already had this as well. Sorry forgot to mention it.  and i actually believe the layer 7 is still for outbound only as i can see the rogue device still hitting my spam filter. But i can see responses from my spam filter being blocked. 

Meraki has an odd design philosophy, and maybe it is a greater network design philosophy of blocking as close to the destination device as possible. 

In your case, blocking outgoing traffic to that IP would achieve the same result as blocking incoming traffic from that IP.  But I agree, it is seemingly less secure since the traffic would reach the destination server and just not get returned.  

Begs the question, what if the traffic is malicious or malformed.  If that is the case I wouldn't even want the traffic getting to my server so blocking incoming would be most ideal. 

exactly my concern! 

@NSGuru @Adam Sorry to interrupt, but are you guys sure adding an outbound rule stops return traffic? That's not generally the way _stateful_ firewalls work... If traffic is permitted in one direction the return traffic is allowed regardless of configured ACL's in the return direction. If the MX works that way then that is counter to my expectations...

http://blog.brokennetwork.ca | @jdsilva

@jdsilva earlier after setting the rule on L7 and outbound i believe that it was blocking the traffic after i built the rule.  Im watching it again now though and i see no packets hitting that rule now.... Luckily i have IP reputation turned on for my Spam Filter so it knows the IP is malicious and blacklisted. But the logs are piling up because i cant get my meraki firewall to block this on the front end. 

@NSGuru Ok, that's interesting. Definitely not what I would expect. 

http://blog.brokennetwork.ca | @jdsilva

@jdsilva I do want to redact my previous statement. I had forgotten that i built a group policy specifically for this clien(Spam Filter) I created the rule in the group policy it stopped sending or receiving from the blacklisted public IP.... and began sending through as another public IP. So now im working through stopping the malicious attacks in general. 

Its hard to lock down SMTP when you are an MSP and your clients are utilizing it as a relay.

@NSGuru Ahh, OK then I would be confident return traffic is blocked. The GP L3 rules are stateless so they should be blocking that absolutely.

http://blog.brokennetwork.ca | @jdsilva

@NSGuru give Meraki Support a ring and ask about running the No-NAT, still a beta feature they can enable for you if it fits with your network design, and you can have configurable inbound firewall rules as well as make the MX more like a routing device without NATting on the uplink/WAN.  Just like you have outbound rules to filter traffic from the LAN side towards the WAN/Internet or other VLANs for example, you can also have inbound rules to filter traffic coming from the WAN/Internet inbound with the same ability to specify protocol, source and destination addresses and port numbers.  

OK, confirmed. A Layer 3 outbound firewall rule does not block the return traffic to an inbound initiated flow. 

Good. I can sleep easy at night again 🙂

http://blog.brokennetwork.ca | @jdsilva