ClearFoundation Forums

TOPIC: Custom SMTP incoming connection trouble
#42376
Custom SMTP incoming connection trouble 11 Months, 2 Weeks ago  
Guys, I'm pretty green to ClearOS. I basically implemented a ClearOS environment back in December for a few reasons. I needed a little better control over a few things, eventually some additional content filtering, and dual-wan. I tried to make a change today to the firewall and I'm running into a brick wall. Would appreciate some help at least getting me started down the right road. This started off as a friend recommending it to me to learn, then I had to use it to solve a few creative hurdles we had to tackle, and this amazing piece of engineering has conquered.

I have a ClearOS machine running 5.2 ent. We have an in-house Exchange 2010 server. All mail is filtered externally through Postini. I have everything locked down except for the firewall. I decided today to try to tackle the firewall lockdown to allow port 25 traffic through the gateway to my Exchange server ONLY from Postini's IP range.

I disabled the port forward of port 25 to internal IP 192.168.0.2. Under Firewall > Advanced I added a new incoming rule. Basically I want to ONLY allow TCP 25 traffic to be accepted and passed along to 192.168.0.2 from Google's IP range of 64.18.0.0 - 64.18.15.255. I have tried entering it as a range, as 64.18.0.0/20 and 64.18.0.0, but nowhere can I see how to add my netmask with that IP. I tried it with a source and destination port and with only a destination port. No matter what I try I can't get it to work unless I just go back and enable the port forward. I promise I tried to follow the manual before I asked for help. It just isn't detailed enough to explain this one.


Can one of you geniuses please tell me what I'm doing wrong? I'm 99% confident that I'm going to have to do this somewhere else, just don't know where that somewhere else is. I am at least somewhat familiar with SSH and can get through a little.


I appreciate any help you can give me. Thanks in advance.
Seth Folickman
#42392
Re: Custom SMTP incoming connection trouble 11 Months, 2 Weeks ago  
You should be able to do an advanced rule on its own. The source IP should be 64.18.0.0/20. Why do you want to add a netmask? The /20 is equivalent to 255.255.240.0. Make sure you select the TCP protocol.
Nick Howitt
#42394
Re: Custom SMTP incoming connection trouble 11 Months, 2 Weeks ago  
Nick, that was the first thing I tried. It didn't seem to work. However, I had the source port range 25 to 25 and a destination IP and port specified too. Didn't think it would matter if I had those extra entries.

I'll try it again today with only the source IP and destination port and IP and see what happens.

Thanks
Seth Folickman
#42417
Re: Custom SMTP incoming connection trouble 11 Months, 2 Weeks ago  
Nick,

I tried making the adjustment and it definitely didn't work. As soon as I turn on my port forward it comes right back up. I'm attaching a screenshot. Will you please look over it and tell me if I'm doing something wrong or what.


Thanks for the help

Seth




After posting this I also tried 25 and 25 in the destination port just to make sure it wasn't waiting on a range and that didn't help either. The second I enable my port forward it works just fine. I'm stumped and I know it shouldn't be this hard.

Thanks again
Seth Folickman
Last Edit: 2012/06/10 20:27 by supermansrf. Reason: add content
#42431
Re: Custom SMTP incoming connection trouble 11 Months, 2 Weeks ago  
Can you put 25 in both the source and destination ports? In this case the source should be read as the "original destination" so the rule allows you to rewrite the destination port as well (if you really want).
Nick Howitt
#42435
Re: Custom SMTP incoming connection trouble 11 Months, 1 Week ago  
That was one of the first things I tried. I'm starting to wonder if the Postini documentation that I used maybe guided me to the wrong IP range or something. It would also make sense if the IP address was wrong.

Before we bark up this tree any more let me call for support today and make sure I have the correct range. Something just seems off about this. I also have RDP port 3389 masked through another custom forward. Let me also attempt to change that later today to only allow 3389 from my home IP and see if I can get that to work also.

I'll keep you posted. Thanks
Seth Folickman
#42449
Re: Custom SMTP incoming connection trouble 11 Months, 1 Week ago  
So I've tried a few different things since I replied this morning. I called Postini to verify I'm using the correct IP range, and I am. I also tried the following screenshot. Neither works.



I'm stumped. Any clue what to try next?

Thanks
Seth Folickman
#42451
Re: Custom SMTP incoming connection trouble 11 Months, 1 Week ago  
I've just moved my original answer down for future reference because I've noticed something else. You have set up an advanced Incoming Allow rule and not an advanced Port Forward. When you add a rule, change the drop down box from Incoming Allow to Port Forward.

Original answer for future reference
I think that looks OK. I tried specifying a single port and a port range here and they both looked OK. You could try adding a logging rule:
Code:

# log WAN-side connections to TCP 25 whose source is NOT in the Postini range
iptables -t nat -I PREROUTING -s ! 64.18.0.0/20 -i ethX -p tcp --dport 25 -j LOG

Replace ethX with your WAN interface. or replace

If you do this rule at the command line it will survive until the firewall restarts. The firewall restarts for all sorts of reasons, one of which is if you change any firewall rule in the webconfig. To make it permanent add it to /etc/rc.d/rc.firewall.local as well as the command line. This will log to /var/log/messages among all the other messages there. There is a way to log to another file if necessary, but this should work for the short term.
Nick Howitt
#42609
Re: Custom SMTP incoming connection trouble 11 Months, 1 Week ago  
Nick that worked like a charm. Good info to know.

Thanks for the help!!
Seth Folickman
#47084
Re: Custom SMTP incoming connection trouble 7 Months ago  
Hey Nick (or anyone else out there) I'm back with a new version of this question.


My old 5.2 took a dive over the weekend and I'm back for more. This time I decided to try 6.3 instead.

I am now finding out that the advanced firewall is gone for some very valid reasons. I'm back to trying to get this rule written and am coming up short on good examples that will guide me.


Basically all of the information in this thread is the same, only with the exception of the COS version. Can someone please guide me in writing a custom rule for this scenario.

I only want to allow SMTP traffic to internal IP 192.168.0.2 from the range of 64.18.0.0/20


Or, if anyone knows how I can yum the advanced firewall module, that would be wonderful. I know when not to do something I don't fully understand.



Thanks in advance. You guys are freaking amazing.
Seth Folickman
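Added example, not code from this thread, from Nick, or from ClearOS itself: the source-restricted SMTP port forward that Nick's answer in #42451 produces through the webconfig, written out as raw iptables commands so the same rule set can be dropped into /etc/rc.d/rc.firewall.local on 5.2 or used as the basis for a custom rule on 6.3 (the question in #47084). The Postini range 64.18.0.0/20 and the mail host 192.168.0.2 come from the thread; the interface names eth0 (WAN) and eth1 (LAN), the `APPLY` switch and the `ipt` wrapper are my assumptions and can be overridden from the environment. The script prints the rules unless APPLY=1, so it can be reviewed before touching a live firewall.

```shell
#!/bin/sh
# Added example (not ClearOS or thread code): source-restricted SMTP port
# forward as raw iptables rules. Assumptions not stated in the thread: the WAN
# NIC is eth0 and the LAN NIC is eth1. Prints the commands unless APPLY=1.

WAN_IF="${WAN_IF:-eth0}"               # assumption: external interface
LAN_IF="${LAN_IF:-eth1}"               # assumption: interface facing 192.168.0.0/24
SRC_NET="${SRC_NET:-64.18.0.0/20}"     # Postini range from the thread
MAIL_HOST="${MAIL_HOST:-192.168.0.2}"  # internal Exchange server from the thread
APPLY="${APPLY:-0}"

# Run iptables for real only when APPLY=1; otherwise echo the command line.
ipt() {
    if [ "$APPLY" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

smtp_forward_rules() {
    # 1. Rewrite the destination only for packets from the trusted range.
    #    A connection from any other source is never DNATed, so it is handled
    #    by the gateway's own INPUT rules instead of reaching the mail server.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -s "$SRC_NET" -p tcp --dport 25 \
        -j DNAT --to-destination "$MAIL_HOST:25"

    # 2. Let the rewritten packets cross from WAN to LAN, again keyed on the
    #    source. Return traffic is assumed to be covered by the base firewall's
    #    ESTABLISHED,RELATED rule and its WAN masquerading.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$SRC_NET" -d "$MAIL_HOST" \
        -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # 3. Log (rate-limited) any other source knocking on port 25. This is the
    #    check Nick suggested for confirming that Postini really sends from the
    #    expected range. '! -s' is the current spelling of the legacy '-s !'.
    ipt -t nat -A PREROUTING -i "$WAN_IF" ! -s "$SRC_NET" -p tcp --dport 25 \
        -m limit --limit 5/min -j LOG --log-prefix "SMTP-unauth-src:"
}

smtp_forward_rules
```

Ordering matters: ClearOS loads its own chains first, so after applying these, `iptables -t nat -L PREROUTING -n --line-numbers` and `iptables -L FORWARD -n --line-numbers` show whether a rule earlier in the chain already matches the traffic. Unexpected sources show up in /var/log/messages with the `SMTP-unauth-src:` prefix, which is how to tell "Postini is outside 64.18.0.0/20" apart from "the forward itself is wrong".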