Solved

How do I block port 25 for all outgoing traffic except from my mail server

Posted on 2008-10-22
Last Modified: 2013-11-30
I have a SonicWall TZ190. I have created an access rule that denies any LAN to WAN on port 25 except for my Exchange server. Actually it is 2 rules (my server is at 10.0.0.51): one that blocks 1-50 and one that blocks 52-254. This should do it, right? There is a rule that allows any to any though, and it is enabled. Does this overwrite the deny, or do deny rules take priority, like in Windows? If it is set up, how can I test it?
Question by:degoodwin
7 Comments

Accepted Solution

by:
btassure earned 500 total points
ID: 22782203
Rules will be processed in order. If the first rule is permit any to any then it will match that traffic, permit it and ignore the rest. If you had the list like the attached for example it would allow smtp from the mail server, block it from anywhere else and permit all other traffic.
permit from mail server to any on port 25
deny from any to any on port 25
permit from any to any


Author Comment

by:degoodwin
ID: 22782352
The rules are listed as follows:

 #  Priority  Source             Destination  Service             Action  Users
 1  1         Bottom Range SMTP  All WAN IP   SMTP (Send E-Mail)  Deny    All
 2  2         Top Range SMTP     All WAN IP   SMTP (Send E-Mail)  Deny    All
 3  3         Any                Any          Any                 Allow   All

All are enabled.  This is correct, right? How can I test it?

Author Comment

by:degoodwin
ID: 22782356
Bottom Range SMTP is 10.0.0.1-50
Top Range SMTP is 10.0.0.51-254
The Exchange server is at 10.0.0.51

Expert Comment

by:btassure
ID: 22783559
They are processed in priority order. The system you have will work equally well but is less efficient as you add more rules and is not really in best practice.

Author Comment

by:degoodwin
ID: 22784680
So does the system check each packet against the rules and, if it finds one it matches, then stop processing any more rules? The way you have the rules set up, all traffic from the mail server on 25 would be allowed first, and then it would not bother to look at rules 2 and 3. If the packet is not from the mail server and not on port 25 then it would move to rule 2; if it was port 25 traffic from anywhere else it would then get blocked. If it was any other sort of traffic it would progress onto 3, which would allow all. Is that how it works? I understand the subtle difference as to how mine are set up. So if it finds a rule that applies, it stops processing any more rules? Is there any way to test port 25 traffic? Can I try telnet on port 25 from a workstation to an outside address and see if it connects? If it fails can I assume that it is being blocked?

Expert Comment

by:btassure
ID: 22787723
Yes to every question :o) That's how pretty much all firewalls work. And yes, telnet to port 25 on an upstream mail server. If it lets you in then it isn't blocked, otherwise your blocks are working.
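The first-match processing btassure describes, as an added example that is not part of the original thread: a small Python evaluator walks a rule list in priority order and stops at the first rule whose source range and service match. It is loaded with both orderings from the thread (the two range-based SMTP denies followed by allow-any, and permit-server / deny-any-on-25 / allow-any) and checks that the Exchange server at 10.0.0.51 keeps its outbound SMTP exception; the thread gives the top range as both 52-254 and 51-254, so both variants are included. The Rule class, the ranges written as explicit low/high bounds and the default deny when nothing matches are assumptions, not the TZ190's own rule representation.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_lo: str         # first source address of the range (inclusive)
    src_hi: str         # last source address of the range (inclusive)
    service: int | None # destination TCP port; None means "Any"
    action: str         # "allow" or "deny"

def _in_range(ip: str, lo: str, hi: str) -> bool:
    n = int(ipaddress.ip_address(ip))
    return int(ipaddress.ip_address(lo)) <= n <= int(ipaddress.ip_address(hi))

def evaluate(rules: list[Rule], src_ip: str, dst_port: int) -> str:
    """Walk the rules in priority order; the first rule whose source range and
    service both match decides. Assumption: no match at all means deny."""
    for rule in rules:
        if _in_range(src_ip, rule.src_lo, rule.src_hi) and rule.service in (None, dst_port):
            return rule.action
    return "deny"

MAIL_SERVER = "10.0.0.51"        # Exchange server address from the thread
ANY_LO, ANY_HI = "0.0.0.0", "255.255.255.255"

# Asker's ordering: two range denies on SMTP, then allow any (ranges 1-50 and 52-254)
asker_rules = [
    Rule("10.0.0.1", "10.0.0.50", 25, "deny"),    # Bottom Range SMTP
    Rule("10.0.0.52", "10.0.0.254", 25, "deny"),  # Top Range SMTP
    Rule(ANY_LO, ANY_HI, None, "allow"),          # Any / Any / Any
]

# Same ordering, but with the top range as given in the follow-up comment (51-254)
asker_rules_51 = [asker_rules[0], Rule("10.0.0.51", "10.0.0.254", 25, "deny"), asker_rules[2]]

# Expert's ordering: permit the server, deny everyone else on 25, permit the rest
expert_rules = [
    Rule(MAIL_SERVER, MAIL_SERVER, 25, "allow"),
    Rule(ANY_LO, ANY_HI, 25, "deny"),
    Rule(ANY_LO, ANY_HI, None, "allow"),
]

def smtp_exception_intact(rules: list[Rule]) -> bool:
    """True when the mail server can still reach port 25 outbound."""
    return evaluate(rules, MAIL_SERVER, 25) == "allow"

def same_policy(a: list[Rule], b: list[Rule], hosts, ports) -> bool:
    # True when both rule lists give identical verdicts for every host/port pair
    return all(evaluate(a, h, p) == evaluate(b, h, p) for h in hosts for p in ports)
```

Running `same_policy` over the LAN hosts you care about is the offline counterpart of the telnet check: it tells you whether the range-based denies and the single-exception ordering make the same decision for every address and port you pass in.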
 

Author Closing Comment

by:degoodwin
ID: 31508996
Thanks. Looks like it is working after I restarted the server. The rule changes didn't take till after the restart.