[Firehol-support] SMTP/Telnet Problem

Richard Williams richard at everything4it.co.uk
Thu Nov 29 10:35:39 GMT 2007


Hi

 

I’ve been running with an unchanged Firehol config for a couple of years but
have suddenly come across a problem trying to send email to one particular
server.  To try to identify the cause of the problem I’ve run telnet to that
server on port 25.  this is what I get in the log: (I’ve overwritten my IP
addresses to protect the innocent)

 

Nov 29 10:08:25 mail kernel: OUT-unknown:IN= OUT=eth1 SRC=public_ip
DST=77.75.72.32 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=39033 DF PROTO=TCP
SPT=54822 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 

Nov 29 10:08:28 mail kernel: OUT-unknown:IN= OUT=eth1 SRC=public_ip
DST=77.75.72.32 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=39034 DF PROTO=TCP
SPT=54822 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0

 

This doesn’t happen when I telnet to other SMTP servers and I can connect
perfectly OK when Firehol is switched off.

 

Any ideas on what might be wrong here?

 

The complete config is :

 

#

FIREHOL_LOG_LEVEL=error

# $Id: lan-gateway.conf,v 1.1 2003/10/12 13:43:42 ktsaou Exp $

#

# Configuration file for a LAN router with one ethernet interface (eth0)

# for the LAN and a PPP interface for connecting to the Internet.

#

# The LAN works with private IP addresses.

#

# This script will also setup a transparent cache for all the PCs on the

# local LAN.

 

#
----------------------------------------------------------------------------

# CUSTOM SERVICES

#
----------------------------------------------------------------------------

# See the section "Adding Services" in the documentation

 

# Example service x, listening on port TCP/z

# > server_x_ports="tcp/z"

# > client_x_ports="default"

#

#
----------------------------------------------------------------------------

# STOP UDP 2222 MESSAGES FLOODING SYSLOG

#
----------------------------------------------------------------------------

server_office_ports="udp/2222"

client_office_ports="any"

 

#
----------------------------------------------------------------------------

# NETWORK DEFINITIONS - Normally, only these are to be touched by you.

#
----------------------------------------------------------------------------

# You can define anything you like, assuming you are using it later.

 

# --- HOME ---

 

# The definition of our HOME LAN.

HOME_MYIP="home_ip"                        # The IP on our HOME LAN

HOME_MYIF="eth0"                  # The HOME LAN interface

HOME_BCAST="home_ip"         # The HOME LAN broadcast

HOME_LAN="home_ip/24"                     # The HOME LAN

HOME_SERVICES="all"

 

# Do we run a DHCP server on the HOME LAN?

HOME_DHCP=1                                    # Set to 0 to disable

 

 

# --- PUBLIC ---

 

# The definition of our PUBLIC interface.

PUBLIC_MYIP="public_ip"                                  # Leave empty for
dynamic IP

PUBLIC_MYIF="eth1"                # The public interface

PUBLIC_SERVICES="smtp ftp imap pptp"

 

# Is the PPP interface a DIAL-ON-DEMAND?

DIAL_ON_DEMAND=0               # Set to 0 to disable

 

 

# --- TRUSTED ---

 

# Hosts in the internet I trust for accessing private services

# Empty these to disable.

TRUSTED_IPS=""

TRUSTED_SERVICES=""

 

 

# --- TRANSPARENT CACHE ---

 

# Run a transparent cache?

SQUID_PORT=""                       # Leave empty to disable SQUID

SQUID_USERS=""                     # Users to be excluded from the cache

SQUID_EXCLUDE=""                 # Web Server IPs to be excluded from the
cache

 

 

# --- BLACKLIST ---

 

# A space-separated list of IPs to be blocked.

blacklist=""

 

 

#
----------------------------------------------------------------------------

# HELPERS

#
----------------------------------------------------------------------------

 

# Block all traffic from/to certain IPs

if [ ! -z "${blacklist}" ]

then

            blacklist full "${blacklist}"

fi

 

# Setup a transparent squid, only if SQUID_PORT is set.

if [ ! -z "${SQUID_PORT}" ]

then

            transparent_squid "${SQUID_PORT}" "${SQUID_USERS}"            \

              inface "${HOME_MYIF}" src "${HOME_LAN}"                 \

              `test ! -z "${SQUID_EXCLUDE}" && echo "dst not
'${SQUID_EXCLUDE}'"`

fi

 

 

