Björn Engels wrote:
>> I had to deactivate FW_PROTECT_FROM_INTERNAL to allow certain features, for example traceroute. What is the right way?
> Hmm, do you want to allow traceroute to the firewall or through the firewall to the Internet? If you wanted to allow it to the Internet, 'FW_PROTECT_FROM_INTERNAL' wouldn't help you.
In fact, we tried the connection using ping from a Windows PC. It didn't work until I set FW_PROTECT_FROM_INTERNAL to "no". But that is not a problem, I can rely on the internal users.
>> FW_DEV_WORLD=""
> You don't have an interface that is connected to the Internet? *g* I guess this should be ppp0.
>> FW_DEV_INT="eth0 ppp0"
> This should be only eth0 if my guess above is correct.
You're right, as I said in another mail. This setting was only for testing. Consider: FW_DEV_WORLD="ppp0" FW_DEV_INT="eth0"
>> FW_ROUTE="yes"
>> FW_SERVICES_EXTERNAL_TCP="25 80"
> OK, you can connect to the mail server and to the web server from the Internet. (What about POP3?)
POP3 should be accessible only from internal users, initially.
>> FW_SERVICE_DNS="yes"
> I don't remember this option; I think it makes your nameserver accessible from outside. Do you really want this?
No.
>> FW_STOP_KEEP_ROUTING_STATE="yes"
> You said 'FW_ROUTE="yes"'; if you bring down the firewall, it will still route, I think. Not a good idea in my opinion...
It's a leftover from tests, before I tried FW_PROTECT_FROM_INTERNAL="no".
- - -
>> SENDMAIL_TYPE="yes"
>> SENDMAIL_SMARTHOST=""
> It looks as if you're not always online. You should use your ISP's mail server here to send your mails to it and let it deliver mail for you.
The site is connected through a leased line (34.8Kb, Ukraine is not very rich). The firewall is always online, and the users connect to the local SMTP to send mail. It seems to work well for sending mail to the outside. But you're right, in the case of multiposting, it's better to let the ISP's server explode it.
>> SENDMAIL_LOCALHOST="localhost this.server.ua"
> I use m4 to generate my config files, so I don't know how this option works. Take a look in /etc/sendmail.cf and look for 'Cw localhost'. After 'localhost' there should also be the domain name you're receiving mail for.
I've checked that. I did indeed find "Cw localhost this.server.ua" in sendmail.cf.
>> SENDMAIL_RELAY=""
> Enter the network you wish to relay mail for (your LAN clients; well, it's some abbreviated method of naming your network...). For example 192.168.1
I've manually configured /etc/mail/access and added the line "192.168.1 RELAY", then I ran SuSEConfig. Sendmail relays mail sent from inside without problems.
>> SENDMAIL_ARGS="-bd -q30m -om"
>> SENDMAIL_EXPENSIVE="no"
>> SENDMAIL_NOCANONIFY="no"
>> SENDMAIL_NODNS="no"
>> SENDMAIL_DIALUP="no"
>> SENDMAIL_GENERICS_DOMAIN=""
>> MASQUERADE_DOMAINS=""
>> Jul 13 16:50:30 citydesign kernel: Packet log: rulchain REJECT ppp0 PROTO=6 202.58.118.7:1329 aaa.bbb.ccc.130:25 L=60 S=0x00 I=3205 F=0x4000 T=41 SYN (#7)
> Sure, this has to happen. Somebody sends a TCP SYN (connection initiation) from 202.58.118.7 port 1329 to your server, port 25 (SMTP). The packet is being rejected because you didn't specify your external ('WORLD') interface correctly. Fix that and it won't be rejected.
As I said above, I tried this setting to deactivate the firewall by combining the options FW_DEV_INT="eth0 ppp0" and FW_PROTECT_FROM_INTERNAL="no", without real success. My situation is a little complex. I worked in Ukraine to help network administrators configure a SuSE box. But now I'm back in France, and I promised to send them some help from this list. I can no longer manipulate the server myself. Please give me as many suggestions as possible, and I'll forward them. Thanks very much in advance,
Philippe.
-- 
Philippe Allart
"Internet et Logiciels Libres dans les Collectivités Territoriales"
http://illico.org/
GNU: the biggest multinational on the planet
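As an added example (not code from the thread or from SuSEfirewall), the following Python checker parses an ipchains "Packet log:" line in the format quoted above and applies Björn's reasoning to it: a rejected packet with a public source address arriving on an interface listed in FW_DEV_INT points at a misassigned interface rather than at policy. The FW_AS_POSTED and FW_FIXED dictionaries mirror the variable values discussed in the thread; the sample log line is a constructed copy of the one posted, and the classification strings are this example's own.

```python
import ipaddress
import re

# Constructed sample in the ipchains "Packet log:" format quoted in the thread (dst kept anonymised).
SAMPLE_LOG = ("Jul 13 16:50:30 citydesign kernel: Packet log: rulchain REJECT ppp0 "
              "PROTO=6 202.58.118.7:1329 aaa.bbb.ccc.130:25 L=60 S=0x00 I=3205 "
              "F=0x4000 T=41 SYN (#7)")

# SuSEfirewall variables as posted (ppp0 treated as internal) and as Björn suggested.
FW_AS_POSTED = {"FW_DEV_WORLD": "", "FW_DEV_INT": "eth0 ppp0",
                "FW_SERVICES_EXTERNAL_TCP": "25 80"}
FW_FIXED = {"FW_DEV_WORLD": "ppp0", "FW_DEV_INT": "eth0",
            "FW_SERVICES_EXTERNAL_TCP": "25 80"}

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+)(?P<rest>.*)$")

def parse_packet_log(line):
    """Return the fields of an ipchains packet-log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {"chain": m["chain"], "action": m["action"], "iface": m["iface"],
            "proto": int(m["proto"]),            # 6 = TCP, 17 = UDP, 1 = ICMP
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "syn": " SYN" in m["rest"]}          # TCP connection initiation

def is_public(addr):
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:          # anonymised placeholder or hostname, not an address
        return False

def explain_reject(pkt, fw):
    """Classify a rejected packet as policy or as a sign of misconfiguration."""
    world = fw.get("FW_DEV_WORLD", "").split()
    internal = fw.get("FW_DEV_INT", "").split()
    ext_tcp = {int(p) for p in fw.get("FW_SERVICES_EXTERNAL_TCP", "").split()}
    if pkt["action"] not in ("REJECT", "DENY"):
        return "not a drop"
    if pkt["iface"] not in world and pkt["iface"] not in internal:
        return "misconfig: interface in neither FW_DEV_WORLD nor FW_DEV_INT"
    if pkt["iface"] in internal and is_public(pkt["src"]):
        return "misconfig: public source on an interface configured as internal"
    if pkt["iface"] in world and pkt["proto"] == 6 and pkt["dport"] in ext_tcp:
        return "inconsistent: port is in FW_SERVICES_EXTERNAL_TCP, check the live ruleset"
    return "policy: blocked as configured"
```

Running the posted line through `explain_reject` with FW_AS_POSTED reports the interface misconfiguration; with FW_FIXED the same rejection would instead indicate that the running ruleset does not match the configuration file.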