Date:      Sun, 1 Oct 2000 18:24:20 +1100 (EST)
From:      Rob Hurle <rob@coombs.anu.edu.au>
To:        cjclark@alum.mit.edu
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: natd and ipfw
Message-ID:  <Pine.GSO.4.05.10010011815340.11360-100000@caligula.anu.edu.au>
In-Reply-To: <20000930005724.S81242@149.211.6.64.reflexcom.com>

Hi Crist,

	Thanks for your very helpful reply about natd and ipfw.  I also
discovered some of this myself, by turning on "log" for each of the
firewall commands, so that I could see what was happening.  The sticking
point was that the internal mail hub was trying to contact a DNS outside
the firewall, and I had not realised that it used the UDP protocol to do this
- I was allowing only TCP on port 53.  Pages 543 and 544 of "Building
Internet Firewall" by Zwicky, Cooper and Chapman are relevant (as someone
else also recently pointed out on this list).

	It's now working fine - thanks again. (BTW, yes, sendmail should
not be running on my firewall - it was only there so that I would be able
to have a mail hub available even if I was not able to meet my client's
deadline).  (I'm leaving the rest of the mail conversation here for
reference in case others are interested).

Cheers,

Rob Hurle

> On Sat, Sep 30, 2000 at 11:59:52AM +1100, Rob Hurle wrote:
> > Hi,
> > 
> > 	I have a problem trying to set up natd and ipfw.  The basic setup
> > is fine, but my customer wants to use his mail hub which is inside the
> > firewall, with a private IP address (my advice is not to do this, but has
> > not been taken).  The configuration is:
> > 
> > 		Outside world
> > 		      |
> > 	FreeBSD box - FreeBSD 3.4, IPDIVERT, IPFIREWALL, etc
> > 		      |
> > 		Inside network, including
> > 	client's mail hub.
> > 
> > I am trying to route all TCP port 25 through to the mail hub by using the
> > natd config:
> > 
> > #  mail is passed straight through
> > redirect_port tcp 192.168.0.15:25 25
> > #  log
> > log yes
> > #  use sockets - ftp works better
> > use_sockets yes
> > #  try to keep the same ports
> > same_ports yes
> > 
> > (I am using a config file for natd).  The relevant ipfw rules are:
> > 
> > 00100 1579 85136 divert 8668 ip from any to any via xl0
> > 01200    0     0 allow log logamount 100 tcp from any 25 to any 25 setup
>                                                         ^^
> The incoming SMTP connection will not be coming from 25. And I assume
> there are some more rules that you
> 
> > (from an `ipfw show` command)
> > 
> > Trying a telnet to port 25 on the outside interface times out with nothing
> > logged, but if I remove the "redirect" in the natd config file, this is
> > fine, I leap into my firewall box.
> > 
> > 	What am I not understanding?  Any help would be appreciated.
> 
> Hmmm... But if that is the rule you are using above, you really should
> not be having success connecting to the firewall box...
> 
> And what the heck kind of firewall box is running a SMTP listener? On
> a firewall,
> 
>   sendmail_enable="NO"
> 
> Fer sure.
> -- 
> Crist J. Clark                           cjclark@alum.mit.edu
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 

	----------------------------------------------------------
	Rob Hurle			     rob@coombs.anu.edu.au
	Connect-A			      Tel: +61 2 6247 2397
	PO Box 13			      Fax: +61 2 6248 8905
	Ainslie  ACT  2602		      Mobile: 0417 293 603
	Australia
	----------------------------------------------------------
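Added example (not part of the thread or of FreeBSD's ipfw): a toy first-match evaluator for a small subset of ipfw rule syntax, used to show why the two rules discussed above drop the traffic they were meant to pass. The sample packets and the default-deny policy are constructed assumptions (a kernel built with IPFIREWALL but not IPFIREWALL_DEFAULT_TO_ACCEPT).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str              # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn_only: bool = False  # TCP SYN without ACK, which ipfw's "setup" keyword matches

def parse_rule(text: str) -> dict:
    # Subset grammar: <action> [log ...] <proto> from any [sport] to any [dport] [setup]
    # Addresses are ignored (assumed "any"); only ports and the setup flag matter here.
    t = text.split()
    f, to = t.index("from"), t.index("to")

    def port(i: int) -> Optional[int]:
        return int(t[i]) if i < len(t) and t[i].isdigit() else None

    return {"action": t[0], "proto": t[f - 1], "sport": port(f + 2),
            "dport": port(to + 2), "setup": "setup" in t}

def matches(rule: dict, pkt: Packet) -> bool:
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    if rule["sport"] is not None and rule["sport"] != pkt.src_port:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.dst_port:
        return False
    return not rule["setup"] or pkt.syn_only

def decide(rules: list, pkt: Packet) -> str:
    # First matching rule wins; unmatched traffic hits the implicit final deny (assumed).
    for r in map(parse_rule, rules):
        if matches(r, pkt):
            return r["action"]
    return "deny"

# Constructed traffic: an outside client opens SMTP from an ephemeral port,
# and the internal mail hub sends a DNS query over UDP.
SMTP_SYN = Packet("tcp", 40123, 25, syn_only=True)
DNS_QUERY = Packet("udp", 1029, 53)

# The thread's rule pins the *source* port to 25, so a real client never matches it,
# and a TCP-only port 53 rule never sees a UDP query.
BROKEN = ["allow log logamount 100 tcp from any 25 to any 25 setup",
          "allow tcp from any to any 53 setup"]
FIXED = ["allow tcp from any to any 25 setup",   # any source port to the hub's SMTP
         "allow udp from any to any 53"]         # DNS queries are UDP by default

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, decide(rules, SMTP_SYN), decide(rules, DNS_QUERY))
```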


