[Shorewall-users] newbie question: SMTP on DMZ zone

Eduardo Ferreira duda@icatu.com.br
Wed, 10 Apr 2002 17:50:55 -0300



I'm trying to set up a three-interface shorewall firewall. On the DMZ side
there will be a Domino Server running smtp and web services. The problem
occurs when I try to send a message from this server to the internet. The
smtp connection is established but hangs and after a while is closed.
Could someone help me?

tks,

Eduardo Ferreira

 these are my configuration files:

-------------- zones file ---------------------------------
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Local networks
dmz     DMZ             Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

------------- interface file ------------------------------
#ZONE    INTERFACE      BROADCAST       OPTIONS
net      eth0           detect          noping,norfc1918,multi
loc      eth1           192.168.8.255   routestopped
dmz      eth2           192.168.9.4     routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

-------------- policy file ------------------------------
#CLIENT         SERVER          POLICY          LOG LEVEL
loc             net             ACCEPT
#loc            dmz             ACCEPT
dmz             loc             REJECT          info
dmz             net             REJECT          debug
net             dmz             REJECT          debug
net             all             DROP            info
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

---------------- masq file ------------------------
#INTERFACE              SUBNET          ADDRESS
eth0                    192.168.8.0/24  200.157.40.137
eth0                    192.168.9.0/30  200.157.40.137
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

----------------- rules file -------------------------
#-------------------
# a) loc->fw
# allow ssh (2222), ntp, www and https
#
ACCEPT          loc       $FW           tcp     2222,ntp,www,https

#------------------
# b) net->dmz
# allow the smtp, http, https and notes ports
#
ACCEPT          net      dmz:192.168.9.2   tcp  25      -       all
ACCEPT          net      dmz:192.168.9.2   tcp  80      -       all
ACCEPT          net      dmz:192.168.9.2   tcp  443     -       all
ACCEPT          net      dmz:192.168.9.2   tcp  1352    -       all
# forward traffic arriving on port 2922 to port 5800 on the notes server (VNC)
ACCEPT          net      dmz:192.168.9.2:5800 tcp     2922    -       all

#------------------
# c) dmz->net
# allow ports 25 (smtp), ntp and domain
#
ACCEPT          dmz      net            tcp     smtp,ntp,domain,1352
ACCEPT          dmz      net            udp     ntp,domain
#------------------
# d) loc->dmz
# allow notes (1352) and ftp for backup
#
ACCEPT          loc     dmz             tcp     1352,ftp,ftp-data
ACCEPT          loc     dmz             icmp    -
#------------------
# e) net->fw
# allow ssh from the internet to the firewall on port 2222
#
ACCEPT          net       $FW           tcp     2222

#------------------
# f) fw->net
# allow ntp
#
ACCEPT          $FW       net           udp     ntp,domain
ACCEPT          $FW       net           tcp     ntp,ftp,ftp-data,2161,domain
#-----------------
# g) net->loc
# allow ports 2822 (vnc to the w2k file server) and 2823 (vnc to the w2k sql 2k server)
#
ACCEPT          net     loc:192.168.8.1:5800    tcp     2822    - all
ACCEPT          net     loc:192.168.8.2:5800    tcp     2823    - all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
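Added here as a worked example, not code from the poster or from the Shorewall project: a small Python checker that reads the interfaces, masq and rules entries above (copied in as constructed strings) and reports where a hard-coded BROADCAST or a rule host disagrees with the subnets listed in the masq file. It assumes the masq SUBNET column is the only source of NAT coverage; the `parse` and `check` names are mine.

```python
import ipaddress

# Constructed copies of the poster's interfaces, masq and rules entries (from the message above).
INTERFACES = """\
#ZONE    INTERFACE      BROADCAST       OPTIONS
net      eth0           detect          noping,norfc1918,multi
loc      eth1           192.168.8.255   routestopped
dmz      eth2           192.168.9.4     routestopped
"""
MASQ = """\
#INTERFACE              SUBNET          ADDRESS
eth0                    192.168.8.0/24  200.157.40.137
eth0                    192.168.9.0/30  200.157.40.137
"""
RULES = """\
ACCEPT   net   dmz:192.168.9.2        tcp   25     -   all
ACCEPT   net   dmz:192.168.9.2:5800   tcp   2922   -   all
ACCEPT   dmz   net                    tcp   smtp,ntp,domain,1352
"""

def parse(text):
    """Split a Shorewall table file into column lists, dropping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def check(interfaces, masq, rules):
    """Return human-readable findings; an empty list means the three files agree."""
    subnets = [ipaddress.ip_network(row[1]) for row in parse(masq)]
    findings = []
    # 1. A hard-coded BROADCAST must be the broadcast address of a masqueraded subnet.
    #    192.168.9.4 has last octet 00000100, so no prefix length makes it an all-ones host part.
    for zone, iface, bcast, *_ in parse(interfaces):
        if bcast == "detect":
            continue
        if not any(n.broadcast_address == ipaddress.ip_address(bcast) for n in subnets):
            known = ", ".join(f"{n} -> {n.broadcast_address}" for n in subnets)
            findings.append(f"{iface} ({zone}): broadcast {bcast} matches no masq subnet (known: {known})")
    # 2. A host named in a rule must lie inside a masqueraded subnet; otherwise its packets
    #    towards the net zone leave eth0 with a private source address and replies never return.
    for row in parse(rules):
        for col in row[1:3]:
            if ":" in col:
                host = ipaddress.ip_address(col.split(":")[1])
                if not any(host in n for n in subnets):
                    findings.append(f"rule host {host} ({col}) is outside every masq subnet")
    return findings
```

Run `check(INTERFACES, MASQ, RULES)` to see the single finding for eth2; the same check passes once the dmz broadcast is the one the /30 implies.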
