Solved

With ACL applied all e-mail is blocked

Posted on 2004-04-27
Last Modified: 2010-04-17
In order to stop hack attempts on our Exchange (5.5) server I would like to apply an ACL. I know that a PIX firewall is the best solution, but the company is not in a position to purchase this for a while. After I build the below list, e-mail (SMTP) is allowed to flow in but cannot be delivered.
The error message on the bounce back indicates "Host Unknown".


Extended IP access list 101
    permit tcp any any eq stmp
    permit tcp any any eq domain
    permit tcp any any eq telnet
    permit tcp any any eq www
    permit tcp any any eq pop3
    permit udp any any eq 443
    permit tcp any any eq 8080
    permit tcp any any eq ftp-data
    permit tcp any any eq ftp
    permit tcp any any eq 143
    permit tcp any any eq 443
    permit tcp any any eq 3389
    permit tcp any any eq 42
    permit tcp any any eq 389
    permit tcp any any eq 1723
    permit tcp any any established


I am willing to try anything that is suggested. I have set up a maintenance window every day until I get this working.

Question by: JaysonJackson
13 Comments
 
Expert Comment by: mikebernhardt (LVL 28)
You are allowing tcp domain traffic, which is DNS zone transfers. You need to allow udp domain, which is lookups. Your mail server is trying to look up the IP address of domains to deliver mail but never gets an answer.

Add
permit udp any any eq domain

But if you are trying to make this access list serve as your firewall for a while, you should tighten it up a lot more. For example, don't allow "any any" for all these services. If you have a DNS server, only allow lookups to and from that. Unless you have a secondary DNS outside somewhere, don't allow domain tcp. Only allow smtp to and from your mail server. Etc. Never allow inbound telnet or ftp, unless you have a server that you want accessible to the public. This is a huge subject but there are some basic things you can do.
 
Expert Comment by: mikebernhardt (LVL 28)
Oh-- you also won't get very far allowing stmp (first line). It's smtp.
 

Author Comment by: JaysonJackson
I will give that a try, and I will change my new protocol stmp to smtp.... :-)
 
Expert Comment by: PennGwyn (LVL 11)
stmp vs smtp: It's always a good idea to have the router show you its config, and confirm that it matches what you think you set. Configs sent to forums like this or to other support folks should be cut and pasted from there.
 
Assisted Solution by: lrmoore (LVL 79), earned 250 total points
Mike,
For DNS replies, instead of this:
>permit udp any any eq domain
I like to use this:
permit udp any eq domain any

The source port for a nameserver return response will be 53, but the destination port for that response may not be.

You also may need to permit udp 113 IDENT:
permit udp any any eq ident
 
Expert Comment by: mikebernhardt (LVL 28)
Very true. But I know from an earlier question that he is currently applying the same access list inbound and outbound, so he has to do it this way. Ident is a good idea though.

Since this list is being applied both inbound and outbound, it's not even really worth having; pretty much every service that you'd want to deny inbound is being specifically allowed. You should have an inbound list that is far more restrictive than the outbound list.
 
Expert Comment by: lrmoore (LVL 79)
It is never a good idea to apply the same ACL in and out. Sort of defeats the whole purpose.
 

Author Comment by: JaysonJackson
So if I remove this from the outbound, we should be good?
 
Expert Comment by: mikebernhardt (LVL 28)
Well yes. Unless you want to restrict what your people can do on the internet, you don't need an outbound list at all. If you want to be a good citizen, you should put a simple list that permits any traffic from your own public IP addresses, and denies anything else. This prevents someone on your network from spoofing IP addresses.

You still need to make the changes I told you inbound on your current list.

Your inbound list is way too permissive. Unless you need to let the world telnet, www, ssl, pop, and ftp and ftp-data and the other service INTO your network, don't allow those services inbound. The permit TCP established will take care of return traffic from those applications. Even that can be tighter:
permit tcp any gt 1023 any established

If you remove those services inbound but you want ftp to work, you have 2 choices: make everyone use passive ftp, or use the following statement:
permit tcp any eq ftp-data any gt 1023
That's because ftp data is FROM port 20, not TO port 20.

Add the 2 lines lrmoore suggested.
Remove tcp domain unless you have a slave or primary outside that you do zone transfers with. Lookups (normal DNS traffic) are UDP.

You need to allow some ICMP traffic and a couple of other UDP ports in or things like ping, traceroute and normal control messages won't work. Get a sniffer and figure out how some of these protocols work so you can make your list nice and tight. It's worth the work if you value the integrity of your network.

 

Author Comment by: JaysonJackson
Hey guys, I am missing something here. I have applied the below ACL to S0/0 in. With this applied, e-mail is still not flowing outbound. I am able to receive mail; the outbound failure indicates "Host Unknown".

Extended IP access list 101
    permit icmp any any echo-reply
    permit icmp any any echo
    permit icmp any any ttl-exceeded
    permit icmp any any packet-too-big
    permit icmp any any unreachable
    permit udp any any eq 113
    permit udp any any eq domain
    permit tcp any any eq smtp
    permit tcp any gt 1023 any established
    permit tcp any eq ftp-data any gt 1023
    permit tcp any any eq www
    permit tcp any any eq pop3
    permit tcp any any eq 8080
    permit tcp any any eq 143
    permit tcp any any eq 443
    permit tcp any any eq 3389
    permit tcp any any eq 42
    permit tcp any any eq 389
 
Accepted Solution by: mikebernhardt (LVL 28), earned 250 total points
Change
permit udp any any eq domain
to
permit udp any eq domain any

Since you're tightening things up, I would also remove all the lines for www, pop3, etc unless you have servers with those services that the outside world needs to reach. permit tcp any gt 1023 any established will allow return traffic from any of those services back to your users. You also don't need to allow echo unless you want others to be able to send you pings. You will need echo-reply though.
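To make the port-position point concrete, here is an added Python evaluator (not code from the thread) for the subset of IOS extended-ACL syntax used above: `any` addresses, `eq`/`gt` port operators and `established`. The packets and the two short lists are constructed for illustration; they show that an inbound `permit udp any any eq domain` never matches a DNS answer (source port 53, ephemeral destination port) while `permit udp any eq domain any` does.

```python
PORTS = {"domain": 53, "smtp": 25, "ftp-data": 20, "ftp": 21, "ident": 113,
         "www": 80, "pop3": 110, "telnet": 23}

def parse_rule(line):
    """Parse 'permit|deny PROTO any [eq|gt N] any [eq|gt N] [established]'.
    Only 'any' addresses are handled, as in the lists posted above."""
    tok = line.split()
    rule = {"action": tok[0], "proto": tok[1], "sport": None, "dport": None,
            "established": tok[-1] == "established"}
    i = 2
    for key in ("sport", "dport"):
        i += 1                                   # skip the 'any' address
        if i < len(tok) and tok[i] in ("eq", "gt"):
            rule[key] = (tok[i], PORTS.get(tok[i + 1]) or int(tok[i + 1]))
            i += 2
    return rule

def _port_ok(cond, value):
    if cond is None:
        return True
    op, n = cond
    return value == n if op == "eq" else value > n

def evaluate(acl_lines, pkt):
    """First matching line wins; IOS ends every ACL with an implicit deny."""
    for rule in map(parse_rule, acl_lines):
        if rule["proto"] != pkt["proto"]:
            continue
        if rule["established"] and not pkt.get("ack"):
            continue                             # needs ACK (or RST) set
        if _port_ok(rule["sport"], pkt["sport"]) and _port_ok(rule["dport"], pkt["dport"]):
            return rule["action"]
    return "deny"

# Constructed packets as seen inbound on the router's outside interface.
DNS_ANSWER = {"proto": "udp", "sport": 53, "dport": 1045}      # reply to the mail server's lookup
DNS_QUERY = {"proto": "udp", "sport": 1200, "dport": 53}       # outsider querying our DNS
SMTP_RETURN = {"proto": "tcp", "sport": 25, "dport": 1500, "ack": True}
RDP_SYN = {"proto": "tcp", "sport": 2222, "dport": 3389}       # unsolicited new connection

ORIGINAL = ["permit udp any any eq domain", "permit tcp any any eq smtp",
            "permit tcp any any eq 3389", "permit tcp any any established"]
TIGHTENED = ["permit udp any eq domain any", "permit tcp any any eq smtp",
             "permit tcp any any established"]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("tightened", TIGHTENED)):
        for label, pkt in (("dns answer", DNS_ANSWER), ("dns query", DNS_QUERY),
                           ("smtp return", SMTP_RETURN), ("rdp syn", RDP_SYN)):
            print(f"{name:9} {label:12} -> {evaluate(acl, pkt)}")
```

The same evaluator shows that an operator placed after the first `any` constrains the source port, so `permit tcp any gt 1023 any established` does not match return traffic coming from port 25 or 80, whereas `permit tcp any any gt 1023 established` does.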
 

Author Comment by: JaysonJackson
I have split the points between mikebernhardt and lrmoore.
After using a combination of both answers my ACL is now working. With logging on I found that someone was using our Exchange server as a gaming server. This whole process has given me enough information to convince our CFO to spend the 3k for a Cisco PIX firewall.
 
Expert Comment by: lrmoore (LVL 79)
Good job!