thr3ads.net - Shorewall users - mail in/out within DMZ [Jan 2006]

If this information is useful, please help other people find it:
Share via:

claus westerkamp

2006-Jan-12 16:56 UTC

mail in/out within DMZ

Hello Shorewall-people

I have following situation/problem:

2mailservers within the DMZ. one for incoming messages (192.168.0.11), 
one for outgoing messages (192.168.0.10).

I have tried this in "rules"

#### Mail#########################################################
DNAT:info       net     dmz:192.168.0.11        tcp      25      - 
  public.ip
ACCEPT:info     dmz     net                     tcp     25
DNAT:info       dmz:192.168.0.10        dmz:192.168.0.11        tcp 
  \ 25 	-       public.ip

which results in:

Jan 12 17:46:09 firewall kernel: Shorewall:FORWARD:REJECT:IN=eth2 
OUT=eth2 SRC=192.168.0.10 DST=192.168.0.11 LEN=48 TOS=0x00 PREC=0x00 
TTL=63 ID=51884 DF PROTO=TCP SPT=39987 DPT=25 WINDOW=24820 RES=0x00 SYN 
URGP=0
-----

mails come in wonderful, they are sent to world perfect. but mail-out 
cannot send messages to public.ip, nor to mail-in

what needs to be done so shorewall recognizes both hosts are from the 
DMZ or whatever?

thanks in advance
claus


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click

Tom Eastep

2006-Jan-12 17:04 UTC

head link

Re: mail in/out within DMZ

On Thursday 12 January 2006 08:56, claus westerkamp
wrote:> Hello Shorewall-people
>
> I have following situation/problem:
>
> 2mailservers within the DMZ. one for incoming messages (192.168.0.11),
> one for outgoing messages (192.168.0.10).
>
> I have tried this in "rules"
>
> #### Mail#########################################################
> DNAT:info       net     dmz:192.168.0.11        tcp      25      -
>   public.ip
> ACCEPT:info     dmz     net                     tcp     25
> DNAT:info       dmz:192.168.0.10        dmz:192.168.0.11        tcp
>   \ 25 	-       public.ip
>
> which results in:
>
> Jan 12 17:46:09 firewall kernel: Shorewall:FORWARD:REJECT:IN=eth2
> OUT=eth2 SRC=192.168.0.10 DST=192.168.0.11 LEN=48 TOS=0x00 PREC=0x00
> TTL=63 ID=51884 DF PROTO=TCP SPT=39987 DPT=25 WINDOW=24820 RES=0x00 SYN
> URGP=0
> -----
This is an miserable configuration. You would be much better off using split 
DNS so that 192.168.0.10 sent traffic directly to 192.168.0.11 rather than 
sending it through the firewall. If you really want to continue with this 
hack, please see Shorewall FAQ 2. Be advised that all traffic from 
192.168.0.10 to 192.168.0.11 will appear to 192.168.0.11 to have originated 
on your firewall rather than on 192.168.0.10.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Shorewall users - Jan 2006 - mail in/out within DMZ

mail in/out within DMZ

Re: mail in/out within DMZ