Firewalld: trouble forwarding port 25 while other ports forward just fine, “rich rule” logging shows NO entries

Tags: fedora, firewalld, masquerade, port-forwarding

So, I installed Fedora Core 19 for the first time as a replacement for an older system whose disk had finally died. The system serves as a web server and gateway / firewall, protecting internal systems. Because it has a lot of network configuration, I got an introduction to – and found I really like – the new firewall daemon, firewalld.

I thought everything was going well (that's always when trouble strikes) when suddenly I spotted the internal mail server's maillog file going crazy – it was only luck I happened to still be watching it some 6 hours after getting things working.

Investigation showed the issue was that my internal mail system (protected behind the firewall) somehow thought all the outbound mail was coming from the gateway system, it was therefore an "internal" system and spammers found it to be an open relay. I noticed also that somehow or other that BOTH the internal and external zones were marked "masquerade" and that in fact the perceived IP addresses in the maillog file were the IP of the gateway. Logging in through a forwarded ssh port also confirmed that the wrong IP was being used on the internal side.

"NO PROBLEM!" I thought errantly. YES, turning off masquerading on the internal zone did fix the wrong IP being handed to the internal systems when coming through the gateway. However, it did NOT fix the problem because, inexplicably (so far!), it appears as though port 25 is no longer being forwarded!

OTHER ports are being forwarded, at least the easily tested ssh port I spoke of is. SO, I thought, I'll just turn on that fancy logging feature! Here's the command:

firewall-cmd --zone=external --add-rich-rule='rule family="ipv4" forward-port port="25" protocol="tcp" to-port="25" to-addr="192.168.1.1" log prefix="smtp-to-inside" level="info"'

I tried it with the permanent option, and not, etc. NOTHING shows up in /var/log/messages – or any other logfile I could think of looking in. It's as if the kernel is just ignoring that port. I thought maybe the internal mail system might possibly block the foreign traffic with its firewall, BUT the gateway SHOULD be logging the connection attempts, but I get nothing.

Any and all help appreciated.

Best Answer

This problem has nothing to do with firewalld, though it DID illuminate a bug with firewalld logging.

The issue was that for the duration of the upgrade, I'd switched the default route of the internal system providing mail services to a different gateway / firewall, uninvolved in the upgrade. I had thought that this was a good idea because the new system was having problems.

When I returned the internal SMTP serving system to use the new gateway machine as its default route, it all started working! It turns out there's a requirement nobody tells you about - never yet found it documented, but now that I've found it, some old timers confirm - that either the default route has to be set to the same as where the packets are forwarded from OR you have to have special routes set up to return the packets in the same path from whence they came. THAT is the requirement: the return route must equal source route.

Good luck out there!
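The two failure modes in this thread can be modelled without touching a real network. The following Python simulation is an added example, not code from the question or answer: it builds a gateway with a forward-port rule and a connection-tracking table, an internal SMTP server with a default route, and then replays the three configurations the thread goes through (masquerade on the internal zone, masquerade off with the default route pointing at a different gateway, and masquerade off with the default route pointing back at the forwarding gateway). All addresses and names (198.51.100.x, 203.0.113.7, 192.168.1.254, "new", "old") are constructed for the example; 192.168.1.1 is the to-addr from the question's rich rule.

```python
"""Model of the two failure modes in the thread: masquerade on the internal zone
hides the real client address from the mail server, and an internal server whose
default route points at a different gateway sends its replies past the
forwarding gateway, so the DNAT is never reversed. Addresses are constructed."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def reverse(p):
    """The 4-tuple a reply to p carries."""
    return Packet(p.dst, p.dport, p.src, p.sport)


class Gateway:
    """A NAT gateway with forward-port rules and a connection-tracking table."""

    def __init__(self, name, public_ip, internal_ip, forward_ports=None,
                 masquerade_internal=False):
        self.name = name
        self.public_ip = public_ip
        self.internal_ip = internal_ip
        self.forward_ports = forward_ports or {}        # public dport -> (to_addr, to_port)
        self.masquerade_internal = masquerade_internal  # masquerade set on the internal zone
        self.conntrack = {}                             # original Packet -> translated Packet

    def inbound(self, pkt):
        """Packet from the Internet: DNAT it if a forward-port rule matches, else drop."""
        target = self.forward_ports.get(pkt.dport)
        if pkt.dst != self.public_ip or target is None:
            return None
        # Masquerading the internal zone also rewrites the source to the gateway's
        # inside address, which is what made the mail server treat it as local.
        src = self.internal_ip if self.masquerade_internal else pkt.src
        translated = Packet(src, pkt.sport, target[0], target[1])
        self.conntrack[pkt] = translated
        return translated

    def outbound(self, pkt):
        """Reply heading to the Internet: undo the translation for a tracked flow.
        An untracked flow is simply masqueraded with this gateway's public address."""
        for original, translated in self.conntrack.items():
            if pkt == reverse(translated):
                return reverse(original)
        return Packet(self.public_ip, pkt.sport, pkt.dst, pkt.dport)


class InternalHost:
    """The internal SMTP server: on-link peers are reached directly, everything
    else goes to the default gateway."""

    def __init__(self, ip, subnet, default_gateway, on_link):
        self.ip = ip
        self.subnet = ipaddress.ip_network(subnet)
        self.default_gateway = default_gateway
        self.on_link = on_link            # inside address -> Gateway owning it

    def reply(self, pkt):
        """Return (next-hop gateway, SYN-ACK) for an incoming SYN."""
        syn_ack = reverse(pkt)
        if ipaddress.ip_address(pkt.src) in self.subnet:
            return self.on_link[pkt.src], syn_ack
        return self.default_gateway, syn_ack


def simulate(masquerade_internal, server_default_route):
    """Connect from an Internet client to port 25 of the forwarding gateway.

    Returns (handshake_completes, peer_address_seen_by_server)."""
    new_gw = Gateway("new", "198.51.100.10", "192.168.1.254",
                     forward_ports={25: ("192.168.1.1", 25)},
                     masquerade_internal=masquerade_internal)
    old_gw = Gateway("old", "198.51.100.20", "192.168.1.253")  # no forward-port rule
    gateways = {"new": new_gw, "old": old_gw}
    server = InternalHost("192.168.1.1", "192.168.1.0/24",
                          gateways[server_default_route],
                          {g.internal_ip: g for g in gateways.values()})

    client = ("203.0.113.7", 40000)                 # constructed client address
    syn = Packet(client[0], client[1], new_gw.public_ip, 25)
    delivered = new_gw.inbound(syn)
    if delivered is None:
        return False, None
    next_hop, syn_ack = server.reply(delivered)
    on_wire = next_hop.outbound(syn_ack)
    # A real TCP stack only accepts a SYN-ACK from the address:port it connected to.
    return on_wire == reverse(syn), delivered.src


if __name__ == "__main__":
    print("masquerade on, default route elsewhere:", simulate(True, "old"))
    print("masquerade off, default route elsewhere:", simulate(False, "old"))
    print("masquerade off, default route via forwarder:", simulate(False, "new"))
```

The first run completes the handshake but the server sees the gateway's inside address as the peer (the open-relay situation); the second run keeps the real client address but the SYN-ACK leaves through the other gateway, which has no conntrack entry and masquerades it with its own public address, so the client discards it; only the third run, with the return path through the forwarding gateway, gives both a completed handshake and the true peer address. Note that the forwarding gateway never sees the reply in the second case, which is also why no log line appears there.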