Re: Current status?



In article <g9sigp$gs$1@xxxxxxxxxxxxxxxxx>, david20@xxxxxxxxxxxxxxxx
writes:

>> All mail I send anywhere via TCPIP goes through the host specified as
>> the alternate gateway. The highest-priority MX record is the WAN
>> address of my LAN, which gets forwarded to the cluster alias.

On my ROUTER, of course, not on my LAN.

> So your alternate gateway and MX record host are your designated MTAs which
> should be allowed to communicate with the outside world over port 25.

Right.

> Any other systems on your internal network which wish to send mail out should
> send out either directly or indirectly through the same alternate gateway.

That's what they do. To the outside world, it looks like everything
comes from the WAN address of the router.

> Any mail for users on any other internal mail system should receive mail by it
> first being passed to the MX system which then forwards it onto the internal
> system.

Internal mail is directly within the cluster, i.e. no TCPIP.

> Hence the other internal systems do not require to open connections
> directly to port 25 on arbitrary external systems or to have arbitrary
> external systems connecting directly to port 25 on them. Your firewall can
> therefore block those other internal systems from attempting such port 25
> connections.

The outside world can see only the WAN address, and that goes to the
cluster alias on the LAN. All systems have the same SMTP configuration,
in particular the same alternate gateway.

> (You mention the WAN address of your LAN which suggests that you probably have
> an internal network which is using dynamic NAT.

Right, NAT and PAT.

> Hence NAT is probably taking
> care of stopping direct external connections to your other internal systems on
> port 25 anyway.)

Right.
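The port-25 policy the two posters converge on (only the designated MTA, i.e. the alternate gateway / MX target, talks SMTP across the edge; every other internal host is denied, and inbound SMTP is only ever forwarded to the MTA) can be written down and audited against connection records. The following is an added example, not code from either poster or from any VMS or router product; the LAN prefix, the MTA address, the flow format and the sample connections are all constructed (RFC 1918 and documentation ranges), and the flows are taken as a LAN-side log would see them after NAT.

```python
"""Model of an edge-firewall SMTP egress/ingress policy and an audit over
constructed connection records. Added example; addresses are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example addressing (assumption, not the poster's network).
LAN = ip_network("192.168.10.0/24")   # internal LAN behind the NAT/PAT router
MTA = ip_address("192.168.10.25")     # designated MTA: alternate gateway / MX target
SMTP_PORT = 25


@dataclass(frozen=True)
class Flow:
    """One TCP connection attempt as a firewall or flow log records it."""
    src: str
    dst: str
    dport: int


def decide(flow):
    """Apply the port-25 policy to one flow; returns (verdict, reason)."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if flow.dport != SMTP_PORT:
        return "allow", "not port 25; outside this policy"
    src_in, dst_in = src in LAN, dst in LAN
    if src_in and dst_in:
        # Internal submission to the MTA never crosses the edge firewall.
        return "allow", "LAN-to-LAN SMTP"
    if src_in and not dst_in:
        if src == MTA:
            return "allow", "designated MTA relaying out"
        return "deny", "non-MTA host attempting direct outbound SMTP"
    if dst_in and not src_in:
        if dst == MTA:
            return "allow", "inbound SMTP forwarded to the MTA"
        return "deny", "inbound SMTP to a host that is not the MTA"
    return "deny", "neither side on the LAN; not a flow we forward"


def audit(flows):
    """Return the flows the policy denies, each paired with its reason."""
    denied = []
    for flow in flows:
        verdict, reason = decide(flow)
        if verdict == "deny":
            denied.append((flow, reason))
    return denied


# Constructed sample log: one relay, one rogue workstation, one inbound
# delivery, one inbound probe, one internal submission, one unrelated flow.
SAMPLE_FLOWS = [
    Flow("192.168.10.25", "203.0.113.7", 25),    # MTA sending out: allow
    Flow("192.168.10.40", "203.0.113.7", 25),    # workstation direct to remote MX: deny
    Flow("198.51.100.9", "192.168.10.25", 25),   # external sender to forwarded MTA: allow
    Flow("198.51.100.9", "192.168.10.40", 25),   # external host to non-MTA: deny
    Flow("192.168.10.40", "192.168.10.25", 25),  # internal submission to MTA: allow
    Flow("192.168.10.40", "203.0.113.7", 443),   # HTTPS, not covered: allow
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport}  ({reason})")
```

Run as a script it prints the two denied flows. The deny on the workstation's direct outbound attempt is the detection side of the policy: with every internal system pointed at the same alternate gateway, any non-MTA host that shows up in the log trying port 25 outward is misconfigured or compromised, and the rule both blocks it and makes it visible.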
