I like your approach. Going head on the problem, not working around it.
But as for getting the cable connection white listed is a difficult process.
Many RBL have a listing on dynamic IP ranges. (I would suspect that this is
the case of Richard's cable connection) and they will not remove these
I would expect the 8Mbit connection to have a more "permanent" status and
therefore a recommended solution. Make it possible to get of the blacklists
should that occur.
I would recommend on getting a permanent IP/range registered to your
organization on a non "dynamic CABLE/xDSL IP pool" for a critical mail
system. (If this isn't already the case on the 8Mbit connection.) It's also
recommended to get the proper reverse IP lookup on that mail server to match
the hostname. Some servers may check to se if the mail servers reported
hostname is equal to the official reverse lookup of the IP. Some have had
this as a requirement, but has later removed this for the amount of "good"
servers being rejected.
[mailto:shorewall-users-admin@...] On Behalf Of Michael
Sent: 24. februar 2006 04:10
Subject: Re: [Shorewall-users] forcing specific protocols through specific
Richard Houston wrote:
> Hi all
> Questions for the experts here. I have a Shorewall 3.0.5 firewall with 3
> Ethernet cards. One connects to a high speed radio service(8 mbit eth0)
> the second to a broadband cable provider (1.5 mbit eth2) and the other
> into our dmz (eth1) I have the two external lines balanced , both set at
> default weight.
> The issue I run into is the the cable providers ip addresses have been
> added to several RLB on the net so if the mail server, situated in the
> dmz, tries to send mail to gov addresses the mail gets bounce.
> What I would like to do is send all traffic for port 25 out on the 8 mbit
> eth0 line only. If it helps we can send all the traffic for a specific
> machine out via the 8 mbit eth0 interface, that works for me.
> Thanks all and appreciate your help.
I'm a pretty heavy duty sendmail admin who manages several large
My comments are unrelated to Shorewall (sorry).
While putting a protocol through a specific interface might work,
it's a really messy way of avoiding an RBL listing. The best way of
handling it would be to find out what RBLs are involved, and get
There are *several problems* and *RFC transgressions* that can
happen under the config you are proposing, and while you might be able
to avoid them through being meticulous, the best route really is to get
off the RBLs.
I would be suprised if the .gov servers you are referring to are
using the really aggressive RBLs. If they are it will be more reliable
long term to contact the administrators of the RBLs and go through the
clearing process, and/or contact the postmasters of those servers for
I've had to "cleanup" IP ranges a bunch of times as clients have
come and gone and my servers have moved around the country. It pays in
spades to do the RBL work up front.
And in your case, if the second connection gets blacklisted, you'll
have to de-pollute the IP range anyway. And that process, depending on
how bad things are (ISP/Number of listings), and whether your servers
are configured correctly, can take weeks.
Don't be without e-mail for weeks- deal with the RBL problem.
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
Shorewall-users mailing list