 
 From:  "Chuck Mariotti" <cmariotti at xunity dot com>
 To:  "Chuck Mariotti" <cmariotti at xunity dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Problems with SMTP and FTP... ARGH!
 Date:  Tue, 3 Jan 2006 12:00:55 -0500
I am having a few problems that I hope someone can help me with... I've
searched the mailing lists but I haven't seen anything with these exact
problems (or a solution that works).
 
I have 32 public IP addresses... I run multiple services behind the
firewall and I am running into a few complications with monowall (didn't
have these problems before with PIX or Linux units).
 
I would like to only open ports that are needed (of course).
 
I have two network cards, one public (eg. 211.211.211.130 -> 162) , one
private (eg. 10.10.10.1 -> 254)... (not my real IP addresses, just
examples)
 
Firewall has two IP addresses 211.211.211.130 and 10.10.10.1...
I have setup Server NAT... have all the public IP addresses listed
there...
I have one Proxy ARP entry which specifies the whole Public IP Address
Range (not sure I need this, or if this is right, see below).
I then setup Inbound Rules mapping the public IP to the internal IP for
specific ports for the services needed (SMTP, WWW, FTP, DNS, ETC)...
 
I have two specific problems...
 
1. Email / SMTP
    I am running Exchange 2003... The SMTP server should be publicly
known as 211.211.211.140 and internally has 10.10.10.140 ... I have an
Inbound Firewall rule setup for Port 25... All inbound email seems to be
getting in (limited testing seems to work). However, this is where
things get odd and I need a solution. Outbound messages are sent, but
are using the public IP 211.211.211.130 (the firewall address) instead
of .140 (the mailserver address). Mail does get out (for the most
part), but most anti-spam software (yahoo, hotmail) sees this as a
problem and marks the messages as spam. As well, I used to be able to
telnet to port 25 on 211.211.211.140 and I would get a HELO from the
mailserver, but I get nothing now (works inside though). Can someone
explain to me how to get this operational? I plan on having a few
outbound mailservers that need to be working in this proper manner... I
basically need a 1:1 mapping, but I only want SMTP traffic... 
 
2. FTP
    Basically, I have opened up inbound port 25, 20 and 1024-63553...
Public IP address is 211.211.211.151, Private 10.9.8.151... You can
connect to the FTP server from the outside, but a directory listing
"locks up"/times out/gets nothing... There used to be a FixUp command on
PIX to resolve this issue.
 
In both of these cases, I tried setting up Outbound (I'm afraid I don't
understand this completely, same with Proxy ARP settings). I imagine the
solution is in there. I did a 1:1 but that opened everything up for that
external IP. Do I just put in a rule blocking everything, then another
rule opening the port(s) I need? Not sure this fixes both my problems...
 
Any help would be appreciated...
 
Regards,


Chuck
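Added illustration, not from the post and not m0n0wall code: a small Python model of the setup described above (inbound port mappings plus outbound NAT rules, with unmatched outbound traffic leaving from the firewall's WAN address). The `asymmetric_hosts` check lists hosts that accept SMTP on one public address but send from another, which is the mismatch receiving mail filters react to. The rule model, the first-match/WAN-fallback behaviour and the class names are assumptions; the addresses are the example ones from the post.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Inbound:
    """Server NAT / inbound rule: public_ip:port forwarded to private_ip."""
    public_ip: str
    port: int
    private_ip: str

@dataclass
class Outbound:
    """Outbound NAT rule: traffic from the `source` CIDR leaves as `translate_to`."""
    source: str
    translate_to: str

@dataclass
class NatConfig:
    wan_ip: str
    inbound: list
    outbound: list

    def outbound_source(self, private_ip):
        # Public address a host's own connections appear from: first matching
        # outbound rule wins; with no match the WAN address is used (assumed
        # default, which is the symptom in the post: mail leaves as .130).
        for rule in self.outbound:
            if ip_address(private_ip) in ip_network(rule.source):
                return rule.translate_to
        return self.wan_ip

    def asymmetric_hosts(self, ports=(25,)):
        # Hosts reachable inbound on one public address but sending from another,
        # restricted to services whose source address gets checked (SMTP).
        found = []
        for rule in self.inbound:
            if rule.port in ports:
                src = self.outbound_source(rule.private_ip)
                if src != rule.public_ip:
                    found.append((rule.private_ip, rule.public_ip, src))
        return found

# Constructed sample modelled on the post (example addresses, as in the post).
INBOUND = [Inbound("211.211.211.140", 25, "10.10.10.140"),
           Inbound("211.211.211.151", 21, "10.9.8.151")]
AS_POSTED = NatConfig("211.211.211.130", INBOUND, outbound=[])
# Same setup plus an outbound rule pinning the mail server to its own address.
WITH_OUTBOUND_RULE = NatConfig("211.211.211.130", INBOUND,
                               [Outbound("10.10.10.140/32", "211.211.211.140")])
```

Passing `ports=(21, 25)` extends the same check to the FTP host, which in this model still leaves from the WAN address.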