I have been given a set of "firewall rules" to open my firewall for DCC to support my spam filtering. (I have done many web searches trying to find info relating to DCC with Shorewall, to no avail.) The problem is that I am clueless on how these "rules" translate into the Shorewall rule format. Could someone please help me translate these?

allow udp local gt 1023 to remote 6277
allow udp remote 6277 to local gt 1023

Many thanks,
Pete
> I have been given a set of "firewall rules" to open my firewall for DCC
> to support my spam filtering.
> (I have done many web searches trying to find info relating to DCC with
> Shorewall, to no avail.
> The problem is that I am clueless on how these "rules" translate into
> the shorewall rule format.
> Could someone please help me translate these?
>
> allow udp local gt 1023 to remote 6277
> allow udp remote 6277 to local gt 1023

Since netfilter is stateful, this should be okay:

ACCEPT loc net udp 6277
On Wed, 2004-08-04 at 09:41 -0600, Pete Dubler wrote:
> I have been given a set of "firewall rules" to open my firewall for DCC
> to support my spam filtering.
> (I have done many web searches trying to find info relating to DCC with
> Shorewall, to no avail.
> The problem is that I am clueless on how these "rules" translate into
> the shorewall rule format.
> Could someone please help me translate these?
>
> allow udp local gt 1023 to remote 6277

ACCEPT $FW net udp 6277

> allow udp remote 6277 to local gt 1023

ACCEPT net $FW udp - 6277

The assumption made is that it is your firewall that is also your mail server. If that is incorrect and you have a separate mail server, change $FW with loc:<ip of mail server> or the like.

--
David T Hollis <dhollis@davehollis.com>
Thanks for the help. The rule set makes sense to me, but the traffic is not going through.

(Yes, I did restart shorewall after entering the rules :)

ACCEPT loc net udp 6277
ACCEPT net loc udp - 6277

I still get the following from running cdcc info:

################
# 08/04/04 13:30:22 MDT GreyList /var/dcc/map
# Re-resolve names after 15:19:32
# 1 total, 0 working servers

127.0.0.1,- Greylist 32768 710809707x253
# 127.0.0.1,-
# not answering

indicating that the appropriate port is not open.

My mail server is on the local LAN and all machines on that LAN are trusted and included in "loc".

What am I missing here?

Thanks again,
Pete
Pete Dubler wrote:
> Thanks for the help. The rule set makes sense to me, but the traffic is
> not going through.
>
> (yes, I did restart shorewall after entering the rules:):
>
> ACCEPT loc net udp 6277
> ACCEPT net loc udp - 6277

If you are using SNAT/Masquerade to allow the 'loc' zone to access the net then the last rule is useless -- see FAQ 30.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
> Pete Dubler wrote:
>> Thanks for the help. The rule set makes sense to me, but the traffic is
>> not going through.
>>
>> (yes, I did restart shorewall after entering the rules:):
>>
>> ACCEPT loc net udp 6277
>> ACCEPT net loc udp - 6277
>
> If you are using SNAT/Masquerade to allow the 'loc' zone to access the
> net then the last rule is useless -- see FAQ 30.

I think it's useless anyway. The DCC servers will never send unrelated packets to clients, just reply to queries, right? The reason why the DCC docs describe such rules is for those without stateful firewalls.

Simon
> Thanks for the help. The rule set makes sense to me, but the traffic is
> not going through.
>
> (yes, I did restart shorewall after entering the rules:):
>
> ACCEPT loc net udp 6277
> ACCEPT net loc udp - 6277
>
>
> I still get the following from running cdcc info
>
> ################
> # 08/04/04 13:30:22 MDT GreyList /var/dcc/map
> # Re-resolve names after 15:19:32
> # 1 total, 0 working servers
>
> 127.0.0.1,- Greylist 32768 710809707x253
> # 127.0.0.1,-
> # not answering
>
>
> indicating that the appropriate port is not open.
>
> My mail server is on the local lan and all machines on that lan are
> trusted and included in "loc"
>
> What am I missing here?

Do you run cdcc info on your firewall? Then of course the rule must be changed to

ACCEPT fw net udp 6277

BTW, does DNS resolution work? That's important here! Also check the shorewall logs to see which traffic gets blocked.

Simon
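Pulling the thread's advice together: a small translator from the rule syntax in the DCC documentation ("allow udp local gt 1023 to remote 6277") into Shorewall rules-file entries. This is an added example, not code from any poster or from the DCC or Shorewall projects. The function names, the `stateful`/`mail_host` parameters and the 192.168.1.10 address are my own; it assumes Shorewall's rules file column order (ACTION, SOURCE, DEST, PROTO, DEST PORT(S), SOURCE PORT(S)), and it drops the remote-to-local rule by default because netfilter's connection tracking already passes the reply to a UDP query, which is the point Simon and Tom make above.

```python
"""Turn DCC-style 'allow udp ...' lines into Shorewall /etc/shorewall/rules entries.

Added example, not part of the thread. Names (translate, translate_all,
mail_host, stateful) are my own; the input format is the two lines Pete posted.
"""
import re

# One rule per line, e.g. "allow udp local gt 1023 to remote 6277".
# 'local' is our side (the firewall or a loc host), 'remote' is the net zone.
_RULE = re.compile(
    r"^\s*(?P<action>allow|deny)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>local|remote)\s+(?P<sport>gt\s+\d+|\d+)\s+to\s+"
    r"(?P<dst>local|remote)\s+(?P<dport>gt\s+\d+|\d+)\s*$",
    re.IGNORECASE,
)


def _port(spec):
    """Shorewall port column: 'gt 1023' means any ephemeral port, written as '-'."""
    spec = spec.strip().lower()
    return "-" if spec.startswith("gt") else spec


def translate(line, mail_host="$FW", stateful=True):
    """Return one Shorewall rules line, or None when the rule is redundant.

    mail_host: '$FW' when the DCC client runs on the firewall itself,
               'loc' or 'loc:<ip>' when it runs on a LAN host behind it.
    stateful:  netfilter tracks the outgoing UDP query and lets the reply
               back in, so the remote->local rule is only needed on a
               stateless packet filter.
    """
    m = _RULE.match(line)
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    src, dst = m["src"].lower(), m["dst"].lower()
    if src == dst:
        raise ValueError(f"source and destination are both {src!r}: {line!r}")
    if src == "remote" and stateful:
        # Reply direction: conntrack matches it as ESTABLISHED, no rule needed.
        return None

    action = "ACCEPT" if m["action"].lower() == "allow" else "DROP"
    source, dest = (mail_host, "net") if src == "local" else ("net", mail_host)
    dport, sport = _port(m["dport"]), _port(m["sport"])

    # Shorewall rules columns: ACTION SOURCE DEST PROTO DEST-PORT(S) SOURCE-PORT(S)
    cols = [action, source, dest, m["proto"].lower(), dport]
    if sport != "-":
        cols.append(sport)
    return "\t".join(cols)


def translate_all(text, **kw):
    """Translate a block of rule lines; blank lines and '#' comments are skipped."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = translate(line, **kw)
        if rule is not None:
            out.append(rule)
    return out


# Constructed input: the two lines from the DCC documentation as quoted in the thread.
DCC_RULES = """\
# DCC client to public DCC servers
allow udp local gt 1023 to remote 6277
allow udp remote 6277 to local gt 1023
"""

if __name__ == "__main__":
    print("# DCC client on the firewall itself:")
    print("\n".join(translate_all(DCC_RULES)))
    print("# DCC client on a LAN mail server (address is a placeholder):")
    print("\n".join(translate_all(DCC_RULES, mail_host="loc:192.168.1.10")))
    print("# stateless filter, both directions:")
    print("\n".join(translate_all(DCC_RULES, stateful=False)))
```

With the defaults this yields exactly David's first rule (ACCEPT $FW net udp 6277) and nothing for the reply direction; passing stateful=False reproduces his second rule (ACCEPT net $FW udp - 6277) for a filter without connection tracking. When the client is a LAN host behind masquerading, the reply rule is doubly pointless, as Tom notes, because the server only ever sees the firewall's address. If the single outbound rule is in place and cdcc still reports "not answering", the thread's remaining advice applies: confirm that the host running cdcc can resolve the DCC server names, and read the Shorewall log for the packets that are actually being dropped.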