Stephen Gran wrote:
> On Fri, Jul 14, 2006 at 07:09:51AM +0800, W B Hacker said:
>
>> Mike Cardwell wrote:
>>
>>> iptables -t nat -A OUTPUT -p tcp --dport 25 -d ! 127.0.0.1 -m owner ! --uid-owner exim -j DNAT --to-destination 127.0.0.1
>>>
>>> Someone might find that useful...
>>
>> The intent is good, but that specific rule is not necessary on Unix, nor will it
>> block outbound traffic.
>
> I think you are misreading what that line does. It redirects outbound
> traffic destined to port 25 to localhost port 25. It does not address
> what port the query comes from.
I understand what it *attempts* to accomplish.

Server security would be required to also prevent disabling the rule, either by deletion, insertion of a pass or workaround earlier in the ruleset, or killing the process that runs the firewall. Better if it were on an external firewall.

It also does not block pointing to a far-end submission port, nor can we be certain that a distant server will not accept local delivery without auth on such a port.

Bill

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
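An added audit check, not code from this thread or from Exim, that illustrates the two caveats above: it reads `iptables-save` output for the nat table's OUTPUT chain and reports, for tcp/25 and the submission ports 587 and 465 (465 is added here, the thread only mentions "a submission port"), whether a DNAT-to-127.0.0.1 redirect is present, missing, or bypassed by an earlier ACCEPT/RETURN rule. The sample ruleset and the uid values in it are constructed.

```python
import re

# Constructed iptables-save text: a RETURN rule for uid 1001 sits ahead of the
# redirect, so that user's outbound SMTP skips the local MTA.
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner 1001 -j RETURN
-A OUTPUT ! -d 127.0.0.1/32 -p tcp -m tcp --dport 25 -m owner ! --uid-owner 101 -j DNAT --to-destination 127.0.0.1
COMMIT
"""

MAIL_PORTS = (25, 465, 587)  # smtp, smtps, submission (assumed set of ports)


def _rules(table_text, chain="OUTPUT"):
    """Yield (dport or None, target, redirects_to_loopback) per -A <chain> rule in *nat."""
    in_nat = False
    for line in table_text.splitlines():
        if line.startswith("*"):
            in_nat = line == "*nat"
        if not in_nat or not line.startswith(f"-A {chain} "):
            continue
        m_port = re.search(r"--dport (\d+)", line)
        m_tgt = re.search(r"-j (\S+)", line)
        yield (int(m_port.group(1)) if m_port else None,   # None: no port filter, matches all
               m_tgt.group(1) if m_tgt else None,
               "--to-destination 127.0.0.1" in line)


def audit_smtp_redirect(table_text):
    """Return {port: 'redirected' | 'bypassed' | 'missing'} for each mail port."""
    result = {}
    for port in MAIL_PORTS:
        status = "missing"
        for dport, target, to_loopback in _rules(table_text):
            if dport not in (None, port):
                continue  # this rule cannot match traffic to the port under review
            if target in ("ACCEPT", "RETURN"):
                status = "bypassed"  # reached before the redirect: traffic leaves directly
                break
            if target == "DNAT" and to_loopback:
                status = "redirected"
                break
        result[port] = status
    return result


if __name__ == "__main__":
    for port, status in audit_smtp_redirect(SAMPLE_NAT).items():
        print(f"tcp/{port}: {status}")
```

On a live host, feed it `iptables-save -t nat` output instead of the constructed sample.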
