Shorewall users - Dec 2003 - newnotsyn drops smtp

I have installed Mandake 9.2 with postfix 2.0.13, shorewall ver is 
1.4.8.Ican send emails out and receive them within my local network. I can 
not received mail from the net. When I check shorewall status it shows.

Dec 17 10:12:55 newnotsyn:DROP:IN=eth1 OUT= SRC=65.54.167.154 
DST=81.BLA.BLA.BLA LEN=115 TOS=0x00 PREC=0x00 TTL=47 ID=8939 PROTO=TCP 
SPT=25 DPT=38132 WINDOW=17520 RES=0x00 ACK PSH FIN URGP=0

Dec 17 10:13:08 newnotsyn:DROP:IN=eth1 OUT= SRC=65.54.167.154 
DST=81.BLA.BLA.BLA LEN=115 TOS=0x00 PREC=0x00 TTL=47 ID=23596 PROTO=TCP 
SPT=25 DPT=38132 WINDOW=17520 RES=0x00 ACK PSH FIN URGP=0

The origin is the mail server and the destination is my mail server, but 
shorewall drops it. How can I fix this?

This is how I have set up the rules file

ACCEPT	masq	fw	tcp
21,22,23,25,3128,10000,20000,domain,bootps,http,https,631,imap,pop3,nntp,ntp	-
ACCEPT	masq	fw	udp	domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp	-
ACCEPT	fw	masq	tcp	631,515,137,138,139	-
ACCEPT	fw	masq	udp	631,515,137,138,139	-
ACCEPT	net	fw	tcp	21,22,25,domain,http,https,10000,20000	-
ACCEPT	net	fw	udp	21,22,25,domain,http,https,10000,20000	-

Thank you.

_________________________________________________________________
Charla con tus amigos en línea mediante MSN Messenger. 
http://messenger.microsoft.com/es

On Wednesday 17 December 2003 01:27 am, Jose Arteaga
wrote:
> I have installed Mandake 9.2 with postfix 2.0.13, shorewall ver is
> 1.4.8.Ican send emails out and receive them within my local network. I can
> not received mail from the net. When I check shorewall status it shows.
>
> Dec 17 10:12:55 newnotsyn:DROP:IN=eth1 OUT= SRC=65.54.167.154
> DST=81.BLA.BLA.BLA LEN=115 TOS=0x00 PREC=0x00 TTL=47 ID=8939 PROTO=TCP
> SPT=25 DPT=38132 WINDOW=17520 RES=0x00 ACK PSH FIN URGP=0
>
> Dec 17 10:13:08 newnotsyn:DROP:IN=eth1 OUT= SRC=65.54.167.154
> DST=81.BLA.BLA.BLA LEN=115 TOS=0x00 PREC=0x00 TTL=47 ID=23596 PROTO=TCP
> SPT=25 DPT=38132 WINDOW=17520 RES=0x00 ACK PSH FIN URGP=0
>
> The origin is the mail server and the destination is my mail server, but
> shorewall drops it. How can I fix this?
>
> This is how I have set up the rules file
>
> ACCEPT	masq	fw	tcp	21,22,23,25,3128,10000,20000,domain,bootps,http,https,63
>1,imap,pop3,nntp,ntp	-
> ACCEPT	masq	fw	udp	domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp	-
> ACCEPT	fw	masq	tcp	631,515,137,138,139	-
> ACCEPT	fw	masq	udp	631,515,137,138,139	-
> ACCEPT	net	fw	tcp	21,22,25,domain,http,https,10000,20000	-
> ACCEPT	net	fw	udp	21,22,25,domain,http,https,10000,20000	-
>
At least half the above rules are unnecessary. http and https are tcp only as 
are imap, pop3, smtp and nntp, ftp (21), ssh (22) and telnet (23).

bootps should be handled by specifying ''dhcp'' for the internal
interface in
/etc/shorewall/interfaces.

The only port that you have listed there that is usually opened for both TCP 
and UDP is 53 (domain) because DNS uses both protocols.

See http://www.shorewall.net/samba.htm for rules for allowing SMB between your 
firewall and local network.

Finally to your problem -- The Shorewall ruleset is not "blocking
smtp" -- it
is blocking non-syn TCP packets that aren''t part of an established
connection
and some of those just happen to be SMTP. I suspect that your postfix server 
is rejecting connections from the net -- you can confirm that by doing a 
"shorewall clear" then trying to "telnet BLA.BLA.BLA.BLA 25"
from a host
outside the firewall.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net