I remember quite some time ago hearing that spam mail on an infected internal system can use any port to send mail out. What I would like to set up is a set of firewall rules to only allow certain packets out through their correct ports, such as DNS requests through port 53, SMTP through 25, etc. My question is, if I do this, will it stop any other traffic that attempts to open a port from the internal to the external?
What ACL do I use to tell the router to only allow those packets that are allowed out?
What I have so far is:
ip nat inside source static tcp 192.168.xxx.xxx 25 203.xxx.xxx.xxx 25 extendable
If I have the following, am I allowing all IP packets out?
description Local LAN Network
no ip address
ip access-group 101 in
ip nat inside
ip route-cache flow
ip tcp adjust-mss 1452
bridge-group 1 spanning-disabled
hold-queue 32 in
So, if I'm right, I'm allowing any IP packet in and out of any network and allowing IP packets out on network 192.168.xxx.xxx:
access-list 101 permit ip any any
access-list 101 permit ip 192.168.xxx.xxx 0.0.0.255 any
If the above is true, can I also have the following to allow SMTP, SSH, DNS, HTTP and HTTPS? In other words, to tighten the outgoing packets?
access-list 101 permit tcp 192.168.xxx.xxx any eq 25
access-list 101 permit tcp 192.168.xxx.xxx any eq 23
access-list 101 permit tcp 192.168.xxx.xxx any eq 53
access-list 101 permit tcp 192.168.xxx.xxx any eq 80
access-list 101 permit tcp 192.168.xxx.xxx any eq 143
Thanks for any assistance.
ACL listing is very important. The router will read from the top down and, as soon as it finds a match, it will forward/drop depending on the ACL. If a user is infected and wants to send email out, the source port will be between 1025 and 65535. However, the destination port will be 25. On your router, using the ACL, allow your email server to send out on port 25 and block everyone else:
access-list 101 permit tcp host 192.168.x.y any eq 25 (your email server)
access-list 101 deny tcp any any eq 25
You will want to remove (better) the ip any any ACE or move it to the bottom.
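To make the ordering point concrete, here is an added example (not from the thread, and not Cisco code) that simulates IOS extended-ACL evaluation in Python: top-down, first match wins, implicit deny at the end. It parses the subset of `access-list` syntax used above, then evaluates constructed packets against two lists: the poster's list with `permit ip any any` at the top, and a hardened list that permits only the mail server on 25 (plus DNS over UDP and TCP, SSH, HTTP and HTTPS from the LAN) and denies 25 for everyone else. The addresses 192.168.1.0/24, 192.168.1.10 (mail server) and 203.0.113.5 (outside host) are made up for the example.

```python
"""Simulate Cisco IOS extended-ACL evaluation: top down, first match wins,
implicit deny at the end.  Added example, not code from the original thread.
Addresses 192.168.1.0/24, 192.168.1.10 and 203.0.113.5 are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # IOS wildcard masks are inverted netmasks (0.0.0.255 -> 255.255.255.0).
    # Simplification for this example: the wildcard is assumed contiguous.
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_acl(text: str) -> List[Ace]:
    """Parse lines like 'access-list 101 permit tcp host 192.168.1.10 any eq 25'."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        _, _number, action, proto, *rest = tokens
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, ACE position) of the first matching ACE, or
    ("deny", None) for the implicit deny that ends every IOS ACL."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(aces, 1):
        if ace.proto not in ("ip", proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


# The poster's list: the broad permit on top shadows everything after it.
POSTED = parse_acl("""
access-list 101 permit ip any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 25
""")

# Hardened list applied inbound on the LAN interface (ip access-group 101 in):
# only the mail server may reach port 25; DNS is mostly UDP, so both are listed.
HARDENED = parse_acl("""
access-list 101 permit tcp host 192.168.1.10 any eq 25
access-list 101 deny tcp any any eq 25
access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq 53
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 53
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 22
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
""")

# Constructed packets: (label, proto, src, dst, dport)
PACKETS = [
    ("mail server -> SMTP",      "tcp", "192.168.1.10", "203.0.113.5", 25),
    ("infected host -> SMTP",    "tcp", "192.168.1.50", "203.0.113.5", 25),
    ("workstation -> DNS/UDP",   "udp", "192.168.1.50", "203.0.113.5", 53),
    ("workstation -> TCP 8080",  "tcp", "192.168.1.50", "203.0.113.5", 8080),
]

if __name__ == "__main__":
    for name, acl in (("POSTED", POSTED), ("HARDENED", HARDENED)):
        print(name)
        for label, *pkt in PACKETS:
            action, n = evaluate(acl, *pkt)
            where = f"ACE {n}" if n else "implicit deny"
            print(f"  {label:26} {action:6} ({where})")
```

Running it shows the infected host's SMTP attempt matching ACE 1 (`permit ip any any`) in the posted list, and matching the explicit `deny tcp any any eq 25` in the hardened list, while a port that no ACE mentions falls through to the implicit deny. A real IOS ACL also needs entries for any other traffic the LAN legitimately sends (for example ICMP or NTP), or it will be dropped by that implicit deny.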
That is correct. To enhance security, you can just specify the traffic that needs to be allowed from inside to outside, and the rest of the non-required ports would be blocked automatically. You are right.