On Wednesday 17 December 2003 01:27 am, Jose Arteaga wrote:
> I have installed Mandrake 9.2 with postfix 2.0.13, shorewall ver is
> 1.4.8. I can send emails out and receive them within my local network. I
> cannot receive mail from the net. When I check shorewall status it shows:
>
> Dec 17 10:12:55 newnotsyn:DROP:IN=eth1 OUT= SRC=65.54.167.154
> DST=81.BLA.BLA.BLA LEN=115 TOS=0x00 PREC=0x00 TTL=47 ID=8939 PROTO=TCP
> SPT=25 DPT=38132 WINDOW=17520 RES=0x00 ACK PSH FIN URGP=0
>
> Dec 17 10:13:08 newnotsyn:DROP:IN=eth1 OUT= SRC=65.54.167.154
> DST=81.BLA.BLA.BLA LEN=115 TOS=0x00 PREC=0x00 TTL=47 ID=23596 PROTO=TCP
> SPT=25 DPT=38132 WINDOW=17520 RES=0x00 ACK PSH FIN URGP=0
>
> The origin is the mail server and the destination is my mail server, but
> shorewall drops it. How can I fix this?
>
> This is how I have set up the rules file
>
> ACCEPT masq fw tcp 21,22,23,25,3128,10000,20000,domain,bootps,http,https,631,imap,pop3,nntp,ntp -
> ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
> ACCEPT fw masq tcp 631,515,137,138,139 -
> ACCEPT fw masq udp 631,515,137,138,139 -
> ACCEPT net fw tcp 21,22,25,domain,http,https,10000,20000 -
> ACCEPT net fw udp 21,22,25,domain,http,https,10000,20000 -
>
At least half the above rules are unnecessary. http and https are tcp only, as
are imap, pop3, smtp and nntp, ftp (21), ssh (22) and telnet (23). bootps
should be handled by specifying 'dhcp' for the internal interface in
/etc/shorewall/interfaces.

The only port that you have listed there that is usually opened for both TCP
and UDP is 53 (domain), because DNS uses both protocols.

See http://www.shorewall.net/samba.htm for rules for allowing SMB between your
firewall and local network.

Finally, to your problem -- the Shorewall ruleset is not "blocking smtp" -- it
is blocking non-syn TCP packets that aren't part of an established connection,
and some of those just happen to be SMTP. I suspect that your postfix server
is rejecting connections from the net -- you can confirm that by doing a
"shorewall clear" then trying to "telnet BLA.BLA.BLA.BLA 25" from a host
outside the firewall.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
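The reply's point about newnotsyn drops, as an added example that is not part of the thread: a small Python parser for Shorewall log lines in the format quoted above that separates stray non-SYN replies from a remote port 25 (what Jose's lines show) from a genuine inbound SYN to port 25 being dropped, which would point at a rule or policy problem. The third sample line, the net2all chain name and the documentation addresses are constructed for this example.

```python
import re

# Constructed sample: the two drops quoted in the thread (DST replaced by the
# documentation address 192.0.2.10) plus one constructed inbound SMTP SYN drop.
SAMPLE_LOG = """\
Dec 17 10:12:55 newnotsyn:DROP:IN=eth1 OUT= SRC=65.54.167.154 DST=192.0.2.10 LEN=115 TOS=0x00 PREC=0x00 TTL=47 ID=8939 PROTO=TCP SPT=25 DPT=38132 WINDOW=17520 RES=0x00 ACK PSH FIN URGP=0
Dec 17 10:13:08 newnotsyn:DROP:IN=eth1 OUT= SRC=65.54.167.154 DST=192.0.2.10 LEN=115 TOS=0x00 PREC=0x00 TTL=47 ID=23596 PROTO=TCP SPT=25 DPT=38132 WINDOW=17520 RES=0x00 ACK PSH FIN URGP=0
Dec 17 10:14:01 net2all:DROP:IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 PROTO=TCP SPT=44123 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<chain>[^:]+):(?P<action>\w+):(?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}

def parse_line(line):
    """Turn one Shorewall/netfilter log line into a dict; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "chain": m["chain"], "action": m["action"], "flags": set()}
    for tok in m["rest"].split():
        if "=" in tok:                      # KEY=VALUE fields such as SRC=, SPT=, DPT=
            key, val = tok.split("=", 1)
            rec[key] = val
        elif tok in TCP_FLAGS:              # bare TCP flag names (ACK PSH FIN ...)
            rec["flags"].add(tok)
    return rec

def explain(rec):
    """Classify a dropped TCP packet the way the reply in the thread does."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    spt, dpt = int(rec["SPT"]), int(rec["DPT"])
    if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
        return f"inbound-connect:{dpt}"     # a new connection to local port dpt was refused
    if spt < 1024 and dpt >= 1024:
        return f"stray-reply:{spt}"         # remote service port answering an untracked local connection
    return "nonsyn-other"

def summarize(log_text):
    """Map each classification to the number of DROP lines that fall into it."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "DROP":
            label = explain(rec)
            counts[label] = counts.get(label, 0) + 1
    return counts
```

Run `summarize()` over the output of `shorewall status` or the kernel log; a count under `inbound-connect:25` is the only one that says the firewall itself is turning away SMTP clients.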