Date:      Mon, 20 Nov 2000 17:14:51 -0600
From:      Hamilton Hoover <hamilton@twopoint.com>
To:        Nick Rogness <nick@rapidnet.com>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@FreeBSD.ORG>
Subject:   Re: dual homed gateway system running ipfw and nat. need rules help.
Message-ID:  <3A19B06B.1D5D9041@twopoint.com>
References:  <Pine.BSF.4.21.0011201353000.96101-100000@rapidnet.com>

ok, more answers and more questions...


> 
> On Mon, 20 Nov 2000, Hamilton Hoover wrote:
> 
>         I'm only sending the response to -net.
> 
> > >>1) We keep out pop server on the private net. I need to be >>able to
> > get the incoming mail passed to the mail server that >>has a 192.x.x.x
> > address. I was thinking something like:
> >
> >
> > >         Incoming from the outside or inside?
> >
> > Incoming from the public net.
> 
>         Do you have a NAT translation setup for that machine?
>         If not see below.

I have made a change to natd.conf as you list below. I am unsure if the
syntax is correct.

redirect_port tcp 192.x.x.x:25 209.x.x.x:25

I'm thinking that this will pass the mail from the external
(public) interface of the NATed system to the mailserver at 192.x.x.x on
the private side. Yes?

> 
> >
> > >>${fw8cmd} pass tcp from any 25 to 192.x.x.x
> >
> >
> > >         The POP server runs on port 110 not 25, that's SMTP.
> >
> > ok. then I change that from 25 to 110? I run qmail on a linux box on my
> > private net.
> 
>         Is your linux qmail server on the same network as your client
>         machines?  If so, then you need no special firewall rules for that
>         box.  Since your mail server is on the inside of your network it
>         never touches your firewall.

Yes, it is.

> 
>         For public access to your mail server (SMTP) the above rule with
>         port 25 will work fine.  It must come AFTER the divert rule.

That's the thing. I don't want public access to the mail server. I just
want the incoming mail from the public side to get passed through the
firewall to the mailserver on the private side.

By divert rule do you mean the addition to natd.conf, or is there a
divert I need to put into my firewall script as well as the add pass
tcp 25 from any to 192.x.x.x?

> 
>         Another question...Do you want clients from the outside to check
>         their mail via POP (or IMAP)?

No, mail should only be checked from the private side, but on the inside
we use POP.

> 
> >
> >  >>Is this solid or am I opening myself up from more problems. I
> > >>don't want to relay from outside as mail is only checked from
> > >>inside the private side.
> >
> >  >If you don't want mail from the outside world or users to send >mail
> > to the outside world, then this should work.  Is the BSD >machine
> > acting as a mail server?
> 
> >
> > um, no. I want users to be able to read and send mail normally from the
> > private side to the public side and, I want mail from the outside world
> > to pass in to the mail server that is on the private side, mail server
> > is not running on the gateway/firewall. I allow all outgoing traffic ie;
> > from private to public so I don't think 'outgoing' mail needs its own
> > rule? But I have not been able to get mail from the public net to get
> > passed to my mail server on the private net.
> 
>         If you don't have NAT setup then:
> 
>         You need to add a network address translation (NAT) statement to
>         your natd config.  Either a redirect_address or redirect_port will
>         work. For example, let's say that your inside mail server is
>         192.168.1.2.  You have a free outside IP of 209.4.4.4 that you
>         want to assign to this mail server.  Your natd statement would be:
> 
>                 redirect_address 192.168.1.2 209.4.4.4

I looked in the natd man pages and didn't see an example of
redirect_port. 

> 
>         You can use redirect_port in the same way.
> 
>         Then set your MX record (public) to point to the above outside IP.

The public MX record points to a name that has an alias. The alias points
to the firewall. The alias is also the machine name of the mailserver on
the inside.

> 
> Nick Rogness
> - Drive defensively.  Buy a tank.
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message

Hamilton Hoover
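As an added illustration (not code from either correspondent), here is one way to lay out the natd.conf line and the ipfw script so that the divert rule comes before the SMTP pass rule and POP on the inside box is never reachable from the outside. The interface name and the 192.168.1.2 / 209.4.4.4 addresses are assumed placeholders, as in Nick's example.

```shell
#!/bin/sh
# Added example: ipfw + natd layout for a dual-homed gateway that forwards
# only SMTP to an inside mail server.  Addresses and interface are assumed.
FWCMD="${FWCMD:-/sbin/ipfw}"      # set FWCMD=echo to preview without applying
OIF="${OIF:-fxp0}"                # assumed outside (public) interface
PUBLIC_IP="${PUBLIC_IP:-209.4.4.4}"
MAIL_IP="${MAIL_IP:-192.168.1.2}"
PRIV_NET="${PRIV_NET:-192.168.1.0/24}"

# natd.conf fragment: redirect_port proto inside:port outside:port.
# Only port 25 is translated, so POP (110) has no public mapping at all.
natd_conf() {
    printf 'redirect_port tcp %s:25 %s:25\n' "$MAIL_IP" "$PUBLIC_IP"
}

# Ordering matters: natd rewrites the destination from PUBLIC_IP to MAIL_IP
# only after the packet passes the divert rule, so any pass rule naming the
# private address must have a higher rule number than the divert.
apply_rules() {
    $FWCMD -f flush
    $FWCMD add 100 divert natd all from any to any via "$OIF"
    $FWCMD add 200 check-state
    # Public side may open SMTP to the (already translated) mail server only.
    $FWCMD add 300 pass tcp from any to "$MAIL_IP" 25 in via "$OIF" setup keep-state
    # Explicitly refuse POP from the outside, even though default-deny would.
    $FWCMD add 310 deny log tcp from any to "$MAIL_IP" 110 in via "$OIF"
    # Private side may go anywhere; replies return via the state table.
    $FWCMD add 400 pass ip from "$PRIV_NET" to any keep-state
    $FWCMD add 65000 deny log ip from any to any
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  FWCMD=echo; natd_conf; apply_rules ;;
esac
```

Run with `show` to print the natd line and the rule list, or `apply` on the gateway itself.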

