telnet on local LAN question

Tim ignored_mailbox at yahoo.com.au
Fri Aug 19 07:15:45 UTC 2011


On Thu, 2011-08-18 at 21:49 -0700, Paul Allen Newell wrote:
> I am no longer certain whether the telnet testing failure is a
> blocker to getting mail between machines. But it still remains a
> mystery to me why I can't tell iptables "you like telnet / port 23
> inside your LAN".

Your firewall rules don't care what (telnet, mail, webserving) you're
doing over the ports; its rules are based on connections to or from
ports and/or addresses.

So to allow or disallow mail, for instance, you can set rules by port
numbers that the server uses (port 25 for SMTP).  And those rules can be
set on the server to allow or block access coming in to port 25.
Also, rules can be set on clients to allow or block access going out to
port 25.  Likewise, with other ports.

If you're unsure of what ports are commonly used for what, have a look
at the /etc/services file.  Firewall rules can also be set using the
port names, i.e. you can set a rule blocking access to the smtp port,
by name, and iptables will apply the rule to port 25 (because it's using
the data listed in the /etc/services file to translate names and port
numbers).

If you use a configurator tool to set your firewall rules, it will
probably list common services by name, already.

With some services, you may also have to reconfigure your SELinux rules
to allow them to function.

                      ----------------------------

If you can telnet to a service, it shows that you can at least make a
connection to it.  If you can issue commands to it, and get appropriate
responses, then the service should be fully functional.  Though being
able to send a message to a server is part of the equation.  If you
expect it to pass it along to the next link in the chain, that's yet
another thing for you to check works.

Mail serving is a complex beast, and really does require you to read up
on how it's supposed to work, as well as how easily it can be exploited
(especially if your mail server may be externally accessible!).

If you're using sendmail, as I am, it has its own website (which is
probably the best source for finding out about it).  Others swear *at*
it, and have switched to postfix.  Sendmail users seem to be divided
between those who prefer it, and those who've learned enough about it
that they don't want to bother learning another service.

-- 
[tim at localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.