smtpd firewall rules...

Furmanek, Greg Greg.Furmanek@hit.cendant.com
Tue, 9 Jan 2001 10:10:08 -0500


Well, it seems you are DENYING anything on ports 0:1024; therefore,
if this rule is first in the chain, the subsequent rules will not
get executed.  I guess you should rearrange the order and put the
smtp before you start denying the rest.

-> -----Original Message-----
-> From: Deepak Saxena [mailto:deepak@csociety.purdue.edu]
-> Sent: Tuesday, January 09, 2001 1:17 AM
-> To: plug-discuss@lists.PLUG.phoenix.az.us
-> Subject: smtpd firewall rules...
-> 
-> 
-> 
-> I'm trying to get smtpd (postfix) to receive email from the outside
-> world while limiting my system to only accept things on certain ports
-> for security reasons.  I've only got incoming ports 80 (http), 25 (smtp),
-> and 42 (named, running my domain primary) open, and when I do a
-> telnet to port 25 on my machine, I get zip, zero, nada.  If I open
-> up all incoming ports, I can connect with no problem.  So there must
-> be something other than just port 25 that's required to access the
-> mail server...however, running ethereal on my outside ethernet card
-> shows no activity other than smtp and some outgoing DNS when I telnet
-> in with all ports open....so what am I doing wrong?  Here's a
-> dump of my current IPCHAINS config:
-> 
-> [root@arrakis dsaxena]# ipchains -L
-> Chain input (policy ACCEPT):
-> target     prot opt     source               destination                      ports
-> DENY       tcp  ------  anywhere             anywhere                         any ->   0:1024
-> ACCEPT     tcp  ------  anywhere             dyn-dsl1-148-phx.bazillion.com   any ->   smtp
-> ACCEPT     tcp  ------  anywhere             dyn-dsl1-148-phx.bazillion.com   any ->   nameserver
-> ACCEPT     tcp  ------  anywhere             dyn-dsl1-148-phx.bazillion.com   any ->   www
-> Chain forward (policy ACCEPT):
-> target     prot opt     source               destination                      ports
-> MASQ       all  ------  anywhere             192.168.0.0/24                   n/a
-> MASQ       all  ------  192.168.0.0/24       anywhere                         n/a
-> Chain output (policy ACCEPT):
-> 
-> ~Deepak
-> 
-> -- 
-> Deepak Saxena - deepak@csociety.purdue.edu - phone://602.790.0500
-> 
-> "Imagination is more important than knowledge" - Einstein
-> 
-> ________________________________________________
-> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your 
-> mail doesn't post to the list quickly and you use Netscape 
-> to write mail.
-> 
-> Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
-> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
->
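The ordering point made in the reply above, shown as an added example that is not part of the original thread: a small first-match simulator for an ipchains-style input chain, fed the posted rules in the posted order and again with the ACCEPT rules moved ahead of the blanket DENY. The `$EXT_IP` placeholder is an assumption standing in for the poster's external address; the probe ports are chosen here for illustration.

```python
# Added example (not from the original thread): first-match evaluation of
# an ipchains-style chain, reproducing the posted rule set in both orders.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    target: str   # "ACCEPT" or "DENY"
    proto: str    # "tcp" or "all"
    lo: int       # inclusive destination port range
    hi: int
    label: str    # service name, for readable output only


def evaluate(chain, policy, proto, dport):
    """Walk the chain top to bottom; the first matching rule decides.
    If no rule matches, the chain policy applies (ipchains semantics)."""
    for rule in chain:
        if rule.proto != "all" and rule.proto != proto:
            continue
        if not (rule.lo <= dport <= rule.hi):
            continue
        return rule.target
    return policy


# The four input-chain rules from the posted "ipchains -L" output.
DENY_LOW = Rule("DENY", "tcp", 0, 1024, "0:1024")
ACCEPT_SMTP = Rule("ACCEPT", "tcp", 25, 25, "smtp")
# "nameserver" in /etc/services is TCP port 42; DNS ("domain") is port 53.
ACCEPT_NS = Rule("ACCEPT", "tcp", 42, 42, "nameserver")
ACCEPT_WWW = Rule("ACCEPT", "tcp", 80, 80, "www")

# As posted: the blanket DENY sits first and shadows everything after it.
POSTED = [DENY_LOW, ACCEPT_SMTP, ACCEPT_NS, ACCEPT_WWW]
# Same rules with the ACCEPTs moved ahead of the blanket DENY.
REORDERED = [ACCEPT_SMTP, ACCEPT_NS, ACCEPT_WWW, DENY_LOW]

# Constructed probe set: ssh, smtp, port 42, dns, http, and one high port.
PROBE_PORTS = (22, 25, 42, 53, 80, 8080)


def verdicts(chain, policy="ACCEPT"):
    """Verdict for an inbound TCP connection to each probe port."""
    return {p: evaluate(chain, policy, "tcp", p) for p in PROBE_PORTS}


def to_ipchains(chain, ext_ip="$EXT_IP"):
    """Render the chain as ipchains commands. 'ipchains -A' appends, so the
    order the commands are run in is the order the rules are matched in.
    ext_ip is an assumed placeholder for the host's external address."""
    lines = ["ipchains -F input"]
    for r in chain:
        ports = str(r.lo) if r.lo == r.hi else f"{r.lo}:{r.hi}"
        dest = "0/0" if r.target == "DENY" else ext_ip
        lines.append(f"ipchains -A input -p {r.proto} -d {dest} {ports} -j {r.target}")
    return lines


if __name__ == "__main__":
    for name, chain in (("posted order", POSTED), ("reordered", REORDERED)):
        print(f"{name}: {verdicts(chain)}")
    print("\n".join(to_ipchains(REORDERED)))
```

In the posted order port 25 hits the DENY rule before the smtp ACCEPT is ever consulted, which is exactly the "zip, zero, nada" on telnet; with the ACCEPTs first, 25, 42 and 80 pass and the rest of 0:1024 is still denied. Two things the simulator also makes visible: the input chain's policy is ACCEPT, so ports above 1024 (8080 in the probe set) are reachable in either order unless the policy is changed or a final DENY is appended, and the rule labelled "nameserver" matches port 42, not DNS on 53, so a TCP DNS query is denied in both orders.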