We have the following network layout:

                     ------------
                    |  Internet  |
                     ------------
                           |
                           |
                           |(fxp4: 67.95.107.117)
                           |     : 67.95.107.111)
                           |     : et. al.)
                   ---------------------
                  |  External Firewall  |(vlan104: 192.168.13.81)
                  |      (hammer)       |----------
                   ---------------------           \
                                                   | (em0: 192.168.13.82)
                                           ---------------------
                                          |    External Mail    |
                                          |       (emma)        |
                                           ---------------------

hammer% ifconfig fxp4
fxp4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:07:e9:5d:62:f8
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 67.95.107.117 netmask 0xffffffe0 broadcast 67.95.107.127
        inet6 fe80::207:e9ff:fe5d:62f8%fxp4 prefixlen 64 scopeid 0x6
        inet 67.95.107.111 netmask 0xffffffff broadcast 67.95.107.111
        ...

I have the following pf.conf rules applicable to this setup:
  ext_if = "fxp4"
  mail_ip = "67.95.107.111"
  emma_gw = "192.168.13.82"

  set skip on { lo0 }

  rdr pass log on $ext_if inet proto tcp from any to $mail_ip \
    port = smtp -> $emma_gw

From the Internet, if I "telnet 67.95.107.111 25", everything works.
But, on hammer:
  hammer% telnet 67.95.107.111 25
  Trying 67.95.107.111...
  telnet: connect to address 67.95.107.111: Connection refused

Digging further:
  hammer% netstat -rn | grep 67.95.107.111
  67.95.107.111      127.0.0.1          UGHS        0      317  33224 lo0
  67.95.107.111/32   link#6             UC          0        0      - fxp4

So, I then did this:
  hammer% telnet 67.95.107.111 25
  Trying 67.95.107.111...
  telnet: connect to address 67.95.107.111: Connection refused

While running the telnet, tcpdump reported:
  hammer% tcpdump -n -i lo0
  18:06:44.364940 67.95.107.111.2877 > 67.95.107.111.25: S 71726850:71726850(0) win 16384 <mss 33184,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1184513159 0> (DF) [tos 0x10]
  18:06:44.364949 67.95.107.111.25 > 67.95.107.111.2877: R 0:0(0) ack 71726851 win 0 (DF)

Makes sense considering the netstat output. So, on hammer, how do I
get "telnet 67.95.107.111 25" working?

According to pf.conf(5):
     set skip on <ifspec>
           List interfaces for which packets should not be filtered.  Packets
           passing in or out on such interfaces are passed as if pf was dis-
           abled, i.e. pf does not process them in any way.  This can be use-
           ful on loopback and other virtual interfaces, when packet filtering
           is not desired and can have unexpected effects.  For example:

                 set skip on lo0

Is the standard solution to configure mail on hammer so delivery is
through 192.168.13.82, not 67.95.107.111?

-- 
albert chin ([EMAIL PROTECTED])
