Re[2]: [Exim] Home network mailhub

Author: Richard Welty
Date:  
To: exim-users
Subject: Re[2]: [Exim] Home network mailhub
On Mon, 18 Mar 2002 10:51:55 -0800 Harry Putnam <reader@???> wrote:

> Phil Pennock <Phil.Pennock@???> writes:
>
> > On 2002-03-17 at 18:06 -0800, Harry Putnam wrote:
> >> It seems one would want to limit exposure of local private addresses for
> >> security reasons too... yes?
>
> > It depends. How are the internal addresses reachable? The NAT box
> > _does_ prevent source-routing, yes?
>
> I don't really know what source-routing is.

source routing is an old IP option, which falls into the category of "it
seemed like a good idea at the time". it allows you to set the source
address in the IP packet to other than the place where the packet truly
originated. good firewalls discard source routed packets, as do properly
configured internet servers. source routing can be misused both in DoS
attacks (e.g., the smurf) and in fooling bad firewalls by providing a
source address that will leak past a ruleset.

> So somehow port 25 traffic gets thru on request but not if initiated
> from outside. Far as I know the internal machines cannot be contacted
> from outside. I have made no special setting at the firewall
> involving port 25 other than to say that all internal machines can
> send packets out unhampered.


ok, you're not understanding how the system of ports works. it may be to
your advantage to acquire a copy of a reference like _TCP/IP Illustrated_
and learn this stuff. however, the outbound connection won't be dealing
with the same firewall rules situation as the inbound ones.

i don't know what your firewall situation is, but if it's OpenBSD based, i
have a draft HowTo i've been working on for OpenBSD 3.0/PF at
http://www.averillpark.net/OpenBSD/FW-HowTo.html

> The only thing I have actually NATed, (Hope that is the correct term)
> is traffic on ssh port 22 to a specific internal machine.


redirect is probably a better term. probably everything internal that goes
out is being NATed.

> > Not an IP. The hostname which that IP resolves to in reverse DNS, and
> > for which forward DNS already exists.


> Showing the true depths of my ignorance here, but what does `reverse
> DNS' really mean? Just getting alphabetical name from number?


yes. reverse DNS is supposed to be done for every IP that might be seen on
the public internet, but is often neglected by ISPs.

richard
--
Richard Welty
rwelty@???                                 Averill Park Networking
rwelty@???           Unix, Linux, IP Network Engineering, Security
rwelty@???                                     518-573-7592
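A defender-side check for the IP option discussed in the reply above, added here as an example and not part of the original thread: a small parser that flags IPv4 headers carrying the loose (LSRR) or strict (SSRR) source-route option, which is what a firewall that "discards source routed packets" has to recognise before dropping them. The packet bytes, addresses and function names are constructed for this example.

```python
import struct
# IPv4 option types for the two source-route options (RFC 791).
LSRR, SSRR = 131, 137   # Loose / Strict Source and Record Route

def ipv4_options(packet: bytes) -> list[tuple[int, bytes]]:
    """Return (type, data) for each option in the IPv4 header of packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, i, found = packet[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No Operation: one byte, no length
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        found.append((kind, opts[i + 2:i + length]))
        i += length
    return found

def is_source_routed(packet: bytes) -> bool:
    """True if the header carries LSRR or SSRR; a firewall should drop it."""
    return any(k in (LSRR, SSRR) for k, _ in ipv4_options(packet))

def source_route_hops(packet: bytes) -> list[str]:
    """Dotted-quad hops listed in the first source-route option, for logging."""
    for kind, data in ipv4_options(packet):
        if kind in (LSRR, SSRR):
            addrs = data[1:]                # data[0] is the pointer byte
            return [".".join(map(str, addrs[j:j + 4]))
                    for j in range(0, len(addrs) // 4 * 4, 4)]
    return []

def build_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 header with options padded to 32 bits."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    addr = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options),
                       0, 0, 64, 6, 0, addr(src), addr(dst)) + options
# Constructed LSRR option: type, length 11, pointer 4, then two hop addresses.
LSRR_OPTION = bytes([LSRR, 11, 4, 10, 0, 0, 1, 192, 168, 1, 5])
SOURCE_ROUTED = build_header("203.0.113.9", "198.51.100.25", LSRR_OPTION)
PLAIN = build_header("203.0.113.9", "198.51.100.25")
```

The hop list is what you would write to the firewall log when such a packet is dropped; a packet with the internal 10.0.0.0/8 or 192.168.0.0/16 ranges listed there is exactly the exposure the thread is worried about.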