is there any way to block port 25 from outside my LAN?

Post by Marco » Wed, 11 Jul 2001 00:51:07
Hi,

I just started my new job and found an Ultra1 Solaris box, 2.4 or 2.5 (no
monitor, must access it by telnet..), with spamming problems. It runs a
Netscape Mail Server 2.0 that is the SMTP/POP3 server for users in the LAN, and
it seems to be lacking any defense against spammers; our
connectivity provider has told us so.. :-(
Is there any way, by the OS, to make port 25 accessible only from a range of
IP numbers and a particular domain? Just while we change our mail server
software...
Or what other solutions may I find?

Thx
Marco

Post by Logan Sh » Wed, 11 Jul 2001 02:08:22
>I just started my new job and found an Ultra1 Solaris box, 2.4 or 2.5 (no
>monitor, must access it by telnet..), with spamming problems. It runs a
>Netscape Mail Server 2.0 that is the SMTP/POP3 server for users in the LAN, and
>it seems to be lacking any defense against spammers; our
>connectivity provider has told us so.. :-(
>Is there any way, by the OS, to make port 25 accessible only from a range of
>IP numbers and a particular domain? Just while we change our mail server
>software...

The simplest and most straightforward way would be to go get IP Filter
from http://www.ipfilter.org/ , install it, and add a rule that looks
something like this:

        block in on hme0 proto tcp from any to any port = 25
        pass in on hme0 proto tcp from 10.20.30.0/255.255.255.0 to any port = 25

The first rule says that by default, all tcp connections through
interface hme0 to port 25 should be ignored (i.e. packets dropped).
The second says that ones coming from the network 10.20.30.0 should be
exceptions, i.e. should be allowed in.

Actually, it might be more friendly (to others' mail servers) to refuse
the connection instead of just ignoring its packets, which you could do
by changing the first rule to this:

        block return-rst in on hme0 proto tcp from any to any port = 25

The problem with the port-blocking approach is that you're refusing all
connections from the outside, legitimate or not.  So, you're not going
to get any mail from the outside at all, unless maybe you have an MX
machine that can relay it onward.  (If so, you'll want to make sure you
allow it to connect, probably using a special rule.)

Hope that helps.

  - Logan
--
my  your   his  her   our   their   _its_
I'm you're he's she's we're they're _it's_
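Logan's rule pair relies on IP Filter testing every rule in order and letting the last match decide. The following is an added example (not code from the thread or from the IP Filter project) that models that evaluation for the exact rules quoted above, so the silent-drop and return-rst variants can be compared side by side. It assumes no rule carries the `quick` keyword (which would stop at the first match), and 192.0.2.44 is a constructed outside address.

```python
# Added example (not from the thread or from IP Filter): a small model of ipf
# rule evaluation for the rule subset used in Logan's post. ipf checks every
# rule in order and the LAST matching rule wins; "quick" is assumed absent.
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str   # "block" or "pass"
    rst: bool     # True for "block return-rst" (send a TCP reset, do not drop silently)
    iface: str
    proto: str
    src: ipaddress.IPv4Network
    dport: int

def _net(word):
    # "any" means every address; ipaddress accepts the post's a.b.c.d/mask form
    return ipaddress.ip_network("0.0.0.0/0" if word == "any" else word, strict=False)

def parse_rule(text):
    """Parse: (block|pass) [return-rst] in on IFACE proto P from SRC to DST port = N"""
    t = text.split()
    action = t.pop(0)
    rst = t[0] == "return-rst"
    if rst:
        t.pop(0)
    if (t[:2] != ["in", "on"] or t[3] != "proto" or t[5] != "from"
            or t[7] != "to" or t[9:11] != ["port", "="]):
        raise ValueError("unsupported rule: " + text)
    return Rule(action, rst, t[2], t[4], _net(t[6]), int(t[11]))

def decide(rules, iface, proto, src_ip, dport):
    """Verdict for one inbound packet: 'pass', 'drop' (silent) or 'rst'."""
    verdict = "pass"  # ipf lets a packet through when no rule matches it
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if (r.iface, r.proto, r.dport) != (iface, proto, dport) or src not in r.src:
            continue
        verdict = "pass" if r.action == "pass" else ("rst" if r.rst else "drop")
    return verdict

# The two rule sets from the post, in the post's own notation.
SILENT_DROP = [parse_rule(r) for r in (
    "block in on hme0 proto tcp from any to any port = 25",
    "pass in on hme0 proto tcp from 10.20.30.0/255.255.255.0 to any port = 25",
)]
RETURN_RST = [parse_rule(r) for r in (
    "block return-rst in on hme0 proto tcp from any to any port = 25",
    "pass in on hme0 proto tcp from 10.20.30.0/255.255.255.0 to any port = 25",
)]
```

Running `decide(RETURN_RST, "hme0", "tcp", "192.0.2.44", 25)` gives `"rst"`, while the same outside address under `SILENT_DROP` gives `"drop"`; a 10.20.30.x address passes under both because the second rule is the last match.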

Post by rob » Wed, 11 Jul 2001 03:43:53
> >I just started my new job and found an Ultra1 Solaris box, 2.4 or 2.5 (no
> >monitor, must access it by telnet..) with spamming problems.
<snip>
> The simplest and most straightforward way would be to go get IP Filter
> from http://www.ipfilter.org/
<snip>
>   - Logan

Are you sure he doesn't just need to turn off mail forwarding?
Or is his server so old as not to disable forwarding?
Post by Barry Margoli » Wed, 11 Jul 2001 05:01:52
>> >I just started my new job and found an Ultra1 Solaris box, 2.4 or 2.5 (no
>> >monitor, must access it by telnet..) with spamming problems.
><snip>
>> The simplest and most straightforward way would be to go get IP Filter
>> from http://www.ipfilter.org/
><snip>
>>   - Logan

>Are you sure he doesn't just need to turn off mail forwarding?
>Or is his server so old as not to disable forwarding?

The OP said he was looking for a solution *until* he figures out how to fix
the mail software itself.

--

Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

Post by Marco » Fri, 13 Jul 2001 17:36:54
> The simplest and most straightforward way would be to go get IP Filter
> from http://www.ipfilter.org/ , install it, and add a rule that looks
> something like this:
> block in on hme0 proto tcp from any to any port = 25
> pass in on hme0 proto tcp from 10.20.30.0/255.255.255.0 to any port = 25
> The first rule says that by default, all tcp connections through
> interface hme0 to port 25 should be ignored (i.e. packets dropped).
> The second says that ones coming from the network 10.20.30.0 should be
> exceptions, i.e. should be allowed in.
ok
> Actually, it might be more friendly (to others' mail servers) to refuse
> the connection instead of just ignoring its packets, which you could do

I don't fully understand this..

> by changing the first rule to this:
> block return-rst in on hme0 proto tcp from any to any port = 25

What does this rule mean?

> The problem with the port-blocking approach is that you're refusing all
> connections from the outside, legitimate or not.  So, you're not going
> to get any mail from the outside at all, unless maybe you have an MX
> machine that can relay it onward.  (If so, you'll want to make sure you
> allow it to connect, probably using with a special rule.)

I have an internal mail server (a DNS MX machine) that only needs to send
internal users' mail and receive internal users' mail from whoever wants..
I am quite sure I don't need any connection from outside to my SMTP server..

May you help me a little more?
thx

Marco

port 25 not responding to outside

Hello. I'm having a very strange error regarding sendmail and outside
connections. I have it running on a gateway, and normally it's been fine
accepting mail from the outside. However, just recently (somewhere around
the last time I switched IP addresses, a day or two ago) it stopped
accepting connections from the outside. It still accepts connections from
localhost, and from other hosts on the internal LAN. It also accepts
connections from the outside on other ports like 22 (SSH) fine. But when
an outside host on the internet tries to connect to port 25 of my host, it
simply hangs and times out. I've tried opening my firewall completely,
allowing everything to smtp in /etc/hosts.allow, shutting down and
restarting sendmail completely several times, and rebooting altogether. It
still persists, and is driving me bananas.

I'm on a Slackware 9.0.0 box. Here are outputs of relevant commands and
file contents:

$ ps -ef | grep sendmail
root       144     1  0 03:43 ?        00:00:00 sendmail: accepting connections
smmsp      147     1  0 03:43 ?        00:00:00 sendmail: Queue

$ netstat -an|grep 25
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN

/etc/hosts.allow:
sshd: ALL
smtp: ALL #I added this when the problem started, even though I know
          #sendmail isn't run from Inetd

I opened my iptables firewall completely to see if it would help:
$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED

----------------EOF------------
I also run Portsentry, which I tried shutting down, to no avail.

Anyway, help as to whatever (probably obvious and trivial) thing I'm
overlooking is appreciated.

Oh, and please don't reply by email until after it's fixed, as I obviously
can't receive your reply until then =o)

Thanks.

--
Blitzen