[Gllug] ipchains/smtp acceptance from Demon
sean at uncertainty.org.uk
Wed Aug 15 21:13:06 UTC 2001
On Wed, Aug 15, 2001 at 01:07:29PM +0000, t.clarke wrote:
> Sean wrote:
> >I want to allow Demon to initiate smtp connection .. so
> >ipchains -A input -i $extint -s 194.217.242.0/8 smtp -p TCP -l -j ACCEPT
>
>
> I believe I am somewhat late entering the debate, but nevertheless my
> tuppence worth (for what it's worth)!! :-
>
> ipchains -A input -i $extint -s 194.217.242/24 --dport smtp -j ACCEPT
>
> would seem to do the trick
but wouldn't the /24 allow a far greater range than I need to?
>
> The default policy on the firewall input chain should really be DENY, with only
> the things you want explicitly allowed
It is - I am not sure why I got some mail through - I hope that I messed up
and manually set a default allow while I was reconfiguring...
> Not a bad idea to disallow anything on the internal interface that purports to
> come from your internal ip address range, also
I do that too (script more or less straight from linuxdoc - or man apafes or something).
>
> I left out -p TCP on the basis that SMTP should not be listening on a udp
> port anyway!
>
> I left out -l, 'cos with it in I believe you may get loads and loads of messages
> for every smtp ip packet that arrives ??
>
Well - yes and no. I had -y set too, so only one log entry per message.
I think I have been getting generally confused between source ports and destination
ports - the docs I read suggested stopping incoming connections by rejecting SYN
requests (with the -y flag)...
It seems like I could in fact block all connections to low numbered ports on my ppp0
interface?
Apart from incoming mail from demon - and any other specific connections.
What ports do I have to allow to connect for things like outgoing http ftp ssh ...?
I feel like I ought to be using iptables - but there doesn't seem to be much info
about that yet.
--
Sean
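To tie the thread's points together, here is an added dry-run rule script (my own example, not Sean's or t.clarke's script): a DENY default policy, an anti-spoofing rule, the Demon rule matching the destination port rather than the source port, and -y so that only new inbound SYNs to low ports are refused while replies to outgoing http/ftp/ssh still get in. Interface ppp0, the 194.217.242.0/24 range, the 192.168.0.0/16 internal range and the dry-run `echo` default are assumptions; note that `-s 194.217.242.0/8` would actually match all of 194.0.0.0/8, which is far more than the /24.

```shell
#!/bin/sh
# Dry-run ipchains generator. IPCHAINS defaults to "echo ipchains" so the
# rules are printed, not applied; run with IPCHAINS=ipchains to apply them.
IPCHAINS="${IPCHAINS:-echo ipchains}"
EXTINT="${EXTINT:-ppp0}"                 # assumed external (dial-up) interface
DEMON_SMTP="${DEMON_SMTP:-194.217.242.0/24}"   # assumed Demon mail relay range (/24, not /8)
INTERNAL="${INTERNAL:-192.168.0.0/16}"   # assumed internal address range

fw_rules() {
    # Default policy DENY: only what is listed below gets in.
    $IPCHAINS -P input DENY
    $IPCHAINS -F input
    # Anti-spoofing: packets arriving on the external link must not claim
    # to come from our own internal range. Log them (-l).
    $IPCHAINS -A input -i "$EXTINT" -s "$INTERNAL" -j DENY -l
    # Inbound mail from Demon: match the DESTINATION port (our MTA, tcp/25).
    # The original rule put "smtp" after -s, which matched the SOURCE port.
    $IPCHAINS -A input -i "$EXTINT" -p tcp -s "$DEMON_SMTP" --dport smtp -j ACCEPT
    # Refuse NEW inbound connections (SYN set, -y) to every privileged port.
    $IPCHAINS -A input -i "$EXTINT" -p tcp -y --dport 0:1023 -j DENY -l
    # Replies to our own outgoing http/ftp/ssh sessions arrive with source
    # port 80/21/22, a high destination port and without a bare SYN, so they
    # pass here. Caveat: active-mode FTP data connections come INBOUND from
    # the server's port 20 with SYN set and need their own rule (or use passive).
    $IPCHAINS -A input -i "$EXTINT" -p tcp ! -y --dport 1024:65535 -j ACCEPT
    # DNS answers are UDP from port 53 back to a high port.
    $IPCHAINS -A input -i "$EXTINT" -p udp --sport domain --dport 1024:65535 -j ACCEPT
}

# Number of rule commands the script emits (used as a self-check).
fw_rule_count() {
    fw_rules | grep -c 'ipchains'
}

fw_rules
```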
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug