> OK - I'm still stuck. Could anyone help me out?
>
> I've got a range of IP addresses....
>
> 213.107.212.9 (adsl modem)
> 213.107.212.10 (firewall WAN interface)
> 213.107.212.11 (incoming email comes to this address)
> 213.107.212.12 (DMZ - not used yet)
>
> Trying to let incoming mail through to the mail server
> (213.107.212.11 >> mail server 192.168.175.1)
>
> With help I've got:
>
> assign extra IPs to the external interface:
> eth0_IP_EXTRA_ADDRS="213.107.212.11 213.107.212.12"
>
> allow e-mail traffic through the firewall filters with the following:
> EXTERN_TCP_PORT0="0/0 smtp 213.107.212.11"
>
> port-forward the traffic to your exchange server:
> INTERN_SERVERS="tcp_213.107.212.11_smtp_192.168.175.1_smtp"
>
> But, still no joy. In particular, I notice that
>
> the additional IPs I've added have a different subnet entry to the primary
> eth0 : is this OK?

It should be, but you might try:

eth0_IP_EXTRA_ADDRS="213.107.212.11/29 213.107.212.12/29"

> I can ping the firewall eth0 interface IPs (apart from the .11 for some
> reason?) from the internet (which I couldn't do with the old firewall) :
> is this a bad setup by me?

If getting the subnet length on the IP addresses doesn't help (and I don't really think it will), you're probably suffering from "untested combination syndrome". What you're trying to do isn't something I've explicitly tested.

What I *HAVE* tested, know works, and would be applicable in your situation:

- Port-forward the firewall's primary IP to your internal mail-server
- Move your mail server to the DMZ, and use either the port-forwarded (private) DMZ, or (preferred) a proxy-arp DMZ.

I have not tried to port-forward from extra external IPs to anything other than a private-DMZ, so there could be something subtle that doesn't work quite right in the default configuration.

There's probably something subtle wrong with the port-forwards or ipchains rules, but I'd need packet dumps (or similar debugging data) from your system to figure out exactly what's wrong.

BTW: If you include the ipchains listing, use "net ipfilter list", which outputs the port-forwarding settings as well...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)