Hi Daniel, bottom-posting.

On 8/1/2018 2:02 PM, daniel_1983--- via Shorewall-users wrote:
> Hello Matt,
>
> The support page explicitly asks not to post configuration files but to post
> dumps instead, which I did. Here's an excerpt from the posted dump file which
> seems to show that port 25 is open for net-fw connections, line 11:
>
>  1 Chain net-fw (1 references)
>  2  pkts bytes target    prot opt in  out source          destination
>  3   252 13604 dynamic   all  --  *   *   0.0.0.0/0       0.0.0.0/0    ctstate INVALID,NEW,UNTRACKED
>  4   249 13452 smurfs    all  --  *   *   0.0.0.0/0       0.0.0.0/0    ctstate INVALID,NEW,UNTRACKED
>  5     0     0 ACCEPT    udp  --  *   *   0.0.0.0/0       0.0.0.0/0    udp dpts:67:68
>  6  3008  714K tcpflags  tcp  --  *   *   0.0.0.0/0       0.0.0.0/0
>  7  1756  464K ACCEPT    all  --  *   *   192.168.0.0/16  0.0.0.0/0
>  8    17  3878 ACCEPT    all  --  *   *   172.16.0.0/12   0.0.0.0/0
>  9   644  110K ACCEPT    all  --  *   *   10.10.10.0/24   0.0.0.0/0
> 10   830  165K ACCEPT    all  --  *   *   0.0.0.0/0       0.0.0.0/0    -m geoip --source-country DZ,US
> 11     0     0 ACCEPT    tcp  --  *   *   0.0.0.0/0       0.0.0.0/0    multiport dports 22022,44044,25
> 12    45  2292 Drop      all  --  *   *   0.0.0.0/0       0.0.0.0/0
> 13     1    40 LOG       all  --  *   *   0.0.0.0/0       0.0.0.0/0    LOG flags 0 level 6 prefix "Shorewall:net-fw:DROP:"
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On August 1, 2018 12:24 PM, Matt Darfeuille <matd...@gmail.com> wrote:
>
>> On 8/1/2018 12:35 PM, daniel_1983--- via Shorewall-users wrote:
>>
>>> Hello list,
>>> Shorewall is installed on my mail server. Its policy is to ACCEPT all
>>> traffic from $fw to net (same interface). Since the only thing I changed in
>>> the configuration is the policy file, I will paste the policy file that is
>>> working (mail is sent), and the policy file that is not working (mail is
>>> not sent).
>>>
>>> NON-WORKING POLICY
>>> root@messagerie[10.10.10.19] ~ # cat /etc/shorewall/policy
>>> [...]
>>> $FW net ACCEPT
>>> net $FW DROP INFO
>>> root@messagerie[10.10.10.19] ~ #
>>
>> If you have the policy 'net $FW DROP' you will need to open those
>> required ports in '/etc/shorewall/rules':
>>
>> net $FW tcp 25
>>
>>> shorewall dump after doing a shorewall reset then trying to send mail to
>>> host 192.162.70.68: https://clbin.com/yO9h3. You can see that the
>>> connection isn't even listed.
>>>
>>> WORKING POLICY
>>> root@messagerie[10.10.10.19] ~ # cat /etc/shorewall/policy
>>> [...]
>>> $FW net ACCEPT
>>> net $FW ACCEPT
>>> root@messagerie[10.10.10.19] ~ #
>>
>> 'net $FW ACCEPT' means that all traffic is 'ACCEPT'ed on the firewall
>> from the net zone.
>>
Looks like it indeed. The only thing that I could add is to ensure that after
'shorewall clear' (FW will be wide open) you can successfully send e-mail.

-Matt

-- 
Matt Darfeuille

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
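The thread hinges on reading a `net-fw` chain by eye and on Matt's suggestion to re-test with the firewall cleared. A complementary check is to read the dumped chain mechanically: which ACCEPT rules would admit a given protocol/port, from which sources, under which extra match, and how many packets each rule has counted since the last `shorewall reset`. The Python below is an added example written for this page; it is not Shorewall code and not anything posted in the thread. `CHAIN_DUMP` is a constructed copy of the `net-fw` chain quoted above (same rules and counters, re-aligned into plain `iptables -L -v -n` layout), and the function names `parse_chain`, `parse_ports`, `open_for`, `unconditional` and `report` are this example's own.

```python
"""Read an iptables / `shorewall dump` chain listing and report which ACCEPT
rules would admit a given protocol/port, with their packet counters.

Hypothetical helper for this page, not part of Shorewall.  CHAIN_DUMP is a
constructed net-fw chain modelled on the one quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Optional

CHAIN_DUMP = '''\
Chain net-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  252 13604 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
  249 13452 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
 3008  714K tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
 1756  464K ACCEPT     all  --  *      *       192.168.0.0/16       0.0.0.0/0
   17  3878 ACCEPT     all  --  *      *       172.16.0.0/12        0.0.0.0/0
  644  110K ACCEPT     all  --  *      *       10.10.10.0/24        0.0.0.0/0
  830  165K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country DZ,US
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22022,44044,25
   45  2292 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    40 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:net-fw:DROP:"
'''

SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def count(tok: str) -> int:
    """Convert an `iptables -v` counter such as '714K' or '3008' to an int."""
    if tok[-1] in SUFFIX:
        return int(float(tok[:-1]) * SUFFIX[tok[-1]])
    return int(tok)


@dataclass
class Rule:
    index: int              # 1-based position in the chain
    pkts: int               # packets matched since the counters were last reset
    target: str             # ACCEPT, Drop, LOG, or a sub-chain (dynamic, smurfs, ...)
    prot: str               # 'tcp', 'udp', 'all', ...
    source: str             # source CIDR, '0.0.0.0/0' for any
    ports: Optional[set]    # destination ports matched; None means any port
    conditions: str         # leftover match text (ctstate, geoip, ...); '' if none


# 'tcp dpt:25', 'udp dpts:67:68' or 'multiport dports 22022,44044,25'.
# Source-port matches (spt:) are deliberately left in `conditions`.
PORT_RE = re.compile(
    r"(?:multiport\s+dports\s+(\S+)|\b(?:tcp|udp|sctp|dccp|udplite)?\s*dpts?:(\S+))"
)


def parse_ports(extras: str):
    """Split the trailing match text into (destination ports, remaining text).
    Ranges ('67:68', '1000:1002') are expanded; a list may mix both forms."""
    m = PORT_RE.search(extras)
    if not m:
        return None, extras.strip()
    ports = set()
    for part in (m.group(1) or m.group(2)).split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    rest = (extras[:m.start()] + extras[m.end():]).strip()
    return ports, rest


def parse_chain(text: str) -> list:
    """Parse one chain from `iptables -L -v -n` / `shorewall dump` output."""
    rules = []
    for line in text.splitlines():
        fields = line.split(None, 9)   # pkts bytes target prot opt in out src dst [extras]
        if len(fields) < 9 or not re.fullmatch(r"\d+[KMG]?", fields[0]):
            continue                   # skips the 'Chain ...' and column-header lines
        extras = fields[9] if len(fields) == 10 else ""
        ports, conditions = parse_ports(extras)
        rules.append(Rule(len(rules) + 1, count(fields[0]), fields[2], fields[3],
                          fields[7], ports, conditions))
    return rules


def open_for(rules: list, proto: str, port: int) -> list:
    """ACCEPT rules whose protocol/port match would admit proto/port.
    Static reading only: sub-chains reached earlier (dynamic, smurfs, tcpflags)
    may still drop a packet before it gets this far."""
    return [r for r in rules
            if r.target == "ACCEPT"
            and r.prot in ("all", proto)
            and (r.ports is None or port in r.ports)]


def unconditional(rules: list, proto: str, port: int) -> Optional[Rule]:
    """First ACCEPT open to any source with no extra match, i.e. what a plain
    per-port entry in /etc/shorewall/rules compiles to."""
    for r in open_for(rules, proto, port):
        if r.source == "0.0.0.0/0" and not r.conditions:
            return r
    return None


def report(rules: list, proto: str, port: int) -> str:
    lines = []
    for r in open_for(rules, proto, port):
        scope = "any source" if r.source == "0.0.0.0/0" else "source " + r.source
        cond = ", only if " + r.conditions if r.conditions else ""
        lines.append(f"rule {r.index}: ACCEPT {proto}/{port} from {scope}{cond} ({r.pkts} pkts)")
    return "\n".join(lines) or f"no ACCEPT rule admits {proto}/{port}; the chain's Drop/policy applies"


if __name__ == "__main__":
    chain = parse_chain(CHAIN_DUMP)
    print(report(chain, "tcp", 25))
    r = unconditional(chain, "tcp", 25)
    if r is not None and r.pkts == 0:
        print(f"rule {r.index} is present but has never matched: re-test and re-dump")
```

Run it against a fresh dump taken after `shorewall reset` and one connection attempt. A rule that is present but still at 0 packets, like rule 11 in the quoted chain, tells you the test traffic either never reached the chain or was already accepted by an earlier rule (here the RFC 1918 and geoip rules precede it), which is a different situation from the rule being missing. The script only reads the chain statically; `dynamic`, `smurfs` and `tcpflags` are sub-chains that can drop a packet before any ACCEPT is reached, so treat its output as a map of where to look, not as a verdict.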