
RE: [cobalt-security] pmfirewall , IPCHAINS, CDONTS and mail forwarding



I'm pretty sure you're right, but I'll have to research how to do an NS
lookup from the command line later. 

I had to manually edit the pmfirewall.conf file, because when I had it
set to automatically detect IPs, it would lock all ports. Same thing
happens if I manually enter the IP for the nameserver ns.netriffic.net
as OUTERIP and OUTERIP1. The firewall only works if I omit the
nameserver IP from the top of the list. SO--what you say makes perfect
sense if the nameservers aren't part of the equation. Strange, I haven't
had this problem on the other box.

I haven't tried placing the nameservers in a different order in the
list. Maybe I should give that a try, but I think I need to change the
firewall settings first--so it doesn't start from boot. Don't want to
lock myself out.


OUTERIP=xxx.xxx.xxx.xxx
OUTERIP1= xxx.xxx.xxx.xxx
OUTERIP2= xxx.xxx.xxx.xxx
OUTERIP3= xxx.xxx.xxx.xxx
OUTERIP4= xxx.xxx.xxx.xxx
OUTERIP5= xxx.xxx.xxx.xxx
OUTERIP6= xxx.xxx.xxx.xxx
OUTERMASK=255.255.255.0
OUTERNET=$OUTERIP1/$OUTERMASK
OUTERNET2=$OUTERIP2/$OUTERMASK
OUTERNET3=$OUTERIP3/$OUTERMASK
OUTERNET4=$OUTERIP4/$OUTERMASK
OUTERNET5=$OUTERIP5/$OUTERMASK
OUTERNET6=$OUTERIP6/$OUTERMASK

I'll look for info on IPCHAINS and DNS.

Any other suggestions?

Thanks,

Sean 

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx] On Behalf Of Network
Manager
Sent: Monday, April 22, 2002 8:36 PM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-security] pmfirewall , IPCHAINS, CDONTS and mail
forwarding

Hi,

One word.. DNS.. is the mail server receiving mail at all or sending
mail at all? .. Reason I ask is, if your default input policy is DENY
then you need more than tcp/domain port to be open in order for DNS
to function. If DNS does not function on the RaQ then mail will not
work since you need a valid host name in order for mail to be
received or sent. (It won't send because it can't look up the name
you want to send it to. It won't receive because of anti-spam rules
in the mail server).

Try telnetting to the server and doing an NS Lookup. If it succeeds
then my theory is wrong. If it times out or fails outright then
do a google for DNS issues with IPChains Firewalls (I can't remember
what you need exactly for DNS to work but I think it's udp/domain)

Regards,

Michael Kovalik - Network Manager
Webdesign105.com Online Solutions

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Sean Ward
Sent: Tuesday, 23 April 2002 10:02
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: [cobalt-security] pmfirewall , IPCHAINS, CDONTS and mail
forwarding

I installed pmfirewall with this:

$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 25 -j ACCEPT
When pmfirewall is running, the mail won't forward

Any clues?
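
Added example, not part of the original thread and not pmfirewall's own code: a small first-match model of a stateless ipchains input chain with policy DENY, showing why a resolver's UDP answer is dropped until a udp/53 reply rule exists. The rule lines, the 0/0 addresses and port 40000 are constructed samples, and the parser ignores addresses.

```python
# Added example: first-match model of a stateless ipchains "input" chain.
# Rule lines and ports below are constructed samples; addresses are ignored.
import shlex

ANY = (0, 65535)

def parse_rule(line):
    """Parse '-p', '-s/-d addr [port[:port]]', '[!] -y' and '-j' from a rule."""
    rule = {"proto": None, "sport": ANY, "dport": ANY, "syn": None, "target": None}
    tok, i, negate = shlex.split(line), 0, False
    while i < len(tok):
        t = tok[i]
        if t == "!":
            negate = True
        elif t == "-p":
            i += 1
            rule["proto"] = tok[i]
        elif t in ("-s", "-d"):
            i += 1                                  # skip the address itself
            if i + 1 < len(tok) and tok[i + 1][0].isdigit():
                i += 1
                lo, _, hi = tok[i].partition(":")
                rule["sport" if t == "-s" else "dport"] = (int(lo), int(hi or lo))
        elif t == "-y":                             # -y matches TCP SYN only
            rule["syn"], negate = not negate, False
        elif t == "-j":
            i += 1
            rule["target"] = tok[i]
        i += 1
    return rule

def verdict(rule_lines, proto, sport, dport, syn=False, policy="DENY"):
    """Return the target of the first matching rule, else the chain policy."""
    for r in map(parse_rule, rule_lines):
        if (r["proto"] in (None, proto)
                and r["sport"][0] <= sport <= r["sport"][1]
                and r["dport"][0] <= dport <= r["dport"][1]
                and r["syn"] in (None, syn)):
            return r["target"]
    return policy

# Constructed rule sets: inbound SMTP only, then TCP DNS replies, then UDP DNS replies.
SMTP_ONLY = ["-A input -p tcp -s 0/0 -d 0/0 25 -j ACCEPT"]
TCP_DNS = SMTP_ONLY + ["-A input -p tcp ! -y -s 0/0 53 -d 0/0 1024:65535 -j ACCEPT"]
UDP_DNS = TCP_DNS + ["-A input -p udp -s 0/0 53 -d 0/0 1024:65535 -j ACCEPT"]

def dns_reply_allowed(rule_lines):
    """A resolver's UDP answer arrives from port 53 to an ephemeral port."""
    return verdict(rule_lines, "udp", 53, 40000) == "ACCEPT"
```

With SMTP_ONLY or TCP_DNS the UDP answer falls through to the DENY policy; only UDP_DNS lets it in, and the non-SYN match on the TCP rule keeps port 53 from being usable as a source port for new inbound connections.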

