Archived from groups: uk.comp.os.linux,comp.security.firewalls
Hi, I'm hoping someone else has seen this before...
I've got two machines, call them bar.foo.com and baz.foo.com. Both boxes
run Debian stable, and the MTA on both is Sendmail. One is a primary
mail server and the other is a secondary mail server for many of the
same domains. These machines have real world addresses, call them
22.22.22.22 and 22.22.22.23, but since we've instituted IPCop as our
firewall and used NAT, the machines don't really have these addresses
any more, they're now really 192.168.1.22 and 192.168.1.23. They're on
the same subnet and can talk to one another easily by address.
I've set them up in each other's /etc/hosts files so that from bar I can
ping baz.foo.com and from baz I can ping bar.foo.com and that just
works. But when they try to transfer mail to each other the connection
times out, and when from the command line on bar I try
telnet baz.foo.com 25
it times out, although if I try
telnet 192.168.1.23
it works perfectly.
The IPCop is set up to allow traffic on port 25 both outbound and inbound
to the two boxes, and each of the boxes has the IPCop box set up as
their default gateway, so I don't understand why the SMTP traffic
doesn't just get routed out to the IPCop box and back in again, but it
doesn't: if I try
telnet 22.22.22.23 25
that doesn't get through either.
But the other thing I don't understand is why Sendmail (and telnet) are
preferring addresses they're getting from DNS to addresses they're
getting from the hosts file, while ping is preferring addresses from the
hosts file.
So, please, can anyone suggest either
(i) a means of configuring IPCop so that it will pass this traffic;
or
(ii) a means of configuring the boxes so that sendmail uses the DMZ
addresses to talk to each other rather than the real world ones;
or
(iii) a popular, reliable and reasonably well supported open source
firewall which can bind multiple addresses to a single NIC (so Linux
2.4 or 2.6 and iptables, rather than 2.2 and ipchains) and which does
not insist on NATting everything.
--
simon@jasmine.org.uk (Simon Brooke) http://www.jasmine.org.uk/~simon/
;; "If I were a Microsoft Public Relations person, I would probably
;; be sobbing on a desk right now" -- Rob Miller, editor, /.
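The timeout the post describes is the classic "hairpin NAT" symptom: a LAN host dials the public address of another LAN host, the firewall DNATs the SYN to the internal address but does not rewrite the source, so the server answers directly on the LAN from 192.168.1.23 and the client, which is waiting for a SYN-ACK from 22.22.22.23, drops it. The following model is an added example written for this page, not code from the poster or from IPCop; it assumes that the firewall's port-forward rule is DNAT-only (the usual stock behaviour), that the firewall's inside address is 192.168.1.1, and uses 203.0.113.5 as a constructed outside client. It walks one SYN/SYN-ACK exchange through three configurations: the post's setup (fails), a firewall that also source-NATs LAN-originated hairpin connections (works, option i), and a client that resolves the peer to its DMZ address so the traffic never crosses the firewall (works, option ii).

```python
"""Model of a port-forwarding NAT firewall between two hosts on one LAN, used
to show why dialing a peer's public address from inside times out and which
fixes make the handshake complete.  Addresses are the constructed ones from
the post; FW_LAN_ADDR and WAN_CLIENT are assumptions for the example."""
from dataclasses import dataclass
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")
FW_LAN_ADDR = "192.168.1.1"          # assumed inside address of the IPCop box
WAN_CLIENT = "203.0.113.5"           # constructed outside host, for comparison
PORT_FORWARDS = {                    # public address -> internal host (port 25)
    "22.22.22.22": "192.168.1.22",
    "22.22.22.23": "192.168.1.23",
}
# Option (ii): what each host should resolve the peer's name to.  The "public"
# view is what DNS on the Internet answers; the "internal" view is what
# /etc/hosts or an internal DNS zone should answer.
NAME_VIEWS = {
    "baz.foo.com": {"public": "22.22.22.23", "internal": "192.168.1.23"},
    "bar.foo.com": {"public": "22.22.22.22", "internal": "192.168.1.22"},
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str          # "SYN" from the client, "SYN-ACK" from the server


class Firewall:
    """Port-forwarding NAT.  hairpin=False is a plain DNAT rule (assumed to be
    what a stock port-forward does).  hairpin=True additionally source-NATs
    LAN-originated connections to the firewall's own address, so the server's
    reply is forced back through the firewall and can be un-translated."""

    def __init__(self, hairpin: bool) -> None:
        self.hairpin = hairpin
        # (internal server, source the server saw) -> (real client, public addr)
        self.table: dict[tuple[str, str], tuple[str, str]] = {}

    def forward(self, pkt: Packet) -> Packet:
        internal = PORT_FORWARDS.get(pkt.dst)
        if internal is None:
            raise ValueError(f"no port forward for {pkt.dst}")
        seen_src = pkt.src
        if self.hairpin and ipaddress.ip_address(pkt.src) in LAN:
            seen_src = FW_LAN_ADDR               # SNAT only for LAN clients
        self.table[(internal, seen_src)] = (pkt.src, pkt.dst)
        return Packet(seen_src, internal, pkt.flags)

    def untranslate(self, reply: Packet) -> Packet:
        """Reverse the mapping for a reply that actually reached the firewall."""
        client, public = self.table[(reply.src, reply.dst)]
        return Packet(public, client, reply.flags)


def next_hop(pkt: Packet) -> str:
    """LAN hosts deliver on-link traffic directly; everything else goes to the
    default gateway, which in the post is the IPCop box."""
    return "direct" if ipaddress.ip_address(pkt.dst) in LAN else "gateway"


def smtp_handshake(client: str, dialed: str, fw: Firewall) -> bool:
    """True if the client's SYN produces a SYN-ACK it will accept, i.e. one
    whose source is exactly the address it dialed."""
    syn = Packet(client, dialed, "SYN")
    delivered = syn if next_hop(syn) == "direct" else fw.forward(syn)
    # The server answers whatever source address it saw on the SYN.
    reply = Packet(delivered.dst, delivered.src, "SYN-ACK")
    if reply.dst == FW_LAN_ADDR or next_hop(reply) == "gateway":
        reply = fw.untranslate(reply)        # only these replies hit the firewall
    return reply.dst == client and reply.src == dialed


def resolve(name: str, view: str) -> str:
    """Pick the address a host should dial for `name` under a given DNS view."""
    return NAME_VIEWS[name][view]


def scenarios() -> dict[str, bool]:
    """Run the post's situation and the two fixes; returns name -> success."""
    bar = "192.168.1.22"
    return {
        "outside client, plain port-forward":
            smtp_handshake(WAN_CLIENT, resolve("baz.foo.com", "public"), Firewall(False)),
        "bar dials public addr, plain port-forward (the post)":
            smtp_handshake(bar, resolve("baz.foo.com", "public"), Firewall(False)),
        "bar dials public addr, hairpin SNAT added (option i)":
            smtp_handshake(bar, resolve("baz.foo.com", "public"), Firewall(True)),
        "bar dials DMZ addr via internal view (option ii)":
            smtp_handshake(bar, resolve("baz.foo.com", "internal"), Firewall(False)),
    }


if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'}  {label}")
```

The model also shows why the WAN case keeps working while the LAN case does not: an outside client's reply has to go via the default gateway anyway, so the DNAT is undone on the way back; a LAN client's reply is on-link and bypasses the firewall entirely. Whichever fix is chosen, the server-side check is the same: on baz, watch port 25 with `tcpdump` while bar connects and confirm the SYN's source address is one baz will answer back through the firewall (hairpin) or one that is the peer's real address (internal view), since sendmail does its MX and A lookups against DNS rather than /etc/hosts, the internal view has to be served by the resolver sendmail actually consults.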