Your output rule for port 25 is definitely the problem.  Contrary to your
belief, it is filtering outbound traffic on eth0.  Personally, I don't think
that's such a good idea - my firewall allows everything outbound, and only
filters inbound.  Try changing your SMTP output rule to this:

/sbin/ipchains -A output -j ACCEPT -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR 25 -d 0.0.0.0/0

-Phil


-----Original Message-----
From: Steve Manes [mailto:[EMAIL PROTECTED]]
Sent: Sunday, December 10, 2000 7:31 AM
To: Sean Reifschneider
Cc: [EMAIL PROTECTED]
Subject: Re: IPCHAINS and Qmail


At 01:31 AM 12/10/00 -0700, Sean Reifschneider wrote:
>On Sun, Dec 10, 2000 at 02:51:24AM -0500, Steve Manes wrote:
> >Dec 10 01:02:49 meg kernel: Packet log: output REJECT eth0 PROTO=6 166.84.147.124:3687 206.26.89.202:25 L=1064 S=0x00 I=46413 F=0x0000 T=64 (#37)
> >Dec 10 01:02:55 meg kernel: Packet log: output REJECT eth0 PROTO=6 166.84.147.124:4396 204.242.84.1:25 L=60 S=0x00 I=46421 F=0x0000 T=64 SYN (#37)
> >
> >Any idea what's causing this?
>
>ipchains is blocking incoming connections to port 25/tcp.  You know, the
>e-mail port.

I know what port 25 is and, no, it's not blocking incoming connections.  It
seems to be blocking outgoing connections.  But if you look at the script
you'll see that port 25 is open both ways:

# SMTP server (25)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
     --source-port $UNPRIVPORTS \
     -d $IPADDR 25 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
      -s $IPADDR 25 \
      --destination-port $UNPRIVPORTS -j ACCEPT

In fact, the script doesn't firewall any outbound traffic on eth0, only
input.  That's why this is weird.  The error log throws occasional mentions
about "SYN" (above) so I wonder if it's a problem with that.

> >The problematic firewall script is rather large (25k) so I've posted it on
> >my web server at http://www.magpie.com/work/rc.firewall.html
>
>Yikes!  25KB?!?  I have a hard time imagining it being a tenth the size
>of that.

Admittedly, it's huge but I didn't create it by hand.  Nevertheless it's a
very thorough script and well commented, and similarly-generated firewall
scripts work very well on my other machines.  It's only Qmail that seems to
be having a problem with it.


-----------------------[ http://www.magpie.com ]-------=o&>o-------
Steve Manes
Brooklyn, N'Yawk
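As an added example (not code from this thread or from the generated rc.firewall script), the following Python script parses the kernel `Packet log:` lines Steve quoted and checks each logged packet against the two posted SMTP rules, modelled as data. It shows why neither ACCEPT rule matches: the posted output rule only covers packets whose *source* port is 25 (the local server answering inbound connections), while the rejected packets go from an ephemeral local port to a remote port 25, which is the local host delivering mail as an SMTP client. The values of `$IPADDR` and `$UNPRIVPORTS`, and the extra `CLIENT_RULE` covering that client traffic, are assumptions for illustration; the thread names the variables but not their values.

```python
"""Replay ipchains packet-log lines against the SMTP rules posted in the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed values: the thread uses $IPADDR and $UNPRIVPORTS but does not show them.
# 166.84.147.124 is the source address that appears in the quoted log lines.
IPADDR = "166.84.147.124"
UNPRIVPORTS = range(1024, 65536)
SMTP = range(25, 26)

# Kernel "Packet log:" format as it appears in the quoted messages.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r".*?(?P<syn>SYN )?\(#(?P<rule>\d+)\)"
)


@dataclass
class Packet:
    chain: str
    verdict: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    rule: int  # rule number that produced the verdict, e.g. 37


def parse_log_line(line: str) -> Packet:
    """Parse one ipchains kernel log line into a Packet."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an ipchains packet-log line: %r" % line)
    return Packet(chain=m["chain"], verdict=m["verdict"], iface=m["iface"],
                  proto=int(m["proto"]), src=m["src"], sport=int(m["sport"]),
                  dst=m["dst"], dport=int(m["dport"]), syn=m["syn"] is not None,
                  rule=int(m["rule"]))


@dataclass
class Rule:
    """One ipchains ACCEPT rule reduced to the fields the posted rules use."""
    name: str
    chain: str
    src: Optional[str]      # None means any address (0.0.0.0/0)
    sports: range
    dst: Optional[str]
    dports: range
    not_syn: bool = False   # the "! -y" flag: match only packets without SYN-only flags

    def matches(self, p: Packet) -> bool:
        if p.chain != self.chain or p.proto != 6:  # tcp only
            return False
        if self.src is not None and p.src != self.src:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if p.sport not in self.sports or p.dport not in self.dports:
            return False
        return not (self.not_syn and p.syn)


# The two rules Steve posted, transcribed to data.
POSTED_RULES = [
    # ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --source-port $UNPRIVPORTS -d $IPADDR 25 -j ACCEPT
    Rule("input: remote client -> local SMTP server", "input", None, UNPRIVPORTS, IPADDR, SMTP),
    # ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR 25 --destination-port $UNPRIVPORTS -j ACCEPT
    Rule("output: local SMTP server replies", "output", IPADDR, SMTP, None, UNPRIVPORTS, not_syn=True),
]

# Hypothetical rule, not in the thread: the local host as SMTP *client*,
# ephemeral source port to a remote server's port 25.
CLIENT_RULE = Rule("output: local SMTP client -> remote server", "output", IPADDR, UNPRIVPORTS, None, SMTP)

# The two log lines quoted in the thread, copied verbatim.
LOG_LINES = [
    "Dec 10 01:02:49 meg kernel: Packet log: output REJECT eth0 PROTO=6 "
    "166.84.147.124:3687 206.26.89.202:25 L=1064 S=0x00 I=46413 F=0x0000 T=64 (#37)",
    "Dec 10 01:02:55 meg kernel: Packet log: output REJECT eth0 PROTO=6 "
    "166.84.147.124:4396 204.242.84.1:25 L=60 S=0x00 I=46421 F=0x0000 T=64 SYN (#37)",
]


def first_match(p: Packet, rules: List[Rule]) -> Optional[str]:
    """Name of the first ACCEPT rule that matches, or None if the packet falls through."""
    for r in rules:
        if r.matches(p):
            return r.name
    return None


def explain(lines: List[str], rules: List[Rule] = POSTED_RULES) -> List[Tuple[int, int, bool, Optional[str]]]:
    """For each log line: (source port, destination port, SYN flag, matching rule or None)."""
    out = []
    for line in lines:
        p = parse_log_line(line)
        out.append((p.sport, p.dport, p.syn, first_match(p, rules)))
    return out


if __name__ == "__main__":
    for row in explain(LOG_LINES):
        print("posted rules only:      ", row)
    for row in explain(LOG_LINES, POSTED_RULES + [CLIENT_RULE]):
        print("with assumed client rule:", row)
```

Run against the posted rules, both logged packets return `None` for the matching rule, so they fall through to whatever rule #37 is in the generated script (the REJECT the log names). With the assumed client rule added, both match it. The `! -y` flag on the posted output rule is irrelevant here: the first logged packet has no SYN flag and still fails to match, because its source port is 3687 rather than 25.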

