> > Mike Lander wrote:
> > > 
> > >> I have a two-ISP setup that sends mail to another two-ISP firewall.
> > >> For illustration I will call the firewall with the mail server in its DMZ
> > >> using proxy ARP
> > >> (Firewall A). I will call the dependent firewall which sends mail to
> > >> Firewall A (Firewall B).
> > >> These two firewalls have an OpenVPN tunnel between them. Firewall B is
> > >> loc:10.5.198.0/24.
> > >>     What I would like to do is route any port 25 traffic from Firewall B
> > >> through OpenVPN
> > >> to Firewall A's mail server in its DMZ.
> > >> I am thinking that Firewall A will know to reply to 10.5.198.0/24
> > >> (Firewall B)
> > >> because of the entry in Firewall A's route rules, below.
> > >> -                        10.5.198.0/24           main            1000
> > >>
> > >> If this were possible, the statement below may make clear
> > >> what I want to do. As a reminder, the mail server is in Firewall A's DMZ.
> > >>
> > >> In tcrules, with eth1 local on Firewall B:
> > >>
> > >> tun4     eth1:<local subnet>      <mail servers FQIP>   tcp     25
> > >> I know the above won't work. What will?
> > >>
> > >>
> > >> Thanks
> > >> Mike
> > >>  
> > > 
> > > I just thought of this: instead of mangle tables, maybe just add this route?
> > > route add <65.42.53.203 mail server> 255.255.255.255 gw 172.16.1.2 (ip of
> > > firewall B tun)
> > > Just thought someone on this list may have done this through Shorewall.
> > 
> > You want to establish that route in the OpenVPN configuration using the
> > 'route' directive. Shorewall can't do anything for you since the OpenVPN
> > tunnel isn't one of the provider interfaces.
> > 
> 
> 
> Fixed with route add -net <FQIP Mail Host IP> 255.255.255.255 gw $5
> in my vpn.conf
> 
> However, I had to adjust my <vpn> to <dmz> policies before it would work.
> 
> Is it good practice to add vpn in providers?
> 
> Thanks 


< usually not

Tom

Thought I would wrap this up and report that the results came out very successful.
Now I found the offending machines in Firewall B that were sending spam out,
I suspect from a virus or trojan. This way the mail is more secure and the mail
server logs the NATted IP, so you can tell what's going on when you have mail from
different networks using your mail server.
    I just monitor their firewall; their admins now have to find the offending
machines.

Thank you,

Mike
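
Putting the two halves of the fix side by side, as an added illustration that is not configuration from this thread: an OpenVPN `route` directive on Firewall B that sends only the mail host down the tunnel (Tom's suggestion), and Shorewall entries on Firewall A that admit nothing but SMTP from the vpn zone into the dmz (the policy change Mike had to make). The mail host 65.42.53.203 and the LAN 10.5.198.0/24 are the values quoted above; zone names, interface names and the Firewall A tunnel route are assumptions.

```conf
# --- Firewall B: /etc/openvpn/vpn.conf (the end that originates the mail) ---
# OpenVPN installs this host route when the tunnel comes up and removes it
# when the tunnel drops. With no gateway given, the remote tunnel endpoint is
# used, which is the same address an up-script sees as $5 (ifconfig_remote_ip),
# so a hand-written "route add ... gw $5" is not needed.
route 65.42.53.203 255.255.255.255

# --- Firewall A: /etc/openvpn/vpn.conf (assumption: replies must find the LAN) ---
# Replies to Firewall B's LAN go back down the tunnel rather than out an ISP link.
route 10.5.198.0 255.255.255.0

# --- Firewall A: Shorewall ---
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
vpn     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
net     eth0
dmz     eth2
vpn     tun+                    # assumption: the tunnel device is tun*

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOG_LEVEL
# Default deny between the tunnel and the DMZ; anything the rules below do
# not admit is logged, which is what shows a compromised host probing past SMTP.
vpn     dmz     REJECT  info
dmz     vpn     REJECT  info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
#ACTION SOURCE              DEST                PROTO   DEST_PORT
# Only SMTP, only from Firewall B's LAN, only to the mail host.
ACCEPT  vpn:10.5.198.0/24   dmz:65.42.53.203    tcp     25
```

Run `shorewall check` before `shorewall restart` so a typo in these files does not leave the firewall with no policy loaded.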



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
