Configure Juniper 5GT for outbound SMTP

hi there

we have a Netscreen 5GT and I want to configure the firewall as per our company's best practice.

we have an exchange server which obviously needs inbound and outbound port 25 traffic but I want to ensure no other machine in our network can send smtp traffic (to prevent a machine becoming a spam host).

So here's my config

Router is on 192.168.1.253
Exchange is on 192.168.1.210
All other machines in DHCP scope are below this so I want this rule to apply to 192.168.1.1-192.168.1.209.

Also from 192.168.1.211-253 are our other servers that don't require SMTP either.

It's a fairly well established network and the firewall was configured by a former tech.  Whilst I love playing, I don't really have a lot of time so if anybody knows how I can configure the rules quickly that would be great.

Cheers,
makingithappen Asked:

rsivanandan Commented:
You haven't mentioned the public IP that you want to use.

Check this out (which I wrote for this kind of purpose) and see if it helps. If you have any further questions, please post them.

http://www.rsivanandan.com/?p=108

Cheers,
Rajesh
makingithappen Author Commented:
Hi Rajesh

I didn't find the guideline too easy for me as a bit of a layman so I practised and f'd around a bit until I got it right.  For those out there who want to do the same here is what I did.

I opened the Policies configuration page on the Juniper 5GT:

If you're new to this, you need to know that you are creating Trust to Untrust rules for the first two and an Untrust to Trust rule for the last. This works a treat for us now.

Also if you've been blacklisted by spamhaus or the CBL it's a good idea to do this ASAP and also check and ensure your reverse DNS is correct if you're running a mail server.  No doubt there is an article here on this somewhere.

Here are the rules (in this order)

1.      ALLOW outbound traffic from port 25 to the Internet from Server

Source Address = Server
Destination Address = Any
Service = SMTP
Action = Permit
Turn Logging ON


2.      Deny outbound traffic from Port 25 to the Internet for EVERYONE

Source Address = Any
Destination Address = Any
Service = SMTP
Action = Deny
Turn Logging ON


3.      Allow inbound traffic from port 25 to the Server

Source Address = Any
Destination Address = SERVER
Service = SMTP
Action = Permit
Turn Logging ON


hope this helps someone out.
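The same three policies expressed on the ScreenOS command line, as an added example that is not part of the thread (the poster built them in the WebUI). It assumes the default "Trust"/"Untrust" zone names, an address-book object named "Exchange" for 192.168.1.210, and a public address of 203.0.113.10 for the inbound MIP; the thread never states the firewall's public IP, so that value is a placeholder you must replace.

```screenos
# Added example (not from the thread). Assumed names/addresses:
#   "Exchange"     = address object for 192.168.1.210
#   203.0.113.10   = placeholder public IP for the inbound MIP
set address "Trust" "Exchange" 192.168.1.210 255.255.255.255

# Rule 1: only the Exchange server may send SMTP (TCP/25) outbound, logged.
set policy id 1 from "Trust" to "Untrust" "Exchange" "Any" "SMTP" permit log

# Rule 2: every other internal host is denied outbound SMTP, logged.
# ScreenOS evaluates policies top-down, first match wins, so this deny
# must sit below rule 1 or the Exchange server is blocked as well.
set policy id 2 from "Trust" to "Untrust" "Any" "Any" "SMTP" deny log

# Rule 3: inbound SMTP. Internet hosts reach the server through a MIP
# (static one-to-one NAT) on the untrust interface, then the policy
# references the MIP object rather than the private address.
set interface untrust mip 203.0.113.10 host 192.168.1.210 netmask 255.255.255.255 vrouter "trust-vr"
set policy id 3 from "Untrust" to "Trust" "Any" "MIP(203.0.113.10)" "SMTP" permit log

# If older policies already exist, force the ordering explicitly, then commit.
set policy move 1 before 2
save
```

Check the result with `get policy from trust to untrust` and confirm rule 1 is listed above rule 2. Because rule 2 logs every hit, the log entries for that policy are exactly the list of internal machines trying to send mail directly, which is the symptom the poster wanted to catch before it leads to a blacklisting.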
