On Sun, 10 Dec 2000, David Dyer-Bennet wrote:

>  > # SMTP server (25)
>  > # ----------------
>  > ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
>  >      --source-port $UNPRIVPORTS \
>  >      -d $IPADDR 25 -j ACCEPT
>  > 
>  > ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
>  >       -s $IPADDR 25 \
>  >       --destination-port $UNPRIVPORTS -j ACCEPT
> 
> The ! -y means it's not open to *initiating* any outbound
> connections, doesn't it?  I'm not an ipchains expert, but I run it
> with some simple rules, and I double-checked the docs just now.

Yes, and it's supposed to be there.  (the rule says 'only allow traffic
from port 25 on my machine to an unprivileged port on someone else's
machine if it's part of a connection that's already been established')
 
> Also, this particular pair of rules doesn't allow a connection from
> port 25 here to port 25 elsewhere, or vice versa. 

Actually the rules needed were for connections from the local machine to
port 25 on a remote one since the above two rules only covered incoming
mail.

> Does qmail do that,
> or are the outbound connects always from non-priv ports?  And do
> *other* people do that, or are the inbound connects always from
> non-priv ports?

All the Unix MTAs I've encountered do (and the log fragments posted showed
the connection qmail was attempting originating from one).  On my own
server, I'd be tempted to leave out $UNPRIVPORTS (thus allowing all
possible ports implicitly) just in case though.

--Colin

Colin Palmer -- [EMAIL PROTECTED] -- http://raccoon.osoal.org.nz/
Systems Engineer -- [One Short Of A Llama] http://web.osoal.org.nz/ 
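To make the behaviour of these rules concrete, here is an added illustration (not the original poster's script and not ipchains itself): a small Python model of the matching that the quoted rules rely on, with chains, interface, TCP ports and the `-y` / `! -y` SYN test. It contains the two quoted incoming-mail rules plus an assumed second pair for outgoing mail in the same style, which the thread says was needed but never prints. The addresses, the interface name and the 1024-65535 range for $UNPRIVPORTS are constructed values.

```python
# Toy evaluator for ipchains-style rules; an added illustration, not ipchains
# and not the rule set from the thread. It models only what the SMTP rules
# use: chain, interface, protocol, host, port ranges and the SYN test.
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPADDR = "192.0.2.10"          # constructed: the local host
REMOTE = "198.51.100.7"        # constructed: some remote MTA
EXTERNAL_INTERFACE = "eth0"    # constructed interface name
UNPRIVPORTS = (1024, 65535)    # assumed value of $UNPRIVPORTS
ANY = (0, 65535)
P25 = (25, 25)


@dataclass
class Packet:
    chain: str      # "input" or "output"
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool       # True for a connection-opening packet (what "-y" matches)


@dataclass
class Rule:
    chain: str
    iface: str
    proto: str
    src: Optional[str]          # None means any host
    sports: Tuple[int, int]     # inclusive port range
    dst: Optional[str]
    dports: Tuple[int, int]
    syn: Optional[bool]         # True = "-y", False = "! -y", None = no SYN test
    target: str = "ACCEPT"

    def matches(self, p: Packet) -> bool:
        return (self.chain == p.chain and self.iface == p.iface
                and self.proto == p.proto
                and (self.src is None or self.src == p.src)
                and self.sports[0] <= p.sport <= self.sports[1]
                and (self.dst is None or self.dst == p.dst)
                and self.dports[0] <= p.dport <= self.dports[1]
                and (self.syn is None or self.syn == p.syn))


# The two rules quoted in the thread: remote client -> local port 25, and the
# replies from local port 25, which may not open connections ("! -y").
INCOMING_MAIL = [
    Rule("input", EXTERNAL_INTERFACE, "tcp", None, UNPRIVPORTS, IPADDR, P25, None),
    Rule("output", EXTERNAL_INTERFACE, "tcp", IPADDR, P25, None, UNPRIVPORTS, False),
]

# Assumed extra pair for outgoing mail (local MTA -> remote port 25), mirroring
# the quoted style; the thread says such rules were needed but does not show them.
OUTGOING_MAIL = [
    Rule("output", EXTERNAL_INTERFACE, "tcp", IPADDR, UNPRIVPORTS, None, P25, None),
    Rule("input", EXTERNAL_INTERFACE, "tcp", None, P25, IPADDR, UNPRIVPORTS, False),
]


def verdict(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; no match falls through to a DENY policy."""
    for r in rules:
        if r.matches(p):
            return r.target
    return "DENY"


def scenarios(rules: List[Rule]) -> dict:
    """Run the packets the thread talks about through a rule list."""
    e = EXTERNAL_INTERFACE
    return {
        # remote client opening a connection to our port 25
        "inbound_open": verdict(rules, Packet("input", e, "tcp", REMOTE, 40000, IPADDR, 25, True)),
        # our reply on that established connection
        "inbound_reply": verdict(rules, Packet("output", e, "tcp", IPADDR, 25, REMOTE, 40000, False)),
        # local port 25 trying to *initiate* a connection: stopped by "! -y"
        "port25_initiates": verdict(rules, Packet("output", e, "tcp", IPADDR, 25, REMOTE, 40000, True)),
        # local MTA (unprivileged source port) opening a connection to remote port 25
        "outbound_open": verdict(rules, Packet("output", e, "tcp", IPADDR, 45000, REMOTE, 25, True)),
        # the remote server's reply on that connection
        "outbound_reply": verdict(rules, Packet("input", e, "tcp", REMOTE, 25, IPADDR, 45000, False)),
        # a remote client connecting from a *privileged* source port, the case
        # dropping $UNPRIVPORTS would cover
        "inbound_open_privsrc": verdict(rules, Packet("input", e, "tcp", REMOTE, 1023, IPADDR, 25, True)),
    }


if __name__ == "__main__":
    for name, rules in (("incoming only", INCOMING_MAIL),
                        ("incoming + outgoing", INCOMING_MAIL + OUTGOING_MAIL)):
        print(name, scenarios(rules))
```

With only the quoted pair loaded, the outbound SYN to a remote port 25 and the reply to it both fall through to DENY, which is the situation the thread diagnoses; adding the second pair accepts them while port 25 on the local side still cannot initiate anything. The last scenario shows the effect of the `$UNPRIVPORTS` qualifier on a peer connecting from a low source port.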
