This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Outgoing Packet-Filter??

Hey together,
I've Astaro v5 with severel Packet Filter Rules, the last one declares the "Block all"-Rule.
One Rule i.e. is: Allow SMTP from DMZ to WAN.
For testing I deactivated this rule, but: THe SMTP-Traffic was still fine and running. But why? The only "allow SMTP"-rule was unguilty...
For translating the private Network thereis of course a Masquerading-NAT-Rule, but that shouldn't be point...

About that I got the feeling that nothing from internal is blocked from Astaro...
Is that correct??

thx alot!!!
Domi

This thread was automatically locked due to age.

Parents

0 BarryG over 20 years ago

In ASL, Nothing should be able to talk to anything unless you allow it.

Describe your MASQ/NAT rules.
(you shouldn't NAT DMZ to INT, for example)

Do you have the SMTP Proxy enabled?

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 Xeno over 20 years ago in reply to BarryG

Do you use the SMTP proxy in transparent mode? This would catch all smtp traffic and redirect it to the proxy handles it automatically.

Note1: You do not need a drop all rule a the end of your rule set, because there is one by default.
Note2: ASL defines some automatic packet filter rules which have higher priority than manually defined rules. There are used to make sure the proxies and thing like that are able to communicate. Anyway, these rules should not allow port 25 for routed traffic.

Xeno
Cancel
Vote Up 0 Vote Down

Cancel
0 domi over 20 years ago in reply to Xeno

Hey and thanks for your answers.
My Masquerading Rule from DMZ to WAN looks like this:

DMZ (Network) -> All / All MASQ__DSL None

All other NAT-Rules aro from outside to the inside...
Will every outgoing traffic also be defined by a SNAT-Rule??

I don not use the SMTP-Proxy... But perhaps I should use it...? [:S]

thx
Domi
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 domi over 20 years ago in reply to Xeno

Hey and thanks for your answers.
My Masquerading Rule from DMZ to WAN looks like this:

DMZ (Network) -> All / All MASQ__DSL None

All other NAT-Rules aro from outside to the inside...
Will every outgoing traffic also be defined by a SNAT-Rule??

I don not use the SMTP-Proxy... But perhaps I should use it...? [:S]

thx
Domi
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Simon Shaw over 20 years ago in reply to domi

Suggest strongly you use the SMTP proxy.

Also point to it for your mail server MX records so all incoming mail gets routed thru the proxy so you can take advantage of ASL's great anti spam features.
Cancel
Vote Up 0 Vote Down

Cancel
0 domi over 20 years ago in reply to Simon Shaw

Thanks for the SMTP-Proxy. I'll implement this soon...
But what about the DNAT & Masquerading-Rules??

Bye
Domi
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 20 years ago in reply to domi

Your DNAT rule looks fine.
Please post a screenshot of your packetfilter rules.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 domi over 20 years ago in reply to BarryG

Here we go... This is page 2/3 with allowed SMTP (i.e.)
Cancel
Vote Up 0 Vote Down

Cancel
0 NimmdirKeks over 20 years ago in reply to domi

Hi,

first, group your services, you dont have to make one rule for one service, when source and destination are the same for multiple services.

Second, the filters are handled from top to down. So a normal configuration should always have the form:
-allow known_source service known_target
-block any_internal to any_internal
-allow known_souce service to_any

With all those rules you have, I guess you opened smtp somewhere else. (Rule 24/25?)

Chris
Cancel
Vote Up 0 Vote Down

Cancel
0 domi over 20 years ago in reply to NimmdirKeks

The two SMTP-Rules are: One from LAN to DMZ (internal Mailserver to DMZ-Mailserver) and the other from DMZ to external...
But I tried to disable the Masquerading and added for each Port a SNAT-Rule... So I got a workaround for this. But I don't think that this is the correct way??
And I guess that the rules aren't redundant, but this could be the only reason...
Cancel
Vote Up 0 Vote Down

Cancel