#
----------------------------------------------------------------------------

# NETWORK ADDRESS TRANSLATION

#
----------------------------------------------------------------------------

# Change the source/destination of packets...

 

# Should we do SNAT or MASQUERADE?

# If there is a PUBLIC_MYIP defined, we should do SNAT, otherwise MASQ.

#

if [ ! -z "${PUBLIC_MYIP}" ]

then

            snat to "${PUBLIC_MYIP}"
\

                        outface "${PUBLIC_MYIF}"
\

                        src "${HOME_LAN}" dst not "${UNROUTABLE_IPS}"

else

            masquerade "${PUBLIC_MYIF}"

fi

 

 

# To have some public service hit an internal machine, do this:

# (the example redirects external port TCP/26 to internal IP 10.0.0.2 port
25)

#

# > dnat to 10.0.0.2:25
\

# >       inface "${PUBLIC_MYIF}"
\

# >       src not "${HOME_LAN} ${UNROUTABLE_IPS}"
\

# >       proto tcp dport 26

#

# For each such statement, the router at the end has to support it.

 

#
----------------------------------------------------------------------------

# PROTECT SELF

#
----------------------------------------------------------------------------

# Protect the firewall host...

 

# --- HOME ---

 

# Protect us from the HOME LAN

interface "${HOME_MYIF}" home src "${HOME_LAN}" dst "${HOME_MYIP}
${HOME_BCAST}"

            policy reject

            

            server "${HOME_SERVICES}" accept

            

            client all accept

 

            

# DHCP needs 0.0.0.0/255.255.255.255 access.

if [ ${HOME_DHCP} -eq 1 ]

then

            interface "${HOME_MYIF}" dhcp

                        server dhcp accept

                server office drop

fi

 

 

# --- PUBLIC ---

 

# Protect us from the PUBLIC

interface "${PUBLIC_MYIF}" internet
\

            src not "${UNROUTABLE_IPS}"
\

            `test ! -z "${PUBLIC_MYIP}" && echo "dst '${PUBLIC_MYIP}'"`

            

            protection strong

            policy drop

            

            # Are there any trusted PCs/services?

            if [ ! -z "${TRUSTED_PCS}" -a ! -z "${TRUSTED_SERVICES}" ]

            then

                        server "${TRUSTED_SERVICES}" accept src
"${TRUSTED_PCS}"

            fi

            

            server "${PUBLIC_SERVICES}" accept

 

            server custom rvw tcp/some_port default accept

        

            client all accept

 

# DIAL-ON-DEMAND needs this in case there is a PUBLIC_MYIP defined.

if [ ${DIAL_ON_DEMAND} -eq 1 ]

then

            interface "${PUBLIC_MYIF}" dialup

                        client all accept

fi

 

 

#
----------------------------------------------------------------------------

# PROTECT ROUTING

#
----------------------------------------------------------------------------

# Protect the LAN...

 

# Route traffic for the clients on the LAN

router internet2lan inface "${PUBLIC_MYIF}" outface "${HOME_MYIF}"      \

            src not "${UNROUTABLE_IPS}" dst "${HOME_LAN}"

            

            # route all client traffic

            client all accept

            

            # For the dnat example above, this is needed:

            # > server smtp accept dst 10.0.0.2

            

#---------------------------------------------------------------------------
-

# SET LOG OPTIONS

#
---------------------------------------------------------------------------

#FIREHOL_LOG_LEVEL="error"

FIREHOL_LOG_FREQUENCY="1/minute"

FIREHOL_LOG_BURST="5"

 

****************************************************
Richard Williams
email: HYPERLINK
"mailto:richard at everything4it.co.uk"richard at everything4it.co.uk 
mobile: 07981 734697

web: HYPERLINK
"http://www.everything4it.co.uk"http://www.everything4it.co.uk 
**************************************************** 
The contents of this email message and any attachments are confidential and
are intended solely for addressee. The information may also be legally
privileged. This transmission is sent in trust, for the sole purpose of
delivery to the intended recipient. If you have received this transmission
in error, any use, reproduction or dissemination of this transmission is
strictly prohibited. If you are not the intended recipient, please
immediately notify the sender by reply email or at +44(0)7981 734697 and
delete this message and its attachments, if any.

 


No virus found in this outgoing message.
Checked by AVG Free Edition. 
Version: 7.5.503 / Virus Database: 269.16.9/1158 - Release Date: 28/11/2007
21:11
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.firehol.org/pipermail/firehol-support/attachments/20071129/279f34aa/attachment-0002.html>


More information about the Firehol-support mailing list