With ACL applied all e-mail is blocked

In order to stop hack attempts on our Exchange (5.5) server I would like to apply an ACL. I know that a PIX firewall is the best solution, but the company is not in a position to purchase this for a while. After I build the list below, SMTP e-mail is allowed to flow in but cannot be delivered.
      The error message on the bounce-back indicates "Host Unknown".


Extended IP access list 101
    permit tcp any any eq stmp
    permit tcp any any eq domain
    permit tcp any any eq telnet
    permit tcp any any eq www
    permit tcp any any eq pop3
    permit udp any any eq 443
    permit tcp any any eq 8080
    permit tcp any any eq ftp-data
    permit tcp any any eq ftp
    permit tcp any any eq 143
    permit tcp any any eq 443
    permit tcp any any eq 3389
    permit tcp any any eq 42
    permit tcp any any eq 389
    permit tcp any any eq 1723
    permit tcp any any established


I am willing to try anything that is suggested. I have set up a maintenance window every day until I get this working.

JaysonJackson Asked:
mikebernhardt Commented:
Change
permit udp any any eq domain
to
permit udp any eq domain any

Since you're tightening things up, I would also remove all the lines for www, pop3, etc unless you have servers with those services that the outside world needs to reach. permit tcp any gt 1023 any established will allow return traffic from any of those services back to your users. You also don't need to allow echo unless you want others to be able to send you pings. You will need echo-reply though.
mikebernhardt Commented:
You are allowing tcp domain traffic, which is DNS zone transfers. You need to allow udp domain, which is lookups. Your mail server is trying to look up the ip address of domains to deliver mail but never gets an answer.

Add
permit udp any any eq domain

But if you are trying to make this access list serve as your firewall for a while, you should tighten it up a lot more. For example, don't allow "any any" for all these services. If you have a DNS server, only allow lookups to and from that. Unless you have a secondary DNS outside somewhere, don't allow domain tcp. Only allow smtp to and from your mail server. Etc. Never allow inbound telnet or ftp, unless you have a server that you want accessible to the public. This is a huge subject but there are some basic things you can do.
mikebernhardt Commented:
Oh-- you also won't get very far allowing stmp (first line). It's smtp.
JaysonJackson (Author) Commented:
I will give that a try, and I will change my new protocol stmp to smtp.... :-)
PennGwyn Commented:
stmp vs smtp: It's always a good idea to have the router show you its config, and confirm that it matches what you think you set. Configs sent to forums like this or to other support folks should be cut and pasted from there.
lrmoore Commented:
Mike,
For DNS replies, instead of this:
>permit udp any any eq domain
I like to use this:
permit udp any eq domain any

The source port for a nameserver return response will be 53, but the destination port for that response may not be.

You may also need to permit UDP 113 (IDENT):
permit udp any any eq ident
mikebernhardt Commented:
Very true. But I know from an earlier question that he is currently applying the same access list inbound and outbound, so he has to do it this way. Ident is a good idea though.

Since this list is being applied both inbound and outbound, it's not even really worth having; pretty much every service that you'd want to deny inbound is being specifically allowed. You should have an inbound list that is far more restrictive than the outbound list.
lrmoore Commented:
It is never a good idea to apply the same acl in and out. Sort of defeats the whole purpose..
JaysonJackson (Author) Commented:
So if I remove this from the outbound, we should be good??
mikebernhardt Commented:
Well yes. Unless you want to restrict what your people can do on the internet, you don't need an outbound list at all. If you want to be a good citizen, you should put a simple list that permits any traffic from your own public IP addresses, and denies anything else. This prevents someone on your network from spoofing IP addresses.

You still need to make the changes I told you inbound on your current list.

Your inbound list is way too permissive. Unless you need to let the world telnet, www, ssl, pop, ftp, ftp-data and the other services INTO your network, don't allow those services inbound. The permit TCP established will take care of return traffic from those applications. Even that can be tighter:
permit tcp any gt 1023 any established

If you remove those services inbound but you want ftp to work, you have 2 choices: make everyone use passive ftp, or use the following statement:
permit tcp any eq ftp-data any gt 1023
That's because ftp data is FROM port 20, not TO port 20

Add the 2 lines lrmoore suggested.
Remove tcp domain unless you have a slave or primary outside that you do zone transfers with. Lookups (normal DNS traffic) are UDP.

You need to allow some ICMP traffic and a couple of other UDP ports in or things like ping, traceroute and normal control messages won't work. Get a sniffer and figure out how some of these protocols work so you can make your list nice and tight. It's worth the work if you value the integrity of your network.

JaysonJackson (Author) Commented:
Hey guys, I am missing something here. I have applied the ACL below to S0/0 in. With this applied, e-mail is still not flowing outbound. I am able to receive mail; the outbound failure indicates "Host Unknown".

Extended IP access list 101
    permit icmp any any echo-reply
    permit icmp any any echo
    permit icmp any any ttl-exceeded
    permit icmp any any packet-too-big
    permit icmp any any unreachable
    permit udp any any eq 113
    permit udp any any eq domain
    permit tcp any any eq smtp
    permit tcp any gt 1023 any established
    permit tcp any eq ftp-data any gt 1023
    permit tcp any any eq www
    permit tcp any any eq pop3
    permit tcp any any eq 8080
    permit tcp any any eq 143
    permit tcp any any eq 443
    permit tcp any any eq 3389
    permit tcp any any eq 42
    permit tcp any any eq 389
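A toy evaluator for the kind of ACL lines in this thread, added here as an example (it is not the router's code and not from any participant), to show what the inbound list posted above does to the packets that matter: lrmoore's point that a DNS answer arrives from source port 53 to an ephemeral destination port, so `permit udp any any eq domain` applied inbound never matches it (which is why outbound mail still bounces "Host Unknown"), and mikebernhardt's tightening advice. The parser handles only the `any` address form and the handful of IOS port keywords the thread uses; every packet is constructed, not captured.

```python
from dataclasses import dataclass

# IOS port keywords used in this thread, mapped to numbers. 'stmp' is deliberately
# absent: IOS rejects the typo just as this table does.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53,
              "www": 80, "pop3": 110, "ident": 113}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False   # TCP ACK (or RST) bit set: what 'established' keys on


def _port(tok):
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    if tok.isdigit():
        return int(tok)
    raise ValueError(f"unknown port keyword {tok!r}")


def parse_ace(line):
    """Parse 'permit|deny PROTO any [OP PORT] any [OP PORT] [established]'.
    Only the 'any' address form is handled; that is all the thread's lists use."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    conds = []
    for _ in ("src", "dst"):
        if not rest or rest[0] != "any":
            raise ValueError("toy parser handles 'any' addresses only")
        rest = rest[1:]
        if rest and rest[0] in ("eq", "gt", "lt"):
            conds.append((rest[0], _port(rest[1])))
            rest = rest[2:]
        else:
            conds.append(None)
    if rest not in ([], ["established"]):
        raise ValueError(f"unparsed tokens {rest}")
    return action, proto, conds[0], conds[1], rest == ["established"]


def is_valid_ace(line):
    """True if the line parses, i.e. the router would have accepted it."""
    try:
        parse_ace(line)
        return True
    except ValueError:
        return False


def _port_ok(cond, port):
    if cond is None:
        return True
    op, val = cond
    return {"eq": port == val, "gt": port > val, "lt": port < val}[op]


def evaluate(acl, pkt):
    """First matching entry wins; falling off the end is the implicit deny."""
    for line in acl:
        action, proto, src, dst, est = parse_ace(line)
        if proto != pkt.proto:
            continue
        if est and not (pkt.proto == "tcp" and pkt.ack):
            continue
        if _port_ok(src, pkt.sport) and _port_ok(dst, pkt.dport):
            return action
    return "deny"


# Constructed packets as an ACL applied 'in' on the Internet-facing interface sees them.
DNS_REPLY = Packet("udp", sport=53, dport=34567)             # answer from an outside resolver
DNS_QUERY = Packet("udp", sport=41000, dport=53)             # an outsider querying our server
SMTP_IN = Packet("tcp", sport=51234, dport=25)               # inbound mail, SYN
WWW_RETURN = Packet("tcp", sport=80, dport=40000, ack=True)  # web server answering an internal client
FTP_DATA_IN = Packet("tcp", sport=20, dport=40000)           # active-mode data connection, SYN from outside

# The relevant lines of the list posted above.
POSTED = ["permit udp any any eq domain",
          "permit tcp any any eq smtp",
          "permit tcp any gt 1023 any established"]

# Tightened inbound list: replies matched on their *source* port, 'gt 1023' moved to the
# *destination* (the internal client's ephemeral port), active FTP data allowed explicitly.
TIGHTENED = ["permit udp any eq domain any",
             "permit tcp any any eq smtp",
             "permit tcp any any gt 1023 established",
             "permit tcp any eq ftp-data any gt 1023"]

if __name__ == "__main__":
    for name, pkt in [("DNS reply", DNS_REPLY), ("DNS query from outside", DNS_QUERY),
                      ("SMTP in", SMTP_IN), ("WWW return", WWW_RETURN), ("FTP data in", FTP_DATA_IN)]:
        print(f"{name:24s} posted={evaluate(POSTED, pkt):6s} tightened={evaluate(TIGHTENED, pkt)}")
    print("stmp accepted:", is_valid_ace("permit tcp any any eq stmp"))
```

Running it shows the posted list denying the DNS reply and permitting queries from strangers, while the tightened list does the reverse. Two caveats the thread leaves implicit: the `gt 1023` qualifier has to sit on the destination side, because a web or mail server answers from its well-known source port (the evaluator denies WWW_RETURN under the posted form); and IDENT (RFC 1413) is a TCP service on port 113, so a `udp ... eq 113` line will not pass an ident probe from a remote MTA.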
JaysonJackson (Author) Commented:
I have split the points between mikebernhardt and lrmoore.
After using a combination of both answers my ACL is now working. With logging on I found that someone was using our Exchange server as a gaming server. This whole process has given me enough information to convince our CFO to spend the 3k for a Cisco PIX firewall.
lrmoore Commented:
Good job!