[Firehol-support] SMTP/Telnet Problem
Richard Williams
richard at everything4it.co.uk
Thu Nov 29 10:35:39 GMT 2007
Hi
I’ve been running with an unchanged Firehol config for a couple of years but
have suddenly come across a problem trying to send email to one particular
server. To try to identify the cause of the problem I’ve run telnet to that
server on port 25. this is what I get in the log: (I’ve overwritten my IP
addresses to protect the innocent)
Nov 29 10:08:25 mail kernel: OUT-unknown:IN= OUT=eth1 SRC=public_ip
DST=77.75.72.32 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=39033 DF PROTO=TCP
SPT=54822 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 29 10:08:28 mail kernel: OUT-unknown:IN= OUT=eth1 SRC=public_ip
DST=77.75.72.32 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=39034 DF PROTO=TCP
SPT=54822 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
This doesn’t happen when I telnet to other SMTP servers and I can connect
perfectly OK when Firehol is switched off.
Any ideas on what might be wrong here?
The complete config is :
#
FIREHOL_LOG_LEVEL=error
# $Id: lan-gateway.conf,v 1.1 2003/10/12 13:43:42 ktsaou Exp $
#
# Configuration file for a LAN router with one ethernet interface (eth0)
# for the LAN and a PPP interface for connecting to the Internet.
#
# The LAN works with private IP addresses.
#
# This script will also setup a transparent cache for all the PCs on the
# local LAN.
#
----------------------------------------------------------------------------
# CUSTOM SERVICES
#
----------------------------------------------------------------------------
# See the section "Adding Services" in the documentation
# Example service x, listening on port TCP/z
# > server_x_ports="tcp/z"
# > client_x_ports="default"
#
#
----------------------------------------------------------------------------
# STOP UDP 2222 MESSAGES FLOODING SYSLOG
#
----------------------------------------------------------------------------
server_office_ports="udp/2222"
client_office_ports="any"
#
----------------------------------------------------------------------------
# NETWORK DEFINITIONS - Normally, only these are to be touched by you.
#
----------------------------------------------------------------------------
# You can define anything you like, assuming you are using it later.
# --- HOME ---
# The definition of our HOME LAN.
HOME_MYIP="home_ip" # The IP on our HOME LAN
HOME_MYIF="eth0" # The HOME LAN interface
HOME_BCAST="home_ip" # The HOME LAN broadcast
HOME_LAN="home_ip/24" # The HOME LAN
HOME_SERVICES="all"
# Do we run a DHCP server on the HOME LAN?
HOME_DHCP=1 # Set to 0 to disable
# --- PUBLIC ---
# The definition of our PUBLIC interface.
PUBLIC_MYIP="public_ip" # Leave empty for
dynamic IP
PUBLIC_MYIF="eth1" # The public interface
PUBLIC_SERVICES="smtp ftp imap pptp"
# Is the PPP interface a DIAL-ON-DEMAND?
DIAL_ON_DEMAND=0 # Set to 0 to disable
# --- TRUSTED ---
# Hosts in the internet I trust for accessing private services
# Empty these to disable.
TRUSTED_IPS=""
TRUSTED_SERVICES=""
# --- TRANSPARENT CACHE ---
# Run a transparent cache?
SQUID_PORT="" # Leave empty to disable SQUID
SQUID_USERS="" # Users to be excluded from the cache
SQUID_EXCLUDE="" # Web Server IPs to be excluded from the
cache
# --- BLACKLIST ---
# A space-separated list of IPs to be blocked.
blacklist=""
#
----------------------------------------------------------------------------
# HELPERS
#
----------------------------------------------------------------------------
# Block all traffic from/to certain IPs
if [ ! -z "${blacklist}" ]
then
blacklist full "${blacklist}"
fi
# Setup a transparent squid, only if SQUID_PORT is set.
if [ ! -z "${SQUID_PORT}" ]
