On Fri, Jul 14, 2006 at 09:39:56AM +0800, W B Hacker wrote:

>>>> iptables -t nat -A OUTPUT -p tcp --dport 25 -d ! 127.0.0.1 -m owner ! --uid-owner exim -j DNAT --to-destination 127.0.0.1
>>>>
>>>> Someone might find that useful...
>>>
>>> The intent is good, but that specific rule is not necessary on Unix, nor will it
>>> block outbound traffic.
>>
>> I think you are misreading what that line does. It redirects outbound
>> traffic destined to port 25 to localhost port 25. It does not address
>> what port the query comes from.
>
> I understand what it *attempts* to accomplish.

Attempts and succeeds...

> Server security would be required to also prevent disabling the rule, either by
> deletion, insertion of a pass or workaround earlier in the ruleset, or killing
> the process that runs the firewall.

Erm. The people he's trying to block from emailing remote accounts are only
normal system users as far as I understand... They don't have root...

"Server security would be required" - That's a given, isn't it? A normal user
can't modify iptables rules...

> Better if it were on an external firewall.

Probably yes. But also, probably not necessary.

> It also does not block pointing to a far-end submission port,

So add a similar rule for port 587...

> nor can we be certain that a distant server will not accept local delivery without
> auth on such a port.

No idea what you're talking about here. How is this related to the initial
requirements stated at the beginning of this thread?

Mike

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
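The following is an added example, not code from the thread or from Exim: a small POSIX shell script that generates the outbound-SMTP redirect rule discussed above for a list of ports (25 and the 587 submission port Mike suggests), and an audit function that reads a `iptables -t nat -S OUTPUT` listing and reports any port that has lost its DNAT rule, which is the "prevent disabling the rule" check the reply says server security must still cover. It assumes a hypothetical MTA user `exim` listening on 127.0.0.1:25; the sample ruleset listing is constructed, and it uses the current `! -d` / `! --uid-owner` negation placement rather than the older `-d ! 127.0.0.1` form quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the exim-users thread). Assumptions, all hypothetical:
# the local MTA runs as user "exim" and accepts local submission on 127.0.0.1:25.
MTA_USER=exim
LOCAL_MTA=127.0.0.1

# build_rules PORT...: print one iptables command per port that DNATs any
# non-local TCP connection to that port, from any user other than the MTA,
# to the local MTA. Nothing is applied; pipe the output to sh when ready.
# The "! -d ..." / "! --uid-owner ..." placement is the current syntax; the
# thread's "-d ! 127.0.0.1" form is the deprecated intrapositioned negation.
build_rules() {
    for port in "$@"; do
        printf 'iptables -t nat -A OUTPUT -p tcp --dport %s ! -d %s -m owner ! --uid-owner %s -j DNAT --to-destination %s:25\n' \
            "$port" "$LOCAL_MTA" "$MTA_USER" "$LOCAL_MTA"
    done
}

# missing_rules PORT...: read an `iptables -t nat -S OUTPUT` listing on stdin
# and print every requested port that has no DNAT rule. Exit status 0 when all
# ports are covered, 1 when at least one rule has been deleted or never added.
# Run from cron or a monitoring check to catch the rule being removed.
missing_rules() {
    ruleset=$(cat)
    rc=0
    for port in "$@"; do
        if ! printf '%s\n' "$ruleset" | grep -q -- "--dport $port .*-j DNAT"; then
            echo "$port"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample listing: only the port-25 rule is present, so an audit for
# 25 and 587 should report 587 as missing. (iptables -S prints the uid numerically.)
SAMPLE_RULESET='-P OUTPUT ACCEPT
-A OUTPUT ! -d 127.0.0.1/32 -p tcp -m tcp --dport 25 -m owner ! --uid-owner 104 -j DNAT --to-destination 127.0.0.1:25'

# Usage: ./smtp_redirect.sh --print to see the rules; --audit to check the sample.
case "${1:-}" in
    --print) build_rules 25 587 ;;
    --audit) printf '%s\n' "$SAMPLE_RULESET" | missing_rules 25 587 ;;
esac
```

On a live host replace the constructed listing with `iptables -t nat -S OUTPUT` and feed it to `missing_rules 25 587`; a non-zero exit means one of the redirect rules is gone and outbound mail from ordinary users is no longer being forced through the local MTA.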
