DrayTek UK Users' Community Forum


Firewall filter to allow connections on port 25 from

01 Nov 2011 14:57 #69886 by garycomputerbloke
I need to create a firewall rule to allow SMTP in on port 25 only from these IPs and to block everything else:

216.104.20.0/24
150.70.149.32/27
150.70.224.0/20
150.70.160.0/20
150.70.176.0/20

So under the default data filter I created five different rules all allowing port 25 in from these IP addresses, however I think it's my block
rule which is incorrect:

It reads:

Block Immediately
Branch to Other Filter Set None
Direction In
Protocol TCP

Source Any
Subnet Mask 255.255.255.255(/32)
Operator !=
Start Port 25
End Port 25

Destination 192.168.0.100 (Server IP Address)
Subnet Mask 255.255.255.0 (/24)
Operator =
Start Port
End Port
Keep State
Fragments Don't Care

It seems my block rule blocks everything. Another thing, whilst I am on the matter: if I am blocking port 25, where should I be placing the start port and end port? Within the Source or the Destination?

Hope someone clever can help!

Cheers
Gary

01 Nov 2011 22:01 #69891 by nealuk
Here is how I approach this scenario:

Under NAT in either Port Redirection or Open Ports the port 25 traffic is forwarded to 192.168.0.100

Under IP Object, I set an Index for each of the email providers.

Friendly Name
WAN
IP Range

Under IP Group, I create an Index called "Incoming SMTP", Interface Any (handy for VPN intercompany mail), and add in the trusted indexes.

Under Service Type Object, I create an Index called SMTP:

Name SMTP
Protocol TCP
Source Port = 1 - 65535
Destination Port = 25 - 25

Firewall >> Filter Setup

Index 2 "Default Data Filter"

Extend this as follows:

Index 2

Comments: Block SMTP

Direction: WAN > LAN
Source IP: Any
Destination IP: Any
Service Type: SMTP
Fragments Don't Care

Application
Filter: Block If No Further Match

Index 3

Comments: Trusted SMTP

Direction: WAN > LAN
Source IP: Incoming SMTP (choose the IP Group created earlier)
Destination IP: Any
Service Type: SMTP
Fragments Don't Care

Application
Filter: Pass Immediately

I think that's it. Seems long-winded to start with, but it does make on-going changes much easier to handle in the future imo.

Regards, Neal

02 Nov 2011 11:05 #69901 by garycomputerbloke
Hi Neal

Many thanks for your reply. Unfortunately the Draytek router I am using is very old: it is a Vigor 2600 plus series annex A using firmware version 2.5.6_UK, so many of the options you advise are unavailable.

I already have port redirection enabled for port 25, but I don't have the option of "IP Object", so I'm a little stuck :-(

Gary

07 Nov 2011 22:45 #69975 by voodle
On that old one it's easy and the UK guides are still relevant :)

http://draytek.co.uk/support/kb_vigor_filtering.html

You'd need two rules to start with; give one of them these settings:

Comment: Block SMTP
Pass or Block: Block if no further match
Direction: IN
Protocol: TCP
Source: Any - Operator "=" - Start port & End Port left blank
Destination: your local SMTP server or Any - Operator "=" - Start port & End port 25

In the next rules you can set up which sites to allow:
Comment: Allow SMTP #1
Pass or Block: Pass Immediately
Direction: IN
Protocol: TCP
Source: 216.104.20.0/24 - Operator "=" - Start port & End Port left blank
Destination: your local SMTP server or Any - Operator "=" - Start port & End port 25

You'd need six rules in total, which is why the later routers' objectiness is good, but it'll work :)

Looks like you were close, but you need to leave the source port blank and specify the destination port, because the source port will almost always be a pseudoport.

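To make the difference between the two rule layouts concrete, here is an added example (not code from the thread or from DrayTek) that models how an ordered filter set with "Block If No Further Match" and "Pass Immediately" actions is evaluated, using the five trusted networks from the first post. The `Rule` class, `evaluate()` function and the exact evaluation semantics are assumptions drawn from the thread's descriptions, and the packet addresses and ports are constructed sample values.

```python
# Added example: a model of DrayTek-style filter evaluation (assumed semantics,
# not DrayTek's own code). Rules are checked in order; "pass"/"block" stop the
# walk, "block_if_no_further_match" only blocks if nothing later passes it.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# The five sender networks from the original question
TRUSTED_SMTP_NETS = ["216.104.20.0/24", "150.70.149.32/27", "150.70.224.0/20",
                     "150.70.160.0/20", "150.70.176.0/20"]

@dataclass
class Rule:
    comment: str
    action: str                     # "pass", "block" or "block_if_no_further_match"
    src_net: str = "0.0.0.0/0"      # Source "Any"
    src_port: Optional[int] = None  # None = port field left blank (matches any)
    dst_port: Optional[int] = None

    def matches(self, src_ip: str, src_port: int, dst_port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src_net)
                and (self.src_port is None or src_port == self.src_port)
                and (self.dst_port is None or dst_port == self.dst_port))

def evaluate(rules, src_ip: str, src_port: int, dst_port: int) -> str:
    """Walk the filter set in order and return "pass" or "block"."""
    pending_block = False
    for r in rules:
        if not r.matches(src_ip, src_port, dst_port):
            continue
        if r.action == "pass":
            return "pass"           # Pass Immediately: stop here
        if r.action == "block":
            return "block"          # Block Immediately: stop here
        pending_block = True        # Block If No Further Match: keep looking
    return "block" if pending_block else "pass"   # unmatched traffic passes

# Recommended layout: one catch-all block on destination port 25, then one
# Pass Immediately rule per trusted sender network (six rules in total).
RECOMMENDED = [Rule("Block SMTP", "block_if_no_further_match", dst_port=25)] + [
    Rule(f"Allow SMTP #{i}", "pass", src_net=net, dst_port=25)
    for i, net in enumerate(TRUSTED_SMTP_NETS, 1)]

# Mistaken variant: the allow rules key on *source* port 25, which a remote
# mail server never uses (it connects from an ephemeral "pseudoport"), so the
# trusted senders fall through to the block rule.
SRC_PORT_MISTAKE = [Rule("Block SMTP", "block_if_no_further_match", dst_port=25)] + [
    Rule(f"Allow SMTP #{i}", "pass", src_net=net, src_port=25)
    for i, net in enumerate(TRUSTED_SMTP_NETS, 1)]
```

Run `evaluate(RECOMMENDED, "216.104.20.5", 51234, 25)` to see a trusted sender pass, and the same call against `SRC_PORT_MISTAKE` to see it blocked.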