Your output chain should have a default of ACCEPT, so you shouldn't need
those output chains...

Try changing those rules to:
ipchains -A input -i eth0 -p tcp -s any/0 -d 12.27.41.52 25 -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s any/0 25 -d 12.27.41.52 -j ACCEPT

I removed the 1024:65535 in each rule.  I don't think it's guaranteed that
the source ports will be above 1024...  You'd be better off if you moved to
kernel 2.4 and used the stateful firewalling; it would make your rules
simpler and it's more secure.  You really don't need any ipchains rules
unless you are blocking specific IPs, just make sure you are only running
services that you mean to be world accessible.  My mailservers that I have
outside the firewall don't have ipchains running, they only have an smtp
daemon running and sshd so I can get to them, nothing else.

Jay

> -----Original Message-----
> From: Brian [mailto:lxy at cloudnet.com]
> Sent: Wednesday, March 14, 2001 9:40 AM
> To: tclug-list at mn-linux.org
> Subject: [TCLUG] firewalling around sendmail
> 
> 
> I've got a sendmail server that I've given heavy firewalling through
> IPchains.  Apparently it was too heavy, because now sendmail won't work at
> all.  I've got:
> 
> ipchains -A input -i eth0 -p tcp -s any/0 80 -j ACCEPT
> ipchains -A input -i eth0 -p tcp -s any/0 25 -j ACCEPT
> ipchains -A input -i eth0 -p tcp -s any/0 110 -j ACCEPT
> ipchains -A input -i eth0 -p tcp -s any/0 6667 -j ACCEPT
> 
> and sendmail was firewalled out.  After consulting the book "linux
> firewalls", I was reminded that e-mail uses some ports > 1023 (at least
> Groupwise does, so it made sense) so now I've got:
> 
> ipchains -A output -i eth0 -p tcp -s 12.27.41.52 1024:65535 -d any/0 25 -j ACCEPT
> ipchains -A output -i eth0 -p tcp ! -y -s 12.27.41.52 25 -d any/0 1024:65535 -j ACCEPT
> ipchains -A input -i eth0 -p tcp -s any/0 1024:65535 -d 12.27.41.52 25 -j ACCEPT
> ipchains -A input -i eth0 -p tcp ! -y -s any/0 25 -d 12.27.41.52 1024:65535 -j ACCEPT
> 
> and it's still firewalled out.  Any ideas?  Sendmail works 100% when I
> ipchains -F.
> 
> -Brian
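
The following is an added example, not part of either post: a small Python model of how the two input rules suggested in the reply treat sample packets, including what the `! -y` test does. The DENY default policy on the input chain, the peer address 198.51.100.7 and the helper names are assumptions made for the illustration.

```python
# Added illustration (not from the thread): first-match evaluation of the two
# suggested input rules. The DENY default policy is an assumption.
from dataclasses import dataclass
from typing import Optional

SERVER = "12.27.41.52"   # server address used in the thread's rules
REMOTE = "198.51.100.7"  # constructed sample peer (documentation range)

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()

    def is_connection_request(self) -> bool:
        # What ipchains -y matches: SYN set, ACK and FIN clear.
        return "SYN" in self.flags and not (self.flags & {"ACK", "FIN"})

@dataclass
class Rule:
    sport: Optional[int] = None  # None means any port
    dport: Optional[int] = None
    dst: str = SERVER
    not_syn: bool = False        # models "! -y"

    def matches(self, p: Packet) -> bool:
        return (p.dst == self.dst
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and not (self.not_syn and p.is_connection_request()))

INPUT_CHAIN = [
    Rule(dport=25),                # -s any/0 -d 12.27.41.52 25 -j ACCEPT
    Rule(sport=25, not_syn=True),  # ! -y -s any/0 25 -d 12.27.41.52 -j ACCEPT
]

def verdict(p: Packet, chain=INPUT_CHAIN, policy: str = "DENY") -> str:
    """Return ACCEPT if any rule matches (all targets here are ACCEPT), else the policy."""
    return "ACCEPT" if any(r.matches(p) for r in chain) else policy

def pkt(sport: int, dport: int, *flags: str) -> Packet:
    """Build a constructed inbound sample packet from REMOTE to SERVER."""
    return Packet(REMOTE, sport, SERVER, dport, frozenset(flags))
```

`verdict(pkt(600, 25, "SYN"))` is ACCEPT now that the 1024:65535 source range is gone, and `verdict(pkt(25, 22, "SYN"))` is DENY because of `! -y`. `verdict(pkt(25, 22, "ACK"))` is still ACCEPT, since ipchains keeps no connection table; that is the check the kernel 2.4 stateful filtering adds.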