[Shorewall-users] newnotsyn drops smtp

Tom Eastep teastep at shorewall.net
Wed Dec 17 07:31:21 PST 2003


On Wednesday 17 December 2003 01:27 am, Jose Arteaga wrote:
> I have installed Mandrake 9.2 with postfix 2.0.13, shorewall ver is
> 1.4.8. I can send emails out and receive them within my local network. I can
> not receive mail from the net. When I check shorewall status it shows:
>
> Dec 17 10:12:55 newnotsyn:DROP:IN=eth1 OUT= SRC=65.54.167.154
> DST=81.BLA.BLA.BLA LEN=115 TOS=0x00 PREC=0x00 TTL=47 ID=8939 PROTO=TCP
> SPT=25 DPT=38132 WINDOW=17520 RES=0x00 ACK PSH FIN URGP=0
>
> Dec 17 10:13:08 newnotsyn:DROP:IN=eth1 OUT= SRC=65.54.167.154
> DST=81.BLA.BLA.BLA LEN=115 TOS=0x00 PREC=0x00 TTL=47 ID=23596 PROTO=TCP
> SPT=25 DPT=38132 WINDOW=17520 RES=0x00 ACK PSH FIN URGP=0
>
> The origin is the mail server and the destination is my mail server, but
> shorewall drops it. How can I fix this?
>
> This is how I have set up the rules file
>
> ACCEPT	masq	fw	tcp	21,22,23,25,3128,10000,20000,domain,bootps,http,https,631,imap,pop3,nntp,ntp	-
> ACCEPT	masq	fw	udp	domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp	-
> ACCEPT	fw	masq	tcp	631,515,137,138,139	-
> ACCEPT	fw	masq	udp	631,515,137,138,139	-
> ACCEPT	net	fw	tcp	21,22,25,domain,http,https,10000,20000	-
> ACCEPT	net	fw	udp	21,22,25,domain,http,https,10000,20000	-
>

At least half the above rules are unnecessary. http and https are tcp only as 
are imap, pop3, smtp and nntp, ftp (21), ssh (22) and telnet (23).

bootps should be handled by specifying 'dhcp' for the internal interface in 
/etc/shorewall/interfaces.

The only port that you have listed there that is usually opened for both TCP 
and UDP is 53 (domain) because DNS uses both protocols.

See http://www.shorewall.net/samba.htm for rules for allowing SMB between your 
firewall and local network.

Finally, to your problem: the Shorewall ruleset is not "blocking smtp"; it 
is blocking non-SYN TCP packets that aren't part of an established connection, 
and some of those just happen to be SMTP. I suspect that your postfix server 
is rejecting connections from the net. You can confirm that by doing a 
"shorewall clear" and then trying to "telnet BLA.BLA.BLA.BLA 25" from a host 
outside the firewall.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
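The log lines from the question, parsed and classified, as an added example that is not part of the original thread or of Shorewall itself. The parser and the classifier are mine. The first two sample lines are the newnotsyn drops quoted above (local address left masked as in the post); the other two lines, the chain name net2all used for a policy drop, and the table of "service ports this firewall accepts from the net" are constructed assumptions for the example. The point it makes visible: both logged packets go from the remote host's port 25 to a local high port with ACK/PSH/FIN set, which is the tail of a connection the local side opened, not an inbound SMTP connection being refused.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample (not the poster's full log). Lines 1-2 are the newnotsyn
# drops quoted in the post, with the local address left masked as in the
# original. Lines 3-4 are made up here for contrast: a non-SYN packet aimed at
# the local port 25, and a SYN to port 25 dropped by an assumed policy chain (net2all).
SAMPLE_LOG = """\
Dec 17 10:12:55 newnotsyn:DROP:IN=eth1 OUT= SRC=65.54.167.154 DST=81.BLA.BLA.BLA LEN=115 TOS=0x00 PREC=0x00 TTL=47 ID=8939 PROTO=TCP SPT=25 DPT=38132 WINDOW=17520 RES=0x00 ACK PSH FIN URGP=0
Dec 17 10:13:08 newnotsyn:DROP:IN=eth1 OUT= SRC=65.54.167.154 DST=81.BLA.BLA.BLA LEN=115 TOS=0x00 PREC=0x00 TTL=47 ID=23596 PROTO=TCP SPT=25 DPT=38132 WINDOW=17520 RES=0x00 ACK PSH FIN URGP=0
Dec 17 10:14:02 newnotsyn:DROP:IN=eth1 OUT= SRC=198.51.100.7 DST=81.BLA.BLA.BLA LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=1001 PROTO=TCP SPT=40211 DPT=25 WINDOW=8192 RES=0x00 ACK URGP=0
Dec 17 10:15:30 net2all:DROP:IN=eth1 OUT= SRC=198.51.100.9 DST=81.BLA.BLA.BLA LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1002 PROTO=TCP SPT=51000 DPT=25 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# "<timestamp> <chain>:<disposition>:<netfilter fields>" is Shorewall's log prefix layout.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) "
    r"(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)$"
)

# Ports this firewall is meant to accept from the net (assumption for the example).
SERVICE_PORTS = {25: "smtp", 22: "ssh", 80: "http", 443: "https"}
EPHEMERAL_START = 1024


@dataclass
class Entry:
    ts: str
    chain: str
    disposition: str
    fields: dict
    flags: set


def parse_line(line):
    """Split one log line into chain, disposition, key=value fields and bare TCP flag names."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v            # "OUT=" yields an empty string, which is fine
        else:
            flags.add(tok)           # bare tokens are TCP flags: SYN, ACK, PSH, FIN, RST, URG
    return Entry(m.group("ts"), m.group("chain"), m.group("disp"), fields, flags)


def classify(e):
    """Say what a dropped packet most likely is, from chain, ports and flags alone."""
    if e.chain != "newnotsyn":
        return "policy-drop"                  # an ordinary zone/policy rejection
    if e.fields.get("PROTO") != "TCP":
        return "non-tcp"
    sport, dport = int(e.fields["SPT"]), int(e.fields["DPT"])
    if "SYN" in e.flags and "ACK" not in e.flags:
        return "new-connection"               # a real connection attempt never lands in newnotsyn
    if dport in SERVICE_PORTS:
        return "stray-to-local-service"       # non-SYN packet at a listening port: scan, spoof or stale
    if sport in SERVICE_PORTS and dport >= EPHEMERAL_START:
        # Remote service port -> our ephemeral port: the tail of a connection WE
        # opened, arriving after conntrack forgot it. Not an inbound block.
        return "late-reply-from-remote-service"
    return "other-non-syn"


def summarize(log_text):
    """Count drop categories across a log; returns a Counter keyed by classify()'s labels."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            counts[classify(e)] += 1
    return counts


def inbound_syn_drops(log_text, port):
    """Dropped SYNs to `port`: the only entries that would mean the firewall refuses that service."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e.fields.get("PROTO") == "TCP" and int(e.fields["DPT"]) == port \
                and "SYN" in e.flags and "ACK" not in e.flags:
            hits.append((e.chain, e.fields["SRC"]))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_line(line)
        print(f"{e.chain:10} {e.fields['SRC']}:{e.fields['SPT']} -> :{e.fields['DPT']} "
              f"{sorted(e.flags)} => {classify(e)}")
    print(summarize(SAMPLE_LOG))
    print("dropped SYNs to 25:", inbound_syn_drops(SAMPLE_LOG, 25))
```

Run it over a real `shorewall status` or /var/log/messages excerpt and look at `inbound_syn_drops(log, 25)`: if it comes back empty while remote senders still cannot connect, the firewall is not what is refusing them, which is the same conclusion the "shorewall clear" plus telnet check above reaches from the other direction.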
