Your output chain should have a default of ACCEPT, so you shouldn't need those output chains... Try changing those rules to:

ipchains -A input -i eth0 -p tcp -s any/0 -d 12.27.41.52 25 -j ACCEPT
ipchains -A input -i eth0 -p tcp ! -y -s any/0 25 -d 12.27.41.52 -j ACCEPT

I removed the 1024:65535 in each rule. I don't think it's guaranteed that the source ports will be above 1024...

You'd be better off if you moved to kernel 2.4 and used the stateful firewalling, would make your rules simpler and it's more secure.

You really don't need any ipchains rules unless you are blocking specific IPs, just make sure you are only running services that you mean to be world accessible. My mailservers that I have outside the firewall don't have ipchains running, they only have an smtp daemon running and sshd so I can get to them, nothing else.

Jay

> -----Original Message-----
> From: Brian [mailto:lxy at cloudnet.com]
> Sent: Wednesday, March 14, 2001 9:40 AM
> To: tclug-list at mn-linux.org
> Subject: [TCLUG] firewalling around sendmail
>
> I've got a sendmail server that I've given heavy firewalling through
> IPchains. Apparently it was too heavy, because now sendmail won't work at
> all. I've got:
>
> ipchains -A input -i eth0 -p tcp -s any/0 80 -j ACCEPT
> ipchains -A input -i eth0 -p tcp -s any/0 25 -j ACCEPT
> ipchains -A input -i eth0 -p tcp -s any/0 110 -j ACCEPT
> ipchains -A input -i eth0 -p tcp -s any/0 6667 -j ACCEPT
>
> and sendmail was firewalled out. After consulting the book "linux
> firewalls", I was reminded that e-mail uses some ports > 1023 (at least
> Groupwise does, so it made sense) so now I've got:
>
> ipchains -A output -i eth0 -p tcp -s 12.27.41.52 1024:65535 -d any/0 25 -j ACCEPT
> ipchains -A output -i eth0 -p tcp ! -y -s 12.27.41.52 25 -d any/0 1024:65535 -j ACCEPT
> ipchains -A input -i eth0 -p tcp -s any/0 1024:65535 -d 12.27.41.52 25 -j ACCEPT
> ipchains -A input -i eth0 -p tcp ! -y -s any/0 25 -d 12.27.41.52 1024:65535 -j ACCEPT
>
> and it's still firewalled out. Any ideas? Sendmail works 100% when I
> ipchains -F.
>
> -Brian
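
The input rules discussed in this thread, modelled as an added example that is not part of the original messages: a small first-match evaluator comparing the source-port-restricted input pair with the suggested pair, and showing what a stateless "! -y" rule lets through. The Packet/Rule classes, the sample packets and the DENY chain policy are assumptions made for the illustration.

```python
from dataclasses import dataclass

SERVER = "12.27.41.52"                      # server address used in the thread
ANY, HIGH = (0, 65535), (1024, 65535)

@dataclass(frozen=True)
class Packet:
    sport: int
    dport: int
    dst: str = SERVER
    syn: bool = False
    ack: bool = False
    fin: bool = False

@dataclass(frozen=True)
class Rule:
    sports: tuple = ANY
    dports: tuple = ANY
    dst: str = SERVER
    not_syn: bool = False                   # models "! -y"

    def matches(self, p):
        # ipchains -y matches SYN set with ACK and FIN clear; "! -y" excludes those
        is_syn = p.syn and not p.ack and not p.fin
        return (self.sports[0] <= p.sport <= self.sports[1]
                and self.dports[0] <= p.dport <= self.dports[1]
                and self.dst == p.dst
                and not (self.not_syn and is_syn))

def verdict(chain, p, policy="DENY"):
    # Every rule modelled here jumps to ACCEPT; the DENY policy is an assumption.
    return "ACCEPT" if any(r.matches(p) for r in chain) else policy

# Input pair with the 1024:65535 restriction, and the pair without it
RESTRICTED = [Rule(HIGH, (25, 25)), Rule((25, 25), HIGH, not_syn=True)]
SUGGESTED = [Rule(ANY, (25, 25)), Rule((25, 25), ANY, not_syn=True)]

# Constructed packets arriving on eth0 for the server
SAMPLES = {
    "client SYN from source port 1000": Packet(1000, 25, syn=True),
    "SYN+ACK reply from remote port 25": Packet(25, 40000, syn=True, ack=True),
    "new connection from source port 25": Packet(25, 40000, syn=True),
    # Stateless matching cannot tell this from a reply to a real connection
    "bare ACK, no connection behind it": Packet(25, 40000, ack=True),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:38} restricted={verdict(RESTRICTED, pkt):6} "
              f"suggested={verdict(SUGGESTED, pkt)}")
```

The last sample is accepted by both rule sets, which is the gap connection tracking closes: a stateful filter accepts such a packet only when it belongs to a connection it has already seen.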