DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Firewall filter to allow connections on port 25 from
- garycomputerbloke
- Topic Author
- New Member
- Posts: 2
- Thank you received: 0
01 Nov 2011 14:57 #69886
by garycomputerbloke
I need to create a firewall rule to allow SMTP in on port 25 only from these IPs and to block everything else
216.104.20.0/24
150.70.149.32/27
150.70.224.0/20
150.70.160.0/20
150.70.176.0/20
So under the default data filter I created five different rules all allowing port 25 in from these IP addresses, however I think it's my block rule which is incorrect:
It reads:
Block Immediately
Branch to Other Filter Set None
Direction In
Protocol TCP
Source Any
Subnet Mask 255.255.255.255(/32)
Operator !=
Start Port 25
End Port 25
Destination 192.168.0.100 (Server IP Address)
Subnet Mask 255.255.255.0 (/24)
Operator =
Start Port
End Port
Keep State
Fragments Don't Care
It seems my block rule blocks everything. Another thing, whilst I am on the matter: if I am blocking port 25, where should I be placing the start port and end port, within the Source or the Destination?
Hope someone clever can help!
Cheers
Gary
- nealuk
- Member
- Posts: 465
- Thank you received: 0
01 Nov 2011 22:01 #69891
by nealuk
Here is how I approach this scenario:
Under NAT in either Port Redirection or Open Ports the port 25 traffic is forwarded to 192.168.0.100
Under IP Object, I set an Index for each of the email providers.
Friendly Name
WAN
IP Range
Under IP Group, I create an Index called "Incoming SMTP", Interface Any (handy for VPN intercompany mail), and add in the trusted indexes.
Under Service Type Object, I create an Index called SMTP
Name SMTP
Protocol TCP
Source Port = 1 - 65535
Destination Port = 25 - 25
Firewall >> Filter Setup
Index 2 "Default Data Filter"
Extend this as follows:
Index 2
Comments: Block SMTP
Direction: WAN > LAN
Source IP: Any
Destination IP: Any
Service Type: SMTP
Fragments Don't Care
Application
Filter: Block If No Further Match
Index 3
Comments: Trusted SMTP
Direction: WAN > LAN
Source IP: Incoming SMTP (choose the IP Group created earlier)
Destination IP: Any
Service Type: SMTP
Fragments Don't Care
Application
Filter: Pass Immediately
I think that's it. Seems long winded to start with, but it does make on-going changes much easier to handle in the future imo.
Regards, Neal
- garycomputerbloke
- Topic Author
- New Member
- Posts: 2
- Thank you received: 0
02 Nov 2011 11:05 #69901
by garycomputerbloke
Hi Neal
Many thanks for your reply, unfortunately the Draytek router I am using is very old, it is a Vigor 2600 plus series annex A using firmware version 2.5.6_UK so many of the options you advise are unavailable.
I already have port redirection enabled for port 25 but I don't have the option of "IP Object" so I'm a little stuck
Gary
- voodle
- Big Contributor
- Posts: 1139
- Thank you received: 0
07 Nov 2011 22:45 #69975
by voodle
On that old one it's easy and the UK guides are still relevant:
http://draytek.co.uk/support/kb_vigor_filtering.html
You'd need two rules to start with, give one these settings:
Comment: Block SMTP
Pass or Block: Block if no further match
Direction: IN
Protocol: TCP
Source: Any - Operator "=" - Start port & End Port left blank
Destination: your local SMTP server or Any - Operator "=" - Start port & End port 25
In the next rules you can set up which sites to allow:
Comment: Allow SMTP #1
Pass or Block: Pass Immediately
Direction: IN
Protocol: TCP
Source: 216.104.20.0/24 - Operator "=" - Start port & End Port left blank
Destination: your local SMTP server or Any - Operator "=" - Start port & End port 25
You'd need six rules in total which is why the later router's objectiness is good but it'll work
Looks like you were close but you need to leave the source port blank and specify the destination port because source port will almost always be a pseudoport
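A worked model of the two rule layouts discussed in this thread (Neal's "Block If No Further Match" plus "Pass Immediately" pair, and voodle's per-range version of it for the older firmware), placed beside the block rule from the original post. This is added example code written for this page, not DrayTek software and not anything the posters supplied. It simulates the ordered evaluation the thread relies on (an "Immediately" action decides at once; an "If No Further Match" action applies only if no later rule matches) and assumes that a connection matching no rule at all is passed. Only the original poster's block rule is modelled, since the post does not show the five allow rules. The sample connections, the untrusted host 203.0.113.7, and the rule names are constructed.

```python
"""Model of DrayTek-style ordered filter rules: why a block rule keyed on
the *source* port fails, and how the deferred-block / pass-immediately
layout from the thread behaves. Constructed example, not router syntax."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Trusted relay ranges taken from the original post.
TRUSTED_SMTP = [ipaddress.ip_network(n) for n in (
    "216.104.20.0/24", "150.70.149.32/27", "150.70.224.0/20",
    "150.70.160.0/20", "150.70.176.0/20")]
SERVER = ipaddress.ip_network("192.168.0.100/32")

PortRange = Optional[Tuple[int, int]]   # None models a blank Start/End Port


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    comment: str
    action: str                  # pass_now | block_now | pass_if_no_match | block_if_no_match
    src_nets: Optional[List[ipaddress.IPv4Network]] = None   # None = Any
    sport: PortRange = None
    sport_op: str = "="          # the Operator field: "=" or "!="
    dst_nets: Optional[List[ipaddress.IPv4Network]] = None
    dport: PortRange = None
    dport_op: str = "="

    @staticmethod
    def _ip_ok(nets, ip):
        return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)

    @staticmethod
    def _port_ok(rng, op, port):
        if rng is None:          # blank ports: every port matches
            return True
        hit = rng[0] <= port <= rng[1]
        return (not hit) if op == "!=" else hit

    def matches(self, p: Packet) -> bool:
        return (self._ip_ok(self.src_nets, p.src)
                and self._port_ok(self.sport, self.sport_op, p.sport)
                and self._ip_ok(self.dst_nets, p.dst)
                and self._port_ok(self.dport, self.dport_op, p.dport))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """Walk the rules in order. 'Immediately' actions decide at once;
    'If No Further Match' actions are remembered and apply only when no
    later rule matches. Assumption: a packet matching no rule is passed."""
    pending = "pass"
    for r in rules:
        if not r.matches(p):
            continue
        if r.action == "pass_now":
            return "pass"
        if r.action == "block_now":
            return "block"
        pending = "pass" if r.action == "pass_if_no_match" else "block"
    return pending


# The block rule exactly as posted: Source Any, Operator "!=", ports 25-25,
# destination port left blank.
GARY_BLOCK = [Rule("Block Immediately", "block_now",
                   sport=(25, 25), sport_op="!=", dst_nets=[SERVER])]

# voodle's layout: deferred block on *destination* port 25, then one
# pass-immediately rule per trusted range with the source ports left blank.
VOODLE_RULES = [Rule("Block SMTP", "block_if_no_match",
                     dst_nets=[SERVER], dport=(25, 25))] + [
    Rule(f"Allow SMTP #{i + 1}", "pass_now", src_nets=[net],
         dst_nets=[SERVER], dport=(25, 25))
    for i, net in enumerate(TRUSTED_SMTP)]

# Constructed sample connections (RFC 5737 address for the untrusted host).
SAMPLES = {
    "trusted relay, ephemeral src port": Packet("216.104.20.5", 51234, "192.168.0.100", 25),
    "last address of the /27":           Packet("150.70.149.63", 40000, "192.168.0.100", 25),
    "first address past the /27":        Packet("150.70.149.64", 40000, "192.168.0.100", 25),
    "untrusted host":                    Packet("203.0.113.7", 40000, "192.168.0.100", 25),
    "untrusted host, src port 25":       Packet("203.0.113.7", 25, "192.168.0.100", 25),
}


def compare() -> dict:
    """Return {sample name: (result under GARY_BLOCK, result under VOODLE_RULES)}."""
    return {name: (evaluate(GARY_BLOCK, p), evaluate(VOODLE_RULES, p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (g, v) in compare().items():
        print(f"{name:36} posted rule={g:5}  voodle layout={v}")
```

Running it shows the symptom from the first post: every trusted relay is blocked, because a client's source port is ephemeral and so is almost never 25. The last sample shows the other half of the problem: a source-port condition is under the client's control, so a sender that binds its own source port 25 slips past the posted rule, whereas voodle's layout keys on the destination port and the source network and blocks it.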
Copyright © 2024 DrayTek