Is that IP address (211.211.211.130) your *real* IP address? I've had a couple of customers with 211.211.211.x as their network because someone saw 211.211.211.x as an example in a book somewhere and thought they could use it - even if that network belongs to someone in Korea. You'd be surprised how many "Systems Engineers" and other IT-related college-degree-holding so-called "professionals" have no idea what a private net like 192.168.x.x or 172.16.x.y or 10.x.y.z is or what it's used for.

Chris Buechler wrote:
> On 1/3/06, Chuck Mariotti <cmariotti at xunity dot com> wrote:
>
>> I would like to only open ports that are needed (of course).
>>
>> I have two network cards, one public (e.g. 211.211.211.130 -> 162), one
>> private (e.g. 10.10.10.1 -> 254)... (not my real IP addresses, just
>> examples)
>>
>> Firewall has two IP addresses 211.211.211.130 and 10.10.10.1...
>> I have set up Server NAT... have all the public IP addresses listed
>> there...
>
> Server NAT is just overcomplicating things. Use 1:1; you seem to
> have sufficient public IPs for all the servers involved. That's more
> than likely how you had the PIX set up ('static (inside,outside)
> ...'), otherwise you would have ended up with an even more complex
> setup there.
>
>> I have one Proxy ARP entry which specifies the whole Public IP Address
>> Range (not sure I need this, or if this is right, see below).
>
> That's correct.
>
>> 1. Email / SMTP
>> I am running Exchange 2003... The SMTP server should be publicly
>> known as 211.211.211.140 and internally has 10.10.10.140 ... I have an
>> Inbound Firewall rule set up for Port 25... All inbound email seems to be
>> getting in (limited testing seems to work). However, this is where
>> things get odd and I need a solution. Outbound messages are sent, but
>> are using the public IP 211.211.211.130 (the firewall address) instead
>> of .140 (the mail server address). I
>> basically need a 1:1 mapping, but I only want SMTP traffic...
>
> Enter the 1:1 rules, then enter the appropriate firewall rules.
>
>> 2. FTP
>
> This might be of some help: http://wiki.m0n0.ch/wikka.php?wakka=PasvFTP
>
>> I did a 1:1 but that opened everything up for that
>> external IP.
>
> Not unless your firewall rules say so. Anything that isn't explicitly
> permitted, under any circumstance, is denied. Just permit what you
> need.
>
> One thing to keep in mind: the destination IP, unlike on the PIX and many
> other firewalls, will be the private IP of the server, not the public
> IP. NAT applies first, then firewall rules. Also pay attention to
> the source port, which isn't apparent (or available at all) on many
> firewalls. Set this to any (or 1024-65535 if you're a stickler, the
> ephemeral port range), not the same as the destination port.
>
> In summary: Delete all the server NAT stuff you have in there now, add
> 1:1 NAT rules, and add firewall rules.
>
> -Chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
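The two points Chris makes that trip people coming from a PIX (NAT is applied before the filter rules, so an inbound rule must name the server's private address, and the source port should be "any" or the ephemeral range rather than the service port) are easy to get wrong silently, since a mis-written rule just produces a default deny. The following is an added illustration, not m0n0wall's own code or anything from the thread: a small Python model of that evaluation order using the thread's example addresses (211.211.211.x public, 10.10.10.x private). The client address 198.51.100.7, its source port 51234, and the first-match rule semantics are assumptions made for the model.

```python
# Added illustration (not m0n0wall's code): a model of "NAT first, then the
# firewall rules" for 1:1 NAT, showing why an inbound rule must name the
# server's PRIVATE address and why the source port must not be pinned to the
# service port. Addresses are the thread's example ranges; the client address,
# its source port and first-match rule evaluation are assumptions.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

WAN_ADDR = "211.211.211.130"      # firewall's own WAN address (from the thread)

# 1:1 NAT table, public -> private (the mapping the thread wants for SMTP)
ONE_TO_ONE: Dict[str, str] = {"211.211.211.140": "10.10.10.140"}
PRIVATE_TO_PUBLIC = {priv: pub for pub, priv in ONE_TO_ONE.items()}

EPHEMERAL = (1024, 65535)         # Chris's "stickler" source-port range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """An inbound WAN rule. None means 'any' for a port field."""
    action: str                            # "pass" or "block"
    proto: str
    dst: str                               # address the packet has AFTER NAT, or "any"
    dport: Optional[int] = None
    sport: Optional[Tuple[int, int]] = None   # (low, high) inclusive


def nat_inbound(pkt: Packet) -> Packet:
    """1:1 NAT on the way in: a public destination in the table becomes private."""
    priv = ONE_TO_ONE.get(pkt.dst)
    return replace(pkt, dst=priv) if priv else pkt


def nat_outbound(pkt: Packet) -> Packet:
    """On the way out a 1:1-mapped host keeps its own public address; any other
    private host is masqueraded behind the firewall's WAN address, which is the
    behaviour the original poster saw for the mail server before 1:1 NAT."""
    return replace(pkt, src=PRIVATE_TO_PUBLIC.get(pkt.src, WAN_ADDR))


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.sport is not None and not (rule.sport[0] <= pkt.sport <= rule.sport[1]):
        return False
    return True


def filter_inbound(pkt: Packet, rules: List[Rule]) -> str:
    """First matching rule decides (assumed first-match semantics); no match
    means the packet is denied, as Chris describes."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block"


def evaluate_inbound(pkt: Packet, rules: List[Rule]) -> Tuple[str, Packet]:
    """NAT is applied first; the rules only ever see the translated packet."""
    translated = nat_inbound(pkt)
    return filter_inbound(translated, rules), translated


# Constructed inbound SMTP connection from an arbitrary Internet host
SMTP_IN = Packet(src="198.51.100.7", sport=51234, dst="211.211.211.140", dport=25)

# PIX-style rule naming the PUBLIC address: never matches after NAT
WRONG_RULES = [Rule("pass", "tcp", "211.211.211.140", dport=25)]
# Correct rule: private destination, port 25, ephemeral source ports
RIGHT_RULES = [Rule("pass", "tcp", "10.10.10.140", dport=25, sport=EPHEMERAL)]
# Common mistake: source port set equal to the destination port
SPORT_RULES = [Rule("pass", "tcp", "10.10.10.140", dport=25, sport=(25, 25))]

if __name__ == "__main__":
    for name, rules in [("public-dst", WRONG_RULES),
                        ("private-dst", RIGHT_RULES),
                        ("sport=25", SPORT_RULES)]:
        action, seen = evaluate_inbound(SMTP_IN, rules)
        print(f"{name:12s} rules see dst={seen.dst}:{seen.dport} -> {action}")
    print("mail server outbound source:",
          nat_outbound(Packet("10.10.10.140", 40000, "203.0.113.9", 25)).src)
    print("unmapped host outbound source:",
          nat_outbound(Packet("10.10.10.50", 40001, "203.0.113.9", 25)).src)
```

Run it and the rule written against 211.211.211.140 blocks the mail even though it looks right, the rule with the source port pinned to 25 blocks it too, and only the rule naming 10.10.10.140 with an ephemeral source range passes; the outbound half shows the mapped server leaving as .140 while an unmapped host still leaves as the firewall's .130.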