That did the trick! Thank you
Viet

>From: "Charles Steinkuehler" <[EMAIL PROTECTED]>
>To: "Viet Vo" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
>Subject: Re: [leaf-user] Can't access Exchange 5.5 from outside
>Date: Thu, 20 Jun 2002 09:58:14 -0500
>
> > I'm using DCD v1.0.2 with Proxy-arp setup. Everything in the internal
> > network works fine and all the services in the DMZ such as web, ftp, citrix
> > work fine except for Exchange 5.5, which I can't access from the outside if I
> > use Outlook. I configured Exchange server to respond on ports 1225, 1226 and
> > 135 using Microsoft's suggestion:
> > http://support.microsoft.com/default.aspx?scid=kb;EN-US;q155831.
> >
> > Any help is greatly appreciated
>
>If you expect to send/receive any traffic on port 135, you'll have to
>manually edit the firewall scripts (/etc/ipfilter.conf), which includes
>rules to drop all MS networking packets from the input and output
>chains.
>
>The procedure to build these rules is standardBlock (), which is located
>near the top of the file. While I don't actually suggest you do this,
>if you really want to, modifying the standardBlock procedure to pass
>whatever MSNetworking stuff is required will be necessary. Just be sure
>you understand the security implications of whatever changes you make.
>I'd at least suggest creating rules that allow *ONLY* traffic to your
>exchange box, while continuing to drop everything else, limiting your
>exposure to spraying unencrypted passwords and other MSNetworking info
>from your internal network out to the internet inadvertently. Such
>rules could be placed in the /etc/ipchains.input file, using the -I
>(insert) switch so they match (and accept) the traffic before the rules
>created by standardBlock drop the packets. Something like:
>
>$IPCH -I input -j ACCEPT -s 0/0 -d <exchange IP> 135 -p <tcp? udp?>
>
>I'm not sure if you need tcp or udp (or both) on port 135...AFAIK,
>windows uses both protocols on this port #. Also, if you have a short
>list of valid static source IPs, it would be very beneficial from a
>security standpoint to replace the -s 0/0 with the real IPs, if
>possible.
>
>Charles Steinkuehler
>http://lrp.steinkuehler.net
>http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
>------------------------------------------------------------------------
>leaf-user mailing list: [EMAIL PROTECTED]
>https://lists.sourceforge.net/lists/listinfo/leaf-user
>SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
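An added example, not from the thread or the LEAF project: a small sh helper that emits the ipchains ACCEPT rules Charles describes, restricted to the Exchange host and to a short list of static source IPs instead of `-s 0/0`, covering both tcp and udp on 135 and the two RPC ports from the original question. It assumes `IPCH` defaults to a dry-run `echo ipchains`, and the addresses used are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): emit ipchains rules that
# accept port 135 (and the Exchange RPC ports 1225/1226 from the question)
# ONLY to the Exchange box and ONLY from a short list of static source IPs,
# inserted ahead of the standardBlock drop rules with -I.
# Assumption: IPCH defaults to "echo ipchains" (dry run); set IPCH=ipchains
# on a real LEAF box to apply them.
IPCH="${IPCH:-echo ipchains}"

# build_exchange_rules EXCHANGE_IP "SRC1 SRC2 ..." [PORTS]
# Emits one rule per source/port/protocol. Because -I inserts at the top of
# the input chain, each ACCEPT matches before standardBlock's MS-networking
# drops, while everything not listed here is still dropped.
build_exchange_rules() {
    exchange_ip="$1"
    sources="$2"
    ports="${3:-135 1225 1226}"
    for src in $sources; do
        for port in $ports; do
            for proto in tcp udp; do
                $IPCH -I input -j ACCEPT -p "$proto" -s "$src" -d "$exchange_ip" "$port"
            done
        done
    done
}

# count_exchange_rules: how many rules the call above would emit (dry run).
count_exchange_rules() {
    build_exchange_rules "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Constructed sample: Exchange at 192.0.2.10, two trusted static sources.
build_exchange_rules 192.0.2.10 "198.51.100.5 203.0.113.7"
```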