Kwon wrote:
>> It's kind of hard to say exactly what rule you need without more info,
>> but it looks like you're trying to talk to the mail server using the
>> public IP of your firewall.  If you want this to work, you'll have to
>> craft a shorewall rule that allows DMZ -> firewall traffic on port 25,
>> and you may have to craft some custom tweaks, as well (looping through
>> the firewall and back to the same network is not usually done, and since
>> I haven't personally done this, I can't tell you exactly what rule(s)
>> you might need).
>> 
> You have described my problem precisely! Currently I have a rule:
> DNAT net dmz:192.168.73.76 tcp 25,80,110,143,443 - $IP_QC
> to allow net traffic to the dmz. But this rule does not allow traffic
> from dmz -> firewall -> DNAT -> dmz?

It looks like your rule allows connections from the zone 'net', but
your DMZ system is probably trying to connect from a different zone
(usually 'dmz').  You either need to change the from zone to 'all', or
make a separate rule for DMZ traffic.  This may be enough to get things
working, or you may need some odd routing/rules for the return traffic.

If the mail server sees the connection coming from your private IP DMZ
range, it will try to send the traffic directly back to the asterisk
box, bypassing the firewall.  This will confuse the asterisk box, which
will be expecting the return traffic to have the public IP of your
firewall.  If you run into this, you'll either have to craft some rule
on the firewall to masq the traffic, or set up some odd routing rules on
the mail system.

>> I'd personally recommend you configure your asterisk box to talk to the
>> private IP of the gentoo mail server directly, rather than try to relay
>> traffic through the firewall, which is inefficient and may require
>> custom tweaks.
>> 
> I am trying to do that at the moment; but the Trixbox/Asterisk box
> uses sendmail, and the following rule in /etc/mail/sendmail.rc:
> define(`SMART_HOST',`192.168.73.76')
> may or may not work? I use Postfix mostly and am not sure if the
> above works? I will ask in another mailing list.

I'm not a sendmail guru, but you don't necessarily need to use sendmail
configs to fix this (although setting up sendmail to use a smarthost is
heading down the right path if you choose to go that route).

The more 'correct' solution is to fix the problem using name resolution.
Basically, anyone *NOT* on your DMZ should get the public IP of your
firewall when looking up your mail server, and hosts on the DMZ should
get the private IP address.

You can do this using split zones (in bind 9) or something as simple as
an entry in /etc/hosts on the asterisk box.  Just make my.mailserver.com
(or whatever) resolve to 192.168.73.76 on your asterisk box.  Make sure
to do this for all domain name(s) that might be used for mail.

> Thanks Charles for your help and btw, how are the twins?

Growing up fast!  They turn 4 this July, and so far 3-1/2 has been a
really fun age.  :)

-- 
Charles Steinkuehler
[EMAIL PROTECTED]
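As an added example (not from Charles's message, and not the Shorewall project's own documentation), here are the two approaches discussed above written out as configuration fragments for Kwon's setup. The DMZ interface name, the firewall's DMZ-side address and the hostname my.mailserver.com are placeholders; $IP_QC and 192.168.73.76 are taken from the thread.

```text
# --- Approach 1: hairpin ("loopback") DNAT through the firewall ---
#
# /etc/shorewall/rules
# A DNAT rule whose SOURCE is the dmz zone, so connections the asterisk
# box makes to the firewall's public address are redirected back to the
# mail server. Kwon's existing rule only matches SOURCE 'net'.
#ACTION  SOURCE  DEST                 PROTO  DEST    SOURCE  ORIGINAL
#                                            PORT(S) PORT(S) DEST
DNAT     dmz     dmz:192.168.73.76    tcp    25      -       $IP_QC

# /etc/shorewall/masq
# Without this, the mail server sees the connection from 192.168.73.x,
# replies straight to the asterisk box, and the asterisk box drops the
# reply because it expected it to come from $IP_QC (the problem Charles
# describes). Rewriting the source to the firewall's own DMZ address
# forces the return path back through the firewall.
#INTERFACE   SOURCE             ADDRESS
DMZ_IF       192.168.73.0/24    FW_DMZ_ADDR    # placeholders: DMZ
                                               # interface and the
                                               # firewall's IP on it

# --- Approach 2: split name resolution (the 'correct' fix) ---
#
# /etc/hosts on the asterisk box: hosts inside the DMZ resolve the mail
# server's name to its private address and never touch the firewall;
# hosts outside the DMZ keep resolving it to $IP_QC via public DNS.
# Repeat for every name that mail might be sent through.
192.168.73.76   my.mailserver.com
```

After changing the Shorewall files, run `shorewall check` before `shorewall restart`; with approach 2 no firewall change is needed, and `getent hosts my.mailserver.com` on the asterisk box should return 192.168.73.76.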

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/