08-03-2008
ipfw - dynamic rules and multiple IP addresses with outgoing packets
Here's the problem: Some email-service providers (like Google) have more than one server and distribute the load such that, e.g. the incoming mail server imap.gmail.com is assigned to more than one IP-address.
With stateful rules, the ipfw firewall correctly allows outgoing packages to one of the IP-addresses of the mail server. However, packages to the same port but to a different IP-address are consistently rejected.
I suspect that following the establishment of the initial connection, dynamic rules tables will not match because of the inconsistent IP address, and therefore outgoing packages to the second IP-address are always denied.
Does anyone know a solution to this problem?
Many Thanks.
Here are the relevant parts of my rule set:
...
#allow packet through if it has previously been added to the dynamic rules table
ipfw -q add 0010 check-state
#allow out get & send email function
ipfw -q add 0040 allow tcp from any to any 993 out via $nic setup keep-state
...
And here's the log:
Aug 3 18:44:33 xxx Firewall[38]: 42 Accept TCP my.ip.address:50201 209.85.147.111:993 out via en1
Aug 3 18:44:33 xxx Firewall[38]: 70 Deny TCP my.ip.address:49866 209.85.199.109:993 out via en1
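As an added illustration (written for this page, not code from the post or from ipfw itself), the following is a deliberately simplified model of how the check-state / keep-state pair in the rule set above treats the two flows seen in the log: a dynamic rule is keyed on the whole flow tuple, so state created for the first Google address can never match a packet to the second, and the static rule only installs new state for a "setup" packet (TCP SYN without ACK). The catch-all deny at rule 70 and the 300-second idle lifetime are assumptions made for the model.

```python
# Simplified model of ipfw check-state / keep-state matching (added example,
# not ipfw's real implementation). Rule 70 as catch-all deny and the 300 s
# dynamic-rule lifetime are assumptions; packet samples are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool  # True for a TCP SYN without ACK, what ipfw calls "setup"


class MiniIpfw:
    """Static rules modelled:
       10 check-state
       40 allow tcp from any to any 993 out setup keep-state
       70 deny (assumed catch-all)"""

    def __init__(self, lifetime=300):
        self.lifetime = lifetime  # seconds a dynamic rule lives with no traffic
        self.dynamic = {}         # flow tuple -> expiry time (model clock)

    def handle(self, p, now=0):
        # Dynamic rules are keyed on the full flow tuple, so a packet to a
        # second destination address never matches state for the first one.
        key = (p.src, p.sport, p.dst, p.dport)
        # rule 10: check-state, refreshes the entry on a hit
        expiry = self.dynamic.get(key)
        if expiry is not None and now < expiry:
            self.dynamic[key] = now + self.lifetime
            return (10, "Accept")
        # rule 40: only a setup packet matches; the match installs new state
        if p.dport == 993 and p.syn_only:
            self.dynamic[key] = now + self.lifetime
            return (40, "Accept")
        # rule 70: nothing else matched
        return (70, "Deny")


def trace(packets):
    """Run constructed (time, packet) pairs through a fresh firewall model."""
    fw = MiniIpfw()
    return [fw.handle(p, now) for now, p in packets]


if __name__ == "__main__":
    first = Packet("my.ip", 50201, "209.85.147.111", 993, True)
    second_syn = Packet("my.ip", 49866, "209.85.199.109", 993, True)
    second_data = Packet("my.ip", 49866, "209.85.199.109", 993, False)
    for t, p in [(0, first), (1, second_data), (2, second_syn), (3, second_data)]:
        print(t, p.dst, MiniIpfw().handle(p, t))
```

In the model, a packet to the second address that is not a SYN is denied unless its own setup packet was seen and its state has not expired; on a real system the live dynamic table can be inspected with `ipfw -d list` to see which flows currently hold state.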