Zywall 110 - Blocking outgoing port 25 (SMTP)
I must be doing something wrong. I want to block outgoing port 25 for certain IP addresses outgoing to the wan.
I set up an address rule in objects:
name: _BlockPort25_3-10
address type: range
Start IP: 192.168.1.3
End IP: 192.168.1.10
Then in security policy I set up:
enabled-yes
from: lan1 (this is correct)
to: wan
source _BlockPort25_3-10 (the IP address object I setup earlier)
destination: WAN1-IP
service: SMTP
user: any
schedule: none
Action: deny
log:
Yet I can still telnet out of any of the machines involved to port 25 on another internet-based system running a mail server.
What am I doing wrong?
Comments
Hello NoelOlson,
You should modify the configuration as you mentioned.
destination: WAN1-IP ==> destination: any
Also, make sure this rule is on first priority.
Charlie
Thank you, I figured that out a few days ago as well.
But I do not understand why the destination is 'any' instead of 'wan1-IP'.
What are you referring to when you say 'destination'?
To me, a not very knowledgeable user, the rule I want is:
Anything going out the wan, originating on certain IP addresses on port 25, should be blocked.
So when I look at the configuration and see it asking for destination, to me that destination would be the wan interface. So why would not 'block traffic from 'lan to wan on port 25', with wan being the public IP address of wan1-IP, work?
I am confused, when you say 'destination' what do you mean?
why would a destination going to the public IP address (WAN1-IP) not work
but a destination of 'any' does work?
Semantics, no doubt... but I can find no real explanation anywhere in your documentation.
Because you're blocking outgoing from source IP WAN1, so any is correct for destination.
Here's an example:
LAN IP source 192.168.0.2 > destination 8.8.8.8
NAT WAN1 source 5.0.0.2 > destination 8.8.8.8
so in the rule source would be 192.168.0.2, but the true source after NAT is 5.0.0.2, and destination would be 8.8.8.8
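The following is an added illustration, not code from the thread or from Zyxel: a small model of first-match security-policy evaluation that shows why a deny rule whose destination is the WAN1-IP object never matches outbound SMTP, while destination 'any' does. It assumes the firewall evaluates the policy on the pre-NAT packet, that outbound source NAT rewrites only the source address, and that LAN-to-WAN traffic is allowed when no rule matches (all three are assumptions of the model). The addresses 192.168.1.3-10, 5.0.0.2 and 8.8.8.8 are the ones used in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple, Union

ANY = "any"
# WAN1 address for this constructed model (the NAT example above uses 5.0.0.2).
WAN1_IP = "5.0.0.2"


@dataclass(frozen=True)
class Packet:
    src: str    # source IP as the policy sees it (pre-NAT, i.e. the LAN host)
    dst: str    # destination IP: the real remote host, unchanged by outbound source NAT
    dport: int  # destination TCP port


@dataclass(frozen=True)
class Rule:
    name: str
    src: Union[str, Tuple[str, str]]  # ANY or an (start, end) address-range object
    dst: str                          # ANY or a single address such as WAN1_IP
    dport: Optional[int]              # None = any service, 25 = SMTP
    action: str                       # "deny" or "allow"


def src_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src == ANY:
        return True
    lo, hi = rule.src
    return ip_address(lo) <= ip_address(pkt.src) <= ip_address(hi)


def dst_matches(rule: Rule, pkt: Packet) -> bool:
    # The destination field is compared with the packet's destination address,
    # not with the address of the interface the packet leaves through.
    return rule.dst == ANY or ip_address(rule.dst) == ip_address(pkt.dst)


def service_matches(rule: Rule, pkt: Packet) -> bool:
    return rule.dport is None or rule.dport == pkt.dport


def first_match(policy: List[Rule], pkt: Packet) -> Optional[Rule]:
    # Rules are checked top-down; the first rule whose fields all match wins.
    for rule in policy:
        if src_matches(rule, pkt) and dst_matches(rule, pkt) and service_matches(rule, pkt):
            return rule
    return None


def evaluate(policy: List[Rule], pkt: Packet, default: str = "allow") -> str:
    # Assumption of the model: LAN-to-WAN traffic passes when nothing matches.
    hit = first_match(policy, pkt)
    return hit.action if hit else default


def snat(pkt: Packet) -> Packet:
    # Outbound source NAT rewrites only the source; the destination stays the remote host.
    return Packet(WAN1_IP, pkt.dst, pkt.dport)


BLOCK_RANGE = ("192.168.1.3", "192.168.1.10")  # the _BlockPort25_3-10 object from the thread
RULE_WRONG = Rule("block25-to-WAN1-IP", BLOCK_RANGE, WAN1_IP, 25, "deny")
RULE_RIGHT = Rule("block25-to-any", BLOCK_RANGE, ANY, 25, "deny")
ALLOW_ALL = Rule("lan-outgoing", ANY, ANY, None, "allow")

# Constructed sample packet: a host in the blocked range opening SMTP to a remote server.
SMTP_OUT = Packet("192.168.1.5", "8.8.8.8", 25)


def demo() -> dict:
    return {
        "dst=WAN1-IP": evaluate([RULE_WRONG], SMTP_OUT),                 # allow: dst is 8.8.8.8, not 5.0.0.2
        "dst=any": evaluate([RULE_RIGHT], SMTP_OUT),                     # deny
        "deny-below-allow": evaluate([ALLOW_ALL, RULE_RIGHT], SMTP_OUT), # allow: rule order matters
        "other-port": evaluate([RULE_RIGHT], Packet("192.168.1.5", "8.8.8.8", 443)),       # allow
        "host-outside-range": evaluate([RULE_RIGHT], Packet("192.168.1.50", "8.8.8.8", 25)),  # allow
        "post-nat-dst": snat(SMTP_OUT).dst,                              # 8.8.8.8, still not WAN1-IP
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The "deny-below-allow" case is the reason Charlie says the rule must be first priority: with a broad allow rule above it, the deny never gets evaluated. When verifying a change like this, check the policy log for a hit on the deny rule rather than relying on the absence of mail.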
Hi NoelOlson,
As reported, you would block outgoing traffic for port 25, and the ZyWALL checks the rules in the order you have set them.
If you have dedicated FQDNs that should be reachable from the LAN side, you can also configure a "content filter" to allow only access to the configured URLs (FQDNs).
Another option is to set a user account on the rule, so a pre-authentication at the USG web interface is required to grant access to port 25 at the WAN side.
Perhaps it helps you to implement your required solution on the USG.
Regards
Christian
Thank you, everything is working correctly but I was confused as to the terminology used. Or actually with your definition of the terms.
To me, when originally setting up the rule (and based on my searches and other similar questions, a pretty common misconception on the part of those just knowledgeable enough to cause themselves problems) when you asked for destination, my thought was the destination of the packet in respect to the lan side of things. That destination would be the WAN, as referenced by the object WAN1-IP.
So the destination is the wan port. That seems to be incorrect thinking.
Your definition (likely the common definition) of destination is AFTER the NAT translation, where should we allow the packet to go (or not go). And the correct answer to that is Anywhere.
The problem is a pretty common one. The uneducated not understanding what the educated are talking about, and the educated not really making much of an effort to explain it all, but assuming that 'Hey! If you're doing this, you must understand what we are talking about!!'
Unfortunately, often we do not. But we strive to learn.
@NoelOlson,
No problem if some definitions are not known; you have fixed the issue.
In my case, I have a rule not based on source IP addresses that are blocked. I have by default blocked the outgoing port 25. Only users that are logged on to the USG are granted access to a destination at the WAN side on port 25.
I wish you lots of fun and an issue-free time with the USG 110.
Regards
Christian