I would appreciate some help to get mail sending out of my routed DMZ to work.
CS> Comments inline...

What currently happens in my setup is that a DMZ machine can contact the mail server on the external internet via port 25. But the mail server's replies to the DMZ machine on high ports 4436 and 4437 are blocked in the input chain. To clarify, I do NOT want to open port 25 to the outside.

I read the docs and network.conf and tried to fix this by setting DMZ_HIGH_TCP_CONNECT to YES. This did not help.

Below is an extract from ipchains -L --line-numbers -n for the high port range, IP addresses replaced with symbolic values from the script:

<snip>

CS> Nice try, but without the -v option, and pulled out of context, the rules you listed don't tell me much...sorry.

If the mail server on the internet sends a packet to a high port on the DMZ machine (not the router address EXTERN_IP), then what is the purpose of opening EXTERN_IP? Should it not be DMZ_NET, the network of the final recipient of the packet? I could understand that opening EXTERN_IP is required to allow packets to reach services that run on the router itself, e.g. ssh.

What part of network.conf or ipfilter.conf needs to be configured to fix my problem?

CS> You shouldn't have to configure anything special in network.conf to allow inbound responses to the DMZ network. Inbound TCP response packets are allowed by default. Only start-of-connection packets are filtered.

CS> You should have something like the following rule in your forward chain. Note the extra fields you get when using the -v flag with ipchains. The !y means the rule matches only packets without the SYN flag set. The eth2 means the rule matches packets destined for eth2 (the DMZ interface).

CS> 0 0 ACCEPT tcp !y---- 0xFF 0x00 eth2 0.0.0.0/0 216.171.153.128/26 * -> 1024:65535

Here is my simple setup: There are only 2 networks. What makes things REALLY easy is that these small networks don't need to be hidden or address-translated. They are both physically and IP-address-wise different networks, with routable IP addresses in the public internet IP range. I think Charles Steinkuehler terms this a "Routed DMZ".

<snip ascii-art network diagram>

CS> Yes, this is what I call a "routed" DMZ. It's possible there's a problem with the firewall scripts, as it's been a while since I tested the routed DMZ functionality, and I could have messed something up. You might also have something incorrectly entered in your network.conf file. Without a listing of the ipchains rules that have been created (ipchains -nvL or net ipfilter list), and/or your network.conf settings, it's hard to say what might be wrong. If you can't get things working using some of the hints above, post more detailed info and I'll dig into what's wrong...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
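The "only start-of-connection packets are filtered" point from the reply above, replayed against sample packets. This is an added example, not code from the thread or from the LEAF firewall scripts. It parses the `ipchains -nvL` column layout of the forward-chain rule quoted above (the `!y` opt flag meaning non-SYN only, `ifname` being the arriving interface in the input chain and the outgoing interface in the forward and output chains) and walks input, forward and output chains the way ipchains does for a routed packet. The chain listing, the DMZ host 216.171.153.130 (inside the 216.171.153.128/26 network from the quoted rule) and the external mail server 198.51.100.25 are all constructed for the example.

```python
"""Replay an ipchains -nvL listing against sample packets (added example).

Assumed column order per rule line, as in the rule quoted in the thread:
  pkts bytes target prot opt tosa tosx ifname source destination sports -> dports
Blank mark/outsize columns are tolerated by anchoring on the '->' token.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    prot: str
    syn: bool
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Rule:
    target: str
    prot: str
    syn: Optional[bool]   # True: '-y' SYN only, False: '!y' non-SYN only, None: any
    ifname: str           # '*' when the column is blank
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sports: str
    dports: str

    def matches(self, pkt: Packet, iface: str) -> bool:
        if self.prot not in ("all", pkt.prot):
            return False
        if self.syn is not None and self.syn != pkt.syn:
            return False
        if self.ifname not in ("*", iface):
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        return _port_ok(self.sports, pkt.sport) and _port_ok(self.dports, pkt.dport)


def _port_ok(spec: str, port: int) -> bool:
    """'*' = any port, 'N' = one port, 'A:B' = inclusive range."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def _syn_flag(opt: str) -> Optional[bool]:
    """Decode the first two characters of the opt column."""
    if opt.startswith("!y"):
        return False
    if opt.startswith("-y"):
        return True
    return None


def parse_ipchains(text: str) -> Dict[str, Tuple[str, List[Rule]]]:
    chains: Dict[str, Tuple[str, List[Rule]]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\w+)", line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
            continue
        tok = line.split()
        if current is None or "->" not in tok:
            continue  # column header or blank line
        arrow = tok.index("->")
        src, dst, sports = tok[arrow - 3], tok[arrow - 2], tok[arrow - 1]
        ifname = tok[7] if arrow - 3 > 7 else "*"  # interface column present?
        chains[current][1].append(Rule(
            target=tok[2], prot=tok[3], syn=_syn_flag(tok[4]), ifname=ifname,
            src=ipaddress.ip_network(src), dst=ipaddress.ip_network(dst),
            sports=sports, dports=tok[arrow + 1]))
    return chains


def chain_verdict(chains, name: str, pkt: Packet, iface: str) -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    policy, rules = chains[name]
    for rule in rules:
        if rule.matches(pkt, iface):
            return rule.target
    return policy


def routed_verdict(chains, pkt: Packet, in_if: str, out_if: str) -> str:
    """A routed packet traverses input (in_if), then forward and output (out_if)."""
    for chain, iface in (("input", in_if), ("forward", out_if), ("output", out_if)):
        verdict = chain_verdict(chains, chain, pkt, iface)
        if verdict != "ACCEPT":
            return f"{verdict} in {chain}"
    return "ACCEPT"


# Constructed listing: block new inbound connections to the DMZ on eth0, allow
# DMZ-originated SMTP out of eth0, allow non-SYN return traffic to DMZ high ports.
SAMPLE = """\
Chain input (policy ACCEPT: 0 packets, 0 bytes):
 pkts bytes target     prot opt     tosa tosx  ifname     source                destination           ports
    0     0 DENY       tcp  -y---- 0xFF 0x00  eth0       0.0.0.0/0             216.171.153.128/26    * ->   *
Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt     tosa tosx  ifname     source                destination           ports
    0     0 ACCEPT     tcp  ------ 0xFF 0x00  eth0       216.171.153.128/26    0.0.0.0/0             * ->   25
    0     0 ACCEPT     tcp  !y---- 0xFF 0x00  eth2       0.0.0.0/0             216.171.153.128/26    * ->   1024:65535
Chain output (policy ACCEPT: 0 packets, 0 bytes):
 pkts bytes target     prot opt     tosa tosx  ifname     source                destination           ports
"""
CHAINS = parse_ipchains(SAMPLE)
DMZ_HOST, MAIL_SERVER = "216.171.153.130", "198.51.100.25"  # constructed addresses


def demo() -> Dict[str, str]:
    cases = {
        "DMZ opens SMTP session": (Packet("tcp", True, DMZ_HOST, MAIL_SERVER, 4436, 25), "eth2", "eth0"),
        "mail server replies": (Packet("tcp", False, MAIL_SERVER, DMZ_HOST, 25, 4436), "eth0", "eth2"),
        "unsolicited SYN to DMZ": (Packet("tcp", True, MAIL_SERVER, DMZ_HOST, 25, 4436), "eth0", "eth2"),
    }
    return {name: routed_verdict(CHAINS, pkt, i, o) for name, (pkt, i, o) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

Feeding a real `ipchains -nvL` capture to `parse_ipchains` instead of `SAMPLE` and replaying the mail server's reply (SYN clear, source port 25, destination port 4436, arriving on the external interface, leaving on the DMZ interface) shows which chain and rule, or which policy, produces the block; a verdict that comes from the input chain rather than the forward chain narrows the search to rules keyed on the arriving interface.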