Ray,
Sorry I was not clearer about the overall config. Comments inline.

>Kory -- Because (I think) your setup involves two separate LEAF
>systems --
>one running as a router/firewall, the other as a DMZ/Qmail server --
>you
>might want to be a bit clearer about which system you are reporting
>each
>detail about. For example:
>
>>>Local mail client is at 192.168.1.1 qmail is on the dmz host at
>>>192.168.10.1 The dmz host is running Bering 1.2 without
>>>shorewall.
>>>hosts.allow is set to all:all
>
>This setting is relevant (and for the purposes at hand, correct) on
>the
>DMZ/Qmail server but not on the router.

Correct. 192.168.1.1 is a Win2K machine using Pocomail.

>>>I have these rules set in /etc/shorewall/rules
>>>ACCEPT loc dmz tcp 110
>>>ACCEPT loc dmz udp 110
>>>ACCEPT dmz loc tcp 110
>>>ACCEPT dmz loc udp 110
>>>to allow pop3 access and the shorewall logs do not show anything
>>>after I
>>>make the attempt.
>
>But this information makes sense only with respect to the router
>(since the
>DMZ host is, as you say, not running Shorewall).

Correct assumption.

>As to the rules themselves, the first two are fine: they will get
>port-110
>traffic *to* the DMZ as you intend. They are probably sufficient to
>get the
>return traffic to the LAN (since Shorewall normally handles
>responses to
>ACCEPTed traffic right).

My thought as well but I added the others in case.

>But if not, the latter two don't do the
>job,
>because they ACCEPT traffic *to* port 110 on the LAN, not *from*
>port 110
>on the DMZ. I'm not the best source for Shorewall rules, but I think
>that
>in order to ACCEPT traffic *from* DMZ port 110, the rules need to be:
>
>ACCEPT dmz loc tcp - 110
>ACCEPT dmz loc udp - 110
>
>(the added - skips the dport value and puts the 110 into the sport
>location).

I can change them, but I agree they are most likely unneeded.

>The Shorewall logs are helpful here but not definitive. Much better
>is to
>run "status shorewall" before and after an unsuccessful attempt to
>connect
>and see what rules are being incremented.

I reset the counters and tried to connect. Shorewall status afterward shows:

Shorewall-1.4.2 Status at markii - Sun Dec 21 16:49:15 UTC 2003

Counters reset Sun Dec 21 16:47:00 UTC 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
state INVALID
    9   639 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   21  3966 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 1212  212K eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    7   496 eth2_in    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:INPUT:REJECT:' queue_threshold 1
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
state INVALID
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    5   208 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    3   168 eth2_fwd   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:FORWARD:REJECT:' queue_threshold 1
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
state INVALID
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0          
udp dpts:67:68
    9   639 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
 1252  419K all2all    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    7   580 all2all    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:OUTPUT:REJECT:' queue_threshold 1
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (7 references)
 pkts bytes target     prot opt in     out     source               destination
 1256  419K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp flags:!0x16/0x02
    3   213 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:all2all:REJECT:' queue_threshold 1
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          
udp dpts:137:139
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          
udp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:139
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          
udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:113
    3   213 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          
udp spt:53 state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.1.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.10.255

Chain dmz2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp dpt:53
    7   496 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW udp dpt:53
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dmz2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   168 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp dpt:110
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW udp dpt:110
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dmz2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW udp dpt:53
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW
    0     0 net2all    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 net2dmz    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   21  3966 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    8  2770 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          
udp dpts:67:68
   13  1196 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW
   13  1196 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   208 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    5   208 loc2dmz    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1212  212K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1212  212K loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth2_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   168 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 dmz2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    3   168 dmz2loc    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain eth2_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    7   496 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    7   496 dmz2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW udp dpt:53
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain loc2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   160 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp dpt:23
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp dpt:22
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp dpt:110
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW udp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.1       
state NEW tcp dpt:80
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1212  212K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW udp dpt:137
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW udp dpt:138
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp dpt:139
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (30 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:rfc1918:DROP:' queue_threshold 1
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:net2all:DROP:' queue_threshold 1
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.1       
state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.1       
state NEW tcp dpt:25
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.10.1       
state NEW udp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.1       
state NEW tcp dpt:110
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.10.1       
state NEW udp dpt:110
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp flags:!0x16/0x02
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp dpt:67
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp dpt:68
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW tcp dpt:4662
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          
state NEW udp dpt:4662
   13  1196 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
icmp type 8
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain newnotsyn (11 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (10 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
reject-with icmp-port-unreachable

Chain rfc1918 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       all  --  *      *       169.254.0.0/16       0.0.0.0/0
    0     0 logdrop    all  --  *      *       172.16.0.0/12        0.0.0.0/0
    0     0 logdrop    all  --  *      *       192.0.2.0/24         0.0.0.0/0
    0     0 logdrop    all  --  *      *       192.168.0.0/16       0.0.0.0/0
    0     0 logdrop    all  --  *      *       0.0.0.0/7            0.0.0.0/0
    0     0 logdrop    all  --  *      *       2.0.0.0/8            0.0.0.0/0
    0     0 logdrop    all  --  *      *       5.0.0.0/8            0.0.0.0/0
    0     0 logdrop    all  --  *      *       7.0.0.0/8            0.0.0.0/0
    0     0 logdrop    all  --  *      *       10.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       23.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       27.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       31.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       36.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       39.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       41.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       42.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       49.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       50.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       58.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       60.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       70.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       72.0.0.0/5           0.0.0.0/0
    0     0 logdrop    all  --  *      *       83.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       84.0.0.0/6           0.0.0.0/0
    0     0 logdrop    all  --  *      *       88.0.0.0/5           0.0.0.0/0
    0     0 logdrop    all  --  *      *       96.0.0.0/3           0.0.0.0/0
    0     0 logdrop    all  --  *      *       127.0.0.0/8          0.0.0.0/0
    0     0 logdrop    all  --  *      *       197.0.0.0/8          0.0.0.0/0
    0     0 logdrop    all  --  *      *       198.18.0.0/15        0.0.0.0/0
    0     0 logdrop    all  --  *      *       201.0.0.0/8          0.0.0.0/0
    0     0 logdrop    all  --  *      *       240.0.0.0/4          0.0.0.0/0

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Dec 21 16:33:45 all2all:REJECT: IN=eth1 OUT= SRC=192.168.1.5 DST=192.168.1.254 LEN=328 
TOS=00 PREC=0x00 TTL=128 ID=32068 PROTO=UDP SPT=68 DPT=67 LEN=308
Dec 21 16:33:55 all2all:REJECT: IN= OUT=eth1 SRC=192.168.1.254 DST=192.168.1.5 LEN=328 
TOS=00 PREC=0x00 TTL=64 ID=20606 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Dec 21 16:35:40 all2all:REJECT: IN=eth1 OUT= SRC=192.168.1.5 DST=192.168.1.254 LEN=328 
TOS=00 PREC=0x00 TTL=128 ID=32075 PROTO=UDP SPT=68 DPT=67 LEN=308
Dec 21 16:35:43 all2all:REJECT: IN= OUT=eth1 SRC=192.168.1.254 DST=192.168.1.5 LEN=328 
TOS=00 PREC=0x00 TTL=64 ID=43237 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Dec 21 16:35:43 all2all:REJECT: IN=eth1 OUT= SRC=192.168.1.5 DST=192.168.1.254 LEN=328 
TOS=00 PREC=0x00 TTL=128 ID=32076 PROTO=UDP SPT=68 DPT=67 LEN=308
Dec 21 16:35:52 all2all:REJECT: IN= OUT=eth1 SRC=192.168.1.254 DST=192.168.1.5 LEN=328 
TOS=00 PREC=0x00 TTL=64 ID=47031 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Dec 21 16:35:52 all2all:REJECT: IN=eth1 OUT= SRC=192.168.1.5 DST=192.168.1.254 LEN=328 
TOS=00 PREC=0x00 TTL=128 ID=32078 PROTO=UDP SPT=68 DPT=67 LEN=308
Dec 21 16:36:02 all2all:REJECT: IN= OUT=eth1 SRC=192.168.1.254 DST=192.168.1.5 LEN=328 
TOS=00 PREC=0x00 TTL=64 ID=51661 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Dec 21 16:36:44 all2all:REJECT: IN=eth1 OUT= SRC=192.168.1.5 DST=192.168.1.254 LEN=328 
TOS=00 PREC=0x00 TTL=128 ID=32081 PROTO=UDP SPT=68 DPT=67 LEN=308
Dec 21 16:36:47 all2all:REJECT: IN= OUT=eth1 SRC=192.168.1.254 DST=192.168.1.5 LEN=328 
TOS=00 PREC=0x00 TTL=64 ID=41397 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Dec 21 16:36:47 all2all:REJECT: IN=eth1 OUT= SRC=192.168.1.5 DST=192.168.1.254 LEN=328 
TOS=00 PREC=0x00 TTL=128 ID=32082 PROTO=UDP SPT=68 DPT=67 LEN=308
Dec 21 16:36:56 all2all:REJECT: IN= OUT=eth1 SRC=192.168.1.254 DST=192.168.1.5 LEN=328 
TOS=00 PREC=0x00 TTL=64 ID=64827 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Dec 21 16:36:56 all2all:REJECT: IN=eth1 OUT= SRC=192.168.1.5 DST=192.168.1.254 LEN=328 
TOS=00 PREC=0x00 TTL=128 ID=32084 PROTO=UDP SPT=68 DPT=67 LEN=308
Dec 21 16:37:06 all2all:REJECT: IN= OUT=eth1 SRC=192.168.1.254 DST=192.168.1.5 LEN=328 
TOS=00 PREC=0x00 TTL=64 ID=56671 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Dec 21 16:37:17 all2all:REJECT: IN=eth1 OUT= SRC=192.168.1.5 DST=192.168.1.254 LEN=328 
TOS=00 PREC=0x00 TTL=128 ID=32085 PROTO=UDP SPT=68 DPT=67 LEN=308
Dec 21 16:37:20 all2all:REJECT: IN= OUT=eth1 SRC=192.168.1.254 DST=192.168.1.5 LEN=328 
TOS=00 PREC=0x00 TTL=64 ID=44447 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Dec 21 16:37:20 all2all:REJECT: IN=eth1 OUT= SRC=192.168.1.5 DST=192.168.1.254 LEN=328 
TOS=00 PREC=0x00 TTL=128 ID=32086 PROTO=UDP SPT=68 DPT=67 LEN=308
Dec 21 16:37:27 all2all:REJECT: IN= OUT=eth1 SRC=192.168.1.254 DST=192.168.1.5 LEN=328 
TOS=00 PREC=0x00 TTL=64 ID=39567 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Dec 21 16:37:37 all2all:REJECT: IN= OUT=eth1 SRC=192.168.1.254 DST=192.168.1.5 LEN=328 
TOS=00 PREC=0x00 TTL=64 ID=37183 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Dec 21 16:40:20 net2all:DROP: IN=eth0 OUT= SRC=63.236.29.228 DST=24.210.193.152 
LEN=404 TOS=00 PREC=0x00 TTL=113 ID=27605 PROTO=UDP SPT=4555 DPT=1434 LEN=384

NAT Table

Chain PREROUTING (policy ACCEPT 23 packets, 2420 bytes)
 pkts bytes target     prot opt in     out     source               destination
   15  1876 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    1    48 loc_dnat   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 10 packets, 687 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 12 packets, 852 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       192.168.1.0/24       0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       192.168.10.0/24      0.0.0.0/0

Chain loc_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            24.210.193.152     
tcp dpt:80 to:192.168.10.1:80

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:80 to:192.168.10.1:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:25 to:192.168.10.1
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          
udp dpt:25 to:192.168.10.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:110 to:192.168.10.1
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          
udp dpt:110 to:192.168.10.1

Mangle Table

Chain PREROUTING (policy ACCEPT 1257 packets, 218K bytes)
 pkts bytes target     prot opt in     out     source               destination
   21  3966 man1918    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0          
state NEW
 1257  218K pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 1249 packets, 218K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 8 packets, 376 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1268 packets, 420K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1268  420K outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 1273 packets, 420K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain logdrop (30 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:man1918:DROP:' queue_threshold 1
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain man1918 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    8  2770 RETURN     all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            169.254.0.0/16
    0     0 logdrop    all  --  *      *       0.0.0.0/0            172.16.0.0/12
    0     0 logdrop    all  --  *      *       0.0.0.0/0            192.0.2.0/24
    0     0 logdrop    all  --  *      *       0.0.0.0/0            192.168.0.0/16
    0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            2.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            5.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            7.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            10.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            23.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            27.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            31.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            36.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            39.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            41.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            42.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            49.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            50.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            58.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            60.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            70.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            72.0.0.0/5
    0     0 logdrop    all  --  *      *       0.0.0.0/0            83.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            84.0.0.0/6
    0     0 logdrop    all  --  *      *       0.0.0.0/0            88.0.0.0/5
    0     0 logdrop    all  --  *      *       0.0.0.0/0            96.0.0.0/3
    0     0 logdrop    all  --  *      *       0.0.0.0/0            127.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            197.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            198.18.0.0/15
    0     0 logdrop    all  --  *      *       0.0.0.0/0            201.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            240.0.0.0/4

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          
tcp dpt:20 TOS set 0x08

tcp      6 118 TIME_WAIT src=192.168.1.1 dst=192.168.10.1 sport=2805 dport=110 src=192.168.10.1 dst=192.168.1.1 sport=110 dport=2805 [ASSURED] use=1
tcp      6 430346 ESTABLISHED src=192.168.1.1 dst=192.168.10.1 sport=2672 dport=22 src=192.168.10.1 dst=192.168.1.1 sport=22 dport=2672 [ASSURED] use=1
tcp      6 431998 ESTABLISHED src=192.168.1.1 dst=192.168.1.254 sport=2531 dport=139 src=192.168.1.254 dst=192.168.1.1 sport=139 dport=2531 [ASSURED] use=1
udp      17 153 src=192.168.1.5 dst=192.168.1.254 sport=1026 dport=53 src=192.168.1.254 dst=192.168.1.5 sport=53 dport=1026 [ASSURED] use=1
udp      17 6 src=192.168.10.1 dst=192.168.1.254 sport=10714 dport=53 src=192.168.1.254 dst=192.168.10.1 sport=53 dport=10714 use=1
udp      17 12 src=10.44.128.1 dst=255.255.255.255 sport=67 dport=68 [UNREPLIED] src=255.255.255.255 dst=10.44.128.1 sport=68 dport=67 use=1
udp      17 6 src=192.168.10.1 dst=192.168.10.254 sport=26651 dport=53 [UNREPLIED] src=192.168.10.254 dst=192.168.10.1 sport=53 dport=26651 use=1
tcp      6 431858 ESTABLISHED src=192.168.1.6 dst=192.168.1.254 sport=1430 dport=139 src=192.168.1.254 dst=192.168.1.6 sport=139 dport=1430 [ASSURED] use=1


>
>>tcpdump shows this
>
>This is the key one -- where are you running tcpdump? The DMZ host?
>The
>router? The client? A fourth machine (on the DMZ or the LAN)?
>
>If this is from the router, or from any host on the LAN side, it
>pretty
>much indicates that the router is not the problem. But if it is from
>the
>DMZ host, then it does not indicate whether the POP responses are
>making
>it back to the LAN.

It was on the DMZ host. I ran tcpdump -s 2048 -Xni eth2 host 192.168.10.1 > trace2.txt 
on the router and got
16:37:26.521575 192.168.1.1.2797 > 192.168.10.1.110: S 2189510220:2189510220(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 b294 4000 7f06 bce0 c0a8 0101        E..0..@.........
0x0010   c0a8 0a01 0aed 006e 8281 464c 0000 0000        .......n..FL....
0x0020   7002 ffff 22a4 0000 0204 05b4 0101 0402        p..."...........
16:37:26.521848 192.168.10.1.110 > 192.168.1.1.2797: S 1587026467:1587026467(0) ack 2189510221 win 5840 <mss 1460,nop,nop,sackOK> (DF)
0x0000   4500 0030 436f 4000 4006 6b06 c0a8 0a01        E..0Co@.@.k.....
0x0010   c0a8 0101 006e 0aed 5e98 1a23 8281 464d        .....n..^..#..FM
0x0020   7012 16d0 9307 0000 0204 05b4 0101 0402        p...............
16:37:26.522554 192.168.1.1.2797 > 192.168.10.1.110: . ack 1 win 65535 (DF)
0x0000   4500 0028 b296 4000 7f06 bce6 c0a8 0101        E..(..@.........
0x0010   c0a8 0a01 0aed 006e 8281 464d 5e98 1a24        .......n..FM^..$
0x0020   5010 ffff d69b 0000                            P.......
16:37:26.524013 192.168.10.1.59258 > 192.168.1.254.53:  28701+ PTR? 1.10.168.192.in-addr.arpa. (43) (DF)
0x0000   4500 0047 5aa7 4000 4011 52af c0a8 0a01        E..GZ.@.@.R.....
0x0010   c0a8 01fe e77a 0035 0033 cd7e 701d 0100        .....z.5.3.~p...
0x0020   0001 0000 0000 0000 0131 0231 3003 3136        .........1.10.16
0x0030   3803 3139 3207 696e 2d61 6464 7204 6172        8.192.in-addr.ar
0x0040   7061 0000 0c00 01                              pa.....
16:37:29.546815 192.168.10.1.58547 > 192.168.10.254.53:  64722+ PTR? 1.10.168.192.in-addr.arpa. (43) (DF)
0x0000   4500 0047 51bd 4000 4011 5299 c0a8 0a01        E..GQ.@.@.R.....
0x0010   c0a8 0afe e4b3 0035 0033 3a90 fcd2 0100        .......5.3:.....
0x0020   0001 0000 0000 0000 0131 0231 3003 3136        .........1.10.16
0x0030   3803 3139 3207 696e 2d61 6464 7204 6172        8.192.in-addr.ar
0x0040   7061 0000 0c00 01                              pa.....
16:37:29.547086 192.168.10.254 > 192.168.10.1: icmp: 192.168.10.254 udp port 53 unreachable [tos 0xc0]
0x0000   45c0 0063 c3cf 0000 4001 1fbb c0a8 0afe        E..c....@.......
0x0010   c0a8 0a01 0303 9391 0000 0000 4500 0047        ............E..G
0x0020   51bd 4000 4011 5299 c0a8 0a01 c0a8 0afe        Q.@.@.R.........
0x0030   e4b3 0035 0033 3a90 fcd2 0100 0001 0000        ...5.3:.........
0x0040   0000 0000 0131 0231 3003 3136 3803 3139        .....1.10.168.19
0x0050   3207 696e 2d61 6464 7204 6172 7061 0000        2.in-addr.arpa..
0x0060   0c00 01                                        ...
16:37:31.515962 arp who-has 192.168.10.1 tell 192.168.10.254
0x0000   0001 0800 0604 0001 0060 97df a77e c0a8        .........`...~..
0x0010   0afe 0000 0000 0000 c0a8 0a01                  ............
16:37:31.516087 arp reply 192.168.10.1 is-at 0:50:ba:af:a6:25
0x0000   0001 0800 0604 0002 0050 baaf a625 c0a8        .........P...%..
0x0010   0a01 0060 97df a77e c0a8 0afe 44b2 0100        ...`...~....D...
0x0020   0001 0000 0000 0000 0131 0131 0331             .........1.1.1
16:37:40.580296 192.168.10.1.54330 > 192.168.1.254.53:  50865+ PTR? 1.10.168.192.in-addr.arpa. (43) (DF)
0x0000   4500 0047 278a 4000 4011 85cc c0a8 0a01        E..G'.@.@.......
0x0010   c0a8 01fe d43a 0035 0033 8a2a c6b1 0100        .....:.5.3.*....
0x0020   0001 0000 0000 0000 0131 0231 3003 3136        .........1.10.16
0x0030   3803 3139 3207 696e 2d61 6464 7204 6172        8.192.in-addr.ar


>
>With respect to the router part, I can tell you that here (a Linux
>router,
>but not Bering or Shorewall), the only firewall rules I need to get
>POP3
>access are
>
>one that ACCEPTs dport 110 packets from the LAN to the DMZ
>one that ACCEPTs state ESTABLISHED packets from the DMZ to the
>LAN
>
>Of course, my rulesets overall are quite a bit different from the
>ones
>Shorewall generates ... but they do suggest that in the absence of
>specific
>DROP rules, some very basic rules are enough.
>
>As to Lynn's comments ... I assume "lrpqmail" is a test username you
>are
>using, so you have met the directory requirement. His suggestion to
>connect
>via telnet is a good one, but it does require that you know POP3
>command
>syntax. Thankfully, the basics are not very complicated. For a quick
>test,
>after the telnet connection is made, you want to try this sequence
>of commands:
>
>USER lrpqmail
>PASS <whatever the password is>
>LIST                            (this one lists messages waiting
>
>for download)
>RETR <something>                (will retrieve a specific message
>
>from the LIST response)
>QUIT
>

Where can I get a telnet.lrp package? I have ssh running on the DMZ host but not 
telnet.

>I'm not bothering with the corresponding detail for an SMTP
>connection,
>because your report seems to say that the SMTP connection does work.
>

If you make it through all this you are way too nice a guy. But I appreciate your 
help. :-)

Kory
<SNIPPED>
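Editor's note, added example (not code from the thread or from LEAF/Shorewall): a small parser for the /proc/net/ip_conntrack table Kory pasted above. Conntrack marks an entry [UNREPLIED] until it has seen a packet in the reply direction and [ASSURED] once the connection is fully established (for TCP, after the handshake), so the flags on the dport=110 entry say whether the router passed the POP3 reply without needing a capture. The sample input is the table from the message, rejoined one entry per line; the Flow fields and helper names are this example's own.

```python
"""Parse ip_conntrack entries and report which flows saw a reply.

Added example, not code from the thread. Sample input is the conntrack
table pasted above, one entry per line. [UNREPLIED] means no packet has
been seen in the reply direction; [ASSURED] means the connection is fully
established (for TCP, after the three-way handshake).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    proto: str
    timeout: int
    state: Optional[str]   # TCP only: SYN_SENT, ESTABLISHED, TIME_WAIT, ...
    src: str
    dst: str
    sport: int
    dport: int
    reply_src: str
    reply_dst: str
    unreplied: bool        # nothing seen in the reply direction yet
    assured: bool          # established; not evicted under table pressure


def parse_conntrack_line(line: str) -> Flow:
    """Parse one 2.4-style ip_conntrack line; extra key=value fields are tolerated."""
    tokens = line.split()
    proto, timeout = tokens[0], int(tokens[2])
    idx, state = 3, None
    if proto == "tcp":                 # TCP entries carry the state after the timeout
        state, idx = tokens[3], 4
    tuples, flags, cur = [], set(), {}
    for tok in tokens[idx:]:
        if tok.startswith("[") and tok.endswith("]"):
            flags.add(tok[1:-1])
        elif "=" in tok:
            key, value = tok.split("=", 1)
            if key == "src" and cur:   # a second src= starts the reply tuple
                tuples.append(cur)
                cur = {}
            cur[key] = value
    tuples.append(cur)
    if len(tuples) != 2:
        raise ValueError(f"expected original and reply tuple: {line!r}")
    orig, reply = tuples
    return Flow(
        proto=proto, timeout=timeout, state=state,
        src=orig["src"], dst=orig["dst"],
        sport=int(orig.get("sport", 0)), dport=int(orig.get("dport", 0)),
        reply_src=reply["src"], reply_dst=reply["dst"],
        unreplied="UNREPLIED" in flags, assured="ASSURED" in flags,
    )


def parse_conntrack(text: str) -> List[Flow]:
    return [parse_conntrack_line(ln) for ln in text.splitlines() if ln.strip()]


def flows_to_port(flows: List[Flow], dport: int, proto: str = "tcp") -> List[Flow]:
    """Entries whose original direction targets dport, e.g. the LAN->DMZ POP3 attempt."""
    return [f for f in flows if f.proto == proto and f.dport == dport]


def describe(flow: Flow) -> str:
    verdict = "no reply seen" if flow.unreplied else ("established" if flow.assured else "reply seen")
    state = f" {flow.state}" if flow.state else ""
    return (f"{flow.proto}{state} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} "
            f"[{verdict}] expires in {flow.timeout}s")


# Sample input: the ip_conntrack table from the message above, one entry per line.
SAMPLE_CONNTRACK = """\
tcp      6 118 TIME_WAIT src=192.168.1.1 dst=192.168.10.1 sport=2805 dport=110 src=192.168.10.1 dst=192.168.1.1 sport=110 dport=2805 [ASSURED] use=1
tcp      6 430346 ESTABLISHED src=192.168.1.1 dst=192.168.10.1 sport=2672 dport=22 src=192.168.10.1 dst=192.168.1.1 sport=22 dport=2672 [ASSURED] use=1
tcp      6 431998 ESTABLISHED src=192.168.1.1 dst=192.168.1.254 sport=2531 dport=139 src=192.168.1.254 dst=192.168.1.1 sport=139 dport=2531 [ASSURED] use=1
udp      17 153 src=192.168.1.5 dst=192.168.1.254 sport=1026 dport=53 src=192.168.1.254 dst=192.168.1.5 sport=53 dport=1026 [ASSURED] use=1
udp      17 6 src=192.168.10.1 dst=192.168.1.254 sport=10714 dport=53 src=192.168.1.254 dst=192.168.10.1 sport=53 dport=10714 use=1
udp      17 12 src=10.44.128.1 dst=255.255.255.255 sport=67 dport=68 [UNREPLIED] src=255.255.255.255 dst=10.44.128.1 sport=68 dport=67 use=1
udp      17 6 src=192.168.10.1 dst=192.168.10.254 sport=26651 dport=53 [UNREPLIED] src=192.168.10.254 dst=192.168.10.1 sport=53 dport=26651 use=1
tcp      6 431858 ESTABLISHED src=192.168.1.6 dst=192.168.1.254 sport=1430 dport=139 src=192.168.1.254 dst=192.168.1.6 sport=139 dport=1430 [ASSURED] use=1
"""


if __name__ == "__main__":
    flows = parse_conntrack(SAMPLE_CONNTRACK)
    for f in flows:
        print(describe(f))
    print("POP3 attempts:", [describe(f) for f in flows_to_port(flows, 110)])
```

Run before and after a failed mail check and diff the output: an entry for dport=110 that is TIME_WAIT and [ASSURED], as above, means the router saw the SYN, the SYN-ACK and a clean close, so the two "ACCEPT dmz loc" rules are not what is missing. The two [UNREPLIED] entries in the sample are the DHCP broadcast and the DNS query to 192.168.10.254, which the capture shows being answered with port unreachable.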

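Editor's note, added example (not code from the thread, qmail or LEAF): the USER/PASS/LIST/QUIT sequence Ray describes can be run from any host with Python and no telnet client, which sidesteps the telnet.lrp question. The client below speaks plain RFC 1939 over a socket and returns the LIST result; host, port, user and password are caller-supplied. The one-connection server at the bottom is a constructed stand-in for the DMZ POP3 daemon so the example runs offline; the "lrpqmail" user comes from the thread, the "secret" password and message sizes are made up here.

```python
"""POP3 USER/PASS/LIST/QUIT check over a raw socket, no telnet needed.

Added example, not from the thread. pop3_check() does the hand test
described above and returns [(message_number, size), ...]; the fake server
is a constructed fixture so the example runs offline.
"""
import socket
import threading


class Pop3Error(Exception):
    """Server answered -ERR, or hung up, on one of the commands."""


class Pop3Client:
    def __init__(self, host, port=110, timeout=10.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")

    def _readline(self):
        raw = self.rfile.readline()
        if not raw:
            raise Pop3Error("connection closed by server")
        return raw.rstrip(b"\r\n").decode("ascii", "replace")

    def _expect_ok(self, context):
        reply = self._readline()
        if not reply.startswith("+OK"):
            raise Pop3Error(f"{context}: {reply}")
        return reply

    def _cmd(self, line):
        # Only the verb is used in error text, so a failed PASS never exposes the password.
        self.sock.sendall(line.encode("ascii") + b"\r\n")
        return self._expect_ok(line.split(" ", 1)[0])

    def login(self, user, password):
        self._expect_ok("greeting")          # server speaks first: +OK <banner>
        self._cmd(f"USER {user}")
        self._cmd(f"PASS {password}")

    def list_messages(self):
        """LIST: '+OK' then 'n size' lines, terminated by a lone '.'"""
        self._cmd("LIST")
        messages = []
        while (line := self._readline()) != ".":
            num, size = line.split()[:2]
            messages.append((int(num), int(size)))
        return messages

    def quit(self):
        try:
            self._cmd("QUIT")
        except (OSError, Pop3Error):
            pass                             # connection already broken; just close
        finally:
            self.sock.close()


def pop3_check(host, port, user, password, timeout=10.0):
    """Return the mailbox listing, or raise Pop3Error naming the failing command."""
    client = Pop3Client(host, port, timeout)
    try:
        client.login(user, password)
        return client.list_messages()
    finally:
        client.quit()


def start_fake_pop3(mailbox_sizes, password):
    """Constructed one-connection POP3 server on 127.0.0.1; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def send(conn, text):
        conn.sendall(text.encode("ascii") + b"\r\n")

    def serve():
        conn, _ = srv.accept()
        srv.close()
        rfile = conn.makefile("rb")
        send(conn, "+OK fake POP3 ready")
        authed = False
        while raw := rfile.readline():
            verb, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb == "USER":
                send(conn, "+OK")
            elif verb == "PASS":
                authed = arg == password
                send(conn, "+OK logged in" if authed else "-ERR authentication failed")
            elif verb == "LIST" and authed:
                send(conn, f"+OK {len(mailbox_sizes)} messages")
                for n, size in enumerate(mailbox_sizes, 1):
                    send(conn, f"{n} {size}")
                send(conn, ".")
            elif verb == "QUIT":
                send(conn, "+OK bye")
                break
            else:
                send(conn, "-ERR not permitted")
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_fake_pop3([1200, 3400], "secret")
    print(pop3_check("127.0.0.1", port, "lrpqmail", "secret"))
```

Against the real DMZ host the call is pop3_check("192.168.10.1", 110, "lrpqmail", password) from the Windows client or the router; a hang before the greeting, rather than a -ERR, points at the server side (the daemon itself, or whatever it does before it answers) rather than at the firewall rules.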



------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
