[ previous ] [ next ] [ threads ]
 From:  "Chuck Mariotti" <cmariotti at xunity dot com>
 To:  "Chuck Mariotti" <cmariotti at xunity dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Problems with SMTP and FTP... ARGH!
 Date:  Tue, 3 Jan 2006 12:00:55 -0500
I am having a few problems that I hope someone can help me with... I've
searched the mailing lists but I haven't seen anything with these exact
problems (or a solution that works).
I have 32 public IP addresses... I run multiple services behind the
firewall and I am running into a few complications with monowall (didn't
have these problems before with PIX or Linux units).
I would like to only open ports that are needed (of course).
I have two network cards, one public (eg. -> 162) , one
private (eg. -> 254)... (not my real IP addresses, just
Firewall has two IP addresses and
I have setup Server NAT... have all the public IP addresses listed
I have one Proxy ARP entry which specifies the whole Public IP Address
Range (not sure I need this, or if this is right, see below).
I then setup Inbound Rules mapping the public IP to the internal IP for
specific ports for the services needed (SMTP, WWW, FTP, DNS, ETC)...
I have two specific problems...
1. Email / SMTP
    I am running Exchange 2003... The SMTP server should be publically
known as and internally has ... I have an
Inbound Firewall rule setup for Port 25... All inbound email seems to be
getting in (limited testing seems to work). However, this is where
things get odd and I need a solution. Outbound messages are sent, but
are using the public IP (the firewall address) instead
of .140 (the mailserver address). Mail, does get out (for the most
part), but most anti-spam software (yahoo, hotmail) sees this as a
problem and marks the messages as spam. As well, I used to be able to
telnet to port 25 on and I would get a HELO from the
mailserver, but I get nothing now (works inside though). Can someone
explain to me how to get this operational? I plan on having a few
outbound mailservers that need to be working in this proper manner... I
basically need a 1:1 mapping, but I only want SMTP traffic... 
2. FTP
    Basically, I have opened up inbound port 25, 20 and 1024-63553...
Public IP address is, Private You can
connect to the FTP server from the outside, but a directory listing
"locks up"/times out/gets nothing... There used to be a FixUp command on
PIX to resolve this issue.
In both of these cases, I tried setting up Outbound (I'm affraid I don't
understand this completely, same with Proxy ARP settings). I imagine the
solution is in there. I did a 1:1 but that opened everything up for that
external IP. Do I just put in a rule blocking everything, then another
rule opening the port(s) I need? Not sure this fixes both my problems...
Any help would be appreciated...