Hi there! Our company has a Bering firewall with Shorewall, with local, vpn, and dmz zones. We have our web and mail server in the dmz, and this set of rules for accessing the server services from the net and local zones:

DNAT net dmz:192.168.5.2 tcp http,https
DNAT net dmz:192.168.5.2 tcp smtp
DNAT net dmz:192.168.5.2 tcp pop-3,imap
DNAT net dmz:192.168.5.2 udp pop-3,imap
DNAT net dmz:192.168.5.2 tcp ftp,ftp-data
ACCEPT dmz net tcp smtp,ftp,ftp-data
ACCEPT dmz net tcp domain
ACCEPT dmz net udp domain
ACCEPT dmz $FW tcp 53
ACCEPT dmz $FW udp 53
#
# Allow access to our new server from our LAN
#
DNAT loc:192.168.0.0/16 dmz:192.168.5.2 tcp http,https,ftp,ftp-data,smtp,pop3,imap - 1.2.3.4

1.2.3.4 is our external IP. This works great. Now I need the fax server, also in the dmz with IP 192.168.5.5, to be able to reach port 25 of the mail server for sending automated fax notifications to our users. If I telnet 1.2.3.4 25 I get connection refused. If I telnet 192.168.5.2 25 it works. However, when sendmail sends a message it always resolves the external IP, even if I put an entry in /etc/hosts with the local IP. So I'm stuck. Can anybody help?

TIA,
Ignacio
Ignacio Garcia wrote:
> Hi there!
>
> However, when sendmail sends a message it always resolves the
> external IP, even if I put an entry in /etc/hosts with the
> local IP. So I'm stuck. Can anybody help?
>

If I understand your post correctly, this seems more like a sendmail config problem, not a shorewall problem. With this in mind, have you considered using the sendmail "mailertable" feature to override your domain's MX record. Ex:

# cat /etc/mail/mailertable
mydomain.com esmtp:[192.168.5.2]

-or- reference the entry in your /etc/hosts file

# cat /etc/mail/mailertable
mydomain.com esmtp:[smtp.mydomain.com]

Steve Cowles
> If I understand your post correctly, this seems more like a sendmail
> config problem, not a shorewall problem. With this in mind, have you
> considered using the sendmail "mailertable" feature to override your
> domain's MX record.
> Ex:
>
> # cat /etc/mail/mailertable
> mydomain.com esmtp:[192.168.5.2]
>
> -or- reference the entry in your /etc/hosts file
>
> # cat /etc/mail/mailertable
> mydomain.com esmtp:[smtp.mydomain.com]
>
> Steve Cowles

That's right, Steve, and your tip works, but what about other services that don't have a "transport map" and I need to access them using the external IP?

Thanks, Steve.
Ignacio
Ignacio Garcia wrote:
>> If I understand your post correctly, this seems more like a sendmail
>> config problem, not a shorewall problem. With this in mind, have you
>> considered using the sendmail "mailertable" feature to override your
>> domain's MX record.
>> Ex:
>>
>> # cat /etc/mail/mailertable
>> mydomain.com esmtp:[192.168.5.2]
>>
>> -or- reference the entry in your /etc/hosts file
>>
>> # cat /etc/mail/mailertable
>> mydomain.com esmtp:[smtp.mydomain.com]
>>
>> Steve Cowles
>
>
> That's right, Steve, and your tip works, but what about other services
> that don't have a "transport map" and I need to access them using the
> external IP?

That's Shorewall FAQ #2 -- you just have the problem within your 'dmz' zone rather than the 'loc' zone.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
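The FAQ #2 fix Tom points to, applied to this thread's dmz-to-dmz case, as an added example that is not part of the thread or of Shorewall's own documentation; the dmz interface name eth2 and the /etc/shorewall file layout are assumptions, and the rule mirrors the loc rule Ignacio already has (ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST):

```text
# /etc/shorewall/rules  (added example, not from the thread)
# Let dmz hosts such as the fax server (192.168.5.5) reach the mail server
# through the external address 1.2.3.4, just as the existing loc rule does.
# Only smtp is hairpinned here; other services need their own entries.
DNAT dmz dmz:192.168.5.2 tcp smtp - 1.2.3.4

# /etc/shorewall/masq  (added example; eth2 = the dmz interface is an assumption)
# The DNAT alone is not enough: 192.168.5.2 would answer 192.168.5.5 directly
# on the same subnet, and the client would drop that reply because it expects
# it from 1.2.3.4. Masquerading dmz-sourced traffic leaving eth2 makes the
# reply return through the firewall, so the un-NAT happens on the way back.
eth2 192.168.5.0/24
```

Run `shorewall check` and then `shorewall restart`, and confirm from the fax server that `telnet 1.2.3.4 25` now connects instead of being refused.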