Mailinglist Archive: opensuse-security (343 mails)

Re: [suse-security] Can't receive messages
  • From: Philippe Allart <pallart@xxxxxxxxxx>
  • Date: Fri, 27 Jul 2001 10:00:10 +0200
  • Message-id: <3B611F8A.7C33B9AA@xxxxxxxxxx>
Björn Engels wrote:
> > I had to deactivate FW_PROTECT_FROM_INTERNAL to allow certain features,
> > for example traceroute. What is the good way?
>
> Hmm, do you want to allow traceroute to the firewall or through the
> firewall to the Internet ? If you would want to allow it to the Internet
> 'FW_PROTECT_FROM_INTERNAL' wouldn't help you.

In fact, we tried the connection using ping from a PC/win. It didn't work
until I set FW_PROTECT_FROM_INTERNAL to "no". But there is no problem, I
can rely on the internal users.

>
> > FW_DEV_WORLD=""
>
> You don't have an interface that is connected to the
> Internet ? *g* I guess this should be ppp0
>
> > FW_DEV_INT="eth0 ppp0"
>
> This should be only eth0 if my guess from above is correct.

You're right, as I said in another mail. This setting was only for
testing. Consider:
FW_DEV_WORLD="ppp0"
FW_DEV_INT="eth0"

>
> > FW_ROUTE="yes"
> > FW_SERVICES_EXTERNAL_TCP="25 80"
>
> Ok, you can connect to the mail server and to the webserver
> from the Internet. (What about pop3?)

pop3 should be accessible only from internal users, at first.

>
> > FW_SERVICE_DNS="yes"
>
> I don't remember this option, I think it makes your Nameserver
> accessible from outside. Do you really want this ?

No.

>
> > FW_STOP_KEEP_ROUTING_STATE="yes"
>
> You said 'FW_ROUTE="yes"', if you bring down the Firewall, it
> will still route, I think. Not a good idea in my opinion...

It's a leftover from tests, before I tried FW_PROTECT_FROM_INTERNAL="no".

>
> - - -
>
> > SENDMAIL_TYPE="yes"
> > SENDMAIL_SMARTHOST=""
>
> It looks as if you're not always online. You should use your ISP's
> mailserver here to send your mails to it and let it deliver mail for
> you.

The site is connected through a leased line (34.8Kb, Ukraine is not
very rich). The firewall is always on line, and the users connect to the
local SMTP to send mail. It seems that it works well to send mail toward
outside. But you're right, in case of multiposting, it's better to let
the ISP's server explode it.

>
> > SENDMAIL_LOCALHOST="localhost this.server.ua"
>
> I use m4 to generate my config files, so I don't know how this option
> works.
> Take a look in /etc/sendmail.cf and look for 'Cw localhost'. After
> 'localhost' should be also the domainname you're receiving mail for.

I've checked that. I've indeed found "Cw localhost this.server.ua"
in sendmail.cf.

>
> > SENDMAIL_RELAY=""
>
> Enter the network you wish to relay mails for. (Your LAN-clients. Well,
> it's some abbreviated method of naming your network...) For example
> 192.168.1

I've manually configured /etc/mail/access, and added the line:
192.168.1 RELAY
then I ran SuSEConfig.

Sendmail relays mails sent from inside without problem.

>
> > SENDMAIL_ARGS="-bd -q30m -om"
> > SENDMAIL_EXPENSIVE="no"
> > SENDMAIL_NOCANONIFY="no"
> > SENDMAIL_NODNS="no"
> > SENDMAIL_DIALUP="no"
> > SENDMAIL_GENERICS_DOMAIN=""
> > MASQUERADE_DOMAINS=""
>
>
>
> > Jul 13 16:50:30 citydesign kernel: Packet log: rulchain REJECT ppp0
> > PROTO=6 202.58.118.7:1329 aaa.bbb.ccc.130:25 L=60 S=0x00 I=3205 F=0x4000
> > T=41 SYN (#7)
>
> Sure, this has to happen. Somebody sends a TCP SYN (connection
> initiation) from 202.58.118.7 Port 1329 to your Server, Port 25 (SMTP).
> The packet is being rejected because you didn't specify your external
> ('WORLD') interface correctly. Fix that and it won't be rejected.

As I said above, I've tried this setting to deactivate the firewall, by
coupling the options
FW_DEV_INT="eth0 ppp0"
FW_PROTECT_FROM_INTERNAL="no"
without real success.

My situation is a little bit complex. I've worked in Ukraine to help
network administrators to configure a Suse box. But now I'm back in
France, and I promised to send them some help from this list. I can
no longer manipulate the server. Please give me as many suggestions as
possible, and I'll forward them.

Thanks very much in advance,

Philippe.

--
Philippe Allart
"Internet et Logiciels Libres dans les Collectivités Territoriales"
http://illico.org/
GNU: The largest multinational on the planet
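
The diagnosis in the quoted reply above (a SYN to port 25 rejected on ppp0 because ppp0 is not listed as the external interface) can be checked mechanically by reading the kernel log line against the firewall settings. The following Python example is added here and is not part of the original mail or of SuSEfirewall2; the function names and result labels are hypothetical, the sample input is constructed from the settings and log line quoted in the thread, and it assumes that FW_SERVICES_EXTERNAL_TCP only opens ports on interfaces named in FW_DEV_WORLD.

```python
import re

# Constructed sample input: the settings and the kernel log line quoted in the thread.
SAMPLE_CONFIG = '''
FW_DEV_WORLD=""
FW_DEV_INT="eth0 ppp0"
FW_SERVICES_EXTERNAL_TCP="25 80"
'''
SAMPLE_LOG = ("Jul 13 16:50:30 citydesign kernel: Packet log: rulchain REJECT ppp0 "
              "PROTO=6 202.58.118.7:1329 aaa.bbb.ccc.130:25 L=60 S=0x00 I=3205 "
              "F=0x4000 T=41 SYN (#7)")

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) (?P<tail>.*)\(#(?P<rule>\d+)\)")

def parse_config(text):
    """Map NAME -> list of words for shell-style NAME="a b c" assignments."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r'^(\w+)="([^"]*)"', text, re.MULTILINE)}

def parse_packet_log(line):
    """Split one ipchains 'Packet log:' line into fields, or return None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["syn"] = "SYN" in pkt.pop("tail").split()
    return pkt

def diagnose(line, config_text):
    """Classify a logged packet against the firewall settings (labels are hypothetical)."""
    pkt, cfg = parse_packet_log(line), parse_config(config_text)
    if pkt is None or pkt["action"] not in ("REJECT", "DENY"):
        return "not-a-blocked-packet"
    if pkt["proto"] != "6" or not pkt["syn"]:
        return "not-a-tcp-connection-attempt"
    if pkt["dport"] not in cfg.get("FW_SERVICES_EXTERNAL_TCP", []):
        return "port-not-opened"
    if pkt["iface"] not in cfg.get("FW_DEV_WORLD", []):
        # Port is opened for external hosts, but the arrival interface is not external.
        return "iface-not-in-FW_DEV_WORLD"
    return "settings-consistent"

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_CONFIG))
```

A result of "settings-consistent" means these three settings do not explain the block, so the cause has to be looked for elsewhere in the configuration.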
