On Sun, Dec 10, 2000 at 10:31:24AM -0500, Steve Manes wrote:
>I know what port 25 is and, no, it's not blocking incoming connections.  It 
>seems to be blocking outgoing connections.  But if you look at the script 
>you'll see that port 25 is open both ways:

Ahh, I didn't notice the output rule.  I don't tend to use output rules.

># SMTP server (25)
># ----------------
>ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
>     --source-port $UNPRIVPORTS \
>     -d $IPADDR 25 -j ACCEPT
>
>ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
>      -s $IPADDR 25 \
>      --destination-port $UNPRIVPORTS -j ACCEPT

This rule includes "! -y", which means "match all rules *EXCEPT* those with
the SYN bit set".  But, this is only for responses *FROM* your SMTP port.
The log lines you posted indicate it's connecting to a remote SMTP port
when it gets blocked, which isn't covered above.  There should be a
section for "outbound connections", which is what's getting blocked.

>In fact, the script doesn't firewall any outbound traffic in eth0, only 
>input.  That's why this is weird.  The error log throws occasional mentions 
>about "SYN" (above) so I wonder if it's a problem with that.

What's the default policy on the output interface?  Deny?  If the script
doesn't mention outbound connections, that would be the problem...

Sean
-- 
 I never thought I'd live in a country where physical violence would be used
 to disenfranchise voters.  Have you heard about Bush supporters rioting?
Sean Reifschneider, Inimitably Superfluous <[EMAIL PROTECTED]>
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
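Added example, not part of either message in this thread: a small Python model of ipchains first-match evaluation that replays the two quoted rules, and the missing outbound-connection rules, against constructed packets. The addresses are constructed placeholders for $IPADDR and the remote host, and the model ignores -i and -p since every rule here is TCP on the external interface; it shows the outbound SYN to a remote port 25 matching nothing and falling through to the chain's default policy.

```python
from dataclasses import dataclass

UNPRIVPORTS = range(1024, 65536)   # the script's $UNPRIVPORTS (1024:65535)
IPADDR = "192.0.2.10"              # constructed stand-in for $IPADDR
REMOTE = "198.51.100.5"            # constructed remote mail host

@dataclass
class Packet:
    chain: str      # "input" or "output"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool       # True on the first packet of a new TCP connection

@dataclass
class Rule:          # None means "any"; a port may be an int or a range
    chain: str
    src: object
    sport: object
    dst: object
    dport: object
    not_syn: bool = False   # ipchains "! -y": do not match packets with SYN set
    target: str = "ACCEPT"

def _port_ok(spec, port):
    if spec is None:
        return True
    return port in spec if isinstance(spec, range) else port == spec

def matches(r, p):
    return (r.chain == p.chain
            and r.src in (None, p.src) and r.dst in (None, p.dst)
            and _port_ok(r.sport, p.sport) and _port_ok(r.dport, p.dport)
            and not (r.not_syn and p.syn))

def verdict(rules, p, policy="DENY"):
    """First matching rule wins; otherwise the chain's default policy applies."""
    return next((r.target for r in rules if matches(r, p)), policy)

# The two rules quoted in the thread.
QUOTED = [Rule("input", None, UNPRIVPORTS, IPADDR, 25),                # clients -> our 25
          Rule("output", IPADDR, 25, None, UNPRIVPORTS, not_syn=True)]  # our replies
# The missing "outbound connections" section: our SYN to a remote 25 plus its replies.
FIXED = QUOTED + [Rule("output", IPADDR, UNPRIVPORTS, None, 25),
                  Rule("input", None, 25, IPADDR, UNPRIVPORTS, not_syn=True)]

OUTBOUND_SYN = Packet("output", IPADDR, 40000, REMOTE, 25, syn=True)
INBOUND_SYN = Packet("input", REMOTE, 40000, IPADDR, 25, syn=True)
# verdict(QUOTED, OUTBOUND_SYN) -> "DENY"; verdict(FIXED, OUTBOUND_SYN) -> "ACCEPT"
```

With a default policy of ACCEPT on the output chain the quoted rules would not block anything, which is why the default policy question matters here.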