Re: ipfw configuration to intercept SMTP traffic

2004-11-01 Thread Aaron Nichols
> I believe you'll have one additional problem to resolve. Even if you
> successfully modify the destination IP address and get it pointed to
> the upstream server, the source IP will be unmodified and will still
> be the originator. Since the source IP is unmodified - the upstream
> mail server will send an ACK back to the originator's IP (not yours)
> which will most likely get discarded and the connection will fail.
> Most sane TCP/IP stacks will reject an ACK from an IP address to which
> it did not send a request. Since the ACK is not going to run back
> through your host (thus allowing natd another go at reversing the
> translation) this likely won't work.

Sorry all - I had missed the post regarding use of the -proxy_rule
option, which may address this issue.

Didn't mean to further confuse the issue.

Aaron
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: ipfw configuration to intercept SMTP traffic

2004-11-01 Thread Bill Eccles
Actually, the original question contains the tidbit that the machine 
doing the serving is also the problem child, i.e., all of the traffic 
that I need to redirect is being produced on the same box from that 
box's SMTP server.

Thanks for the explanation, though. Low-level TCP stuff is not my 
forte... yet.

Bill
On Nov 1, 2004, at 11:27 AM, Aaron Nichols wrote:
> I believe you'll have one additional problem to resolve. Even if you
> successfully modify the destination IP address and get it pointed to
> the upstream server, the source IP will be unmodified and will still
> be the originator. Since the source IP is unmodified - the upstream
> mail server will send an ACK back to the originator's IP (not yours)
> which will most likely get discarded and the connection will fail.
> Most sane TCP/IP stacks will reject an ACK from an IP address to which
> it did not send a request. Since the ACK is not going to run back
> through your host (thus allowing natd another go at reversing the
> translation) this likely won't work.
> Sorry all - I had missed the post regarding use of the -proxy_rule
> option, which may address this issue.
> Didn't mean to further confuse the issue.
> Aaron


ipfw configuration to intercept SMTP traffic

2004-10-31 Thread Bill Eccles
Gentleones,

I have a commercial website/mail product running on a box. Unfortunately,
the product is not so smart and when it needs to bounce something, it
ignores the SMTP Always Relay Via setting and attempts to connect directly
to the mail exchanger for the domain it's bouncing to.

So what I figure I can do is redirect port 25 of me to any to port 25 of
the upstream server at aa.bb.cc.dd. That makes sense, right? So I'd probably
use:

ipfw add 8000 divert 25 all from me to aa.bb.cc.dd via en0

(8000 is OK because the only other rule in there right now is the default at
65535.)

Well, that's what I tried and it looks like the SMTP server is still trying
(and failing) to contact the servers directly. A telnet somehost.net 25
executed on this box fails, too, where it should get me the upstream relay
server.

So have I goofed the rule? (Yes.)

OK, then how have I goofed it?

Thanks,
Bill




Re: ipfw configuration to intercept SMTP traffic

2004-10-31 Thread Christian Hiris
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Sunday 31 October 2004 21:39, Bill Eccles wrote:
> Gentleones,
>
> I have a commercial website/mail product running on a box. Unfortunately,
> the product is not so smart and when it needs to bounce something, it
> ignores the SMTP Always Relay Via setting and attempts to connect
> directly to the mail exchanger for the domain it's bouncing to.
>
> So what I figure I can do is redirect port 25 of me to any to port 25 of
> the upstream server at aa.bb.cc.dd. That makes sense, right? So I'd
> probably use:

You mean redirect [from me to any destination-port 25] to upstream server 
aa.bb.cc.dd port 25?  

> ipfw add 8000 divert 25 all from me to aa.bb.cc.dd via en0

Your rule seems to be wrong. It uses port 25 to set up the divert socket, and 
matches all source ports. The divert-socket default port is 8668 (natd).  

ipfw add 8000 divert natd all from me to any 25 via en0 

Are you running natd on your machine? Natd reads/writes the packets from/to 
the divert-socket and changes IP-address and portnumber as defined by natd 
options or in your natd.conf file. In your case I would run natd with the 
option '-proxy_rule port 25 server aa.bb.cc.dd:25'. 
Natd-setup is documented in 'man 8 natd'. 

HTH,
ch

- -- 
Christian Hiris [EMAIL PROTECTED] | OpenPGP KeyID 0x3BCA53BE 
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFBhWvk09WjGjvKU74RAh6VAJ9H6yEohPLFCBSRdJ+SNDA3nOycrACfaVqo
C4tHUn2wstlv22ktbSCaFKU=
=4jCL
-END PGP SIGNATURE-


Re: ipfw configuration to intercept SMTP traffic

2004-10-31 Thread Bill Eccles
Actually, you bring up an interesting point that, yes, I'd forgotten about
natd. However, I realized after watching a tcpdump that the outgoing port is
a random port--only the destination port is 25 on the upstream box.

So, somehow I have to rig up something that listens for an SMTP connection
destined for any address from any port but to the upstream box's port 25. It
then must send it out to the aa.bb.cc.dd:25.

Any ideas, folks?

Thanks,
Bill




> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Sunday 31 October 2004 21:39, Bill Eccles wrote:
> > Gentleones,
> >
> > I have a commercial website/mail product running on a box. Unfortunately,
> > the product is not so smart and when it needs to bounce something, it
> > ignores the SMTP Always Relay Via setting and attempts to connect
> > directly to the mail exchanger for the domain it's bouncing to.
> >
> > So what I figure I can do is redirect port 25 of me to any to port 25 of
> > the upstream server at aa.bb.cc.dd. That makes sense, right? So I'd
> > probably use:
>
> You mean redirect [from me to any destination-port 25] to upstream server
> aa.bb.cc.dd port 25?
>
> > ipfw add 8000 divert 25 all from me to aa.bb.cc.dd via en0
>
> Your rule seems to be wrong. It uses port 25 to set up the divert socket, and
> matches all source ports. The divert-socket default port is 8668 (natd).
>
> ipfw add 8000 divert natd all from me to any 25 via en0
>
> Are you running natd on your machine? Natd reads/writes the packets from/to
> the divert-socket and changes IP-address and portnumber as defined by natd
> options or in your natd.conf file. In your case I would run natd with the
> option '-proxy_rule port 25 server aa.bb.cc.dd:25'.
> Natd-setup is documented in 'man 8 natd'.
>
> HTH,
> ch
>
> - -- 
> Christian Hiris [EMAIL PROTECTED] | OpenPGP KeyID 0x3BCA53BE
> OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.2.6 (FreeBSD)
>
> iD8DBQFBhWvk09WjGjvKU74RAh6VAJ9H6yEohPLFCBSRdJ+SNDA3nOycrACfaVqo
> C4tHUn2wstlv22ktbSCaFKU=
> =4jCL
> -END PGP SIGNATURE-
 

