qmail behind pf firewall
Hi,
I really would appreciate any help regarding this. I've been trying for two days and no result. I have tried what I have found on the net, and help from others, and no luck yet.
Thanks!! Jose
Problem: I would like to receive my me@mydomain.com mail in my qmail server
- I have a server with qmail-SMTP and qmail-POP3 working in my
local network.
- I can receive me@mydomain internally already.
- My email server has the address 192.168.0.100 in my internal network.
- My local network has a firewall to connect to the internet.
- My firewall is an OpenBSD 3.0. I am using pf and nat to firewall and filter/translate.
- My firewall has IP: 192.168.0.1 in my internal network
- Same problem with my httpd server.
Question
- Do I have to have the smtp port open at the firewall in order to redirect it?
My inetd.conf, pf.conf and nat.conf are below.
Thanks!
INETD.CONF
----------
# $OpenBSD: inetd.conf,v 1.41 2001/09/25 01:00:21 deraadt Exp $
#
# Internet server configuration database
#
# define *both* IPv4 and IPv6 entries for dual-stack support.
#
#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -US
#ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -US
#telnet stream tcp nowait root /usr/libexec/telnetd telnetd -k
#telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd -k
#shell stream tcp nowait root /usr/libexec/rshd rshd -L
#shell stream tcp6 nowait root /usr/libexec/rshd rshd -L
#login stream tcp nowait root /usr/libexec/rlogind rlogind
#login stream tcp6 nowait root /usr/libexec/rlogind rlogind
#exec stream tcp nowait root /usr/libexec/rexecd rexecd
#uucpd stream tcp nowait root /usr/libexec/uucpd uucpd
#finger stream tcp nowait nobody /usr/libexec/fingerd fingerd -lsm
#finger stream tcp6 nowait nobody /usr/libexec/fingerd fingerd -lsm
#ident stream tcp nowait nobody /usr/libexec/identd identd -el
#ident stream tcp6 nowait nobody /usr/libexec/identd identd -el
#tftp dgram udp wait root /usr/libexec/tftpd tftpd -s /tftpboot
#comsat dgram udp wait root /usr/libexec/comsat comsat
#comsat dgram udp6 wait root /usr/libexec/comsat comsat
#ntalk dgram udp wait root /usr/libexec/ntalkd ntalkd
#bootps dgram udp wait root /usr/sbin/bootpd bootpd
#pop3 stream tcp nowait root /usr/sbin/popa3d popa3d
# Internal services
#echo stream tcp nowait root internal
#echo stream tcp6 nowait root internal
#discard stream tcp nowait root internal
#discard stream tcp6 nowait root internal
#chargen stream tcp nowait root internal
#chargen stream tcp6 nowait root internal
#daytime stream tcp nowait root internal
#daytime stream tcp6 nowait root internal
#time stream tcp nowait root internal
#time stream tcp6 nowait root internal
#echo dgram udp wait root internal
#echo dgram udp6 wait root internal
#discard dgram udp wait root internal
#discard dgram udp6 wait root internal
#chargen dgram udp wait root internal
#chargen dgram udp6 wait root internal
#daytime dgram udp wait root internal
#daytime dgram udp6 wait root internal
#time dgram udp wait root internal
#time dgram udp6 wait root internal
# Kerberos authenticated services
#klogin stream tcp nowait root /usr/libexec/rlogind rlogind -k
#eklogin stream tcp nowait root /usr/libexec/rlogind rlogind -kx
#kshell stream tcp nowait root /usr/libexec/rshd rshd -k
#ekshell stream tcp nowait root /usr/libexec/rshd rshd -Lk
#ekshell2 stream tcp nowait root /usr/libexec/rshd rshd -Lk
#kauth stream tcp nowait root /usr/libexec/kauthd kauthd
# Encrypted X connections
#kx stream tcp nowait root /usr/X11R6/bin/kxd kxd
# RPC based services
#rstatd/1-3 dgram rpc/udp wait root /usr/libexec/rpc.rstatd rpc.rstatd
#rusersd/1-3 dgram rpc/udp wait root /usr/libexec/rpc.rusersd rpc.rusersd
#walld/1 dgram rpc/udp wait root /usr/libexec/rpc.rwalld rpc.rwalld
#sprayd/1 dgram rpc/udp wait root /usr/libexec/rpc.sprayd rpc.sprayd
#rquotad/1 dgram rpc/udp wait root /usr/libexec/rpc.rquotad rpc.rquotad
8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
smtp stream tcp nowait root /usr/libexec/smtpd smtpd -H -m smtp.mextrex.com
PF.CONF
-------
#
# Interface:
# lo0 - loopback
# ep1 - internal to private network
# ep0 - external to cable modem
#
# Filtering policy ordering:
# + Block everything unless there are permit (pass) rules
# - Permit all loopback packets to flow freely
# - Permit all internal network packets to flow freely
# - Permit individual type of service to flow freely to outside world:
# ftp
# smtp
# whois
# dns
# http/https
# pop3
# traceroute
# ping
# dhclient
# + Since there are no permit(pass) rules at this stage, everything
# else is blocked!
#
# share and enjoy,
# hoang@muine.org
# Nov 25, 2001
#
# Some variables
loopback=lo0
internal=ep1
external=ep0
#
# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Interface: all
# Block all incoming and outgoing packets unless they're allowed later.
#
# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
block in log all
block out log all
# -------------------------------------------------------------------------
# Interface: $loopback
# Allow loopback to flow freely.
# -------------------------------------------------------------------------
pass in quick on $loopback all
pass out quick on $loopback all
# -------------------------------------------------------------------------
# -------------------------------------------------------------------------
# Interface: $internal
# Allow internal traffic to flow freely.
# -------------------------------------------------------------------------
pass in quick on $internal all
pass out quick on $internal all
# -------------------------------------------------------------------------
# -------------------------------------------------------------------------
# Interface: $external
# Allow _internal_ and fw initiated connections from hosts behind NAT to
# outside world. Additional permit individual type of service to flow freely
# to outside world should be added in this section.
# -------------------------------------------------------------------------
# Protection against spoofing
# block in all
block in quick on $external from { 10.0.0.0/8, 172.16.0.0/12, \
255.255.255.255/32, \
127.0.0.0/8, 0.0.0.0/8, \
169.254.0.0/16, 192.0.2.0/24 } to any
# pass in all
#------------------------------------------------------------------------
# Increase security
# Protecting ourselves from being used for spoofing
#------------------------------------------------------------------------
block in log quick on $external from 192.168.0.0/16 to any
block in log quick on $external from any to 192.168.0.0/16
block in log quick on $external from any to 192.168.0.255/32
# [passive ftp client to outside world step 1]
pass out quick on $external proto tcp from any to any port = 21 flags S keep state
# [smtp to outside world]
pass out quick on $external proto tcp from any to any port = 25 flags S keep state
# [whois to outside world]
pass out quick on $external proto tcp from any to any port = 43 flags S keep state
# [domain to outside world]
pass out quick on $external proto tcp from any to any port = 53 flags S keep state
pass out quick on $external proto udp from any to any port = 53 keep state
# [http to outside world]
pass out quick on $external proto tcp from any to any port = 80 flags S/SA keep state
# [pop3 to outside world]
pass out quick on $external proto tcp from any to any port = 110 flags S keep state
# [https to outside world]
pass out quick on $external proto tcp from any to any port = 443 flags S keep state
# [passive ftp to outside world step 2 where the FTP server decides which port
# for ftp data back]
pass out quick on $external proto tcp from any to any port > 1023 flags S keep state
# [traceroute to outside world 1st stage: probing...man traceroute(8)]
pass out quick on $external proto udp from any to any port 33434 >< 33525 keep state
# [ping to outside world]
pass out quick on $external proto icmp from any to any keep state
# -------------------------------------------------------------------------
# Allow _external_ initiated connections from outside world to hosts behind
# NAT and the firewall.
# -------------------------------------------------------------------------
# [dhclient]
pass in quick on $external proto udp from any to any port = 68 keep state
# [traceroute to internal host 2nd stage: receiving error code of icmp-type 3
# (destination unreachable) and icmp-type 11 (time exceeded)]
pass in quick on $external inet proto icmp from any to any icmp-type 3 keep state
pass in quick on $external inet proto icmp from any to any icmp-type 11 keep state
block in log quick on $external inet proto icmp from any to any
# Block rlogin port 513, rsh 514, and telnet 23
block in log quick on $external proto tcp from any to 192.168.0.0/16 port = 513
block in log quick on $external proto tcp from any to 192.168.0.0/16 port = 514
block in log quick on $external proto tcp from any to 192.168.0.0/16 port = 23
block in log quick on $external proto udp from any to 192.168.0.0/16 port = 514
# -------------------------------------------------------------------------
# Interface: $external
# Since there are no permit(pass) rules at this stage, everything else is
# blocked!
# -------------------------------------------------------------------------
# [http from outside world]
pass in quick on $external proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on $external proto tcp from any to 192.168.0.100 port = 25 flags S/SA keep state
# Finally lock the rest down with a default deny
block in on $external from any to any
# and let out-going traffic out
pass out on $external from any to any
NAT.CONF
--------
# $OpenBSD: nat.conf,v 1.4 2001/07/09 23:20:46 millert Exp $
#
# See nat.conf(5) for syntax and examples
#
# replace ep0 with external interface name, 192.168.0.0/16 with internal network
# and {} with external address
#
# nat: packets going out through ep0 with source address 10.0.0.0/8 will get
# translated as coming from 192.168.1.1. a state is created for such packets,
# and incoming packets will be redirected to the internal address.
#
# Interface:
# ep1 - internal to private network
# ep0 - external to cable modem
#
# share and enjoy,
# hoang@muine.org
# Dec 6, 2001
#
# NAT internal IP addresses of range 192.168.0.0/255 to external
# routable IP EXT.IP.ADD.RESS
nat on ep0 from 192.168.0.0/16 to any -> ep0
# Redirect ftp clients behind NAT on internal interface ``ep1'' to use
# ftp-proxy(8) daemon
rdr on ep1 proto tcp from any to any port 21 -> 127.0.0.1 port 8081
# Redirect incoming smtp traffic to Panda mail server behind NAT
#rdr on ep0 proto udp from any to any port 25 -> 192.168.0.100 port 25
#rdr on ep0 proto tcp from any to any port 25 -> 192.168.0.100 port 25
#rdr on ep0 proto tcp from any to any port 25 -> 192.168.0.100 port 25
rdr on ep0 proto tcp from any to ep0 port 25 -> 192.168.0.100 port 25
# Redirect incoming http traffic to Panda behind NAT
#rdr on ep0 from any to any port 80 -> 192.168.0.100 port 80
#rdr on ep0 proto tcp from any to any port 80 -> 192.168.0.100 port 80
#rdr on ep0 proto tcp from any to localhost port 80 -> 192.168.0.100 port 80
#rdr on ep1 proto tcp from any to 192.168.0.1 port 80 -> 192.168.0.100 port 80
J. Rivero
3629 203Rd Street
Langley, B.C.
V3A 6A6
(604) 514-9092
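As an added illustration (not from the post, and not pf's own tooling), here is a small Python checker for the rule that governs the setup above: pf translates before it filters, so every rdr target needs a pass in rule on the same interface that admits the translated address and port. The regexes only recognise the simple rule shapes used in these files, and the sample fragments are constructed from them with the wrapped lines re-joined.

```python
import re
# Constructed sample fragments modelled on the nat.conf and pf.conf in the post
# (wrapped lines re-joined); not the poster's files verbatim.
NAT_CONF = """
rdr on ep0 proto tcp from any to ep0 port 25 -> 192.168.0.100 port 25
rdr on ep1 proto tcp from any to any port 21 -> 127.0.0.1 port 8081
"""
PF_CONF = """
internal=ep1
external=ep0
pass in quick on $internal all
pass in quick on $external proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on $external proto tcp from any to 192.168.0.100 port = 25 flags S/SA keep state
block in on $external from any to any
"""

# Only the simple rule shapes used in the post are recognised (assumption, not a full pf grammar).
RDR_RE = re.compile(r"^rdr on (\S+) proto (\S+) from \S+ to \S+ port (\d+) -> (\S+) port (\d+)")
PASS_RE = re.compile(r"^pass in(?: quick)? on (\S+) (?:inet )?"
                     r"(?:proto (\S+) from \S+ to (\S+) port = (\d+)|all)")

def expand_macros(text):
    """Substitute pf.conf macros (name=value) into rules that reference $name."""
    for name, value in re.findall(r"^(\w+)=(\S+)$", text, re.M):
        text = text.replace("$" + name, value)
    return text

def parse_rdr(text):
    """Return (iface, proto, ext_port, target_host, target_port) per rdr rule."""
    return [m.groups() for m in map(RDR_RE.match, text.splitlines()) if m]

def parse_pass_in(text):
    """Return (iface, proto, dst, port) per pass-in rule; 'all' becomes wildcards."""
    rules = []
    for m in filter(None, map(PASS_RE.match, expand_macros(text).splitlines())):
        iface, proto, dst, port = m.groups()
        rules.append((iface, proto or "any", dst or "any", port or "any"))
    return rules

def unmatched_redirects(nat_text, pf_text):
    """List rdr rules whose post-translation destination no pass-in rule admits.
    pf translates before it filters, so an rdr to 192.168.0.100 port 25 on ep0 needs
    a pass in rule on ep0 whose destination is 192.168.0.100 (or any) port 25."""
    passes = parse_pass_in(pf_text)
    missing = []
    for iface, proto, _ext_port, host, port in parse_rdr(nat_text):
        if not any(pi == iface and pp in ("any", proto) and pd in ("any", host)
                   and pt in ("any", port) for pi, pp, pd, pt in passes):
            missing.append(f"rdr on {iface} -> {host} port {port}: no matching pass in rule")
    return missing
```

Run against the constructed fragments, `unmatched_redirects(NAT_CONF, PF_CONF)` returns an empty list, because the smtp rdr is paired with the pass in rule to 192.168.0.100 port 25 and the ftp-proxy rdr on ep1 is covered by the `pass in quick on $internal all` rule.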