Thanks for responding, Ray. I have added the diagnostic info described at leaf support.
I'm running Dachstein Linux 4.0.6 with private.network at 192.168.1 and dmz.network at 192.168.2. The web server on dmz.network can be reached from the net. Mail sent to the mail server on dmz.network returns an error message to the sender. I've tried varying the coding of the DMZ_OPEN_DEST and DMZ_SERVER parameters in network.conf without success. I've been assuming that it is a network.conf issue because I can send mail from private.network to dmz.network and I had successfully set up a mail server on private.network (INTERNAL_SMTP_SERVER parm). I tore it down prior to trying to move it to dmz. My network.conf parameters and email error messages follow.

Bob

NETWORK.CONF PARAMETERS

###############################################################################
# Extended firewall configruation scripts
# By Charles Steinkuehler
# Version 1.3.2
# September 29, 2001
###############################################################################

###############################################################################
# General Settings
###############################################################################
VERBOSE=YES
MAX_LOOP=10
IPFWDING_KERNEL=FILTER_ON
IPALWAYSDEFRAG_KERNEL=YES
CONFIG_HOSTNAME=YES
CONFIG_HOSTSFILE=YES
CONFIG_DNS=NO

###############################################################################
# Interfaces
###############################################################################
IF_AUTO="eth1 eth2"
IF_LIST="$IF_AUTO"
ALLIF_ACCEPT_REDIRECTS=NO
DEF_IP_SPOOF=YES
DEF_IP_KRNL_LOGMARTIANS=YES
BRG_SWITCH=NO
BRG_EXEMPT_PROTOS=""

eth0_IPADDR=1.1.1.2
eth0_MASKLEN=30
eth0_BROADCAST=+
eth0_DEFAULT_GW=1.1.1.1
eth0_IP_SPOOF=YES
eth0_IP_KRNL_LOGMARTIANS=YES
eth0_IP_SHARED_MEDIA=NO
eth0_BRIDGE=NO
eth0_PROXY_ARP=NO
eth0_FAIRQ=NO

eth1_IPADDR=192.168.1.254
eth1_MASKLEN=24
eth1_BROADCAST=+
eth1_IP_SPOOF=YES
eth1_IP_KRNL_LOGMARTIANS=YES
eth1_IP_SHARED_MEDIA=NO
eth1_BRIDGE=NO
eth1_PROXY_ARP=NO
eth1_FAIRQ=NO

eth2_IPADDR=192.168.2.254
eth2_MASKLEN=24
eth2_BROADCAST=+
#eth2_ROUTES=
eth2_IP_SPOOF=YES
eth2_IP_KRNL_LOGMARTIANS=YES
eth2_IP_SHARED_MEDIA=NO
eth2_BRIDGE=NO
eth2_PROXY_ARP=NO
eth2_FAIRQ=NO

IPFILTER_SWITCH=firewall
SNMP_BLOCK=YES                  # Block all SNMP (YES/NO)
MRK_CRIT=1                      # Critical traffic, routing, DNS
MRK_IA=2                        # Interactive traffic - telnet, ssh, IRC
CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh"

EXTERN_IF="eth0"                # External Interface
EXTERN_DHCP=YES                 # YES/NO
IF_DHCP=$EXTERN_IF
EXTERN_DYNADDR=NO               # YES/NO
eval EXTERN_IP=\"\${"$EXTERN_IF"_IPADDR:-""}\"
if [ "$EXTERN_DHCP" = "YES" -o \
     "$EXTERN_DHCP" = "Yes" -o \
     "$EXTERN_DHCP" = "yes" -o \
     "$EXTERN_IP" = "DYNAMIC" ] ; then
  # This computes the IP address of $EXTERN_IF
  EXTERN_IP=`ip addr list label $EXTERN_IF | \
    grep inet | sed '1!d' | \
    sed 's/^[^.0-9]*\([.0-9]*\).*$/\1/'`
  # If the external address is not configured, use a bogus address for the
  # external interface to prevent a bunch of (harmless) errors that spit out
  # when the IPCHAINS script is called.
  if [ x$EXTERN_IP = x ]; then
    EXTERN_IP=192.168.254.254
  fi
fi

IPCH_IN=/etc/ipchains.input
IPCH_FWD=/etc/ipchains.forward
IPCH_OUT=/etc/ipchains.output
client
EXTERN_UDP_PORTS="0/0_domain 0/0_bootpc"

INTERN_IF="eth1"                # Internal Interface
INTERN_NET=192.168.1.0/24       # One (or more) Internal network(s)
INTERN_IP=192.168.1.254         # IP number of Internal Interface
                                # (to allow forwarding to external IP)
MASQ_SWITCH=YES                 # Masquerade internal network to outside

DMZ_SWITCH=PRIVATE
DMZ_IF="eth2"
DMZ_NET=192.168.2.0/24
DMZ_SRC=1.1.1.0/27
DMZ_EXT_ADDRS="$eth0_DEFAULT_GW $EXTERN_IP"
DMZ_HIGH_TCP_CONNECT=NO
DMZ_CLOSED_DEST="tcp_${DMZ_NET}_6000:6004 tcp_${DMZ_NET}_7100"
DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain tcp_${DMZ_NET}_domain tcp_${DMZ_NET}_www tcp_${DMZ_NET}_smtp"
DMZ_SERVER0="udp $EXTERN_IP domain 192.168.2.253 domain"
DMZ_SERVER1="tcp $EXTERN_IP domain 192.168.2.253 domain"
DMZ_SERVER2="tcp $EXTERN_IP www 192.168.2.253 www"
DMZ_SERVER3="tcp $EXTERN_IP smtp 192.168.2.253 smtp"
#DMZ_SERVER4="tcp 1.2.3.12 www 192.168.2.1 8080"
DMZ_OUTBOUND_ALL=YES

HOSTNAME=myrouter
HOSTS0="$eth1_IPADDR $HOSTNAME.private.network $HOSTNAME fw"
DOMAINS="private.network"
DNS0=127.0.0.1

EMAIL ERROR MESSAGES

Date: Fri, 27 Sep 2002 20:00:31 -0400
From: "Bob Skaroff comcast.net" <[EMAIL PROTECTED]>
Subject: test
To: [EMAIL PROTECTED]
Message-id: <000501c26682$1079e200$[EMAIL PROTECTED]>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 7BIT
X-Priority: 3
X-MSMail-priority: Normal

Your message is being returned; it has been enqueued and undeliverable for 3 days to the following recipients:

Recipient address: [EMAIL PROTECTED]
Reason: unable to deliver this message after 3 days

Delivery attempt history for your mail:

Tue, 1 Oct 2002 00:54:30 -0400 (EDT)
TCP active open: Failed connect() Error: Connection timed out

Mon, 30 Sep 2002 20:51:20 -0400 (EDT)
TCP active open: Failed connect() Error: Connection timed out

Mon, 30 Sep 2002 04:46:54 -0400 (EDT)
TCP active open: Failed connect() Error: Connection timed out

Sun, 29 Sep 2002 13:25:19 -0400 (EDT)
TCP active open: Failed connect() Error: Connection timed out

Sat, 28 Sep 2002 21:22:09 -0400 (EDT)
TCP active open: Failed connect() Error: Connection timed out

Sat, 28 Sep 2002 19:18:59 -0400 (EDT)
TCP active open: Failed connect() Error: Connection timed out

Sat, 28 Sep 2002 11:15:49 -0400 (EDT)
TCP active open: Failed connect() Error: Connection timed out

Sat, 28 Sep 2002 03:12:18 -0400 (EDT)
TCP active open: Failed connect() Error: Connection timed out

Fri, 27 Sep 2002 23:09:08 -0400 (EDT)
TCP active open: Failed connect() Error: Connection timed out

Fri, 27 Sep 2002 22:05:58 -0400 (EDT)
TCP active open: Failed connect() Error: Connection timed out

Fri, 27 Sep 2002 20:02:48 -0400 (EDT)
TCP active open: Failed connect() Error: Connection timed out

**************************************************************************

kernel version 2.2.19-3-LEAF-RAID #4 Sat Dec 1 17:27:59 CST 2001 i386 unknown

1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
3: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
4: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
5: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
6: brg0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether fe:fd:04:00:ad:a6 brd ff:ff:ff:ff:ff:ff
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:03:6d:11:04:ea brd ff:ff:ff:ff:ff:ff
    inet 68.80.68.190/21 brd 68.80.71.255 scope global eth0
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:03:6d:1a:0f:5b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
9: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:03:6d:1a:0e:10 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.254/24 brd 192.168.2.255 scope global eth2

192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
68.80.64.0/21 dev eth0 proto kernel scope link src 68.80.68.190
default via 68.80.64.1 dev eth0

Chain input (policy DENY: 3 packets, 754 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source           destination     ports
    0     0 DENY   icmp ----l- 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0       5 -> *
    0     0 DENY   icmp ----l- 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0       13 -> *
    0     0 DENY   icmp ----l- 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0       14 -> *
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                0.0.0.0          0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                255.255.255.255  0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                127.0.0.0/8      0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                224.0.0.0/4      0.0.0.0/0       n/a
12921 4691K DENY   all  ----l- 0xFF 0x00 eth0                10.0.0.0/8       0.0.0.0/0       n/a
    2   668 DENY   all  ----l- 0xFF 0x00 eth0                172.16.0.0/12    0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                192.168.0.0/16   0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                0.0.0.0/8        0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                128.0.0.0/16     0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                191.255.0.0/16   0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                192.0.0.0/24     0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                223.255.255.0/24 0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                240.0.0.0/4      0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                192.168.1.0/24   0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                68.80.68.190     0.0.0.0/0       n/a
    0     0 REJECT all  ----l- 0xFF 0x00 eth0                0.0.0.0/0        127.0.0.0/8     n/a
    0     0 REJECT all  ----l- 0xFF 0x00 eth0                0.0.0.0/0        192.168.1.0/24  n/a
    0     0 REJECT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 137
    0     0 REJECT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 135
    0     0 REJECT udp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 137
    0     0 REJECT udp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 135
    0     0 REJECT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 138:139
    0     0 REJECT udp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 138
    0     0 REJECT udp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       137:138 -> *
    0     0 REJECT udp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       135 -> *
    0     0 REJECT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       137:139 -> *
    0     0 REJECT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       135 -> *
    0     0 REJECT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 113
 156K  194M ACCEPT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 1024:65535
    0     0 REJECT udp  ----l- 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 161:162
    1    75 ACCEPT udp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 53
    0     0 ACCEPT udp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 68
    0     0 DENY   udp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 67
 3696 1148K ACCEPT udp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 1024:65535
  239 17597 ACCEPT icmp ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> *
    0     0 ACCEPT ospf ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       n/a
  389 20212 DENY   all  ----l- 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       n/a
    0     0 REJECT udp  ----l- 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0       * -> 161:162
    0     0 REJECT udp  ----l- 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0       161:162 -> *
 113K   13M ACCEPT all  ------ 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0       n/a

Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source           destination     ports
    0     0 DENY   icmp ----l- 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0       5 -> *
  610 57768 MASQ   all  ------ 0xFF 0x00 eth2                192.168.1.0/24   192.168.2.0/24  n/a
    8   576 MASQ   all  ------ 0xFF 0x00 eth0                192.168.2.0/24   0.0.0.0/0       n/a
    0     0 MASQ   udp  ------ 0xFF 0x00 eth1                192.168.2.0/24   192.168.1.0/24  53 -> *
    0     0 MASQ   tcp  ------ 0xFF 0x00 eth1                192.168.2.0/24   192.168.1.0/24  53 -> *
   82 62117 MASQ   tcp  ------ 0xFF 0x00 eth1                192.168.2.0/24   192.168.1.0/24  80 -> *
    0     0 MASQ   tcp  ------ 0xFF 0x00 eth1                192.168.2.0/24   192.168.1.0/24  25 -> *
 107K   12M MASQ   all  ------ 0xFF 0x00 eth0                192.168.1.0/24   0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth2                0.0.0.0/0        192.168.2.0/24  n/a
    0     0 DENY   all  ------ 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0       n/a

Chain output (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source           destination     ports
 271K  206M fairq  all  ------ 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                0.0.0.0          0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                255.255.255.255  0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                127.0.0.0/8      0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                224.0.0.0/4      0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                10.0.0.0/8       0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                172.16.0.0/12    0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                192.168.0.0/16   0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                0.0.0.0/8        0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                128.0.0.0/16     0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                191.255.0.0/16   0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                192.0.0.0/24     0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                223.255.255.0/24 0.0.0.0/0       n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                240.0.0.0/4      0.0.0.0/0       n/a
    0     0 DENY   all  ------ 0xFF 0x00 eth0                192.168.1.0/24   0.0.0.0/0       n/a
    0     0 REJECT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 137
    0     0 REJECT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 135
    0     0 REJECT udp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 137
    0     0 REJECT udp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 135
    0     0 REJECT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 138:139
    0     0 REJECT udp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       * -> 138
    0     0 REJECT udp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       137:138 -> *
    0     0 REJECT udp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       135 -> *
    0     0 REJECT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       137:139 -> *
    0     0 REJECT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0        0.0.0.0/0       135 -> *
 271K  206M ACCEPT all  ------ 0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0       n/a

Chain fairq (1 references):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source           destination     ports
    0     0 RETURN ospf ------ 0xFF 0x00 *      0x1          0.0.0.0/0        0.0.0.0/0       n/a
    0     0 RETURN ospf ------ 0xFF 0x00 *      0x1          0.0.0.0/0        0.0.0.0/0       n/a
    0     0 RETURN udp  ------ 0xFF 0x00 *      0x1          0.0.0.0/0        0.0.0.0/0       * -> 520
    0     0 RETURN udp  ------ 0xFF 0x00 *      0x1          0.0.0.0/0        0.0.0.0/0       520 -> *
    0     0 RETURN tcp  ------ 0xFF 0x00 *      0x1          0.0.0.0/0        0.0.0.0/0       * -> 179
    0     0 RETURN tcp  ------ 0xFF 0x00 *      0x1          0.0.0.0/0        0.0.0.0/0       179 -> *
    0     0 RETURN tcp  ------ 0xFF 0x00 *      0x1          0.0.0.0/0        0.0.0.0/0       * -> 53
    0     0 RETURN tcp  ------ 0xFF 0x00 *      0x1          0.0.0.0/0        0.0.0.0/0       53 -> *
 3748  239K RETURN udp  ------ 0xFF 0x00 *      0x1          0.0.0.0/0        0.0.0.0/0       * -> 53
 2323  191K RETURN udp  ------ 0xFF 0x00 *      0x1          0.0.0.0/0        0.0.0.0/0       53 -> *
    0     0 RETURN tcp  ------ 0xFF 0x00 *      0x2          0.0.0.0/0        0.0.0.0/0       * -> 23
    0     0 RETURN tcp  ------ 0xFF 0x00 *      0x2          0.0.0.0/0        0.0.0.0/0       23 -> *
  610 57768 RETURN tcp  ------ 0xFF 0x00 *      0x2          0.0.0.0/0        0.0.0.0/0       * -> 22
  473 64759 RETURN tcp  ------ 0xFF 0x00 *      0x2          0.0.0.0/0        0.0.0.0/0       22 -> *

fwmark rediraddr rport pcnt pref

prot localaddr    rediraddr     lport rport pcnt pref
UDP  68.80.68.190 192.168.2.253    53    53    9   10
TCP  68.80.68.190 192.168.2.253    25    25   10   10
TCP  68.80.68.190 192.168.2.253    80    80    1   10
TCP  68.80.68.190 192.168.2.253    53    53   10   10

Type Prot Low High Vis Hid Where Last CPto CPrt Timer Flags

/var/log/messages is 900 lines like this:

Oct 5 20:22:43 myrouter kernel: Packet log: input DENY eth0 PROTO=17 10.93.176.1:67 255.255.255.255:68 L=362 S=0x00 I=53087 F=0x0000 T=255 (#8)

If you could tell me how to suppress these messages, I would appreciate that also.

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
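For a reader working through a listing like the one in this post, here is an added example (not part of Bob's message, the Dachstein scripts, or the LEAF project) that cross-checks an `ipmasqadm portfw -l` table against the external interface's ipchains input chain. In the 2.2 ipchains packet path the input chain is evaluated before demasquerading, so a port-forwarded packet reaches the input chain still addressed to the public IP and public port; a portfw entry only takes effect if that chain ACCEPTs the protocol and port on the external interface before a DENY or REJECT matches it. The chain and table excerpts below are constructed from the post's listing, abridged to the rules that bear on the check. Only rules whose source is 0.0.0.0/0 are considered, because the anti-spoof rules keyed to specific source ranges do not affect a legitimate remote client; the interface name, local address and rule order are the only other inputs.

```python
"""Cross-check ipmasqadm portfw entries against an ipchains input chain.

Added example, not code from the leaf-user post or the Dachstein firewall
scripts.  Parses the output format of `ipchains -L input -v -n` and
`ipmasqadm portfw -l` and reports, per forwarded port, the first input-chain
verdict a remote client's packet would receive on the external interface.
"""
import re
from dataclasses import dataclass

# Constructed excerpt in the format of `ipchains -L input -v -n`, abridged
# from the post's listing to the rules that matter for the check.
INPUT_CHAIN = """\
Chain input (policy DENY: 3 packets, 754 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source    destination ports
    0     0 REJECT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0 0.0.0.0/0   * -> 113
 156K  194M ACCEPT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0 0.0.0.0/0   * -> 1024:65535
    1    75 ACCEPT udp  ------ 0xFF 0x00 eth0                0.0.0.0/0 0.0.0.0/0   * -> 53
    0     0 ACCEPT udp  ------ 0xFF 0x00 eth0                0.0.0.0/0 0.0.0.0/0   * -> 68
    0     0 DENY   udp  ------ 0xFF 0x00 eth0                0.0.0.0/0 0.0.0.0/0   * -> 67
  389 20212 DENY   all  ----l- 0xFF 0x00 eth0                0.0.0.0/0 0.0.0.0/0   n/a
 113K   13M ACCEPT all  ------ 0xFF 0x00 *                   0.0.0.0/0 0.0.0.0/0   n/a
"""

# Constructed excerpt in the format of `ipmasqadm portfw -l`.
PORTFW = """\
prot localaddr    rediraddr     lport rport pcnt pref
UDP  68.80.68.190 192.168.2.253    53    53    9   10
TCP  68.80.68.190 192.168.2.253    25    25   10   10
TCP  68.80.68.190 192.168.2.253    80    80    1   10
TCP  68.80.68.190 192.168.2.253    53    53   10   10
"""


@dataclass
class Rule:
    target: str   # ACCEPT / DENY / REJECT / MASQ ...
    proto: str    # tcp / udp / icmp / all ...
    ifname: str   # interface name or '*'
    src: str      # source as printed (CIDR or host)
    dst: str      # destination as printed
    dport: str    # '*', '53', '1024:65535', or 'n/a' when no port column


def parse_chain(text):
    """Return (policy, [Rule]) from `ipchains -L <chain> -v -n` output."""
    policy, rules = None, []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "pkts":          # blank or column header
            continue
        if t[0] == "Chain":
            m = re.search(r"policy (\w+)", line)
            policy = m.group(1) if m else None
            continue
        target, proto, ifname = t[2], t[3], t[7]
        # mark/outsize print blank unless set, so anchor on the trailing fields
        if t[-1] == "n/a":
            src, dst, dport = t[-3], t[-2], "n/a"
        else:                                # "... source destination sport -> dport"
            src, dst, dport = t[-5], t[-4], t[-1]
        rules.append(Rule(target, proto, ifname, src, dst, dport))
    return policy, rules


def port_matches(spec, port):
    """True if an ipchains destination-port spec covers the given port."""
    if spec in ("n/a", "*"):
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def verdict(policy, rules, iface, proto, port, local_ip):
    """Target of the first rule hit by a remote client's packet to
    local_ip:port arriving on iface, or the chain policy if none matches."""
    for r in rules:
        if r.ifname not in ("*", iface) or r.proto not in ("all", proto):
            continue
        if r.src != "0.0.0.0/0":             # anti-spoof rules keyed to a source range
            continue
        if r.dst not in ("0.0.0.0/0", local_ip) or not port_matches(r.dport, port):
            continue
        return r.target
    return f"policy {policy}"


def parse_portfw(text):
    """Return [(proto, localaddr, lport)] from `ipmasqadm portfw -l` output."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if t and t[0] != "prot":
            entries.append((t[0].lower(), t[1], int(t[3])))
    return entries


def audit(chain_text, portfw_text, iface):
    """Map each forwarded (proto, public port) to its input-chain verdict."""
    policy, rules = parse_chain(chain_text)
    return {(proto, port): verdict(policy, rules, iface, proto, port, local)
            for proto, local, port in parse_portfw(portfw_text)}


if __name__ == "__main__":
    for (proto, port), v in audit(INPUT_CHAIN, PORTFW, "eth0").items():
        note = "" if v == "ACCEPT" else "   <-- forward never reached"
        print(f"{proto}/{port}: {v}{note}")
```

Running it against the constructed excerpt reports udp/53 as ACCEPT and the three TCP forwards as DENY, because the only TCP ACCEPT on eth0 covers 1024:65535 and the interface's catch-all DENY comes before the final ACCEPT-all rule. Feeding it the full listings from a router is the same call with the real `ipchains -L input -v -n` and `ipmasqadm portfw -l` text.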