My OS is indeed OpenBSD 3.1-Stable, on both the gateway
and the mail server.
OB> But I cannot query a machine on the Internet (one that does
OB> not belong to my network) on protocols 143 and 110.
EG> By the way, have you tried, from your mail machine, to
EG> telnet to another mail machine outside, using port 110 or
EG> 143? Just to see whether it gets through... That would
EG> tell you whether it's a bug in the rules.
Yes, and it works.
admin@postix: ~ :>telnet pop.nerim.net 110
Trying 62.4.16.71...
Connected to pop.nerim.net.
Escape character is '^]'.
+OK Qpopper (version 4.0.4) at brinstar.nerim.net starting.
USER oburelli
+OK Password required for oburelli.
PASS ********
+OK oburelli has 3 visible messages (0 hidden) in 9003 octets.
QUIT
+OK Pop server at brinstar.nerim.net signing off.
Connection closed by foreign host.
The worst part is this:
ntop -p 110 in this case (listening on interface rl0, the Internet side) shows
no log at all.
If I specify the internal interface, I do get logs.
What's more, I get the following message when ntop exits:
root@gw: ~ :>ntop -i rl1 -p 110
Unknown protocol '110'. It has been ignored.
WARNING: protocol 'www' has been discarded (multiple instances).
WARNING: protocol 'pop3' has been discarded (multiple instances).
WARNING: unknown protocol 'imap2'. It has been ignored.
165 packets received by filter
0 packets dropped by kernel
Apparently I have a problem with my rules....
Here is my nat.conf
# For the mail server: imap (143), pop (110), smtp (25)
rdr on tun0 proto { tcp, udp } from any to 213.41.133.8/32 port 110 -> 192.168.1.2 port 110
rdr on tun0 proto { tcp, udp } from any to 213.41.133.8/32 port 143 -> 192.168.1.2 port 143
Here is my /etc/pf.conf
#--------------------------------------------------------------------------
# PF ruleset, 11 dec. 2001
#
# Liberally adapted from the pf man page, the OpenBSD "Network How-To",
# and my own rulesets.
#--------------------------------------------------------------------------
#--------------------------------------------------------------------------
# Definitions
Ext = "tun0" # External interface
Int = "rl1" # Internal interface
Loop = "lo0" # Loopback interface
IntNet="192.168.1.0/24" # Internal network
NoRoute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
InServicesTCP = "{ ssh, smtp, auth, http, https, pop3, imap }"
InServicesUDP = "{ domain, imap }"
OutServicesTCP = "{ http, https, smtp, pop3, whois, domain, ssh, telnet, ftp, ftp-data, nntp, auth, ntp, imap }"
OutServicesUDP = "{ ntp, domain, imap }"
#--------------------------------------------------------------------------
#--------------------------------------------------------------------------
# Clean up fragmented and abnormal packets
# By default in pf, packets which contain IP options are blocked. Good.
scrub in on { $Ext, $Int } all
#--------------------------------------------------------------------------
#--------------------------------------------------------------------------
# Defaults
#--------------------------------------------------------------------------
# block and log everything
block out log on $Ext all
block in log on $Ext all
block return-rst out log on $Ext proto tcp all
block return-rst in log on $Ext proto tcp all
block return-icmp out log on $Ext proto udp all
block return-icmp in log on $Ext proto udp all
block in log quick inet6 all
block out log quick inet6 all
#--------------------------------------------------------------------------
#--------------------------------------------------------------------------
# loopback packets left unmolested
pass in quick on $Loop all
pass out quick on $Loop all
#--------------------------------------------------------------------------
#--------------------------------------------------------------------------
# Immediate blocks
# fuzz any 'nmap' attempt
block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA
# don't allow anyone to spoof non-routeable addresses
block in log quick on $Ext from $NoRoute to any
block out log quick on $Ext from any to $NoRoute
# silently drop broadcasts (cable modem noise)
block in quick on $Ext from any to 255.255.255.255
#--------------------------------------------------------------------------
#--------------------------------------------------------------------------
# PASS rules
# ALL -- we don't normally do that. For debugging only.
# pass out quick on $Ext all keep state
# ICMP
pass out quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
pass in log quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
# KaZAA
pass out quick on $Ext inet proto { tcp, udp } from any to any port 1214 keep state
pass in quick on $Ext inet proto { tcp, udp } from any to any port 1214 keep state
# Services we provide to the outside world
pass in quick on $Ext inet proto udp from any to any port $InServicesUDP keep state
pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SA keep state
# Standard services we want to access in the world
pass out quick on $Ext inet proto udp from any to any port $OutServicesUDP keep state
pass out quick on $Ext inet proto tcp from any to any port $OutServicesTCP flags S/SA modulate state
# Passive FTP
# Note: in pf, "0 >< 65535" is an exclusive range, i.e. every port from 1 to 65534
pass in log quick on $Ext inet proto tcp from any to any port { 0 >< 65535 } flags S/SA keep state
pass out log quick on $Ext inet proto tcp from any to any port { 0 >< 65535 } flags S/SA keep state
Thanks for the replies
Olivier
--
qmailfr mailing list - http://qmail.free.fr/
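An added example, not part of Olivier's post and not pf's own code: a small Python model of the two things pf does to the inbound packets in question. First the rdr rules from nat.conf rewrite the destination, so the filter rules see 192.168.1.2 rather than 213.41.133.8; then the filter rules are evaluated in order, last match wins, unless a matching rule is "quick", which ends evaluation. The post's nat.conf and the inbound-on-$Ext subset of its pf.conf are encoded as data in the original order. The service-name-to-port table, the hypothetical probe() helper and the test packets are constructed assumptions; loopback, ICMP, anti-spoof and broadcast rules are left out of the model.

```python
"""Simplified model of pf (OpenBSD 3.x) rdr + filter evaluation for the
rules quoted in the post.  Added example; not pf's code."""
from dataclasses import dataclass, replace

# Ports that /etc/services gives the names used in the post's macros (assumed).
SERVICES = {"ssh": 22, "smtp": 25, "domain": 53, "http": 80, "auth": 113,
            "https": 443, "pop3": 110, "imap": 143}

@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    dst: str
    dport: int
    flags: str = ""  # letters of the TCP flags that are set, e.g. "S", "A", "FUP"

@dataclass(frozen=True)
class Rdr:
    iface: str
    protos: tuple
    dst: str
    dport: int
    new_dst: str
    new_dport: int

@dataclass(frozen=True)
class Rule:
    action: str      # "pass", "block", "block return-rst", "block return-icmp"
    direction: str
    iface: str
    protos: tuple = ("tcp", "udp")
    ports: tuple = ()    # () = any port; else (lo, hi) inclusive ranges
    flags: str = ""      # pf "set/mask" syntax, e.g. "S/SA"; "" = don't care
    quick: bool = False
    label: str = ""

def svc(*names):
    """Expand service names to single-port ranges, like a pf port list."""
    return tuple((SERVICES[n], SERVICES[n]) for n in names)

def flags_match(spec, set_flags):
    """pf 'flags a/b': of the bits in mask b, exactly those in a must be set."""
    if not spec:
        return True
    want, mask = spec.split("/")
    return all((c in set_flags) == (c in want) for c in mask)

def matches(rule, pkt):
    if rule.direction != pkt.direction or rule.iface != pkt.iface:
        return False
    if pkt.proto not in rule.protos:
        return False
    if rule.ports and not any(lo <= pkt.dport <= hi for lo, hi in rule.ports):
        return False
    if pkt.proto == "tcp" and not flags_match(rule.flags, pkt.flags):
        return False
    return True

def apply_rdr(pkt, rdrs):
    """rdr rewrites the destination before the filter rules see the packet."""
    if pkt.direction != "in":
        return pkt
    for r in rdrs:
        if (r.iface == pkt.iface and pkt.proto in r.protos
                and pkt.dst == r.dst and pkt.dport == r.dport):
            return replace(pkt, dst=r.new_dst, dport=r.new_dport)
    return pkt

def evaluate(pkt, rdrs, rules):
    """Last matching rule wins unless a matching rule is 'quick'.
    Returns (action, label of the deciding rule, packet as the filter saw it)."""
    pkt = apply_rdr(pkt, rdrs)
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    if winner is None:
        return "pass", "implicit default", pkt   # pf passes when nothing matches
    return winner.action, winner.label, pkt

# The post's nat.conf, as data.
RDRS = [
    Rdr("tun0", ("tcp", "udp"), "213.41.133.8", 110, "192.168.1.2", 110),
    Rdr("tun0", ("tcp", "udp"), "213.41.133.8", 143, "192.168.1.2", 143),
]

# The inbound-on-$Ext subset of the post's pf.conf, in the original order.
RULES = [
    Rule("block", "in", "tun0", label="block in all"),
    Rule("block return-rst", "in", "tun0", ("tcp",), label="block tcp"),
    Rule("block return-icmp", "in", "tun0", ("udp",), label="block udp"),
    Rule("block", "in", "tun0", ("tcp",), flags="FUP/FUP", quick=True, label="nmap FUP"),
    Rule("block", "in", "tun0", ("tcp",), flags="SF/SFRA", quick=True, label="nmap SF"),
    Rule("block", "in", "tun0", ("tcp",), flags="/SFRA", quick=True, label="nmap null"),
    Rule("pass", "in", "tun0", ports=((1214, 1214),), quick=True, label="KaZAA"),
    Rule("pass", "in", "tun0", ("udp",), svc("domain", "imap"), quick=True, label="InServicesUDP"),
    Rule("pass", "in", "tun0", ("tcp",), svc("ssh", "smtp", "auth", "http", "https", "pop3", "imap"),
         flags="S/SA", quick=True, label="InServicesTCP"),
    # "0 >< 65535" is an exclusive range: every port from 1 to 65534
    Rule("pass", "in", "tun0", ("tcp",), ((1, 65534),), flags="S/SA", quick=True, label="FTP passif"),
]

def probe(proto, dport, flags="S"):
    """Hypothetical helper: a packet from the Internet to the gateway's public address."""
    return evaluate(Packet("tun0", "in", proto, "213.41.133.8", dport, flags), RDRS, RULES)

if __name__ == "__main__":
    for proto, port, flags in [("tcp", 110, "S"), ("udp", 110, ""), ("tcp", 110, "A"),
                               ("tcp", 110, "FUP"), ("tcp", 12345, "S")]:
        action, label, seen = probe(proto, port, flags)
        print(f"{proto}/{port} flags={flags or '-'} -> {action:18s} via '{label}' "
              f"(filter saw dst {seen.dst}:{seen.dport})")
```

Run as-is, the model shows three things about the quoted rules: a TCP SYN to 213.41.133.8:110 reaches the filter as 192.168.1.2:110 and is passed by the InServicesTCP rule; a UDP datagram to the same port is also redirected by nat.conf but has no pass rule (InServicesUDP lists only domain and imap), so it falls back to the non-quick "block return-icmp" default; and because "0 >< 65535" is exclusive, the passive-FTP rule passes a SYN to any port from 1 to 65534 that the earlier rules did not decide.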