> table <NoRouteIPs> { 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8
> }

> # don't allow anyone to spoof non-routeable addresses
> block in  log quick on $ext_if from <NoRouteIPs> to any
> block out log quick on $ext_if from any to <NoRouteIPs>

> if you're using 192.168.0.0/16 yourself, and expect connections using
> such addresses to pass $ext_if, the above is not what you want :)

> If that's not the case, explain what addresses, exactly, you have on
> your interfaces.

> Daniel


After working with a few people on the list and testing, that is exactly what the problem is. :)
The NoRouteIPs was the problem.


As it stands right now, the mail gateway itself will have an IP address in the 10.0.0.0/8 range, and it will in turn forward email to my internal mail server, which has an IP address of 192.168.1.160, let's say...

What I was trying to figure out is what type of rule setup will give me the best coverage/security on the mail gateway. For instance, should I set up one of the interfaces to receive email from the internet on that interface only, then use the second interface to send email out to the internal mail server...

Of course, the other option is just to take out the NoRouteIPs section altogether, as my frontline firewall is set up to block those ranges by default...

Just kicking around some thoughts and ideas, trying to figure out the better way to set up my mail gateway...

Jason
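One way to lay out the two-interface gateway Jason describes, as an added pf.conf example that is not part of the thread: the anti-spoofing table stays on the Internet-facing interface only, while the inside interface, which legitimately carries 10/8 and 192.168/16 traffic, is left out of it. Interface names em0/em1 and the variable $int_if are assumptions; the 10.0.0.0/8 gateway address and the 192.168.1.160 mail server come from the thread.

```pf
# Added example, not from the thread. Assumed: $ext_if faces the Internet,
# $int_if faces the LAN side (gateway LAN address in 10.0.0.0/8).
ext_if   = "em0"
int_if   = "em1"
int_mail = "192.168.1.160"   # internal mail server from the thread

# 127.0.0.0/8 rather than 127.0.0.1/8: pfctl expects network prefixes.
table <NoRouteIPs> const { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0

# Anti-spoofing applies only where private addresses are never legitimate:
# the Internet-facing interface. Applying it on $int_if would block the
# gateway's own 10/8 address and the 192.168.1.160 relay traffic.
block in  log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>

# Default deny on both interfaces; only the flows below are opened.
block log all

# Inbound SMTP from the Internet is accepted on $ext_if only.
pass in  on $ext_if proto tcp from any to ($ext_if) port smtp keep state

# Relaying to the internal mail server leaves via the inside interface only.
pass out on $int_if proto tcp from ($int_if) to $int_mail port smtp keep state

# Outbound mail from the internal server is accepted on $int_if only,
# then delivered to the Internet from the gateway's external address.
pass in  on $int_if proto tcp from $int_mail to ($int_if) port smtp keep state
pass out on $ext_if proto tcp from ($ext_if) to any port smtp keep state
```

With this split, the NoRouteIPs table can stay in place on the gateway even though the frontline firewall already drops those ranges, because it no longer sees the private addresses the gateway uses by design.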