 From:  krt <kkrrtt at gmail dot com>
 To:  "simon dot vetterli at hotelplan dot ch" <simon dot vetterli at hotelplan dot ch>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Help to block port 25 and more
 Date:  Sun, 17 Dec 2006 22:40:47 -0800
You should need four rules to control SMTP if you only have one SMTP
server and two interfaces.  You will have to add rules to each
interface to control inbound traffic flows.

If you have a WAN/LAN setup:

On the WAN Interface Ruleset:
WAN-1) Permit anyone to talk to the Exchange server for inbound mail:
Source: any
Destination: Exchange-Server
Destination Protocol/Port: TCP 25 (SMTP)
Action: Pass

WAN-2) Drop all SMTP Traffic with this rule
Source: any
Destination: any
Destination Protocol/Port: TCP 25 (SMTP)
Action: Block

On the LAN (or applicable) Interface ruleset:
LAN-1) Permit the Exchange Server to speak SMTP to anyone:
Source: Exchange-Server
Destination: Anyone (or, !local-networks, if you have internal
networks that are across routeable boundaries)
Destination Protocol/Port: TCP 25 (SMTP)
Action: Pass

LAN-2) Drop all other SMTP Traffic
Source: any
Destination: any
Destination Protocol/Port: TCP 25 (SMTP)
Action: Block
(You might want to consider logging this rule, as it will indicate
misbehaving equipment/virus/worm-infested hosts, etc. - pretty much
anything that's trying to do SMTP from the inside segment will show up
in your logs)

If you have internal networks that require access to your Exchange
Server for relaying purposes and those networks are across a routed
boundary:
Add in a rule on the inbound (source) interface.  If you
added in the above rules, be sure to put this rule before that
interface's ANY/ANY/SMTP/BLOCK rule.

RELAY-1
Source: (Specific network or hosts to allow)
Destination: Exchange-Server
Destination Protocol/Port: TCP 25 (SMTP) or whatever port your server
utilizes for relaying purposes.
Action: Accept

If you have a different port than TCP 25 in RELAY-1, then you need
RELAY-2 to lock down access to the Exchange-Server.  I don't recommend
locking the non-standard port down across the board.

RELAY-2
Source: Any
Destination: Exchange-Server
Destination Protocol/Port: (WHAT IT IS)
Action: Block

On 12/17/06, simon dot vetterli at hotelplan dot ch <simon dot vetterli at hotelplan dot ch> wrote:
> I have the following situation:
>
> No DMZ; NAT and behind it an Exchange-Server. I'd like to block port 25
> for outgoing traffic from all the workstations in my LAN.
>
> How can I block my network from outside, so that I don't have a
> relay function?
>
> Kind Regards.
>
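The rulesets krt lays out above depend on first-match ordering, which is why RELAY-1 has to sit before the interface's ANY/ANY/SMTP/BLOCK rule. The following is an added example, not code from the thread or from m0n0wall: a small first-match evaluator loaded with those rules, so you can check what a given packet hits before committing the rules to a box. The addresses, the LAN-3 catch-all and the "OPT" ruleset for the routed internal network are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
EXCHANGE = ip_network("192.0.2.10/32")      # constructed: the Exchange server
LAN_NET = ip_network("192.0.2.0/24")        # constructed: the local LAN segment
BRANCH_NET = ip_network("198.51.100.0/24")  # constructed: routed internal network

@dataclass
class Rule:
    name: str
    src: object            # ip_network or list of ip_networks
    dst: object
    dport: Optional[int]   # None = any port
    action: str            # "pass" or "block"
    not_dst: bool = False  # negate the destination ("!local-networks")

def _in(addr, nets):
    nets = nets if isinstance(nets, list) else [nets]
    return any(ip_address(addr) in n for n in nets)

def evaluate(rules, src, dst, dport):
    """First match wins, as on an interface ruleset; unmatched traffic is blocked."""
    for r in rules:
        dst_ok = _in(dst, r.dst) != r.not_dst
        if _in(src, r.src) and dst_ok and r.dport in (None, dport):
            return r.name, r.action
    return None, "block"

WAN_RULES = [
    Rule("WAN-1", ANY, EXCHANGE, 25, "pass"),   # inbound mail to Exchange
    Rule("WAN-2", ANY, ANY, 25, "block"),       # all other inbound SMTP
]
LAN_RULES = [
    Rule("LAN-1", EXCHANGE, LAN_NET, 25, "pass", not_dst=True),  # Exchange -> !local
    Rule("LAN-2", ANY, ANY, 25, "block"),       # workstations may not speak SMTP
    Rule("LAN-3", LAN_NET, ANY, None, "pass"),  # assumed: everything else allowed out
]
# RELAY-1 goes on the interface where the routed network enters; it only takes
# effect if it sits BEFORE that interface's ANY/ANY/SMTP/BLOCK rule.
RELAY_1 = Rule("RELAY-1", BRANCH_NET, EXCHANGE, 25, "pass")
OPT_BLOCK = Rule("OPT-BLOCK", ANY, ANY, 25, "block")
OPT_RULES_GOOD = [RELAY_1, OPT_BLOCK]
OPT_RULES_BAD = [OPT_BLOCK, RELAY_1]   # RELAY-1 is dead here
if __name__ == "__main__":
    print(evaluate(WAN_RULES, "203.0.113.5", "192.0.2.10", 25))   # ('WAN-1', 'pass')
    print(evaluate(LAN_RULES, "192.0.2.50", "203.0.113.25", 25))  # ('LAN-2', 'block')
    print(evaluate(OPT_RULES_BAD, "198.51.100.7", "192.0.2.10", 25))  # ('OPT-BLOCK', 'block')
```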