I have site A and site B both running shorewall and are connected to each other via VPN.

Site A runs a Mail server that I wish to move temporarily to B and configure shorewall to DNAT smtp connections on A -> B through VPN.

DNAT operates correctly and sends the smtp connection to B with no problem.

On B however, shorewall complains ( correctly in my opinion ) about Martian source, since it receives the smtp connection from the net while the default route on the firewall is not the VPN interface .... ( tun )

Any thoughts on how to overcome this ???

Kind Regards
Harry.

PS: Happy New Year List !!!!!

------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers to consolidate database storage, standardize their database environment, and, should the need arise, upgrade to a full multi-node Oracle RAC database without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
On 1/3/11 12:03 AM, Harry Lachanas wrote:
> I have site A and site B both running shorewall and are connected to
> each other via VPN
>
> Site A runs a Mail server that I wish to move temporarily to B and
> configure shorewall to DNAT smtp connections on A -> B through VPN.
>
> DNAT operates correctly and sends the smtp connection to B with no problem
>
> On B however
>
> shorewall complains ( Correctly in my opinion ) about Martian source
> since it receives smtp connection from the net while the default route
> on the firewall is not the VPN interface .... ( tun )

Actually, your kernel complains -- Shorewall may have configured it to do so, however.

> Any thoughts on how to overcome this ???

Three ideas:

a) Update your MX record to point to B.
b) Configure multi-ISP on system B so that it has multiple default routes.
c) SNAT the forwarded traffic. I don't recommend this one for a mail server, though, since you lose the true identity of the sending host.

-Tom
-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On 01/03/2011 05:43 PM, Tom Eastep wrote:
> On 1/3/11 12:03 AM, Harry Lachanas wrote:
>> I have site A and site B both running shorewall and are connected to
>> each other via VPN
>>
>> Site A runs a Mail server that I wish to move temporarily to B and
>> configure shorewall to DNAT smtp connections on A -> B through VPN.
>>
>> DNAT operates correctly and sends the smtp connection to B with no problem
>>
>> On B however
>>
>> shorewall complains ( Correctly in my opinion ) about Martian source
>> since it receives smtp connection from the net while the default route
>> on the firewall is not the VPN interface .... ( tun )
> Actually, your kernel complains -- Shorewall may have configured it to
> do so, however.
>
>> Any thoughts on how to overcome this ???
>>
> Three ideas:
>
> a) Update your MX record to point to B.
> b) Configure multi-ISP on system B so that it has multiple default routes.
> c) SNAT the forwarded traffic. I don't recommend this one for a mail
> server, though, since you lose the true identity of the sending host.

Thanks Tom, your opinion is as reliable as a 100$ bill !

a) ... n/a, second site B has a dynamic ip address.
b) ... Thought about it but it seemed quite a dirty trick .... + the mess, shorewall on site B runs on an openvz server, so go figure.
c) ... Not a chance .... too much spam around the net today.

Thanks again,
Harry.
How about :

Change the port forwarding on site A to send SMTP traffic to the server at site B.

Configure the server to use the Site A router for its external gateway ? If there isn't too much traffic then just do it for the whole server, otherwise use policy routing to send just SMTP traffic via site A.

Also, how dynamic is the address at site B ? If the address only changes infrequently, and this is a temporary setup, then could you get away with setting a short TTL on the MX record and changing it as required ? Or even use one of the dynamic-ip-to-dns services for the hostname in the MX record.

Or, set up a temporary mail server at site A, with the same config (user accounts etc) as the main server, but forwarding all received messages to the other server.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
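The "Martian source" message Tom attributes to the kernel comes from Linux reverse-path filtering (net.ipv4.conf.<if>.rp_filter, logged when log_martians is set; Shorewall's routefilter and logmartians interface options are the usual way those sysctls end up enabled). The model below is an added example for this thread, not code from Shorewall or from any of the posters: it does a longest-prefix lookup over a constructed routing table for site B and reproduces why a DNATed SMTP SYN from an Internet address fails the strict check when it arrives on tun0 while the default route is eth0. It also shows the two kernel-side ways out that the thread touches on: loose mode (rp_filter=2), and an iif-based policy rule that routes anything arriving over the tunnel back through it, which is the policy-routing variant of Simon's suggestion and is what the DNAT at site A needs anyway so that replies return through A to be un-NATed. All interface names, prefixes and the 203.0.113.5 sender are constructed.

```python
"""Toy model of Linux reverse-path filtering (rp_filter), the check behind
the "martian source" log line discussed in the thread.

Constructed example: routing tables, device names and addresses are made up
for illustration and do not come from the original posts or from Shorewall.
"""
import ipaddress

# Site B's main routing table (constructed). The default route points at the
# ISP uplink; the VPN to site A only carries its own transfer network.
MAIN_TABLE = [
    ("0.0.0.0/0", "eth0"),        # default route via the ISP
    ("192.168.2.0/24", "eth1"),   # site B LAN
    ("10.8.0.0/24", "tun0"),      # VPN transfer network to site A
]

# A second table selected by a policy rule in the spirit of
#   ip rule add iif tun0 lookup vpn
#   ip route add default dev tun0 table vpn
# so that whatever arrived over the tunnel is also routed back through it.
VPN_TABLE = [
    ("0.0.0.0/0", "tun0"),
]

# Rule databases: ordered (incoming-interface selector, table) pairs.
# None matches any interface, like the implicit "from all lookup main" rule.
DEFAULT_RULES = [(None, MAIN_TABLE)]
POLICY_RULES = [("tun0", VPN_TABLE), (None, MAIN_TABLE)]


def lookup(table, dst):
    """Longest-prefix match of dst against one table; returns the egress
    device, or None when the table has no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def reverse_path_check(src, iif, rules, mode=1):
    """Decide whether a packet from src arriving on iif passes rp_filter.

    mode mirrors net.ipv4.conf.<if>.rp_filter: 0 = off, 1 = strict (the
    reverse route must leave via iif), 2 = loose (any route to src suffices).
    Returns (accepted, reason). Simplification: the real kernel takes the
    max of the "all" and per-interface sysctls; this model takes one value.
    """
    if mode == 0:
        return True, "rp_filter=0: no reverse-path check"

    # The reverse lookup asks: "if I had to send a packet *to* src, which
    # interface would it leave on?"  Rules are consulted in order and the
    # first table that yields a route wins, as with ip rule.
    reverse_dev = None
    for rule_iif, table in rules:
        if rule_iif is not None and rule_iif != iif:
            continue
        reverse_dev = lookup(table, src)
        if reverse_dev is not None:
            break

    if reverse_dev is None:
        return False, f"no route back to {src}: martian source"
    if mode == 2:
        return True, f"rp_filter=2 (loose): some route to {src} exists"
    if reverse_dev == iif:
        return True, f"rp_filter=1 (strict): reverse path {reverse_dev} matches ingress"
    return False, (f"rp_filter=1 (strict): packet from {src} arrived on {iif} "
                   f"but the reverse path is via {reverse_dev}: martian source")


def demo():
    """The thread's scenario: an Internet MTA's SMTP SYN, DNATed at site A,
    reaches site B over tun0 while B's default route is eth0."""
    internet_src = "203.0.113.5"   # constructed public address of a sending MTA
    return {
        "default rules, strict":   reverse_path_check(internet_src, "tun0", DEFAULT_RULES, mode=1),
        "default rules, loose":    reverse_path_check(internet_src, "tun0", DEFAULT_RULES, mode=2),
        "iif policy rule, strict": reverse_path_check(internet_src, "tun0", POLICY_RULES, mode=1),
        "VPN peer itself, strict": reverse_path_check("10.8.0.1", "tun0", DEFAULT_RULES, mode=1),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:26s} {'ACCEPT' if ok else 'DROP  '} {why}")
```

Of the two fixes the model accepts, the iif rule is the one to prefer on a firewall: it keeps strict filtering on tun0 and only changes which table answers the reverse lookup, whereas loose mode stops the kernel from checking that traffic arriving over the tunnel actually belongs there.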
On 01/04/2011 11:41 AM, Simon Hobson wrote:
> How about :
>
> Change the port forwarding on site A to send SMTP traffic to the
> server at site B.
>
> Configure the server to use the Site A router for its external gateway ?
> If there isn't too much traffic then just do it for the whole server,
> otherwise use policy routing to send just SMTP traffic via site A.
>
>
> Also, how dynamic is the address at site B ? If the address only
> changes infrequently, and this is a temporary setup, then could you
> get away with setting a short TTL on the MX record and changing it as
> required ? Or even use one of the dynamic-ip-to-dns services for the
> hostname in the MX record.

The ip address changes about once every 24 hours; the DNS MX record is not an issue cause I serve my own DNS. However, you cannot mail to google from a dynamic DNS; that is, google rejects you with a 550 message.

> Or, set up a temporary mail server at site A, with the same config
> (user accounts etc) as the main server, but forwarding all received
> messages to the other server.

This tends to be the most real solution with the least effort.

Thanks a lot All.
harry.