Tango01
asked on
Block outbound port 25 traffic on Netopia Model 4522 T1 Router
Hi everybody,
We have an Exchange Server 2000 and were on a few blacklists. To prevent this from happening again, I would like to block outbound port 25 traffic from the workstations but obviously I would still like to be able to send out mail through our exchange server. We're using a Linksys Netopia Model 4522 T1 Router at this time. How we can configure it to do this? Filters?
Thanks in advance!
Configure an IP access list to block 25 outbound by all except the static IP of your EX Server.
ASKER
Thanks, JDLoaner. Do you know how to do it in the Netopia Model 4522 specifically?
Thanks, again.
RTFM
you need to create a rule to allow the exchange server,
then create a rule to block all machines.
the exchange rule must be listed before the blocking rule otherwise the exchange will be blocked as well.
Creating a Filter Rule for Exchange
From the Main Menu:
---> Quick Menus...
---> IP Filter Sets...
---> Display/Change IP Filter Set...
---> Basic Firewall...
---> Add Input Filter to Filter Set...
Hit the "Enter" or "Return" key after each entry to save the change.
Leave Enabled set to Yes
(Tab) Forward to set to Yes
leave Source IP Address: set as {ip of exchange}
leave Source IP Mask: set as 255.255.255.255
change Dest. IP Address: set as 172.20.10.216 NOTE: This address is used here as an example only. Substitute the actual IP address assigned by your ISP for forwarding; if not using forwarding then set to 0.0.0.0.
change Dest. IP Mask: set as 255.255.255.255 NOTE: If not using forwarding then set to 0.0.0.0
Protocol Type: (type in) TCP
leave Source Port Compare... set as No Compare
leave Source Port ID... set as 0
change Destination Port Compare... to set to Equal
change Destination Port ID... to set to 25
leave Established TCP Conns. Only: set to No
(Enter) ADD THIS FILTER NOW
After creating this filter rule, you should move the rule from the bottom of the list to a position above the rules allowing TCP and UDP traffic above port 1023 to enter by default. After going back into the Basic Firewall, go to:
---> Move input filter...
Hit "Enter" and highlight the filter rule you've just created. Hit "Enter" again and use the "up arrow" key to move the filter rule up two spaces. Hit enter again to save this change. Repeat this process for subsequent filters.
You have now created a filter rule to allow telnet access to your Netopia Router when you activate the Basic Firewall on your internet connection profile. When you view the filter rules in the Display/Change Input Filter..., this one will appear as follows:
Then do the same to block all others.
Cheers
from http://www.netopia.com/support/hardware/technotes/NQG_039.html
ASKER
Thank you for your reply, Andrew. However, help me to understand something: You said "Add Input Filter to Filter Set". Right? I expected "output" instead. Also, NAT is more to allow certain "incoming traffic" to the network rather than limiting the outgoing traffic. Right? Which is precisely what I am trying to accomplish by blocking port 25 (outbound traffic) for all the computers in the LAN but the Exchange Server. I remember doing the same in other routers without setting rules in the NAT, but I'm on a different model right now. I would appreciate your feedback.
Thank you very much!
ASKER
Well, I set the filters in the router as your message said, and tried both ways, input / output, but I am still able to connect thru port 25 from any machine in the LAN. So, unfortunately it doesn't work for me yet. Any other thoughts? What may I be doing wrong?
Thanks a bunch!
How are you testing your connection to Port 25 outbound? What are you connecting to and with what?
ASKER
Hi! JDLoaner. I am testing the connection with a simple telnet mail.nameserver.com 25. If there were any traffic restriction, then only the Exchange should be able to connect and not any other machine/IP.
Now, I am considering installing a router in between the T1 router and the LAN, so I can handle better (easier interface) the traffic. Do you know any router that can handle the LAN coming out of the T1? A regular Linksys perhaps? Thanks!
I believe that the main problem lies in the NAT. When a client on your LAN makes an outbound request to a host on the Internet, it receives a NAT'd address on the way out thus giving it the same IP for most if not all(depending on setup) hosts on the network.
You should be able to accomplish this with the current setup. I am not familiar with your device but any router should be able to handle this. Under the IP Filter Sets is there a way to define an OUTBOUND set, rather than the INBOUND set listed above?
If you have the budget to put another device inline with your current setup, you might just want to look at something a little more enterprise-strength to consolidate them and have just one device be able to handle everything you are doing among any other additional needs.
However, if you are looking to keep costs low and are convinced it would be needed, or at least nicer, to have another device to help mediate traffic, my suggestion would be to buy a Linksys WRT54GL Router. This is a very basic router made by Linksys; however, the L designation on the end means it's Linux based and a very good candidate for upgrading the firmware to DD-WRT (I use this in many places in my home). This firmware upgrade takes that $50 router and makes it about a $500 router with the functionality enabled.
That being said, I still think we can accomplish at least what you originally asked for with your current device. So please take a look at the IP Filter Outbound list section and let me know what you see.
ASKER
Basically, I do have capabilities of setting outbound filters. Actually, I've found a tech note from Netopia (see attached). What happens is that despite doing what they said, it still doesn't work as expected. I'll try to contact them in the morning PST, since their chat room is closed at this time. I'll keep you posted. Thanks again! JDLoaner.
https---broadband.custhelp.pdf
remember if there is a default allow all then your block must be listed above it.
I read through that paper, looks good to me so I am surprised it's not working. Would you mind posting your IP Filter Rules (as on pg 5) for me to look at?
ASKER
Sure. I'll be back on that. I believe that's the problem. It looks like whoever was the previous guy (always blaming the previous guy) used the IP block in a wrong way: the IP address is below the gateway and it works (??). I've verified that with Megapath. Thanks. I'll be back soon.
ASKER
No good by now. Something is not right with the rules (they are in perfect sequence). Port 25 gets blocked for Exchange as well. Same with incoming for 110 regardless of the input rules.
ASKER
OK. I found one of the problems. Today I was able to visit the site, and between the Netopia and the LAN, there is a Windows VPN server. Therefore, no matter what I do in the router, for it all the addresses translate into the one coming from the VPN. So, there is no way to know who is transmitting, whether it is the Exchange or a PC. I think now I need to block the traffic by using Routing & Remote Access and NAT/Basic Firewall in W2K3. Does anybody have experience on blocking/allowing port 25 in this way?
Thanks again! Folks.
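To make concrete the two points raised so far in the thread, the rule-ordering requirement from Andrew's filter procedure (allow the Exchange server before the block-all rule, because the first matching filter decides) and the NAT problem the asker just found (a device in front of the router rewrites every LAN source address, so the router cannot tell Exchange from a workstation), here is a small first-match filter simulator. It is an added illustration written for this page, not Netopia code; the field names mirror the Add Input Filter screen, and the addresses are constructed examples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Filter:
    # Fields mirror the Netopia "Add Input Filter" screen quoted in the thread
    forward: bool            # Forward: Yes = pass the packet, No = drop it
    src: str                 # Source IP Address
    src_mask: str            # Source IP Mask: 255.255.255.255 = one host, 0.0.0.0 = any
    protocol: str            # Protocol Type: "TCP", "UDP" or "ANY"
    dst_port: Optional[int]  # Destination Port ID: None = No Compare, else Compare Equal

    def matches(self, pkt: dict) -> bool:
        if self.src_mask != "0.0.0.0":
            net = ipaddress.ip_network(f"{self.src}/{self.src_mask}", strict=False)
            if ipaddress.ip_address(pkt["src"]) not in net:
                return False
        if self.protocol != "ANY" and pkt["proto"] != self.protocol:
            return False
        return self.dst_port is None or pkt["dport"] == self.dst_port

def evaluate(filters: list, pkt: dict, default_forward: bool = True) -> bool:
    """First-match evaluation: the first filter whose fields all match decides the packet."""
    for f in filters:
        if f.matches(pkt):
            return f.forward
    return default_forward  # the trailing "default allow all" the thread warns about

# Constructed addresses for this example (not taken from the thread)
EXCHANGE, PC, VPN_SERVER = "192.168.1.10", "192.168.1.57", "192.168.1.2"
HOSTS = (("exchange", EXCHANGE), ("pc", PC))
ALLOW_EXCHANGE_25 = Filter(True, EXCHANGE, "255.255.255.255", "TCP", 25)
BLOCK_ALL_25 = Filter(False, "0.0.0.0", "0.0.0.0", "TCP", 25)

def smtp_from(src: str) -> dict:
    return {"src": src, "proto": "TCP", "dport": 25}

def correct_order() -> dict:
    # Allow rule listed above the block rule: only Exchange may reach port 25
    rules = [ALLOW_EXCHANGE_25, BLOCK_ALL_25]
    return {name: evaluate(rules, smtp_from(ip)) for name, ip in HOSTS}

def wrong_order() -> dict:
    # Block rule listed first: it matches everything, so Exchange is blocked as well
    rules = [BLOCK_ALL_25, ALLOW_EXCHANGE_25]
    return {name: evaluate(rules, smtp_from(ip)) for name, ip in HOSTS}

def behind_nat() -> dict:
    # A NAT/VPN box between the LAN and the router rewrites every source to its own
    # address, so the correctly ordered rules can no longer single out Exchange
    rules = [ALLOW_EXCHANGE_25, BLOCK_ALL_25]
    return {name: evaluate(rules, smtp_from(VPN_SERVER)) for name, _ in HOSTS}
```

Running the three functions shows Exchange alone allowed with the right order, everything blocked with the wrong order, and everything blocked once the NAT hides the real source, which is exactly the symptom reported above.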
Ahh, yeah I thought it screamed NAT problem..
Unfortunately you cannot block outgoing connections with the Firewall in 2K3, only in 2008. However, I wouldn't consider this a worthwhile investment just for that feature as there are potentially still other ways to accomplish this.
ASKER CERTIFIED SOLUTION
ASKER
We are looking at 25/30 workstations more or less, 2 DC W2K with AD, 1 Exchange W2K, 1 application server W2K, 1 application server W2K3, and 1 VPN W2K3. What do you think? GPO or IPSec-Policy?
Thank you! JDLoaner
SOLUTION
ASKER
I'll give them a try, and let you know. Thank you! Andrew.
How did you go?
ASKER
Hi! Andrew, they were closed doing inventory. I'll be able to do it before the end of this week. Thank you for asking. I'll keep you posted.