello,
> >
> > I am using MNF 8.2. From my local network I can access the Internet
with
> > success. But I am unable to get smtp and pop working from my mail
server
> > (or
> > Outlook client) in my local network. I don''t understand why.
Any ideas ?
> >
> > In my configuration I have the following rules :
> > ACCEPT    lan    wan    tcp    smtp
> > ACCEPT    lan    wan    tcp    pop
>
> Try:
> ACCEPT    wan    lan    tcp    smtp
> ACCEPT    wan    lan    tcp    pop
>
> -- 
> Thanks,
>
> Jean-Pierre Denis
> jp at msfree dot ca
>

Hello,

Nothing in log. But when I add :
> ACCEPT    wan    lan    tcp    smtp
> ACCEPT    wan    lan    tcp    pop
I get in the log :
ACCEPT  Lan2all  eth0 (lan)  eth1(wan)  10.1.1.1   193.251.143.162  TCP
src=xxxx  dst=25
But still not working, error socket 10060.

Regards,
Philippe

----- Original Message ----- 
From: "Tom Eastep" <teastep@shorewall.net>
To: "Philippe PERLES - DIS-PRO Sarl"
<philippe.perles@dis-pro.net>;
"Shorewall Users Mailing List"
<shorewall-users@lists.shorewall.net>
Sent: Sunday, October 05, 2003 6:07 PM
Subject: Re: [Shorewall-users] SMTP+POP problem with MNF

> On Sat, 2003-10-04 at 21:42, Philippe PERLES - DIS-PRO Sarl wrote:
> > Hello,
> >
> > I am using MNF 8.2. From my local network I can access the Internet
with
> > success. But I am unable to get smtp and pop working from my mail
server
(or
> > Outlook client) in my local network. I don''t understand why.
Any ideas ?
> >
> > In my configuration I have the following rules :
> > ACCEPT    lan    wan    tcp    smtp
> > ACCEPT    lan    wan    tcp    pop
>
> Are you seeing any rejected/dropped packets logged?
>
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
>

On Tue, 2003-10-07 at 02:55, Philippe PERLES - DIS-PRO Sarl
wrote:
> Hello,
> 
> I try this also :
> > ACCEPT    wan    lan    tcp    smtp
> > ACCEPT    wan    lan    tcp    pop
> 
> and very strange it doesn''t work but I have NOW a message in log :
> ACCEPT  Lan2all  eth0 (lan)  eth1(wan)  10.1.1.1   193.251.143.162  TCP
> src=xxxx  dst=25
> I don''t understand !
> 
> I have seen many mail about this problem pop+smtp in lan with MNF 8.2 news.
> But no way to solve my problem. How to configure the smtp send and pop3 for
> a mail server or Outlook client inside my lan (local network) ? Is it
> necessary to masquerade my private network ?
It is necessary unless the upstream CICSO router knows how to route to
10.1.1.0/*
> 
> My configuration is :
> 
> lan --------------- MNF FW ----------------- Router ------ ISP
> 10.1.1.1       10.1.1.2   172.16.1.2       172.16.1.1       Dynamic IP
> 
> No DMZ, router Cisco 805 IOS 12.2 is configured with NAT. Web access is
> working.
> 
> Any ideas ?
> 
I would use tcpdump or ethereal to see what is happening at the protocol
level.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Tue, 2003-10-07 at 07:28, Tom Eastep wrote:
> > 
> > Any ideas ?
> > 
> 
> I would use tcpdump or ethereal to see what is happening at the protocol
> level.
You could also give us a detailed problem report as described at
http://shorewall.net/support.htm. Be sure to include the information
described in the section that begins "This is important!" in bold red
type.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Hello,

My Cisco router doesn''t know how to route to 10.1.1.0/*, so I have to
masqerade my private network 10.1.1.1/*.
> > My configuration is :
> >
> > lan --------------- MNF FW ----------------- Router ------ ISP
> > 10.1.1.1       10.1.1.2   172.16.1.2       172.16.1.1       Dynamic IP
> >
> > No DMZ, router Cisco 805 IOS 12.2 is configured with NAT. Web access
is
> > working.
I try to use tcpdump but I don''t know this utility and I don''t
get
ineresting informations.

But Good News, I finally success to run smtp and pop3 ! I install a 3rd
network card to create a DMZ, just to test the standards rules with 3
interfaces and put my email server in DMZ not in Lan. And it works fastly
after 5 minutes (but I have noting in my DMZ, I keep teh email server in the
Lan).

Very strange for me ! My opinion is Shorewall works better with 3
interfaces.

But now I have a new problem : DNS requests from my Windows 2000 proxy/email
server 10.1.1.1 are opening the modem connection on my Cisco router many
time and keep it opened all the day. I have a named DNS server on my MNF
server to use it as cache for the Lan clients. How can I stop this ?


Regards,
Philippe Perles

----- Original Message ----- 
From: "Tom Eastep" <teastep@shorewall.net>
To: "Philippe PERLES - DIS-PRO Sarl"
<philippe.perles@dis-pro.net>;
"Shorewall Users Mailing List"
<shorewall-users@lists.shorewall.net>
Cc: <jp@msfree.ca>
Sent: Tuesday, October 07, 2003 5:28 PM
Subject: Re: [Shorewall-users] SMTP+POP problem with MNF

> On Tue, 2003-10-07 at 02:55, Philippe PERLES - DIS-PRO Sarl wrote:
> > Hello,
> >
> > I try this also :
> > > ACCEPT    wan    lan    tcp    smtp
> > > ACCEPT    wan    lan    tcp    pop
> >
> > and very strange it doesn''t work but I have NOW a message in
log :
> > ACCEPT  Lan2all  eth0 (lan)  eth1(wan)  10.1.1.1   193.251.143.162 
TCP
> > src=xxxx  dst=25
> > I don''t understand !
> >
> > I have seen many mail about this problem pop+smtp in lan with MNF 8.2
news.
> > But no way to solve my problem. How to configure the smtp send and
pop3
for
> > a mail server or Outlook client inside my lan (local network) ? Is it
> > necessary to masquerade my private network ?
>
> It is necessary unless the upstream CICSO router knows how to route to
> 10.1.1.0/*
> >
> > My configuration is :
> >
> > lan --------------- MNF FW ----------------- Router ------ ISP
> > 10.1.1.1       10.1.1.2   172.16.1.2       172.16.1.1       Dynamic IP
> >
> > No DMZ, router Cisco 805 IOS 12.2 is configured with NAT. Web access
is
> > working.
> >
> > Any ideas ?
> >
>
> I would use tcpdump or ethereal to see what is happening at the protocol
> level.
>
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
>

On Fri, 2003-10-10 at 02:04, Philippe PERLES - DIS-PRO Sarl wrote:
> Very strange for me ! My opinion is Shorewall works better with 3
> interfaces.
Shorewall works better when you install it using my method than it does
when Mandrake installs and configures it (or at least it is more
understandable).
> 
> But now I have a new problem : DNS requests from my Windows 2000
proxy/email
> server 10.1.1.1 are opening the modem connection on my Cisco router many
> time and keep it opened all the day. I have a named DNS server on my MNF
> server to use it as cache for the Lan clients. How can I stop this ?
I don''t know.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net