On Sun, 10 Dec 2000, Steve Manes wrote:

> I know what port 25 is and, no, it's not blocking incoming connections.  It 
> seems to be blocking outgoing connections.  But if you look at the script 
> you'll see that port 25  is open both ways:
> 
> # SMTP server (25)
> # ----------------
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
>      --source-port $UNPRIVPORTS \
>      -d $IPADDR 25 -j ACCEPT
> 
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
>       -s $IPADDR 25 \
>       --destination-port $UNPRIVPORTS -j ACCEPT

Actually, no, it's not open both ways.  All those two rules do is allow
traffic back and forth between an external smtp client and your smtp
server.

To allow traffic between qmail acting as a smtp client on your machine and
a remote smtp server, you also need this:

# SMTP client (unpriv->25)
# Replies from the remote server's port 25 back to our unprivileged port.
# "! -y" belongs on this side: a packet merely sourced from port 25 must not
# be able to open a new connection to us.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
     --source-port 25 \
     -d $IPADDR $UNPRIVPORTS -j ACCEPT

# Our side of the connection, including qmail's initial SYN, so no "! -y" here
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
      -s $IPADDR $UNPRIVPORTS \
      --destination-port 25 -j ACCEPT

(note that both these two rules and the above ones will fall over if you
meet a SMTP server that binds to a port <1024 for outgoing mail (Exchange
maybe?))

> In fact, the script doesn't firewall any outbound traffic in eth0, only 
> input.  That's why this is weird.  The error log throws occasional mentions 
> about "SYN" (above) so I wonder if it's a problem with that.

Yes it does.  The actual rule on your firewall that is rejecting SMTP
traffic is this one:

ipchains -A output -i $EXTERNAL_INTERFACE  -j REJECT -l
 
> Admittedly, it's huge but I didn't create it by hand.  Nevertheless it's a 
> very thorough script and well commented, and similarly-generated firewall 
> scripts work very well on my other machines.  It's only Qmail that seems to 
> be having a problem with it.

I'd be surprised if that worked on any mail server.  It was at least easy
to read and find the problem.

--Colin.

Colin Palmer -- [EMAIL PROTECTED] -- http://raccoon.osoal.org.nz/
Systems Engineer -- [One Short Of A Llama] http://web.osoal.org.nz/ 
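An added example, not part of Colin's message or of either firewall script: a small Python model of ipchains first-match evaluation showing why the quoted server-side rules let mail in but leave qmail's outbound SYN to the catch-all REJECT, and how a pair of client-side rules (with "! -y" on the reply side) changes the verdict. The addresses and port numbers are constructed, and the model assumes unmatched input traffic is rejected like the output catch-all.

```python
from collections import namedtuple

IPADDR = "192.0.2.10"               # constructed: the firewall's own address
REMOTE = "198.51.100.5"             # constructed: a remote mail server
SMTP = range(25, 26)
UNPRIVPORTS = range(1024, 65536)    # the script's $UNPRIVPORTS

# chain is "input" or "output" on $EXTERNAL_INTERFACE; syn mirrors ipchains "-y"
Pkt = namedtuple("Pkt", "chain src sport dst dport syn")
# src/dst "" = any host; not_syn mirrors "! -y" (everything but connection requests)
Rule = namedtuple("Rule", "chain sport dport src dst not_syn target",
                  defaults=("", "", False, "ACCEPT"))

def matches(r, p):
    return (p.chain == r.chain
            and p.sport in r.sport and p.dport in r.dport
            and r.src in ("", p.src) and r.dst in ("", p.dst)
            and not (r.not_syn and p.syn))

def verdict(rules, pkt):
    """First match wins, as in ipchains; anything unmatched hits the script's
    trailing 'ipchains -A output ... -j REJECT -l' (assumed for input as well)."""
    return next((r.target for r in rules if matches(r, pkt)), "REJECT")

# The two rules quoted from Steve's script: external client -> our SMTP server.
SERVER_RULES = [Rule("input", UNPRIVPORTS, SMTP, dst=IPADDR),
                Rule("output", SMTP, UNPRIVPORTS, src=IPADDR, not_syn=True)]
# Client-side rules for qmail -> remote server.  "! -y" belongs on the reply
# (input) side here, so that source port 25 alone cannot open a connection to us.
CLIENT_RULES = [Rule("input", SMTP, UNPRIVPORTS, dst=IPADDR, not_syn=True),
                Rule("output", UNPRIVPORTS, SMTP, src=IPADDR)]

QMAIL_SYN = Pkt("output", IPADDR, 40000, REMOTE, 25, True)          # qmail connecting out
INBOUND_MAIL_SYN = Pkt("input", REMOTE, 40000, IPADDR, 25, True)    # remote client to us
PORT25_SOURCED_SYN = Pkt("input", REMOTE, 25, IPADDR, 40000, True)  # SYN from port 25

def with_server_rules_only():
    """(inbound mail, qmail outbound) under Steve's rules: ('ACCEPT', 'REJECT')."""
    return verdict(SERVER_RULES, INBOUND_MAIL_SYN), verdict(SERVER_RULES, QMAIL_SYN)

def with_client_rules_added():
    """(qmail outbound, port-25-sourced SYN) with client rules: ('ACCEPT', 'REJECT')."""
    rules = SERVER_RULES + CLIENT_RULES
    return verdict(rules, QMAIL_SYN), verdict(rules, PORT25_SOURCED_SYN)
```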
