On Thu, 25 Dec 2003, Kory Krofft wrote:

I'll comment on the Shorewall configuration.

>
> /etc/shorewall/rules
>
> #ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  ORIGINAL
> #                                                       PORT    PORT(S) DEST
> #
> #       Accept DNS connections from the firewall to the network
> #
> DROP            net             fw              tcp     67,68

If the idea behind the above rule is to silently drop DHCP, the protocol
should be UDP.

> DROP            net             fw              tcp     4662
> DROP            net             fw              udp     4662
> DROP            net             fw              icmp    8
> ACCEPT          fw              net             tcp     80
> ACCEPT          fw              net             tcp     53
> ACCEPT          fw              net             udp     53
> ACCEPT          dmz             net             tcp     53
> ACCEPT          dmz             net             udp     53
> ACCEPT          dmz             fw              tcp     53
> ACCEPT          dmz             fw              udp     53
> #
> #       Accept SSH connections from the local network for administration of the DMZ
> #
> ACCEPT          loc             dmz             tcp     22
> #
> # Bering specific rules:
> # allow loc to fw udp/53 for dnscache to work
> # allow loc to fw tcp/80 for weblet to work
> #
> ACCEPT          loc             fw              udp     53
> ACCEPT          loc             fw              tcp     80
> #
> #Enable Samba ports
> ACCEPT          loc             fw              udp     137,138
> ACCEPT          loc             fw              tcp     139
> #
> #Open http and mail ports on dmz
> DNAT            net             dmz:192.168.10.1:80 tcp 80
> DNAT            net             dmz:192.168.10.1 tcp    25
> DNAT            net             dmz:192.168.10.1 udp    25

SMTP is TCP only. Also, you don't have a rule allowing you to send mail
from the DMZ.

> ACCEPT          dmz             fw              tcp    113 #Added for qmail reverse lookup

Surely Qmail isn't using Auth, is it?

> ACCEPT          loc             dmz             tcp     25
> ACCEPT          dmz             net             tcp    110
> ACCEPT          loc             dmz             tcp    110
> ACCEPT          loc             dmz             udp    110

Pop3 is TCP only.

> ACCEPT          loc             dmz             tcp     80
> DNAT            net             dmz:192.168.10.1 tcp   110
> DNAT            net             dmz:192.168.10.1 udp   110

Again, Pop3 is TCP only.

> DNAT            loc             dmz:192.168.10.1:80 tcp 80 - 24.210.193.152
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]


leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
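As an added example (not part of Tom's reply and not Shorewall's own code): a small Python checker that parses the first five columns of a Shorewall rules file (ACTION, SOURCE, DEST, PROTO, DEST PORT) and flags the mismatches pointed out above, namely DHCP on tcp instead of udp and SMTP/POP3 rules on udp, and that can also answer the "can the DMZ send mail?" question by looking for a dmz to net tcp/25 rule. The service table and the parsing are assumptions for this example (the real file has more columns and richer port syntax), and the sample rules are a constructed excerpt of the file posted in the thread.

```python
"""Lint a Shorewall /etc/shorewall/rules excerpt for protocol/port mismatches.

Added example, not Shorewall code. Only the first five columns are parsed
(ACTION SOURCE DEST PROTO DEST-PORT); extra columns such as SOURCE PORT and
ORIGINAL DEST are ignored, and only plain numeric ports are checked.
"""
from dataclasses import dataclass

# Assumption: a minimal table of services and the transport they actually use.
EXPECTED_PROTO = {
    22: {"tcp"},            # SSH
    25: {"tcp"},            # SMTP is TCP only
    53: {"tcp", "udp"},     # DNS uses both
    67: {"udp"},            # DHCP server (bootps)
    68: {"udp"},            # DHCP client (bootpc)
    80: {"tcp"},            # HTTP
    110: {"tcp"},           # POP3 is TCP only
    113: {"tcp"},           # ident/auth
    137: {"udp"}, 138: {"udp"}, 139: {"tcp"},   # NetBIOS
}

# Constructed excerpt of the posted rules file (line numbers start at 1).
SAMPLE_RULES = """\
#ACTION  SOURCE  DEST                 PROTO  DEST PORT
DROP     net     fw                   tcp    67,68
DROP     net     fw                   icmp   8
ACCEPT   fw      net                  tcp    53
ACCEPT   fw      net                  udp    53
ACCEPT   dmz     fw                   tcp    113   # qmail reverse lookup
DNAT     net     dmz:192.168.10.1:80  tcp    80
DNAT     net     dmz:192.168.10.1     tcp    25
DNAT     net     dmz:192.168.10.1     udp    25
ACCEPT   dmz     net                  tcp    110
ACCEPT   loc     dmz                  tcp    110
ACCEPT   loc     dmz                  udp    110
DNAT     net     dmz:192.168.10.1     tcp    110
DNAT     net     dmz:192.168.10.1     udp    110
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""


@dataclass
class Rule:
    lineno: int
    action: str
    source: str
    dest: str
    proto: str
    ports: list
    raw: str

    @property
    def dest_zone(self):
        # "dmz:192.168.10.1:80" -> "dmz"; a bare zone stays as is
        return self.dest.split(":", 1)[0]


def parse_rules(text):
    """Parse rule lines; comments, blank lines and the LAST LINE marker are skipped."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        fields = body.split()
        if len(fields) < 4:
            continue
        action, source, dest, proto = fields[:4]
        ports = []
        if len(fields) > 4 and fields[4] != "-":
            ports = [int(p) for p in fields[4].split(",") if p.isdigit()]
        rules.append(Rule(n, action.upper(), source, dest, proto.lower(), ports, body))
    return rules


def has_rule(rules, action, source, dest_zone, proto, port):
    """True if a rule with exactly this action/zones/proto/port exists."""
    return any(r.action == action and r.source == source and r.dest_zone == dest_zone
               and r.proto == proto and port in r.ports for r in rules)


def allows(rules, source, dest_zone, proto, port):
    """True if an ACCEPT or DNAT rule permits source -> dest_zone proto/port."""
    return any(has_rule(rules, a, source, dest_zone, proto, port) for a in ("ACCEPT", "DNAT"))


def lint(text):
    """Return (lineno, port, proto, suggestion) for every port on the wrong transport."""
    rules = parse_rules(text)
    findings = []
    for r in rules:
        if r.proto not in ("tcp", "udp"):
            continue
        for port in r.ports:
            expected = EXPECTED_PROTO.get(port)
            if not expected or r.proto in expected:
                continue
            right = sorted(expected)[0]
            # If the same rule already exists with the right transport, the bad
            # line is a duplicate to delete; otherwise its PROTO column is wrong.
            if has_rule(rules, r.action, r.source, r.dest_zone, right, port):
                hint = f"drop it, {right}/{port} rule already present"
            else:
                hint = f"change PROTO to {right}"
            findings.append((r.lineno, port, r.proto, hint))
    return findings


if __name__ == "__main__":
    for lineno, port, proto, hint in lint(SAMPLE_RULES):
        print(f"line {lineno}: {proto}/{port}: {hint}")
    if not allows(parse_rules(SAMPLE_RULES), "dmz", "net", "tcp", 25):
        print("no rule lets the DMZ mail server deliver outbound (dmz -> net tcp/25)")
```

Run against the excerpt it reports the tcp 67,68 line (change to udp) and the three udp 25 / udp 110 lines (duplicates of their tcp twins), and notes that nothing permits dmz to net on tcp/25, which is the missing outbound-mail rule. Extend EXPECTED_PROTO for your own services before relying on it for a real rules file.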