topic Re: IOS FW: how to block port 25? in Network Security

IOS FW: how to block port 25?

cluovpemb — Tue, 12 Mar 2019 00:18:22 GMT

Typing sucks on iPad, plz forgive for short sentences.

I want to block all internal LAN systems from sending to port 25 outbound to Internet, except the mail server which is on same LAN. 192.168.0.0/24. This is to prevent an unknown inside PC infected with a spambot from sending mail.

Have 891w isr, using zbfw. Outside int to internet is gig0, inside int to LAN is vlan1, just a bridge group combining switch ports fa 0-7

Vlan1=inside zone, gig0=outside zone
Two zone pairs, inside-outside and outside-inside

Inside-outside has permit ip any any from an ACL, no other match criteria. Policy map is set to inspect. Need to add the blocking to this zone pair, I assume to same ACL?

Outside-inside zone pair probably doesn't,t impact this but let me know if it does or should be mentioned here.

Thank you for your help.

Sent from Cisco Technical Support iPad App

IOS FW: how to block port 25?

Marvin Rhoads — Sat, 03 Nov 2012 02:34:23 GMT

Yes just modify the ACL called out on inside-outside to add a line preceding the permit any-any with one telling it to deny any-any eq 25.

You may need to modify it to be an extended ACL vs. the current type (likely standard)

Re: IOS FW: how to block port 25?

cluovpemb — Sat, 03 Nov 2012 02:46:26 GMT

But to allow the mail server that,s on that same LAN, would it be something like:

Deny tcp any any eq 25
Permit top host 192.168.0.123 any eq 25
Permit ip any any

?
I should mention I am a bit new to zbfw so am not sure how the sequence of these lines work except there is an implicit deny-all for this inside-outside pair at the end of the ACL (I think)

Thank you again!

Oh also, yes it is an extended (named)ACL already.
Sent from Cisco Technical Support iPad App

IOS FW: how to block port 25?

Marvin Rhoads — Sat, 03 Nov 2012 02:51:20 GMT

Oh yes sorry - neglected to mention the legitimate mail server. The line for that needs to go first. access-list works on a first match basis - once a match is made, that ACL is not parsed further for a given flow.

And yes, there is an implicit "deny any". Some people like to make it explicit to see hits but since you are preceding it with a "permit any" it should never get a hit.

Re: IOS FW: how to block port 25?

cluovpemb — Sat, 03 Nov 2012 03:39:46 GMT

Ok I will give that a try then. Actually I,like to log what I can so I catch the offending infected spambot oc on my network but hits against deny all I guess won,t be the way, the explicit deny on 25 might be closer. I havn,t actually learned logging yet :). Still a newbie here. But I know in theory how it should help here hough. I,ll update the ACL now.

Sent from Cisco Technical Support iPad App

Re: IOS FW: how to block port 25?

cluovpemb — Sat, 03 Nov 2012 04:03:18 GMT

Alright done. Here,s the ACL

Extended IP access list INSIDE-OUTSIDE
5 permit tcp host 192.168.0.123 any eq smtp
9 deny tcp any any eq smtp
10 permit ip any any (439 matches)

Used sh ip access-list for this output.

Using smtp instead of eq 25 should be ok I think?

This router won,t go live until new ISP switchover and DNS and MX record changes propagate in the next day, so will test this tomorrow. Will post results here. Thanks again!

IOS FW: how to block port 25?

cluovpemb — Mon, 05 Nov 2012 14:55:49 GMT

Looks like all went well with the ISP switchover, except two things which I'll work on myself. One, I can no longer RDP to the internal servers, yet if I modify the same NAT rules to point to a PC for example, that works. From said PC, I can no longer RDP to the server. It's a server issue, yet is extremely coincidental that after putting this router online this weekend, access to the server stops. There are no update cycles or other, and it was rebooted with no effect.

Anyway, also, I have to still figure out how to log what system is a spambot (via logging who hits port 25).

IOS FW: how to block port 25?

cluovpemb — Tue, 13 Nov 2012 16:21:17 GMT

Ok figured out how to log the offending system, and also the lack of remote abilkity to the server is the servers fault in some way, nothing to do with the router at all.