How do I block port 25 for all outgoing traffice except from my mail server

I have a sonic wall tz190. I have created an access rule that deny's any lan to wan on port 25 except for my exchange server. Actually it is 2 rules (my server is at 10.0.0.51) one that block 1-50 and one that blocks 52-254.  This should do it right? There is a rule that allows any to any though.  And it is enabled.  Does this overwrite the deny or do deny rules take priority, like in Windows. If it is setup how can I test it?
degoodwinAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btassureCommented:
Rules will be processed in order. If the first rule is permit any to any then it will match that traffic, permit it and ignore the rest. If you had the list like the attached for example it would allow smtp from the mail server, block it from anywhere else and permit all other traffic.
permit from mail server to any on port 25
deny from any to any on port 25
permit from any to any

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
degoodwinAuthor Commented:
The rules are listed as follows:

 # Priority  Source                        Destination       Service                   Action     Users    
 1 1            Bottom Range SMTP All WAN IP         SMTP (Send E-Mail) Deny     All      
 2 2           Top Range SMTP       All WAN IP         SMTP (Send E-Mail) Deny     All      
 3 3            Any                           Any                   Any                         Allow     All      
     

All are enabled.  This is correct, right? How can I test it?
0
degoodwinAuthor Commented:
Bottom Range SMTP is 10.0.0.1-50
Top Range SMTP is 10.0.0.51-254
The Exchange server is at 10.0.0.51
0
Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

btassureCommented:
They are processed in priority order. The system you have will work equally well but is less efficient as you add more rules and is not really in best practice.
0
degoodwinAuthor Commented:
So does the system check each packet against the rules and if it finds one it mathces then stops processing any more rules. The way you have the rules setup all traffic from mail server on 25 would be allowed first, then it would not bother to look at rules 2 and 3. If the packet is not from mail server and not on port 25 then it would move to rule 2, if it was port 25 traffic from anywhere else it would then get blocked.  If it was any other sort of traffic it wold progress onto 3 which would allow all. Is that how it works.  I understand the subtle difference as to how mine are setup. So if it finds a rule it applies to it stops processing anymore rules?  Is there any way to test port 25 traffic? Can I try telnet on port 25 from a workstation to an outside address and see if it connects? If it fails can I assume that it is being blocked?
0
btassureCommented:
Yes to every question :o) That's how pretty much all firewalls work. And yes, telnet to port 25 on an upstream mail server. If it lets you in then it isn't blocked, otherwise your blocks are working.
0
degoodwinAuthor Commented:
Thanks.  Looks like it is working after I restarted the server. The rules changes didn't take till after restart.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Email Protocols

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.