Adrian Cornish's questions

I am trying to stop some hosts on the network from going outside/calling home.

So I have 2 zones.

[root@eagle ~]# firewall-cmd --get-active-zones 
external
  interfaces: enp2s0
internal
  interfaces: eno1

With masquerading on for external

[root@eagle ~]# firewall-cmd --zone=internal --query-masquerade
no
[root@eagle ~]# firewall-cmd --zone=external --query-masquerade
yes

And I have a rich rule to drop data for the MAC address I want

[root@eagle ~]# firewall-cmd --zone=external --list-rich-rules 
rule source mac="40:16:3B:63:72:E0" drop

But it doesn't seem to be working. Obvious things I checked are adding them as permanent and making sure I reloaded the rules.

Any help appreciated

I am trying to configure haproxy to accept a connection from a client - parse a URL from GET params and then proxy that connection. So this was the client IP is hidden from the 3rd party and headers can be adjusted.

I've tried various configs but cannot get it to work. This is my latest effort. The redirects did not work as these allow the 3rd party to discover the clients real IP address.

frontend client
    mode http
    bind 192.168.202.207:80
    log                     global
    option                  httplog
    default_backend         proxy

backend proxy
    mode http
    option transparent
    acl need_redirect urlp(goelsewhere) -m found
    http-request add-header TestHeader %[urlp(goelsewhere),url_dec]
    http-request del-header User-Agent
#    http-request redirect location %[urlp(goelsewhere),url_dec] if need_redirect
    server servA 0.0.0.0

I've googled this error and nothing I've read/tried works - anyone know what it is

Error log:

Feb 23 22:35:36 localhost postfix/smtpd[5278]: connect from localhost.localdomain[127.0.0.1]
Feb 23 22:35:36 localhost postfix/smtpd[5278]: warning: SASL: Connect to smtpd failed: No such file or directory
Feb 23 22:35:36 localhost postfix/smtpd[5278]: fatal: no SASL authentication mechanisms
Feb 23 22:35:37 localhost postfix/master[5214]: warning: process /usr/libexec/postfix/smtpd pid 5278 exit status 1
Feb 23 22:35:37 localhost postfix/master[5214]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

postfix/main.cf:

queue_directory = /var/spool/postfix
smtpd_sasl_type = dovecot
smptd_sasl_path = private/auth
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes

dovecot/conf.d/10-master.conf:

  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }

Dovecot is available in postfix:

[root@localhost ~]# postconf -a
cyrus
dovecot

Socket:

[root@localhost conf.d]# ls -l /var/spool/postfix/private/auth
srw-rw-rw-. 1 postfix postfix 0 Feb 23 22:46 /var/spool/postfix/private/auth

Telnet time out straight away:

[root@localhost ~]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

Auth works:

[root@localhost ~]# doveadm auth adrian
Password:
passdb: adrian auth succeeded
extra fields:
  user=adrian

OS: Centos 6.4 Dovecot: 2.1.17 Postfix: 2.6.6

Edit result of postconf -n:

[root@localhost ~]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 192.168.124.0/24 168.100.189.0/28, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = hash:/etc/postfix/relay_domains
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks        permit_sasl_authenticated        reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_type = dovecot
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

I have a linux box which is setup as firewall/gateway for the network. Was just wondering why ss and other iproute2 tools show much less than iptables conntrack. Is it because the router function is happening in kernel only?

ss -na

Shows only two established connections where as a

conntrack -L -n

Shows 18 Established connections.