Solved

With ACL applied all e-mail is blocked

Posted on 2004-04-27
Last Modified: 2010-04-17
In order to stop hack attempts on our Exchange (5.5) server I would like to apply an ACL. I know that a PIX firewall is the best solution, but the company is not in the position to purchase this for a while. After I build the below list, e-mail (SMTP) is allowed to flow in but cannot be delivered.
The error message on the bounce back indicates “Host Unknown”.


Extended IP access list 101
    permit tcp any any eq stmp
    permit tcp any any eq domain
    permit tcp any any eq telnet
    permit tcp any any eq www
    permit tcp any any eq pop3
    permit udp any any eq 443
    permit tcp any any eq 8080
    permit tcp any any eq ftp-data
    permit tcp any any eq ftp
    permit tcp any any eq 143
    permit tcp any any eq 443
    permit tcp any any eq 3389
    permit tcp any any eq 42
    permit tcp any any eq 389
    permit tcp any any eq 1723
    permit tcp any any established


I am willing to try anything that is suggested. I have set a maintenance window up every day until I get this working.

Question by:JaysonJackson
13 Comments
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 10930411
You are allowing tcp domain traffic, which is DNS zone transfers. You need to allow udp domain, which is lookups. Your mail server is trying to look up the ip address of domains to deliver mail but never gets an answer.

Add
permit udp any any eq domain

But if you are trying to make this access list serve as your firewall for a while, you should tighten it up a lot more. For example, don't allow "any any" for all these services. If you have a DNS server, only allow lookups to and from that. Unless you have a secondary DNS outside somewhere, don't allow domain tcp. Only allow smtp to and from your mail server. Etc. Never allow inbound telnet or ftp, unless you have a server that you want accessible to the public. This is a huge subject but there are some basic things you can do.
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 10930450
Oh-- you also won't get very far allowing stmp (first line). It's smtp.
0
 

Author Comment

by:JaysonJackson
ID: 10930607
I will give that a try, and I will change my new protocol stmp to smtp.... :-)
0
 
LVL 11

Expert Comment

by:PennGwyn
ID: 10931755
stmp vs smtp: It's always a good idea to have the router show you its config, and confirm that it matches what you think you set. Configs sent to forums like this or other support folks should be cut and pasted from there.
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 1000 total points
ID: 10940229
Mike,
For DNS replies, I like to use instead of this:
>permit udp any any eq domain
This:
permit udp any eq domain any

The source port for a nameserver return response will be 53, but the destination port for that response may not be.

You also may need to permit udp 113 IDENT:
permit udp any any eq ident




0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 10941223
Very true. But I know from an earlier question that he is currently applying the same access list inbound and outbound, so he has to do it this way. Ident is a good idea though.

Since this list is being applied both inbound and outbound, it's not even really worth having; pretty much every service that you'd want to deny inbound is being specifically allowed. You should have an inbound list that is far more restrictive than the outbound list.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 10941472
It is never a good idea to apply the same acl in and out. Sort of defeats the whole purpose..
0
 

Author Comment

by:JaysonJackson
ID: 10943224
So if I remove this from the outbound we should be good??
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 10943498
Well yes. Unless you want to restrict what your people can do on the internet, you don't need an outbound list at all. If you want to be a good citizen, you should put a simple list that permits any traffic from your own public IP addresses, and denies anything else. This prevents someone on your network from spoofing IP addresses.

You still need to make the changes I told you inbound on your current list.

Your inbound list is way too permissive. Unless you need to let the world telnet, www, ssl, pop, and ftp and ftp-data and the other service INTO your network, don't allow those services inbound. The permit TCP established will take care of return traffic from those applications. Even that can be tighter:
permit tcp any gt 1023 any established

If you remove those services inbound but you want ftp to work, you have 2 choices: make everyone use passive ftp, or use the following statement:
permit tcp any eq ftp-data any gt 1023
That's because ftp data is FROM port 20, not TO port 20

Add the 2 lines lrmoore suggested.
Remove tcp domain unless you have a slave or primary outside that you do zone transfers with. Lookups (normal DNS traffic) are UDP.

You need to allow some ICMP traffic and a couple of other UDP ports in or things like ping, traceroute and normal control messages won't work. Get a sniffer and figure out how some of these protocols work so you can make your list nice and tight. It's worth the work if you value the integrity of your network.

0
 

Author Comment

by:JaysonJackson
ID: 10949729
Hey guys, I am missing something here. I have applied the below ACL to S0/0 in. With this applied, e-mail is still not flowing outbound. I am able to receive mail; the outbound failure indicates "Host Unknown".

Extended IP access list 101
    permit icmp any any echo-reply
    permit icmp any any echo
    permit icmp any any ttl-exceeded
    permit icmp any any packet-too-big
    permit icmp any any unreachable
    permit udp any any eq 113
    permit udp any any eq domain
    permit tcp any any eq smtp
    permit tcp any gt 1023 any established
    permit tcp any eq ftp-data any gt 1023
    permit tcp any any eq www
    permit tcp any any eq pop3
    permit tcp any any eq 8080
    permit tcp any any eq 143
    permit tcp any any eq 443
    permit tcp any any eq 3389
    permit tcp any any eq 42
    permit tcp any any eq 389
0
 
LVL 28

Accepted Solution

by:mikebernhardt
mikebernhardt earned 1000 total points
ID: 10950493
Change
permit udp any any eq domain
to
permit udp any eq domain any

Since you're tightening things up, I would also remove all the lines for www, pop3, etc unless you have servers with those services that the outside world needs to reach. permit tcp any gt 1023 any established will allow return traffic from any of those services back to your users. You also don't need to allow echo unless you want others to be able to send you pings. You will need echo-reply though.
0
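To make the source-port versus destination-port distinction concrete, here is an added example (not code from the thread or from any Cisco tool): a small Python evaluator for the extended-ACL syntax used above. It models only "any" endpoints, the "eq"/"gt" port operators and the tcp "established" keyword, and the port-name table and sample packets are constructed for illustration.

```python
# Added example (not from the thread): a minimal evaluator for the Cisco IOS
# extended-ACL syntax used above, showing why "permit udp any any eq domain"
# drops inbound DNS replies while "permit udp any eq domain any" passes them.
# Only "any" endpoints, "eq"/"gt" port operators and the tcp "established"
# keyword are modelled; PORT_NAMES is a constructed subset of IOS port names.
PORT_NAMES = {"domain": 53, "smtp": 25, "www": 80, "ftp-data": 20, "ident": 113}

def _port(tok):
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)

def parse_ace(line):
    """Parse one ACE such as 'permit udp any eq domain any' into a dict."""
    toks = line.split()
    ace = {"action": toks[0], "proto": toks[1], "src": None, "dst": None,
           "established": "established" in toks}
    i = 2
    for side in ("src", "dst"):          # source endpoint, then destination
        if toks[i] != "any":
            raise ValueError("only 'any' endpoints are modelled: " + line)
        i += 1
        if i < len(toks) and toks[i] in ("eq", "gt"):
            ace[side] = (toks[i], _port(toks[i + 1]))
            i += 2
    return ace

def _port_ok(cond, port):
    if cond is None:                     # no operator: any port matches
        return True
    op, value = cond
    return port == value if op == "eq" else port > value

def evaluate(acl_lines, proto, sport, dport, ack=False):
    """Return 'permit' or 'deny' (implicit deny at the end, as on IOS)."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] not in (proto, "ip"):
            continue
        if ace["established"] and not ack:   # established = ACK/RST bit set
            continue
        if _port_ok(ace["src"], sport) and _port_ok(ace["dst"], dport):
            return ace["action"]
    return "deny"

# Constructed packet: a DNS reply from a resolver's port 53 to the Exchange
# server's ephemeral port 33000. The original list tests the *destination*
# port for 53 and never matches it; the fixed list tests the source port.
DNS_REPLY = ("udp", 53, 33000)
ORIGINAL = ["permit udp any any eq domain", "permit tcp any any eq smtp"]
FIXED = ["permit udp any eq domain any", "permit tcp any any eq smtp"]
```

With ORIGINAL the reply falls through to the implicit deny, which is exactly the "Host Unknown" bounce: the resolver answered, but the answer never reached the mail server.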
 

Author Comment

by:JaysonJackson
ID: 10961846
I have split the points between mikebernhardt and lrmoore.
After using a combination of both answers my ACL is now working. With logging on I found that someone was using our Exchange server as a gaming server. This whole process has given me enough information to convince our CFO to spend the 3k for a Cisco PIX firewall.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 10965136
Good job!
0
