Hi,
I've tried to use SuSEFirewall to configure a server with SMTP, POP and a Web server.
I've activated masquerading to allow the users on the local network to access the Internet.
I had to deactivate FW_PROTECT_FROM_INTERNAL to allow certain features, for example traceroute. What is the right way?
The mail server works well from local user to local user and from local user to external user. But incoming mails are systematically rejected. I've copied below the firewall and sendmail config file of SuSEFirewall. aaa.bbb.ccc.130 is the public IP address of the firewall.
Below, you can also see the log of the firewall. How do I find the relation between these messages and the output of ipchains -L?
Thanks for your help,
regards,
Philippe.
---
FW_DEV_WORLD=""
FW_DEV_INT="eth0 ppp0"
FW_MASQUERADE="yes"
FW_PROTECT_FROM_INTERNAL="no"
FW_ROUTE="yes"
FW_SERVICES_EXTERNAL_TCP="25 80"
FW_SERVICES_EXTERNAL_UDP="25 80"
FW_SERVICES_INTERNAL_TCP="25 53 80 110 3128"
FW_SERVICES_INTERNAL_UDP="53"
FW_SERVICE_DNS="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"
SENDMAIL_TYPE="yes"
SENDMAIL_SMARTHOST=""
SENDMAIL_LOCALHOST="localhost this.server.ua"
SENDMAIL_RELAY=""
SENDMAIL_ARGS="-bd -q30m -om"
SENDMAIL_EXPENSIVE="no"
SENDMAIL_EXPENSIVE="no"
SENDMAIL_NOCANONIFY="no"
SENDMAIL_NODNS="no"
SENDMAIL_DIALUP="no"
SENDMAIL_GENERICS_DOMAIN=""
MASQUERADE_DOMAINS=""
Jul 13 16:50:30 citydesign kernel: Packet log: rulchain REJECT ppp0 PROTO=6 202.58.118.7:1329 aaa.bbb.ccc.130:25 L=60 S=0x00 I=3205 F=0x4000 T=41 SYN (#7)
Jul 13 16:50:30 citydesign kernel: Packet log: rulchain REJECT ppp0 PROTO=6 202.58.118.7:1329 aaa.bbb.ccc.130:25 L=60 S=0x00 I=3205 F=0x4000 T=41 SYN (#7)
Jul 13 16:50:46 citydesign kernel: Packet log: rulchain REJECT ppp0 PROTO=6 193.41.48.5:1426 aaa.bbb.ccc.130:25 L=44 S=0x00 I=7215 F=0x4000 T=61 SYN (#7)
Jul 13 16:50:49 citydesign kernel: Packet log: rulchain REJECT ppp0 PROTO=6 193.41.48.5:1426 aaa.bbb.ccc.130:25 L=44 S=0x00 I=7338 F=0x4000 T=61 SYN (#7)
Jul 13 16:50:55 citydesign kernel: Packet log: rulchain REJECT ppp0 PROTO=6 193.41.48.5:1426 aaa.bbb.ccc.130:25 L=44 S=0x00 I=7580 F=0x4000 T=61 SYN (#7)
Jul 13 16:51:07 citydesign kernel: Packet log: rulchain REJECT ppp0 PROTO=6 193.41.48.5:1426 aaa.bbb.ccc.130:25 L=44 S=0x00 I=8061 F=0x4000 T=61 SYN (#7)
Hi Philippe, eth0 and ppp0 are both internal? Try FW_DEV_WORLD="ppp0" and FW_DEV_INT="eth0" - I assume eth0 is the device to your internal net? Cheers, Ralf
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
-- Ralf 'coko' Koch * mailto:info@formel4.de
--- The only thing Micro$oft has done for society, is make people believe, that computers are inherently unreliable.
Hi Ralf,
Please excuse me, this version of the config file is not the right one. I tried this one to deactivate the firewall, and got some result. In fact, when I set FW_DEV_INT="eth0 ppp0", sometimes external mail can enter during boot time (I suppose between some phases of the firewall initialization). The normal setting is:
FW_DEV_INT="eth0"
FW_DEV_WORLD="ppp0"
And in this case no mail can ever enter (cf. firewall log file).
Philippe.
-- Ralf Koch wrote:
Hi Philippe,
eth0 and ppp0 are both internal? Try FW_DEV_WORLD="ppp0" and FW_DEV_INT="eth0" - I assume eth0 is the device to your internal net?
Cheers,
Ralf
-- Philippe Allart "Internet et Logiciels Libres dans les Collectivités Territoriales" http://illico.org/ GNU: the largest multinational on the planet
Björn Engels wrote:
I had to deactivate FW_PROTECT_FROM_INTERNAL to allow certain features, for example traceroute. What is the right way?
Hmm, do you want to allow traceroute to the firewall or through the firewall to the Internet? If you wanted to allow it to the Internet, 'FW_PROTECT_FROM_INTERNAL' wouldn't help you.
In fact, we tried the connection using ping from a PC/win. It didn't work until I set FW_PROTECT_FROM_INTERNAL to "no". But there is no problem, I can rely on the internal users.
FW_DEV_WORLD=""
You don't have an interface that is connected to the Internet? *g* I guess this should be ppp0
FW_DEV_INT="eth0 ppp0"
This should be only eth0 if my guess from above is correct.
You're right, as I said in another mail. This setting was only for testing. Consider: FW_DEV_WORLD="ppp0" FW_DEV_INT="eth0"
FW_ROUTE="yes" FW_SERVICES_EXTERNAL_TCP="25 80"
Ok, you can connect to the mail server and to the webserver from the Internet. (What about pop3?)
pop3 should be accessible only from internal users, initially.
FW_SERVICE_DNS="yes"
I don't remember this option, I think it makes your nameserver accessible from outside. Do you really want this?
No.
FW_STOP_KEEP_ROUTING_STATE="yes"
You said 'FW_ROUTE="yes"'; if you bring down the firewall, it will still route, I think. Not a good idea in my opinion...
It's a leftover from tests, before I tried FW_PROTECT_FROM_INTERNAL="no".
- - -
SENDMAIL_TYPE="yes" SENDMAIL_SMARTHOST=""
It looks as if you're not always online. You should use your ISP's mailserver here to send your mails to it and let it deliver mail for you.
The site is connected through a leased line (34.8Kb, Ukraine is not very rich). The firewall is always online, and the users connect to the local SMTP to send mail. It seems that it works well to send mail toward the outside. But you're right, in case of multiposting, it's better to let the ISP's server explode it.
SENDMAIL_LOCALHOST="localhost this.server.ua"
I use m4 to generate my config files, so I don't know how this option works. Take a look in /etc/sendmail.cf and look for 'Cw localhost'. After 'localhost' should also be the domain name you're receiving mail for.
I've checked that. I've effectively found "Cw localhost this.server.ua" in sendmail.cf.
SENDMAIL_RELAY=""
Enter the network you wish to relay mails for. (Your LAN clients. Well, it's some abbreviated method of naming your network...) For example 192.168.1
I've manually configured /etc/mail/access and added the line "192.168.1 RELAY", then I ran SuSEConfig. Sendmail relays mails sent from inside without problem.
SENDMAIL_ARGS="-bd -q30m -om" SENDMAIL_EXPENSIVE="no" SENDMAIL_NOCANONIFY="no" SENDMAIL_NODNS="no" SENDMAIL_DIALUP="no" SENDMAIL_GENERICS_DOMAIN="" MASQUERADE_DOMAINS=""
Jul 13 16:50:30 citydesign kernel: Packet log: rulchain REJECT ppp0 PROTO=6 202.58.118.7:1329 aaa.bbb.ccc.130:25 L=60 S=0x00 I=3205 F=0x4000 T=41 SYN (#7)
Sure, this has to happen. Somebody sends a TCP SYN (connection initiation) from 202.58.118.7 port 1329 to your server, port 25 (SMTP). The packet is being rejected because you didn't specify your external ('WORLD') interface correctly. Fix that and it won't be rejected.
As I said above, I've tried this setting to deactivate the firewall, by coupling the options FW_DEV_INT="eth0 ppp0" FW_PROTECT_FROM_INTERNAL="no", without real success. My situation is a little bit complex. I worked in Ukraine to help network administrators configure a SuSE box. But now I'm back in France, and I promised to send them some help from this list. I can no longer operate the server. Please give me as many suggestions as possible, and I'll forward them. Thanks very much in advance, Philippe. -- Philippe Allart "Internet et Logiciels Libres dans les Collectivités Territoriales" http://illico.org/ GNU: the largest multinational on the planet
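Two questions run through the thread: how to read the kernel "Packet log:" lines against the rule list, and why the posted FW_DEV_WORLD="" / FW_DEV_INT="eth0 ppp0" setting rejects every inbound SMTP SYN while FW_DEV_WORLD="ppp0" / FW_DEV_INT="eth0" would not. The script below is an added example, not code from the thread or from SuSEFirewall: it parses the ipchains log format (the trailing "(#N)" is the position of the matching rule inside the named chain, so rule 7 of `rulchain` here is the seventh entry printed by `ipchains -L rulchain -n`), reads VAR="value" pairs from a SuSEFirewall fragment, and applies a deliberately simplified model (an assumption, not SuSEFirewall's real rule generator) in which FW_SERVICES_EXTERNAL_TCP only opens a port on interfaces named in FW_DEV_WORLD. The log lines and both config fragments are taken from the messages above; the grouping at the end shows that the repeated SYNs from 193.41.48.5 keep the same source port, i.e. one client retrying a connection that the firewall keeps rejecting.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the ipchains kernel log lines quoted in the thread
# (aaa.bbb.ccc.130 is the poster's own placeholder for the public address).
SAMPLE_LOG = """\
Jul 13 16:50:30 citydesign kernel: Packet log: rulchain REJECT ppp0 PROTO=6 202.58.118.7:1329 aaa.bbb.ccc.130:25 L=60 S=0x00 I=3205 F=0x4000 T=41 SYN (#7)
Jul 13 16:50:46 citydesign kernel: Packet log: rulchain REJECT ppp0 PROTO=6 193.41.48.5:1426 aaa.bbb.ccc.130:25 L=44 S=0x00 I=7215 F=0x4000 T=61 SYN (#7)
Jul 13 16:50:49 citydesign kernel: Packet log: rulchain REJECT ppp0 PROTO=6 193.41.48.5:1426 aaa.bbb.ccc.130:25 L=44 S=0x00 I=7338 F=0x4000 T=61 SYN (#7)
Jul 13 16:51:07 citydesign kernel: Packet log: rulchain REJECT ppp0 PROTO=6 193.41.48.5:1426 aaa.bbb.ccc.130:25 L=44 S=0x00 I=8061 F=0x4000 T=61 SYN (#7)
"""

# The SuSEFirewall fragment as posted, and the correction Ralf and Björn suggested.
POSTED_CONFIG = 'FW_DEV_WORLD="" FW_DEV_INT="eth0 ppp0" FW_SERVICES_EXTERNAL_TCP="25 80"'
FIXED_CONFIG = 'FW_DEV_WORLD="ppp0" FW_DEV_INT="eth0" FW_SERVICES_EXTERNAL_TCP="25 80"'

# ipchains log line: chain target iface PROTO=n src:sport dst:dport L= S= I= F= T= [flags] (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)"
)


@dataclass(frozen=True)
class PacketLog:
    chain: str     # ipchains chain whose rule fired ("rulchain" in the thread)
    target: str    # what the rule did: REJECT, DENY, ACCEPT ...
    iface: str     # interface the packet arrived on
    proto: int     # IP protocol number; 6 = TCP
    src: str
    sport: int
    dst: str
    dport: int
    flags: tuple   # TCP flags ipchains printed, e.g. ("SYN",)
    rule: int      # position of the matching rule inside the chain, from "(#N)"


def parse_packet_log(line):
    """Parse one kernel 'Packet log:' line; return None for lines that are not ipchains logs."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return PacketLog(
        chain=m["chain"], target=m["target"], iface=m["iface"],
        proto=int(m["proto"]), src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        flags=tuple(m["flags"].split()), rule=int(m["rule"]),
    )


def parse_fw_vars(text):
    """Read VAR="value" assignments from a SuSEFirewall fragment (one line or several)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', text))


def explain(entry, fw):
    """Simplified model (assumption): FW_SERVICES_EXTERNAL_TCP opens a port only on
    interfaces listed in FW_DEV_WORLD; anything else inbound stays closed."""
    world = fw.get("FW_DEV_WORLD", "").split()
    ext_tcp = {int(p) for p in fw.get("FW_SERVICES_EXTERNAL_TCP", "").split()}
    if entry.iface not in world:
        return (f"{entry.iface} is not in FW_DEV_WORLD={world}: external service rules "
                f"never apply to it, so port {entry.dport} stays closed")
    if entry.proto == 6 and entry.dport not in ext_tcp:
        return f"tcp/{entry.dport} is not in FW_SERVICES_EXTERNAL_TCP={sorted(ext_tcp)}"
    return f"tcp/{entry.dport} on {entry.iface} is opened by FW_SERVICES_EXTERNAL_TCP"


def rejected_connections(log_text):
    """Group rejected SYNs by (src, sport, dport, chain, rule). A key seen several
    times with the same source port is one client retrying the same connection."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_packet_log(line)
        if e and e.target == "REJECT" and "SYN" in e.flags:
            counts[(e.src, e.sport, e.dport, e.chain, e.rule)] += 1
    return counts


if __name__ == "__main__":
    entries = [e for e in map(parse_packet_log, SAMPLE_LOG.splitlines()) if e]
    first = entries[0]
    print(f"chain={first.chain} rule #{first.rule}: {first.src}:{first.sport} -> "
          f"{first.dst}:{first.dport} on {first.iface} ({first.target})")
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name:6s} -> {explain(first, parse_fw_vars(cfg))}")
    for (src, sport, dport, chain, rule), n in rejected_connections(SAMPLE_LOG).items():
        print(f"{src}:{sport} -> tcp/{dport}: {n} SYN(s) rejected by {chain} rule #{rule}")
```

Feed it `grep 'Packet log' /var/log/messages` output instead of SAMPLE_LOG to get the same grouping for a live box; the rule number it prints is what to count down to in `ipchains -L rulchain -n` to see which rule is actually doing the rejecting.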