If you don't already have an address in the firewall's address book for the email server, create one. For example, supposing the system is on the trusted, internal side of the firewall, has the IP address 192.168.0.7, and is named hugo, the command below could be used:
netscreen-> set address "Trust" "hugo" 192.168.0.7 255.255.255.255
netscreen->

The 255.255.255.255 after the IP address is the netmask used for a single host address. You can also include a comment at the end of the command with some identifying information regarding the system, if you wish, e.g.,

set address "Trust" "hugo" 192.168.0.7 255.255.255.255 "Email server"
You could view all addresses in the address book for the trusted side
of the firewall with the command
get address trust. If you just
want to see the newly created entry for hugo, you could use
get address trust | include hugo.
If you want to see the existing rules, aka policies, in the firewall,
you can use the
get policy command. To configure a new rule
to allow SMTP connections to the email server, you need to specify that
the service is "Mail" as that is the predefined service for connections to
port 25, the
well-known port used for SMTP. You can see the predefined services for
email using the command
get service | include Mail.
netscreen-> get service | include Mail
IMAP        6    143    email    30    Pre-defined
MAIL        6    25     email    30    Pre-defined
POP3        6    110    email    30    Pre-defined
netscreen->

A set policy command similar to the one below can be used to
set the policy:

netscreen-> set policy from untrust to trust Dragon hugo MAIL permit
policy id = 18
netscreen->
In the above example, I am permitting connections on the MAIL port, i.e.
port 25, from the untrusted interface on the firewall to the trusted interface,
but I am only allowing that connectivity from one system on the untrusted side.
That system, which will be allowed to connect to port 25 on hugo, is named
Dragon, i.e., there's an address book entry that maps the name Dragon to
the IP address of the source system. If I wished to allow connectivity from
any system, I would use "any", instead of "Dragon". The policy id assigned
to the new policy is 18; I could have started the command with
set policy id num and specified a particular number, e.g.
set policy id 3, if I knew from examining the
existing policies that there was currently none numbered "3". I can view
the details for the newly created policy with the command
get policy id 18:

ns5xp-> get policy id 18
name:"none" (id 18), zone Untrust -> Trust,action Permit, status "enabled"
src "Dragon", dst "hugo", serv "MAIL"
Policies on this vpn tunnel: 0
nat off, url filtering OFF
vpn unknown vpn, policy flag 0000, session backup: on
traffic shapping off, scheduler n/a, serv flag 00
log no, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/-1
No Authentication
No User, User Group or Group expression set
netscreen->
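The get policy id output above is easy to review by eye for one rule, but on a firewall with dozens of inbound permits it is worth checking mechanically that each one is restricted to a named source, a specific service, and has logging turned on. The following is an added example (not part of the original page or ScreenOS itself) that parses the fields from a listing in that format; the sample text is constructed from the listing above and the audit rules are my own choices.

```python
import re

# Constructed sample: the relevant lines of the "get policy id 18" listing shown above.
SAMPLE_POLICY = '''name:"none" (id 18), zone Untrust -> Trust,action Permit, status "enabled"
src "Dragon", dst "hugo", serv "MAIL"
Policies on this vpn tunnel: 0
nat off, url filtering OFF
log no, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
'''


def parse_policy(text):
    """Extract id, zones, action, status, src/dst/serv and log flag from
    ScreenOS 'get policy id N' output. Raises ValueError on unknown input."""
    header = re.search(
        r'\(id (\d+)\), zone (\w+) -> (\w+),\s*action (\w+), status "(\w+)"', text)
    match = re.search(r'src "([^"]+)", dst "([^"]+)", serv "([^"]+)"', text)
    log = re.search(r'\blog (\w+)', text)
    if not (header and match and log):
        raise ValueError("text does not look like a ScreenOS policy listing")
    policy = {
        "id": int(header.group(1)),
        "from_zone": header.group(2),
        "to_zone": header.group(3),
        "action": header.group(4),
        "status": header.group(5),
        "src": match.group(1),
        "dst": match.group(2),
        "serv": match.group(3),
        "log": log.group(1).lower() == "yes",
    }
    return policy


def audit_policy(policy):
    """Return a list of review findings for an inbound (Untrust -> Trust) permit.
    An empty list means the policy passes these checks."""
    findings = []
    inbound_permit = (policy["action"] == "Permit"
                      and policy["from_zone"] == "Untrust")
    if inbound_permit and policy["src"].lower() == "any":
        findings.append("inbound permit from any source")
    if policy["serv"].lower() == "any":
        findings.append("service is ANY rather than a specific service")
    if not policy["log"]:
        findings.append("logging is off for this policy")
    return findings
```

For the sample rule the only finding is that logging is off; swapping "Dragon" for "any" adds a second finding.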
Be sure to enter the
save command, if you wish to save the
newly created firewall rule, else it will be gone if the firewall reboots.
If you configure the rule and need to verify the traffic is passing through
the firewall, you can use the debug command to do so as explained at