DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
2820 - Change default firewall to block?
- martindt
23 May 2012 21:46 #72327
by martindt
2820 - Change default firewall to block? was created by martindt
New to this product (2820) but I have set up an SMTP server Nat'd using "Open Ports" behind the router. This works fine but additionally I need to limit the allowed Internet IP addresses that can talk to this SMTP server (due to using an external SPAM filter provider who forwards our spam-filtered Email from several IP subnets that they have given to me).
The default firewall rules in the 2820 are to Allow all packets. If I set the default to "Block", I then need to set "Allow" filters for the incoming SMTP traffic, but do I then have to also set "Allow" filters for all of the other traffic?
Thanks.
- nealuk
24 May 2012 13:42 #72339
by nealuk
Replied by nealuk on topic Re: 2820 - Change default firewall to block?
Here is how I approach this scenario:
Under NAT in either Port Redirection or Open Ports the port 25 traffic is forwarded to MAIL.SERVER.LAN.IP
Under IP Object, I set an Index for each of the email providers.
Friendly Name
WAN
IP Range
Under IP Group, I create an Index called "Incoming SMTP", Interface Any (handy for VPN intercompany mail), and add in the trusted indexes.
Under Service Type Object, I create an Index called SMTP
Name SMTP
Protocol TCP
Source Port = 1 - 65535
Destination Port = 25 - 25
Firewall >> Filter Setup
Index 2 "Default Data Filter"
Extend this as follows:
Index 2
Comments: Block SMTP
Direction: WAN > LAN
Source IP: Any
Destination IP: Any
Service Type: SMTP
Fragments Don't Care
Application
Filter: Block If No Further Match
Index 3
Comments: Trusted SMTP
Direction: WAN > LAN
Source IP: Incoming SMTP (choose the IP Group created earlier)
Destination IP: Any
Service Type: SMTP
Fragments Don't Care
Application
Filter: Pass Immediately
I think that's it. Seems long winded to start with, but it does make on-going changes much easier to handle in the future imo.
Regards, Neal
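Added example, not part of the post above and not DrayTek code: a small Python model of how the two rules combine, assuming "Block If No Further Match" holds its verdict while later rules are still checked and "Pass Immediately" ends evaluation. The subnets are constructed placeholders for the provider's ranges, and the default rule stays at Allow as described in the original question.

```python
import ipaddress

# Constructed sample values (documentation ranges) standing in for the
# spam-filter provider's subnets held in the "Incoming SMTP" IP Group.
INCOMING_SMTP = [ipaddress.ip_network(n)
                 for n in ("198.51.100.0/24", "203.0.113.0/28")]

# The two WAN > LAN rules from the post, in index order.
RULES = [
    {"comment": "Block SMTP", "src": None, "dport": (25, 25),
     "action": "block_if_no_further_match"},
    {"comment": "Trusted SMTP", "src": INCOMING_SMTP, "dport": (25, 25),
     "action": "pass_immediately"},
]

def matches(rule, src_ip, proto, dport):
    """True when a packet fits the rule's TCP service type and source group."""
    if proto != "tcp":
        return False
    lo, hi = rule["dport"]
    if not lo <= dport <= hi:
        return False
    if rule["src"] is None:              # Source IP: Any
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in rule["src"])

def evaluate(src_ip, proto, dport, default="pass"):
    """Return (verdict, deciding rule) for an inbound WAN > LAN packet."""
    pending = None                       # verdict held by an "if no further match" rule
    for rule in RULES:
        if not matches(rule, src_ip, proto, dport):
            continue
        verdict = rule["action"].split("_")[0]       # "block" or "pass"
        if rule["action"].endswith("immediately"):
            return verdict, rule["comment"]          # stop checking here
        pending = (verdict, rule["comment"])         # keep checking later rules
    return pending or (default, "default rule")      # nothing matched: default applies

if __name__ == "__main__":
    for pkt in [("198.51.100.7", "tcp", 25),   # trusted relay
                ("192.0.2.50", "tcp", 25),     # untrusted SMTP
                ("192.0.2.50", "tcp", 443)]:   # unrelated traffic
        print(pkt, "->", evaluate(*pkt))
```

Under these assumptions only port 25 traffic is affected; everything else still reaches the default rule, so the default does not need to be switched to Block for this setup.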
- martindt
26 May 2012 19:48 #72357
by martindt
Replied by martindt on topic Re: 2820 - Change default firewall to block?
Nealuk
It's taken me a few days to get round to doing this, but I would like to say many thanks for your advice. Your helpful post also makes an excellent tutorial on using IP objects and groups.
I am just beginning to get the hang of the Draytek product, having been used to much simpler firewalls in other routers, but I can see how powerful the Draytek firewall is.
Thanks once again for your help.
Martin