On 04.04.2016 at 12:12, Marc Mertes wrote:

Hello Marc,
your net behind your firewall (131.x.x.x) can be reached from the outside? This would be a prerequisite if you want to exclude port 25 traffic from being masq'd.

I'd try something like

    eth3 131.x.x.0/24 !:25 tcp

This is just my best guess on what I can read out of man masq. I bet Tom knows for sure...

> Hi Folks,
> hi Tom,
> after a few years of using shorewall now, I run into a "special case"
> of a new masquerading need, and I'm not sure if this is possible.
> I've already browsed through the mail archive - but there is not exactly
> my case discussed, just somewhere close to - or I didn't understand one
> of them correctly,
> or wasn't able to adapt it to my case.
>
> Shorewall Version 4.6.4.3 on debian jessie
> This is my masq config now: I masq everything to the external Iface ip:
> #INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S)
> IPSEC MARK USER/ SWITCH ORIGINAL
> eth3 131.xxx.xxx.0/24
>
> What I now want to do is:
> Keep the masq as it is - with one exception.
> All traffic to our mailserver should not be masq.
> I mean it like "masq everything outgoing on eth3 EXCEPT outgoing
> traffic to emailserver on eth3"
>
> The background is, that our mailserver is in the external zone and
> blocks the ip after too many failed logins.
> This means, our masq ip is blocked and no one can use the mailserver
> anymore.
> For this case it would be good not to masq, that each ip here is
> "visible" for the mailserver.
>
> Thanks and best regards
> Marc
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

--
Florian Piekert, PMP [email protected]
Spargelweg 5 Telephone+Fax: +49-179- 3928582
38179 Schwülper-Walle/Germany
===========================================================================
Note: this message was sent by me *only* if the eMail message contains a
correct pgp signature corresponding to my address at [email protected].
Do you need my PGP public key? Check out http://www.floppy.org or send me
an email with the subject "send pgp public key" to this address of mine. Thx!
