On 1/3/06, Chuck Mariotti <cmariotti at xunity dot com> wrote:
>
> I would like to only open ports that are needed (of course).
>
> I have two network cards, one public (eg. 211.211.211.130 -> 162), one
> private (eg. 10.10.10.1 -> 254)... (not my real IP addresses, just
> examples)
>
> Firewall has two IP addresses 211.211.211.130 and 10.10.10.1...
> I have setup Server NAT... have all the public IP addresses listed
> there...

Server NAT is just overcomplicating things. Use 1:1, you seem to have
sufficient public IPs for all the servers involved. That's more than
likely how you had the PIX set up ('static (inside,outside) ...'),
otherwise you would have ended up with an even more complex setup there.

> I have one Proxy ARP entry which specifies the whole Public IP Address
> Range (not sure I need this, or if this is right, see below).

That's correct.

> 1. Email / SMTP
> I am running Exchange 2003... The SMTP server should be publicly
> known as 211.211.211.140 and internally has 10.10.10.140 ... I have an
> Inbound Firewall rule setup for Port 25... All inbound email seems to be
> getting in (limited testing seems to work). However, this is where
> things get odd and I need a solution. Outbound messages are sent, but
> are using the public IP 211.211.211.130 (the firewall address) instead
> of .140 (the mailserver address). I
> basically need a 1:1 mapping, but I only want SMTP traffic...

Enter the 1:1 rules, then enter the appropriate firewall rules.

> 2. FTP

This might be of some help.
http://wiki.m0n0.ch/wikka.php?wakka=PasvFTP

> I did a 1:1 but that opened everything up for that
> external IP.

Not unless your firewall rules say so. Anything that isn't explicitly
permitted, under any circumstance, is denied. Just permit what you need.

One thing to keep in mind: the destination IP, unlike the PIX and many
other firewalls, will be the private IP of the server, not the public IP.
NAT applies first, then firewall rules.

Also pay attention to the source port, which isn't apparent (or available
at all) for many firewalls. Set this to any (or 1024-65535 if you're a
stickler, the ephemeral port range), not the same as the destination port.

In summary: Delete all the server NAT stuff you have in there now, add 1:1
NAT rules, and add firewall rules.

-Chris
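The evaluation order Chris describes (1:1 NAT rewrites the destination before the filter rules see the packet, nothing not explicitly permitted passes, and the source port is left as any or the ephemeral range) modelled as an added Python example. This is illustration code written for this page, not m0n0wall code and not anything posted in the thread; the addresses are the thread's own placeholder examples, while the remote client 198.51.100.7, the Packet/Rule/OneToOne structures and the "first match wins" rule semantics are assumptions made for the model.

```python
"""Toy model of a 1:1 NAT firewall's inbound evaluation order: translate the
destination first, then run the filter rules against the translated packet,
and deny anything no rule permits.  Illustration only, not m0n0wall code;
addresses are the thread's placeholder examples."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Tuple, Union

WAN_ADDR = "211.211.211.130"      # firewall's own public address (from the thread)
PUBLIC_MAIL = "211.211.211.140"   # Exchange server as the world sees it
PRIVATE_MAIL = "10.10.10.140"     # Exchange server's real address
CLIENT = "198.51.100.7"           # assumed remote host (documentation range)
EPHEMERAL = (1024, 65535)         # the source-port range a stickler would use
PortSpec = Union[str, Tuple[int, int]]   # "any" or an inclusive (low, high) range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class OneToOne:
    external: str   # public IP
    internal: str   # private IP


@dataclass(frozen=True)
class Rule:
    action: str      # "pass" or "block"
    proto: str       # "tcp", "udp" or "any"
    src: str         # "any" or a network in CIDR form
    sport: PortSpec
    dst: str
    dport: PortSpec


MAPPINGS = [OneToOne(PUBLIC_MAIL, PRIVATE_MAIL)]


def inbound_nat(pkt: Packet, mappings) -> Packet:
    """1:1 NAT on the way in: rewrite the public destination to the private one."""
    for m in mappings:
        if pkt.dst == m.external:
            return replace(pkt, dst=m.internal)
    return pkt


def outbound_nat(pkt: Packet, mappings) -> Packet:
    """On the way out a 1:1 host keeps its own public IP; any other internal
    host is masqueraded behind the WAN address, which is the symptom Chuck saw."""
    for m in mappings:
        if pkt.src == m.internal:
            return replace(pkt, src=m.external)
    return replace(pkt, src=WAN_ADDR)


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _port_ok(spec: PortSpec, port: int) -> bool:
    if spec == "any":
        return True
    low, high = spec
    return low <= port <= high


def filter_packet(pkt: Packet, rules) -> str:
    """First matching rule wins; no match at all means block (default deny)."""
    for r in rules:
        if (r.proto in ("any", pkt.proto)
                and _addr_ok(r.src, pkt.src) and _port_ok(r.sport, pkt.sport)
                and _addr_ok(r.dst, pkt.dst) and _port_ok(r.dport, pkt.dport)):
            return r.action
    return "block"


def inbound_decision(pkt: Packet, rules, mappings=MAPPINGS) -> str:
    """NAT is applied before the filter, so rules must name the private IP."""
    return filter_packet(inbound_nat(pkt, mappings), rules)


# Three ways of writing "allow SMTP to the mail server"; only one works.
PIX_STYLE = [Rule("pass", "tcp", "any", "any", PUBLIC_MAIL, (25, 25))]       # public dst never matches post-NAT
WRONG_SPORT = [Rule("pass", "tcp", "any", (25, 25), PRIVATE_MAIL, (25, 25))]  # sport 25: real clients never match
CORRECT = [Rule("pass", "tcp", "any", EPHEMERAL, PRIVATE_MAIL, (25, 25))]

SMTP_IN = Packet(CLIENT, 51234, PUBLIC_MAIL, 25)   # constructed inbound SMTP connection
FTP_IN = Packet(CLIENT, 51235, PUBLIC_MAIL, 21)    # constructed inbound FTP attempt, no rule for it

if __name__ == "__main__":
    print("PIX-style rule :", inbound_decision(SMTP_IN, PIX_STYLE))    # block
    print("sport 25 rule  :", inbound_decision(SMTP_IN, WRONG_SPORT))  # block
    print("correct rule   :", inbound_decision(SMTP_IN, CORRECT))      # pass
    print("FTP, 1:1 only  :", inbound_decision(FTP_IN, CORRECT))       # block
    print("mail out from  :", outbound_nat(Packet(PRIVATE_MAIL, 40000, CLIENT, 25), MAPPINGS).src)
    print("other host out :", outbound_nat(Packet("10.10.10.50", 40001, CLIENT, 80), MAPPINGS).src)
```

The FTP case is the point of the "1:1 opened everything up" exchange: the mapping alone admits nothing, because a packet to port 21 finds no pass rule and falls through to the default block. The outbound calls show why the mail server needs a 1:1 entry at all: without one its traffic would leave with the firewall's .130 address.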