Zywall 110 - Blocking outgoing port 25 (SMTP)

NoelOlson
NoelOlson Posts: 4  Freshman Member
edited April 2021 in Security
I must be doing something wrong. I want to block outgoing port 25 for certain IP addresses outgoing to the wan.
I set up an address rule in objects:
name: _BlockPort25_3-10
address type: range
Start IP: 192.168.1.3
End IP: 192.168.1.10

Then in security policy I set up:
enabled-yes
from: lan1 (this is correct)
to: wan
source _BlockPort25_3-10 (the IP address object I setup earlier)
destination: WAN1-IP
service: SMTP
user: any
schedule: none
Action: deny
log:

Yet I can still telnet out of any of the machines involved to port 25 on another internet based system running a mail server.

What am I doing wrong?


Comments

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    Hello NoelOlson,
    You should modify the configuration as you mentioned.
    destination: WAN1-IP==>destination:any
    Also, make sure this rule is on first priority.
    Charlie
  • NoelOlson
    NoelOlson Posts: 4  Freshman Member
    Thank you, I figured that out a few days ago as well.
    But I do not understand why the destination is 'any' instead of 'wan1-IP'.
    What are you referring to when you say 'destination'?
    To me, a not very knowledgeable user, the rule I want is:
    Anything going out the wan, originating on certain IP addresses on port 25, should be blocked.
    So when I look at the configuration and see it asking for destination, to me that destination would be the wan interface. So why would not 'block traffic from 'lan to wan on port 25', with wan being the public IP address of wan1-IP, work?
    I am confused, when you say 'destination' what do you mean?
    Why would a destination going to the public IP address (WAN1-IP) not work,
    but a destination of 'any' does work?
    Semantics, no doubt... but I can find no real explanation anywhere in your documentation.
  • PeterUK
    PeterUK Posts: 2,655  Guru Member
    edited January 2018

    Because you're blocking outgoing from source IP WAN1, so any is correct for destination.

    Here's an example

    LAN IP source 192.168.0.2 > destination 8.8.8.8 NAT WAN1 source 5.0.0.2 > destination 8.8.8.8

    So in the rule the source would be 192.168.0.2, but the true source after NAT is 5.0.0.2, and the destination would be 8.8.8.8.

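The NAT example above, as an added illustration that is not part of the thread or of Zyxel's software: a small Python model of first-match security-policy evaluation. It shows why a deny rule with destination WAN1-IP never matches LAN-originated SMTP (the policy compares against the real remote address the client asked for, not the firewall's own WAN address), why destination any does match, and why the rule has to sit above any broader allow. The WAN1 address 5.0.0.2 (from PeterUK's example) and the mail server 203.0.113.25 are constructed sample values; the implicit default allow is an assumption of the model.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import List, Optional, Tuple, Union

# Constructed address objects mirroring the thread.
BLOCK_RANGE = (ip_address("192.168.1.3"), ip_address("192.168.1.10"))  # _BlockPort25_3-10
WAN1_IP = ip_address("5.0.0.2")   # sample WAN1 address, as in PeterUK's example
SMTP = 25

@dataclass
class Packet:
    src: IPv4Address   # pre-NAT LAN source, which is what the policy engine matches on
    dst: IPv4Address   # the real remote host the LAN client addressed (not WAN1-IP)
    dport: int
    from_zone: str
    to_zone: str

@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    src: Union[str, Tuple[IPv4Address, IPv4Address]]  # "any" or an inclusive address range
    dst: Union[str, IPv4Address]                       # "any" or one address object
    service: Optional[int]                             # None means any service
    action: str

def matches(rule: Rule, pkt: Packet) -> bool:
    # Zones, source, destination and service must all agree for the rule to fire.
    src_ok = rule.src == "any" or (rule.src[0] <= pkt.src <= rule.src[1])
    dst_ok = rule.dst == "any" or rule.dst == pkt.dst
    svc_ok = rule.service is None or rule.service == pkt.dport
    return (rule.from_zone == pkt.from_zone and rule.to_zone == pkt.to_zone
            and src_ok and dst_ok and svc_ok)

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins, in list order (rule 1 is top priority)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "allow", "default"   # assumed implicit lan1 -> wan allow when nothing matches

BLOCK_WRONG = Rule("block_smtp", "lan1", "wan", BLOCK_RANGE, WAN1_IP, SMTP, "deny")
BLOCK_RIGHT = Rule("block_smtp", "lan1", "wan", BLOCK_RANGE, "any", SMTP, "deny")
ALLOW_ALL = Rule("lan1_to_wan", "lan1", "wan", "any", "any", None, "allow")

# Constructed packet: 192.168.1.5 telnets to an internet mail server at 203.0.113.25:25.
SMTP_OUT = Packet(ip_address("192.168.1.5"), ip_address("203.0.113.25"), SMTP, "lan1", "wan")

if __name__ == "__main__":
    print(evaluate([BLOCK_WRONG], SMTP_OUT))             # ('allow', 'default'): dst is not WAN1-IP
    print(evaluate([BLOCK_RIGHT], SMTP_OUT))             # ('deny', 'block_smtp')
    print(evaluate([ALLOW_ALL, BLOCK_RIGHT], SMTP_OUT))  # ('allow', 'lan1_to_wan'): wrong priority
```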
  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    Hi NoelOlson,
    As reported, you would block outgoing traffic for port 25, and the ZyWALL checks the rules in the order you have set them.
    If you have dedicated FQDNs that should be reachable from the LAN side, you can also configure a "content filter" to allow only access to the configured URLs (FQDNs).
    Another option is to set a user account on the rule, so a pre-authentication at the USG web interface is required to grant access to port 25 on the WAN side.

    Perhaps it helps you to implement your required solution on the USG.

    Regards
    Christian
  • NoelOlson
    NoelOlson Posts: 4  Freshman Member
    Thank you, everything is working correctly but I was confused as to the terminology used. Or actually with your definition of the terms.
    To me, when originally setting up the rule (and based on my searches and other similar questions, a pretty common misconception on the part of those just knowledgeable enough to cause themselves problems) when you asked for destination, my thought was the destination of the packet in respect to the lan side of things. That destination would be the WAN, as referenced by the object WAN1-IP.
    So the destination is the wan port. That seems to be incorrect thinking.
    Your definition (likely the common definition) of destination is AFTER the NAT translation: where should we allow the packet to go (or not go). And the correct answer to that is Anywhere.
    The problem is a pretty common one. The uneducated not understanding what the educated are talking about, and the educated not really making much of an effort to explain it all, but assuming that 'Hey!, if you're doing this, you must understand what we are talking about!!'
    Unfortunately, often we do not. But we strive to learn.
  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    @NoelOlson,
    No problem if some definitions are not known; you have fixed the issue.
    In my case, I've a rule not based on source IP addresses that are blocked. I've by default blocked the outgoing port 25. Only users that are logged on to the USG are granted access to a destination on the WAN side on port 25.

    I wish you lots of fun and an issue-free time with the USG 110 :)

    Regards
    Christian
