[H-GEN] Problems with masq'ing sendmail

Marshall, Joshua MarshallJ at switch.aust.com
Wed Sep 1 00:35:41 EDT 1999


[ Humbug *General* list - semi-serious discussions about Humbug and
Unix-related topics. ]

Hi all,

I've got my system set up as follows:

             +--------------+        +--------------+
             |              |        |              |
   Internet  |              |  MASQ  |              |
  <--------->|  Firewall    |<------>| Email server |
             |              |        |              |
             |              |        |              |
             +--------------+        +--------------+

I currently masquerade ports 25 and 113 (auth) into the email server (using
ipportfw on the firewall - it's a router-on-a-floppy deal) and to send all
emails out to the world I masquerade the smtp through the Firewall to the
destination mail servers.

All incoming emails are working great; however, outgoing emails lose the
connection after a period of time, so I'm unable to send anything > 100k.
Watching a tcpdump it all looks great and suddenly the remote host stops
acking.

I have noticed that the auth port gives me errors like:

Sep  1 14:07:02 server1 identd[14737]: Connection from xgate.ebi.it
Sep  1 14:07:02 server1 identd[14737]: from: 194.243.48.2 ( xgate.ebi.it ) for: 61142, 25
Sep  1 14:07:02 server1 identd[14737]: Returned: 61142 , 25 : NO-USER

This doesn't really surprise me, as the ports change as I go through the
firewall.  How I'd fix this I'm not sure (maybe run the auth on the
firewall?)

I have also noticed that sending files via ftp fails pretty badly after a
while too.  Incoming seems to work fine.

Here are my masq settings:

# Forwarding Rules
ipfwadm -F -f

# Set default Forwarding to deny
ipfwadm -F -p deny

# Add masquerading entries
# Forward email to internal mail server
ipfwadm -F -a accept -m -P tcp -D server1.ussbris 25
# Forward auth connects to internal mail server
# this doesn't seem to work as auth doesn't get it right.
ipfwadm -F -a accept -m -P tcp -D server1.ussbris 113

# Allow internal email server to send emails out
ipfwadm -F -a accept -m -S server1.ussbris

# Set masquerading timeouts
ipfwadm -M -s 1800 1800 1800

/usr/sbin/ipportfw -A -t 203.108.63.250/25 -R 10.10.10.1/25
/usr/sbin/ipportfw -A -t 203.108.63.250/113 -R 10.10.10.1/113

Routing rules etc are all ok - I do get through for quite a while.

I'm a bit concerned about the kernel - it's a 2.0.36pre version that was
supplied with the LRP distribution.  I have a feeling there were patches to
get certain things going, otherwise I'd just shove a new kernel in.

Can anyone shed some light on all of this?

Josh Marshall
Systems Support Engineer
Union Switch & Signal Pty Ltd
marshallj at switch.aust.com
Ph +61-7-3868-9371
Fax +61-7-3268-2219
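As an added illustration (not part of Josh's post), the identd lines above can be checked mechanically for the symptom he describes: the local port the remote MTA asks about (61142) falls in the source-port range the Linux 2.0 masquerade code hands out (61000-65095), so the internal identd can never own that socket and must answer NO-USER. The script below parses constructed log lines modelled on the post and flags lookups that land in that range; the range constant is an assumption tied to 2.0-series kernels.

```python
import re

# Linux 2.0 IP masquerade rewrites the source port into 61000-65095
# (assumption: the 2.0.36 kernel family mentioned in the post).
MASQ_PORT_LOW, MASQ_PORT_HIGH = 61000, 65095

# Matches the identd "from: <ip> ( <host> ) for: <local>, <remote>" line.
LINE_RE = re.compile(
    r"identd\[(?P<pid>\d+)\]: from: (?P<ip>[\d.]+) \( (?P<host>\S+) \)"
    r"\s+for: (?P<lport>\d+), (?P<rport>\d+)"
)


def in_masq_range(port):
    """True if the port is one the firewall's masquerade code would have picked."""
    return MASQ_PORT_LOW <= port <= MASQ_PORT_HIGH


def classify(line):
    """Return (remote_ip, local_port, remote_port, verdict) or None if not an ident query line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    lport, rport = int(m["lport"]), int(m["rport"])
    # A local port in the masq range means the query refers to the firewall's
    # rewritten socket, not one the internal mail server ever opened.
    verdict = "masqueraded" if in_masq_range(lport) else "local"
    return (m["ip"], lport, rport, verdict)


# Constructed sample log: the first three lines mirror the post, the last is a
# made-up LAN peer whose query refers to a port the server really owns.
SAMPLE_LOG = """\
Sep  1 14:07:02 server1 identd[14737]: Connection from xgate.ebi.it
Sep  1 14:07:02 server1 identd[14737]: from: 194.243.48.2 ( xgate.ebi.it ) for: 61142, 25
Sep  1 14:07:02 server1 identd[14737]: Returned: 61142 , 25 : NO-USER
Sep  1 14:09:11 server1 identd[14801]: from: 10.10.10.5 ( lanbox ) for: 1034, 25
"""


def analyse(log):
    """Classify every ident query line in the log text."""
    return [r for r in (classify(l) for l in log.splitlines()) if r]


if __name__ == "__main__":
    for ip, lport, rport, verdict in analyse(SAMPLE_LOG):
        print(f"{ip} asked about {lport},{rport}: {verdict}")
```

Every query tagged "masqueraded" will be answered NO-USER by an identd running behind the masquerading box, which is why forwarding port 113 inward cannot work; only an identd on the firewall itself sees those ports.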

