 
 From:  krt <kkrrtt at gmail dot com>
 To:  "simon dot vetterli at hotelplan dot ch" <simon dot vetterli at hotelplan dot ch>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Help to block port 25 and more
 Date:  Sun, 17 Dec 2006 22:43:14 -0800
Oh yes, as for the rest of the relaying problem, you'll have to set up
your Exchange-Server to either not relay or only relay for specific
networks.  Another method that I've deployed is to change what port
the Exchange Server utilizes for client-to-Exchange relaying.  This
makes it very simple to control with a firewall as well as to
troubleshoot, as you won't have to filter out SPAM connections that
are also on TCP 25.

I hope this helps.

On 12/17/06, krt <kkrrtt at gmail dot com> wrote:
> You should need four rules to control SMTP if you only have one SMTP
> server and two interfaces.  You will have to add rules to each
> interface to control inbound traffic flows.
>
> If you have a WAN/LAN setup:
>
> On the WAN Interface Ruleset:
> WAN-1) Permit anyone to talk to the Exchange server for inbound mail:
> Source: any
> Source: Exchange-Server
> Destination Protocol/Port: TCP 25 (SMTP)
> Action: Pass
>
> WAN-2) Drop all SMTP Traffic with this rule
> Source: any
> Destination: any
> Destination Protocol/Port: TCP 25 (SMTP)
> Action: Block
>
> On the LAN (or applicable) Interface ruleset:
> LAN-1) Permit the Exchange Server to speak SMTP to anyone:
> Source: Exchange-Server
> Destination: Anyone (or, !local-networks, if you have internal
> networks that are across routeable boundaries)
> Destination Protocol/Port: TCP 25 (SMTP)
> Action: Pass
>
> LAN-2) Drop all other SMTP Traffic
> Source: any
> Destination: any
> Destination Protocol/Port: TCP 25 (SMTP)
> Action: Block
> (You might want to consider logging this rule, as it will indicate
> misbehaving equipment/virus/worm-infested hosts, etc. - pretty much
> anything that's trying to do SMTP from the inside segment will show up
> in your logs)
>
> If you have internal networks that require access to your Exchange
> Server for relaying purposes and those networks are across a routed
> boundary:
> Add in a rule on the inbound (source) interface.  If you
> added in the above rules, be sure to put this rule before that
> interface's ANY/ANY/SMTP/BLOCK rule.
>
> RELAY-1
> Source: (Specific network or hosts to allow)
> Destination: Exchange-Server
> Destination Protocol/Port: TCP 25 (SMTP) or whatever port your server
> utilizes for relaying purposes.
> Action: Accept
>
> If you have a different port than TCP 25 in RELAY-1, then you need
> RELAY-2 to lock down access to the Exchange-Server.  I don't recommend
> locking the non-standard port down across the board.
>
> RELAY-2
> Source: Any
> Destination: Exchange-Server
> Destination Protocol/Port: (WHAT IT IS)
> Action: Block
>
> On 12/17/06, simon dot vetterli at hotelplan dot ch <simon dot vetterli at hotelplan dot ch> wrote:
> > I have the following situation:
> >
> > No DMZ; NAT, and behind it an Exchange-Server. I'd like to block port 25
> > for all the workstations in my LAN for outgoing.
> >
> > How can I block my network from outside, so that I don't have a
> > relay function?
> >
> > Kind Regards.
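As an added illustration (not part of this thread and not m0n0wall's own code), here is a small first-match rule evaluator in Python that encodes the WAN, LAN and relay rulesets described above. It shows why RELAY-1 has to sit before the interface's ANY/ANY/SMTP/BLOCK rule, how RELAY-2 locks down a non-standard client-to-Exchange submission port, and which LAN-2 hits would be worth logging. All addresses, the 2525 port, the interface names and the rule names beyond those in the thread are constructed assumptions.

```python
"""First-match evaluation of the SMTP rulesets from the thread (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample addresses; none of these come from the thread.
EXCHANGE = ipaddress.ip_address("192.0.2.10")          # Exchange-Server on the LAN
LAN_NET = ipaddress.ip_network("192.0.2.0/24")         # local LAN segment
BRANCH_NET = ipaddress.ip_network("198.51.100.0/24")   # routed internal net that relays via Exchange
SMTP = 25


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "pass" or "block"
    src: object      # "any", an ip_address, an ip_network, or ("not", ip_network)
    dst: object
    dport: int       # TCP destination port
    log: bool = False


def _matches(spec, addr) -> bool:
    """Does one address match a rule's source/destination specification?"""
    if isinstance(spec, str):
        return spec == "any"
    if isinstance(spec, tuple) and spec[0] == "not":      # models "!local-networks"
        return not _matches(spec[1], addr)
    if isinstance(spec, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return addr in spec
    return addr == spec


def evaluate(ruleset, src, dst, dport) -> Tuple[str, Optional[str], bool]:
    """Walk an interface ruleset top to bottom; the first matching rule decides.
    Returns (action, rule name, whether the hit should be logged)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in ruleset:
        if r.dport == dport and _matches(r.src, src) and _matches(r.dst, dst):
            return r.action, r.name, r.log
    return "no-match", None, False   # falls through to the interface's default policy


WAN = [
    Rule("WAN-1", "pass", "any", EXCHANGE, SMTP),   # inbound mail may only reach Exchange
    Rule("WAN-2", "block", "any", "any", SMTP),     # every other inbound SMTP connection
]
LAN = [
    Rule("LAN-1", "pass", EXCHANGE, ("not", LAN_NET), SMTP),  # only Exchange sends outbound mail
    Rule("LAN-2", "block", "any", "any", SMTP, log=True),     # logged: any other sender is misbehaving
]


def build_opt1(relay_port: int = SMTP, relay_first: bool = True):
    """Ruleset for the interface facing a routed internal network that relays through Exchange.
    relay_port != 25 models moving client-to-Exchange submission to a non-standard port;
    relay_first=False reproduces the ordering mistake the thread warns about."""
    relay = [Rule("RELAY-1", "pass", BRANCH_NET, EXCHANGE, relay_port)]
    if relay_port != SMTP:
        # RELAY-2: nobody else may reach the non-standard port on the Exchange server
        relay.append(Rule("RELAY-2", "block", "any", EXCHANGE, relay_port))
    smtp_block = [Rule("OPT1-SMTP-BLOCK", "block", "any", "any", SMTP)]
    return relay + smtp_block if relay_first else smtp_block + relay


if __name__ == "__main__":
    cases = [
        ("WAN", WAN, "203.0.113.5", "192.0.2.10", 25),
        ("LAN", LAN, "192.0.2.50", "203.0.113.5", 25),
        ("OPT1 ok", build_opt1(), "198.51.100.7", "192.0.2.10", 25),
        ("OPT1 misordered", build_opt1(relay_first=False), "198.51.100.7", "192.0.2.10", 25),
        ("OPT1 port 2525", build_opt1(relay_port=2525), "10.0.0.9", "192.0.2.10", 2525),
    ]
    for label, rs, s, d, p in cases:
        print(label, s, "->", f"{d}:{p}", evaluate(rs, s, d, p))
```

The evaluator deliberately returns "no-match" rather than guessing a default policy, because whether the fall-through is an allow or a deny depends on the default rules of the interface in question; the point it demonstrates is purely the ordering and scoping of the explicit SMTP rules.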