then
transparent_squid "${SQUID_PORT}" "${SQUID_USERS}" \
inface "${HOME_MYIF}" src "${HOME_LAN}" \
`test ! -z "${SQUID_EXCLUDE}" && echo "dst not
'${SQUID_EXCLUDE}'"`
fi
#
----------------------------------------------------------------------------
# NETWORK ADDRESS TRANSLATION
#
----------------------------------------------------------------------------
# Change the source/destination of packets...
# Should we do SNAT or MASQUERADE?
# If there is a PUBLIC_MYIP defined, we should do SNAT, otherwise MASQ.
#
if [ ! -z "${PUBLIC_MYIP}" ]
then
snat to "${PUBLIC_MYIP}"
\
outface "${PUBLIC_MYIF}"
\
src "${HOME_LAN}" dst not "${UNROUTABLE_IPS}"
else
masquerade "${PUBLIC_MYIF}"
fi
# To have some public service hit an internal machine, do this:
# (the example redirects external port TCP/26 to internal IP 10.0.0.2 port
25)
#
# > dnat to 10.0.0.2:25
\
# > inface "${PUBLIC_MYIF}"
\
# > src not "${HOME_LAN} ${UNROUTABLE_IPS}"
\
# > proto tcp dport 26
#
# For each such statement, the router at the end has to support it.
#
----------------------------------------------------------------------------
# PROTECT SELF
#
----------------------------------------------------------------------------
# Protect the firewall host...
# --- HOME ---
# Protect us from the HOME LAN
interface "${HOME_MYIF}" home src "${HOME_LAN}" dst "${HOME_MYIP}
${HOME_BCAST}"
policy reject
server "${HOME_SERVICES}" accept
client all accept
# DHCP needs 0.0.0.0/255.255.255.255 access.
if [ ${HOME_DHCP} -eq 1 ]
then
interface "${HOME_MYIF}" dhcp
server dhcp accept
server office drop
fi
# --- PUBLIC ---
# Protect us from the PUBLIC
interface "${PUBLIC_MYIF}" internet
\
src not "${UNROUTABLE_IPS}"
\
`test ! -z "${PUBLIC_MYIP}" && echo "dst '${PUBLIC_MYIP}'"`
protection strong
policy drop
# Are there any trusted PCs/services?
if [ ! -z "${TRUSTED_PCS}" -a ! -z "${TRUSTED_SERVICES}" ]
then
server "${TRUSTED_SERVICES}" accept src
"${TRUSTED_PCS}"
fi
server "${PUBLIC_SERVICES}" accept
server custom rvw tcp/some_port default accept
client all accept
# DIAL-ON-DEMAND needs this in case there is a PUBLIC_MYIP defined.
if [ ${DIAL_ON_DEMAND} -eq 1 ]
then
interface "${PUBLIC_MYIF}" dialup
client all accept
fi
#
----------------------------------------------------------------------------
# PROTECT ROUTING
#
----------------------------------------------------------------------------
# Protect the LAN...
# Route traffic for the clients on the LAN
router internet2lan inface "${PUBLIC_MYIF}" outface "${HOME_MYIF}" \
src not "${UNROUTABLE_IPS}" dst "${HOME_LAN}"
# route all client traffic
client all accept
# For the dnat example above, this is needed:
# > server smtp accept dst 10.0.0.2
#---------------------------------------------------------------------------
-
# SET LOG OPTIONS
#
---------------------------------------------------------------------------
#FIREHOL_LOG_LEVEL="error"
FIREHOL_LOG_FREQUENCY="1/minute"
FIREHOL_LOG_BURST="5"
****************************************************
Richard Williams
email: HYPERLINK
"mailto:richard at everything4it.co.uk"richard at everything4it.co.uk
mobile: 07981 734697
web: HYPERLINK
"http://www.everything4it.co.uk"http://www.everything4it.co.uk
****************************************************
The contents of this email message and any attachments are confidential and
are intended solely for addressee. The information may also be legally
privileged. This transmission is sent in trust, for the sole purpose of
delivery to the intended recipient. If you have received this transmission
in error, any use, reproduction or dissemination of this transmission is
strictly prohibited. If you are not the intended recipient, please
immediately notify the sender by reply email or at +44(0)7981 734697 and
delete this message and its attachments, if any.
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.503 / Virus Database: 269.16.9/1158 - Release Date: 28/11/2007
21:11
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.firehol.org/pipermail/firehol-support/attachments/20071129/279f34aa/attachment-0002.html>
More information about the Firehol-support
mailing list