[ale] SMTP and firewall problems

Joseph A. Knapka jknapka at earthlink.net
Fri Feb 9 11:56:21 EST 2001


Ben Coleman wrote:
> 
> On Fri, 9 Feb 2001 07:18:07 -0500, Eric_Brubakken at aoncons.com wrote:
> 
> >
> >
> >I am currently trying to configure my firewall at home and have run into a
> >problem with sending mail.  Receiving mail is not a problem just sending - my
> >firewall script seems to rejecting everything from SMPT (port 25).
> >
> >Does anyone see problems in the following code?
> >Here is a snipit from my rc.firewall script:
> 
> >LOOPBACK_INTERFACE="lo"                 # or your local naming convention
> >LOCAL_INTERFACE_1="eth1"                # internal LAN interface
> >
> >IPADDR="64.81.31.123"                   # your IP address
> >LOCALNET_1="192.168.0.0/24"             # whatever private range you use
> >
> >ANYWHERE="any/0"                        # match any IP address
> >
> >NAMESERVER_1="216.254.95.2"                     # everyone must have at least one
> >NAMESERVER_2="216.231.41.2"
> >UNPRIVPORTS="1024:65535"
> 
> Hmmm.  That looks a lot like the firewall scripts from the book 'Linux
> Firewalls'.
> 
> >------------------------------------------------------- problem child area -----------------------------------------------
> >
> >
> ># SMTP server (25)
> ># ----------------
> >    /sbin/ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  \
> >             -s $ANYWHERE $UNPRIVPORTS \
> >             -d $IPADDR 25 -j ACCEPT

This says, "Allow any incoming packet from unprivileged ports on
any machine for local port 25." So this is going to allow folks
to send you mail to be delivered locally, but won't allow your
machine to send reply packets - no one will be able to actually
connect until that is fixed. I'm assuming there's a rule somewhere
else that lets your machine send any well-formed outgoing packets
on port 25 (since you say elsewhere that you can receive mail),
so that should be fine.

> >    /sbin/ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> >             -s $IPADDR $UNPRIVPORTS \
> >             -d $ANYWHERE 25  -j ACCEPT

This says, "Allow any outgoing packet from a local unprivileged port
to port 25 on any other machine, so long as it's not attempting to
open a new connection." So you are explicitly *blocking* outgoing
SMTP connections with this rule. I think you want to get rid of the
"! -y", since you *do* want to be able to actually open connections to
other machines. The log message in your original post indicates that
this is exactly what's happening: the firewall is rejecting outgoing
packets with the SYN bit set (SYN is set when attempting to open
a connection).

> > ------------------------------------------------------- problem child area -----------------------------------------------
> 
> That's fine as far as it goes, but it only allows for incoming SMTP
> (which is what you've reported).  You also need to allow connections to
> external SMTP servers.  Assuming that you're not using your ISP's SMTP
> server, you need something like this:
> 
> /sbin/ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
>         -s $IPADDR $UNPRIVPORTS \
>         -d $ANYWHERE 25 -j ACCEPT

This is just the second rule above with the "! -y" taken away,
so adding this will achieve the same effect as my suggestion.

> /sbin/ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>         -s $ANYWHERE 25 \
>         -d $IPADDR $UNPRIVPORTS -j ACCEPT

And this rule is what you need to allow other SMTP agents to reply
to you when sending mail.


-- Joe Knapka
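A small Python model of the rules discussed in this thread, added here as an illustration (it is not code from the thread or from the 'Linux Firewalls' scripts): it shows why the output rule with "! -y" drops the outgoing SYN, why the same rule without the flag accepts it, and why keeping "! -y" on the input reply rule still matters (it accepts the remote server's SYN/ACK but not an unsolicited connection arriving from source port 25). The remote address, the local port 40000 and the DENY default policy are constructed assumptions; $EXTERNAL_INTERFACE is not modeled.

```python
from collections import namedtuple

IPADDR = "64.81.31.123"          # the host's address from the post
UNPRIV = (1024, 65535)           # $UNPRIVPORTS
SMTP = (25, 25)
ANY = None                       # $ANYWHERE: matches any address
REMOTE_MX = "198.51.100.7"       # constructed sample remote mail server

# chain is "input" or "output"; syn is True for a bare SYN (SYN set, ACK and FIN
# clear), which is what a new connection attempt looks like and what "-y" selects.
Packet = namedtuple("Packet", "chain src sport dst dport syn")
# sports/dports are inclusive ranges; not_syn models the "! -y" flag, which
# makes the rule match only packets that are NOT a bare SYN. Target is ACCEPT.
Rule = namedtuple("Rule", "chain src sports dst dports not_syn")

def matches(rule, pkt):
    """One ipchains ACCEPT rule tested against one packet."""
    return (rule.chain == pkt.chain
            and rule.src in (ANY, pkt.src)
            and rule.sports[0] <= pkt.sport <= rule.sports[1]
            and rule.dst in (ANY, pkt.dst)
            and rule.dports[0] <= pkt.dport <= rule.dports[1]
            and not (rule.not_syn and pkt.syn))

def verdict(rules, pkt, policy="DENY"):
    """First matching rule accepts; otherwise the chain's default policy applies."""
    return "ACCEPT" if any(matches(r, pkt) for r in rules) else policy

# Eric's output rule with "! -y", the same rule without it, and the input reply rule.
ORIGINAL_OUT = Rule("output", IPADDR, UNPRIV, ANY, SMTP, not_syn=True)
FIXED_OUT = Rule("output", IPADDR, UNPRIV, ANY, SMTP, not_syn=False)
REPLY_IN = Rule("input", ANY, SMTP, IPADDR, UNPRIV, not_syn=True)

def outcomes():
    out_syn = Packet("output", IPADDR, 40000, REMOTE_MX, 25, syn=True)       # our connect()
    in_synack = Packet("input", REMOTE_MX, 25, IPADDR, 40000, syn=False)     # server's SYN/ACK
    in_syn_from_25 = Packet("input", REMOTE_MX, 25, IPADDR, 40000, syn=True)  # unsolicited SYN
    return {
        "outbound_syn_original_rule": verdict([ORIGINAL_OUT], out_syn),       # DENY
        "outbound_syn_fixed_rule": verdict([FIXED_OUT], out_syn),             # ACCEPT
        "inbound_synack_reply": verdict([REPLY_IN], in_synack),               # ACCEPT
        "inbound_new_conn_from_port_25": verdict([REPLY_IN], in_syn_from_25),  # DENY
    }
```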