mika wrote:
>>> picosecond.com. 86400 IN MX 20 mail.picosecond.com.
>>> picosecond.com 86400 IN MX 10 web.picosecond.com.
>>> web.picosecond.com 86400 IN A 64.207.38.2
>>> mail.picosecond.com. 86400 IN A 64.207.38.4
>>>
>>> above mail servers have an internal address of 192.168.1.55 and
>>> 192.168.160 respectively.

>> External port range from: SMTP
>> to: SMTP
>> NAT IP: 192.168.1.55
>> Local port: SMTP
>> Description: SMTP to Web
>
> That's wrong! The External port must not be set to SMTP, because every
> TCP connection by a normal computer has a starting port of > 1024 ! So
> leave this free!
>

A NAT rule is different than the firewall rule. The NAT rule defines what external port is forwarded to what internal port. The NAT rules I described specify that port 25 on public IP x will be forwarded to port 25 on private IP y.

Firewall rules allow or disallow traffic based on source (IP and/or port) and/or destination (IP and/or port). The firewall rule that will be automatically created (if the auto-create checkbox is checked) will have the correct source IP of "any" and port of "any". The destination of the firewall rule will be the private IP and port 25. (The auto-created rules will also have NAT in the beginning of the description...)

Theoretically, if you define a NAT rule with an external port of ANY and allow a firewall rule to be created, you will be opening that private IP to the world on all ports. (Not a best practice...)

_________________________________
James W. McKeand
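The distinction drawn in the reply above, as an added example that is not part of the original message and is not the firewall's own code: a simplified Python model of a port forward and its auto-created firewall rule, plus an audit check for forwards whose external port is "any". The names `NatRule`, `FwRule`, `translate`, `auto_firewall_rule`, `reaches` and `overbroad` are hypothetical, and the second sample rule is constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # None models "any"

@dataclass(frozen=True)
class NatRule:                 # hypothetical model of one port-forward entry
    ext_ports: PortRange       # external (destination) ports on the public IP
    nat_ip: str                # private host that receives the traffic
    local_port: int            # first internal port (ignored when ext_ports is None)
    descr: str

@dataclass(frozen=True)
class FwRule:                  # source IP and source port are always "any"
    dst_ip: str
    dst_ports: PortRange
    descr: str

def translate(nat, dst_port):
    """Return (private_ip, private_port) if the forward matches, else None."""
    if nat.ext_ports is None:
        return nat.nat_ip, dst_port
    lo, hi = nat.ext_ports
    if not lo <= dst_port <= hi:
        return None
    return nat.nat_ip, nat.local_port + (dst_port - lo)

def auto_firewall_rule(nat):
    """Model of the auto-created rule: any source, private IP and port as destination."""
    ports = None
    if nat.ext_ports is not None:
        lo, hi = nat.ext_ports
        ports = (nat.local_port, nat.local_port + hi - lo)
    return FwRule(nat.nat_ip, ports, "NAT " + nat.descr)

def reaches(nat, src_port, dst_port):
    """Where a connection to dst_port on the public IP lands, or None if dropped."""
    hit = translate(nat, dst_port)
    fw = auto_firewall_rule(nat)
    if hit is None or hit[0] != fw.dst_ip:
        return None
    lo, hi = fw.dst_ports or (0, 65535)
    return hit if lo <= hit[1] <= hi else None  # src_port is never examined

def overbroad(rules):  # audit: forwards that expose every port of the private host
    return [r.descr for r in rules if r.ext_ports is None]

smtp_to_web = NatRule((25, 25), "192.168.1.55", 25, "SMTP to Web")
wide_open = NatRule(None, "192.168.1.55", 0, "constructed: external port any")
```

The client's ephemeral source port plays no part in either rule, so the SMTP forward works with the external port set to 25, while the "any" forward passes every destination port through to the private host.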