I am not sure I understand. Your example shows the destination to be the firewall object.
My users will not be connecting to port 25 of the firewall, so this wouldn't work - would it? (Picture a hotel/library situation.) My users would be connecting to port 25 of mail servers such as mail.yahoo.com, mail.verizon.net, or mail.sbc.net. I want to be what is called the "man in the middle" and stop them from connecting to these SMTP servers. I want to redirect this SMTP to my mail relay server, transparent to the user. Much the same as AOL does, or a PIX firewall could. The goal is to curb the amount of spam that could originate from this network (it's not in place yet) by running the outgoing e-mail through something like Spam Assassin.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Robert Plaenk
Sent: Wednesday, July 14, 2004 11:22 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Port 25 redirect on specific subnet

You can do it with SMTP-mapped. Here's how:

There are 3 user-defined services in FireWall-1 NG FP1 / FP2:

http_mapped
ftp_mapped
smtp_mapped

These services perform port mapping. By editing the service, the destination port and IP address of a connection can be changed.

Create the following rules in the Policy Editor:

Rule #1
SOURCE: Any
DESTINATION: FW-1_object
SERVICE: mapped service (i.e. http_mapped, ftp_mapped, or smtp_mapped)
ACTION: accept

Rule #2
SOURCE: Any
DESTINATION: internal Workstation object
SERVICE: actual service (i.e. http, ftp, smtp)
ACTION: accept

Edit the properties of the "http_mapped" service to point to the IP address of an internal http server using a private address. If port 8000 on the FireWall Module (gateway) is to be mapped to port 80 on the internal web server 10.9.8.7, proceed as follows:

On the Policy Editor
1. Select Manage > Services.
2. In the Services window, select http_mapped.
3. Click Edit.
4. In the User Defined Service Properties window, click on Advanced in the General tab.
5. In the Advanced Other Service Properties window, change the contents of the Match field from:
   SRV_REDIRECT(8080,0.0.0.0,80)
   to:
   SRV_REDIRECT(8000,10.9.8.7,80)

After installing the new policy on the target Firewall Module, an http request may be sent whose destination address is port 8000 on the Firewall Module, and be transparently connected directly to the http server. No NAT needs to be configured for this to work. The internal "mapped" host can be non-routable.

Note: There has to be at least one Network Address Translation (NAT) rule in the rulebase for this to work. However, the NAT rule does not necessarily have to apply to this connection.

To create a "mapped" service, create a new service of type "Other" in the following way:

On the Policy Editor
1. Select Manage > Services.
2. In the Services window, click the New button and select Other from the drop-down list.
3. In the User Defined Service Properties window, configure the General tab fields as follows:
   Name: mapped_service
   IP Protocol: 6
4. Click the Advanced button.
5. In the Advanced Other Service Properties window, configure the Match field with the following syntax:
   Match: SRV_REDIRECT(<incoming destination port>,<IP to forward to>,<new destination port>)

The following is an example configuration of the Match field:
Match: SRV_REDIRECT(8080,10.1.1.250,80)

The same technique works for SMTP and FTP, with the exception that FTP data connections of a redirected FTP request will not be implicitly allowed, and must be accepted explicitly by the Rule Base. In fact, the underlying macro SRV_REDIRECT can be used in user-defined services to redirect any simple TCP service from the FireWall Module to an internal server running on any TCP port.
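The following is an added example, not part of this thread and not Check Point code. It models the SRV_REDIRECT match string and the two-rule rule base Robert describes, so the difference between the two posters' expectations can be checked on sample connections: a mapped service rewrites the destination only when the client connected to the firewall's own address on the incoming port, which is why a client that connects straight to an outside mail server on port 25 is not redirected. The firewall address (203.0.113.1), the relay address (10.9.8.25), the internal network (10.0.0.0/8) and the "no-match" result for anything the two rules do not cover are all constructed assumptions; the thread's requirement that at least one NAT rule exist in the rule base is not modelled.

```python
"""Model of FireWall-1 'mapped' services (SRV_REDIRECT) and the two-rule
rule base from the thread. Added illustration only; the matching semantics
are an assumption drawn from the thread: a mapped service fires only for
traffic whose destination is the firewall itself on the incoming port."""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Match-field syntax from the thread:
#   SRV_REDIRECT(<incoming destination port>,<IP to forward to>,<new destination port>)
SRV_REDIRECT_RE = re.compile(r"^SRV_REDIRECT\((\d+),([\d.]+),(\d+)\)$")


@dataclass(frozen=True)
class Redirect:
    incoming_port: int
    forward_ip: str
    new_port: int


def parse_match(match: str) -> Redirect:
    """Parse and validate the Match field of a user-defined 'Other' service."""
    m = SRV_REDIRECT_RE.match(match.strip())
    if not m:
        raise ValueError(f"not a SRV_REDIRECT match string: {match!r}")
    incoming, ip, new = int(m.group(1)), m.group(2), int(m.group(3))
    for port in (incoming, new):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    ip_address(ip)  # raises ValueError on a malformed address
    return Redirect(incoming, ip, new)


def render_match(r: Redirect) -> str:
    """Inverse of parse_match: build the Match field text for the service."""
    return f"SRV_REDIRECT({r.incoming_port},{r.forward_ip},{r.new_port})"


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int


FIREWALL_IP = "203.0.113.1"            # constructed address of the FW-1 object
INTERNAL_NET = ip_network("10.0.0.0/8")  # constructed: where the relay lives


def apply_rulebase(conn: Conn, redirect: Redirect) -> tuple[str, str, int]:
    """Return (result, dst, dport) after the two rules from the thread.

    Rule 1: Any -> FW-1 object, mapped service, accept (rewrites dst/port).
    Rule 2: Any -> internal server, actual service, accept.
    Anything else is reported as 'no-match' (assumption: the rest of the
    rule base is not modelled here)."""
    if conn.dst == FIREWALL_IP and conn.dport == redirect.incoming_port:
        return ("accept-redirect", redirect.forward_ip, redirect.new_port)
    if ip_address(conn.dst) in INTERNAL_NET and conn.dport == redirect.new_port:
        return ("accept", conn.dst, conn.dport)
    return ("no-match", conn.dst, conn.dport)


if __name__ == "__main__":
    # Constructed smtp_mapped service: firewall port 25 -> relay 10.9.8.25:25
    smtp = parse_match("SRV_REDIRECT(25,10.9.8.25,25)")
    client = "192.168.0.10"
    for dst in (FIREWALL_IP, "198.51.100.20"):   # firewall vs. an outside MX
        print(Conn(client, dst, 25), "->", apply_rulebase(Conn(client, dst, 25), smtp))
```

Running the block shows the first connection (to the firewall's own port 25) being rewritten to the relay, while the second (to an outside address on port 25, as a hotel or library user would do) falls through untouched, which is the gap the first message in this thread points out.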
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Utsav Ratti
Sent: Wednesday, July 14, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Port 25 redirect on specific subnet

Edwin Davidson wrote:
> For example, I want to take subnet 192.168.0.0 and any port 25
> connections they make I want it to be redirected to another SMTP server on my network.

I think this may be possible somehow using the SMTP Security Server. I haven't done it, though, so I can't provide you with specific instructions.

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================

http://www.primeinc.com
