I'm not an ipchains guru, and I don't have a DMZ, but this is what I have that I built from the ipchains HOWTO. The key for me was allowing the source port to be a range from 1024:4999.

NOTE that my input, output, and forward chains (not shown here), like the ipchains HOWTO, send packets based only on interfaces. I have custom chains for the different interfaces (internal, external), and this one is for the fw-svc chain that's a "subchain" of the external, which gets JUMP'd to after accepting any MASQ'd packets.

# allow firewall-initiated connections to mail servers
ipchains -A fw-svc -p tcp ! -y --sport 25 --dport 1024:4999 -j ACCEPT

# allow BOOTP and DHCP requests/acks/etc from ISP
ipchains -A fw-svc -p udp --sport 67:68 --dport 67:68 -j ACCEPT

# allow DNS lookups from the firewall
ipchains -A fw-svc -p udp --sport 53 --dport 1024:4999 -j ACCEPT

> for a DMZ with a default (bad-DMZ & DMZ-bad) of DENY, what rules do I need
> (in the bad-DMZ and DMZ-bad chains) to host an smtp server that can send and
> receive mail? I have tried opening up access to port 25, and allowing it,
> and allowing access to other machines destined for port 25 (I thought this
> would work). Ditto for the DNS servers. Everything else works great.

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
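The same "established-only (! -y) replies to a high-port range" technique carried over to the bad-DMZ and DMZ-bad chains the question asks about, as an added example that is not from the original post or the ipchains HOWTO. The mail-host and resolver addresses are placeholders, and IPCHAINS defaults to echoing the commands so the rule set can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example: DMZ chain rules for a single SMTP host (not the poster's config).
# Assumed placeholders:
#   MAILHOST - the DMZ mail server's address (constructed value)
#   DNS      - the resolver the mail host may query (constructed value)
#   IPCHAINS - "echo ipchains" prints the rules; set IPCHAINS=ipchains to load them
MAILHOST="${MAILHOST:-192.0.2.25}"
DNS="${DNS:-192.0.2.53}"
IPCHAINS="${IPCHAINS:-echo ipchains}"
# The poster's range; widen it if the DMZ host uses a larger ephemeral range.
HIGH="${HIGH:-1024:4999}"

# bad-DMZ: packets arriving from the outside, headed into the DMZ.
bad_dmz_rules() {
    # New inbound SMTP sessions, but only to the mail host.
    $IPCHAINS -A bad-DMZ -p tcp -d "$MAILHOST" --dport 25 -j ACCEPT
    # Replies to SMTP sessions the mail host opened: never a SYN (! -y),
    # from port 25, to the mail host's high ports.
    $IPCHAINS -A bad-DMZ -p tcp ! -y --sport 25 -d "$MAILHOST" --dport "$HIGH" -j ACCEPT
    # DNS answers, only from the configured resolver.
    $IPCHAINS -A bad-DMZ -p udp -s "$DNS" --sport 53 -d "$MAILHOST" --dport "$HIGH" -j ACCEPT
    # User chains have no policy in ipchains, so end with an explicit logged DENY.
    $IPCHAINS -A bad-DMZ -j DENY -l
}

# DMZ-bad: packets leaving the DMZ for the outside.
dmz_bad_rules() {
    # The mail host opening SMTP sessions to remote MTAs.
    $IPCHAINS -A DMZ-bad -p tcp -s "$MAILHOST" --sport "$HIGH" --dport 25 -j ACCEPT
    # Replies (never a SYN) to inbound SMTP sessions.
    $IPCHAINS -A DMZ-bad -p tcp ! -y -s "$MAILHOST" --sport 25 --dport "$HIGH" -j ACCEPT
    # DNS lookups to the resolver only.
    $IPCHAINS -A DMZ-bad -p udp -s "$MAILHOST" --sport "$HIGH" -d "$DNS" --dport 53 -j ACCEPT
    # Anything else from the DMZ is dropped and logged.
    $IPCHAINS -A DMZ-bad -j DENY -l
}

bad_dmz_rules
dmz_bad_rules
```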
