From: Ean Kingston (no email)
Date: Tue Jun 01 2004 - 10:28:59 EDT
Your problem most likely belongs on the FreeBSD IPFW list, not the postfix list. BUT since I have a similar configuration, I'm going to try and help.
Assuming this is your diagram:
<SMTP Server>--+-------------<NAT Firewall>---------------<Internet>
 192.168.1.10  |              192.168.1.A    200.yyy.xxx.www
               |
<Inside Host>--+
 192.168.1.9
AND assuming you are using a fairly standard NAT configuration on your Firewall
AND assuming you are using IPFW + NAT (as opposed to IPFirewall or IPF)
AND assuming your Internet address is configured on an interface of the firewall
The NAT implementation for FreeBSD (or more accurately the IPFW filtering) happens when traffic enters or leaves a physical interface. Generally, the 'divert' rule (which sends the packet to the NAT engine) is configured on the Internet facing interface (200.yyy.xxx.www). So, traffic must enter or leave the physical interface on the Internet side of your firewall.
When you send traffic from an inside host to an outside interface, the traffic enters the physical interface on the inside of your firewall, goes through whatever IPFW rules you have set up for that interface and (presumably) winds up in the IP stack inside your FreeBSD system. The FreeBSD system looks at the destination address (200.yyy.xxx.www) and realizes the packet is destined for itself (the firewall). The packet is then delivered without going through IPFW again (in your case to port 25 on the firewall). Since your firewall doesn't run a mail server, you get a 'failed to connect'.
There are a few ways around this:
1) Add a store and forward mail server on your firewall to service internal clients.
2) Add a divert rule that gets processed for traffic inbound on the internal interface. NOTE that this may add extra overhead on your firewall.
3) Run an internal DNS server so that your internal addresses are used internally AND a separate external DNS server for external queries. Not very elegant.
4) If you have more than one IP address for the Internet side, do not put the mail server's address on your firewall and make sure your firewall is configured to route traffic out the external interface when it is destined for the external mail server address. This will get it to go through the NAT filter and (if everything is setup just right) it should wind up going back to your internal addressed mail server.
This last option is probably the most difficult to setup (since it requires a thorough understanding of how IPFW, NATD, and FreeBSD interact). It also means that communications between two internal hosts need to go all the way through your firewall (adding unneeded traffic to the firewall). This is, IMHO, the most elegant solution.
My solution was the first one. My firewall runs a simple store and forward SMTP server that provides service for internal systems only. Essentially it is my outbound mail relay. I can also use it as an inbound relay when I need to do work on the real mail server.
> -----Original Message-----
> From: Eicke [mailto:]
> Sent: Monday, May 31, 2004 2:55 PM
> To:
> Subject: relay or network
>
>
> Hi folks,
>
> I have a postfix server. This server is protected by a FreeBSD firewall
> running NAT.
> The server has a valid IP and a false IP.
>
> When I try to connect from my machine (192.168.1.9) to the server:
>
> Invalid IP:
> >telnet 192.168.1.10 25
> 220 ns.server.com.br ESMTP Postfix
>
> Valid IP
> >telnet 200.yyy.zzz.www 25
> Connecting To 200.yyy.zzz.www ...Could not open connection to the host, on port 25: Connect failed
>
> If I try to connect inside of my LAN I successfully connect to the server.
>
> My problem is that I have another server in my LAN and I did not connect the two servers.
>
> May 31 14:37:15 server2 postfix/smtp[862]: CB1247C5A0: to=<>, relay=none, delay=0, status=deferred (connect to ns.server1.com.br[200.xxx.yyy.zzz]: Connection refused)
>
>
> Could you help?
>
>
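For reference, here is what option 2 (an extra divert on the internal interface) looks like as an IPFW/natd fragment. This is an example added to this page, not configuration from Ean's or Eicke's machines and not taken from the thread. The interface names fxp0 (Internet side) and xl0 (LAN side), the rule numbers, and the public address 200.yyy.xxx.www are assumptions; substitute your own. The script only prints the commands unless APPLY=yes is set, so it can be read and checked before anything touches the running ruleset.

```shell
#!/bin/sh
# Added example (not from the original thread): IPFW divert rules for
# option 2, diverting natd traffic on the LAN interface as well as on
# the Internet interface, so a LAN host can reach the public address
# of the NATed SMTP server.
# Interface names, rule numbers and the public address are assumptions.
# Commands are printed, not executed, unless APPLY=yes.

EXT_IF="${EXT_IF:-fxp0}"                  # Internet-facing interface (assumed)
INT_IF="${INT_IF:-xl0}"                   # LAN interface (assumed)
EXT_ADDR="${EXT_ADDR:-200.yyy.xxx.www}"   # public address configured on EXT_IF
LAN="${LAN:-192.168.1.0/24}"
SMTP_HOST="${SMTP_HOST:-192.168.1.10}"    # the real mail server on the LAN
APPLY="${APPLY:-no}"                      # APPLY=yes runs the commands for real

# Print the command, or run it when APPLY=yes.
run() {
    if [ "$APPLY" = yes ]; then
        "$@"
    else
        echo "$@"
    fi
}

# natd in interface mode, forwarding public port 25 to the internal server.
start_natd() {
    run natd -n "$EXT_IF" -redirect_port tcp "$SMTP_HOST:25" 25
}

# Divert rules. They belong near the top of the ruleset, before any rule
# that lets a packet reach the firewall's own IP stack.
natd_rules() {
    # Standard NAT: everything crossing the Internet interface.
    run ipfw add 100 divert natd ip from any to any via "$EXT_IF"
    # Hairpin, inbound leg: a LAN host talking to the public address arrives
    # on INT_IF and would otherwise be delivered locally without ever seeing
    # rule 100. Hand it to natd here; redirect_port rewrites the destination
    # to SMTP_HOST. The same rule also catches the server's replies, which
    # are addressed to the public address as well.
    run ipfw add 110 divert natd ip from "$LAN" to "$EXT_ADDR" in via "$INT_IF"
    # Hairpin, outbound legs: the rewritten packet is forwarded back out
    # INT_IF. Aliasing the client's source here makes the server answer
    # through the firewall; without it the reply would go straight to the
    # client with 192.168.1.10 as its source, and the client's TCP stack,
    # expecting the public address, would drop it.
    run ipfw add 120 divert natd tcp from "$LAN" to "$SMTP_HOST" 25 out via "$INT_IF"
    # The server's replies get their source rewritten to the public address
    # (via the redirect link) before they reach the client.
    run ipfw add 130 divert natd tcp from "$SMTP_HOST" 25 to "$LAN" out via "$INT_IF"
}

start_natd
natd_rules
```

The firewall forwards the rewritten packet back out the interface it arrived on, so IP forwarding (gateway_enable in rc.conf) has to be on. Rules 120 and 130 are the part most likely to need adjusting on a given box; they are what keep the server's replies going through natd instead of directly to the client, which is the "if everything is set up just right" piece. If the connection still fails, a tcpdump on the LAN interface for port 25 will show whether the replies carry the public address or the private one.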