Blocking port 25. . . except for 1 server

Quimax
Getting noticed

So, I've been trying to block port 25 on our network.

[Screenshot: Firewall Configuration - Meraki Dashboard]

If I don't have rules 5 & 6 then everything is indeed blocked on port 25. With rule 5 or rule 6 or both, then port 25 works for any system on the network.

I'm confused, but also assuming that the issue is with me, not the MX. Help?

AjitKumar
Head in the Cloud

Hi @Quimax

Following is my understanding:

Rule 5 Says
"Allow" protocol "TCP" for ["IP Address=x.x.x.75" + port "25"] to destination ["Any IP Address" + port "Any"] - Means a specific IP Address from your LAN can access port 25 service.


Rule 6 Says
"Allow" protocol "TCP" for ["Any IP Address" + port "25"] to destination ["IP Address x.x.x.75" + port "Any"] - Means all IP Addresses from your LAN can use port 25 service for a specific destination.


Rule 7 Says
"Deny" protocol "TCP" for ["Any IP Address" + port "25"] to destination ["Any IP Address" + port "Any"] - Means No IP Address from your LAN can use port 25 service

I believe if you remove Rule 6, you may achieve the desired result.

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network

I'm with @AjitKumar , mostly.


If what you're trying to do is just allowing one server to communicate to outside SMTP servers, then imo you need rule 7 and a slightly modified version of rule 5. I wouldn't specify the source port, leave that set to any. The return traffic will automatically be allowed thanks to the magic of stateful firewalling.


If you want to allow incoming connections to your server (initiated by the outside world), then you'll need more settings in the NAT section, but you'd have to be very careful when messing with those. You wouldn't want your server to end up filling the internets with spam.

PhilipDAth
Kind of a big deal

There is some inconsistent information here.


If this is outbound SMTP then rules 5 and 6 should have "any" for the source port. Only the destination port should be filled in with port 25.

Once rule 6 is fixed it will allow every host to send SMTP to the .75 host. This does not sound like the description of what you were trying to achieve of only allowing one host to communicate out.

Also if you make a rule change it will only affect new flows. You'll need to wait for any existing flows in progress to be timed out. So after making a change you might need to wait 10 minutes and test.

In 99% of cases you never need to specify a source port, only the destination port.
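As an added illustration (not code from this thread or from Meraki), a small first-match rule evaluator that shows the two points the replies make: a rule keyed on source port 25 never matches an outbound SMTP connection, whose source port is ephemeral, and a rule 6 with only the source port fixed lets every LAN host reach the .75 server. The addresses, the ephemeral port and the evaluator's plain first-match semantics are assumptions for the example, not a model of how the MX processes its rule list.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # CIDR, or "any"
    src_port: Optional[int]     # None means "any"
    dst: str
    dst_port: Optional[int]

def _ip_matches(pattern: str, ip: str) -> bool:
    return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)

def _port_matches(pattern: Optional[int], port: int) -> bool:
    return pattern is None or pattern == port

def evaluate(rules: List[Rule], src_ip: str, src_port: int,
             dst_ip: str, dst_port: int, default: str = "allow") -> str:
    """First matching rule wins; unmatched traffic gets the default (assumed 'allow')."""
    for r in rules:
        if (_ip_matches(r.src, src_ip) and _port_matches(r.src_port, src_port)
                and _ip_matches(r.dst, dst_ip) and _port_matches(r.dst_port, dst_port)):
            return r.action
    return default

MAIL_SERVER = "192.0.2.75"      # constructed stand-in for the thread's x.x.x.75
OTHER_HOST = "192.0.2.20"       # constructed: any other LAN host
REMOTE_SMTP = "203.0.113.10"    # constructed: an outside mail server

# Rules 5-7 as the replies read them: 5 and 6 keyed on SOURCE port 25, 7 on destination port 25.
AS_POSTED = [
    Rule("allow", MAIL_SERVER + "/32", 25, "any", None),
    Rule("allow", "any", 25, MAIL_SERVER + "/32", None),
    Rule("deny", "any", None, "any", 25),
]

# Rule 6 with the source port moved to the destination, as PhilipDAth describes its effect.
RULE6_FIXED = [Rule("allow", "any", None, MAIL_SERVER + "/32", 25)]

# The suggested end state: drop rule 6, rule 5 with source port any, then the deny.
CORRECTED = [
    Rule("allow", MAIL_SERVER + "/32", None, "any", 25),
    Rule("deny", "any", None, "any", 25),
]

def outbound_smtp(rules: List[Rule], src_ip: str) -> str:
    # An SMTP client uses an ephemeral source port (51234 here, constructed); only the
    # destination port is 25, so rules keyed on source port 25 fall through to the deny.
    return evaluate(rules, src_ip, 51234, REMOTE_SMTP, 25)
```

With `AS_POSTED` even the mail server's outbound connection falls through to rule 7, with `CORRECTED` only `MAIL_SERVER` is allowed, and `RULE6_FIXED` lets `OTHER_HOST` connect to the .75 server on port 25.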

Quimax
Getting noticed

[Screenshot of the current rule set]

So this is how it's set now. Everything on the network, regardless of group policy (normal or otherwise), can connect to remote SMTP servers on port 25.

If I remove rule #5 (.75 allow access) then nothing can get to port 25. Perhaps I will have to live with this and find how to get this single server to send reports via another method.
