soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Block Port 25 or not ?

Mon Jun 27, 2016 9:32 am

We are an ISP with over 6000 IPv4 addresses and I see over 2000+ IPs are already on the PBL; almost 3 of the /22s are completely showing on the PBL list.
How to avoid this happening, or get the whole block whitelisted by the PBL?

When I asked some experts at other forums, they say to block port 25 at your PPPoE router and core router.
Is that a solution?

But I guess every customer's Outlook will stop working.

I checked this:
http://wiki.mikrotik.com/wiki/How_to_au ... MTP_output

But I'm afraid whether to block or not.
 
rufee
newbie
Posts: 27
Joined: Mon Dec 10, 2012 2:41 pm

Re: Block Port 25 or not ?

Mon Jun 27, 2016 10:00 am

An option is writing a script that pulls IPs off a PBL and updates your block list; later you can inform the user that he might be infected with a virus and limit his service until he takes action. Some ISPs do this. Not the best option, since PBLs tend to put the whole subnet in rather than a specific IP.
Another option is to monitor traffic per specific user on port 25. Legitimate users don't send tons of messages, hence a low number of packets per given time; if you see an abnormal increase in traffic on port 25 then it's safe to assume that the user might be a spammer, just like that script you provided.
MTCNA
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Mon Jun 27, 2016 10:02 am

> An option is writing a script that pulls IPs off a PBL and updates your block list; later you can inform the user that he might be infected with a virus and limit his service until he takes action. Some ISPs do this. Not the best option, since PBLs tend to put the whole subnet in rather than a specific IP.
> Another option is to monitor traffic per specific user on port 25. Legitimate users don't send tons of messages, hence a low number of packets per given time; if you see an abnormal increase in traffic on port 25 then it's safe to assume that the user might be a spammer, just like that script you provided.
So put the script as wiki ?
 
rufee
newbie
Posts: 27
Joined: Mon Dec 10, 2012 2:41 pm

Re: Block Port 25 or not ?

Mon Jun 27, 2016 10:08 am

Yes, try that; however, so as not to disturb service, first monitor how the script behaves and, if it yields results, then implement it.
Don't just jump right in :)
MTCNA
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Mon Jun 27, 2016 10:18 am

> Yes, try that; however, so as not to disturb service, first monitor how the script behaves and, if it yields results, then implement it.
> Don't just jump right in :)
Oops, I still fear.
Let's wait for some more insights.
 
BartoszP
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block Port 25 or not ?

Mon Jun 27, 2016 10:27 am

The first step should be monitoring which IP uses port 25 and making some statistics; then you can inform "suspected" users that they generate traffic on port 25 and ask them to check if all is configured properly.
Real admins use real keyboards.
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Mon Jun 27, 2016 10:37 am

> The first step should be monitoring which IP uses port 25 and making some statistics; then you can inform "suspected" users that they generate traffic on port 25 and ask them to check if all is configured properly.
So go to the PPPoE router, go to CONNECTION TRACKING and see who is connected to port 25?
And inform them?
Isn't there a way we can block 25 completely from the PPPoE router and then, when someone emails us asking about it, we simply unblock 25 for him, for his MAC address only?
 
andriys
Forum Guru
Posts: 1192
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Block Port 25 or not ?

Mon Jun 27, 2016 12:19 pm

> When I asked some experts at other forums, they say to block port 25 at your PPPoE router and core router.
> Is that a solution?
>
> But I guess every customer's Outlook will stop working.
No, it won't. Or at least it should not. Nowadays, no ordinary customer should have legitimate reasons to make outgoing connections to port 25/tcp, unless they are running their own mail server. Most email providers use alternative ports for client ESMTP (587/tcp and 465/tcp - the latter is not officially assigned but is a de-facto standard anyways), which also usually assume mandatory encryption and authentication.

So, I'd suggest asking business customers if they are running an on-premises mail server, then allow outgoing 25/tcp for those who are, block for everyone else.
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Mon Jun 27, 2016 12:28 pm

> When I asked some experts at other forums, they say to block port 25 at your PPPoE router and core router.
> Is that a solution?
>
> But I guess every customer's Outlook will stop working.
> No, it won't. Or at least it should not. Nowadays, no ordinary customer should have legitimate reasons to make outgoing connections to port 25/tcp, unless they are running their own mail server. Most email providers use alternative ports for client ESMTP (587/tcp and 465/tcp - the latter is not officially assigned but is a de-facto standard anyways), which also usually assume mandatory encryption and authentication.
>
> So, I'd suggest asking business customers if they are running an on-premises mail server, then allow outgoing 25/tcp for those who are, block for everyone else.
All the customers are mostly using Godaddy or Hostgator for their websites and emails.
So, they go to Outlook and enter their Hostgator IMAP email server details.
So, if I block port 25, will they stop working?
 
andriys
Forum Guru
Posts: 1192
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Block Port 25 or not ?

Mon Jun 27, 2016 12:36 pm

> So, if I block port 25, will they stop working?
No, they won't. A quick Google search shows that both Godaddy and Hostgator use 465/tcp for mail sending.
 
BartoszP
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block Port 25 or not ?

Mon Jun 27, 2016 12:44 pm

Let's assume that you manage a list of allowed sources of SMTP, POP etc. traffic and this list is named TRAFFIC_MX_ALLOW. Then you can record all mail traffic sources originating from non-allowed IPs in the TRAFFIC_MX_SRC list with a 4h time-out:
add action=add-src-to-address-list address-list=TRAFFIC_MX_SRC address-list-timeout=4h chain=forward dst-address-list=!TRAFFIC_MX_ALLOW dst-port=110,995,143,993,25,465,585 out-interface=ETH-WAN-ISP1 protocol=tcp
or
add action=add-src-to-address-list address-list=TRAFFIC_MX_SRC address-list-timeout=4h chain=output dst-address-list=!TRAFFIC_MX_ALLOW dst-port=110,995,143,993,25,465,585 out-interface=ETH-WAN-ISP1 protocol=tcp
To block all mail traffic except from allowed IPs you need a simple rule:
add action=reject chain=forward dst-port=110,995,143,993,25,465,585 out-interface=ETH-WAN-ISP1 protocol=tcp src-address-list=!TRAFFIC_MX_ALLOW
or
add action=reject chain=output dst-port=110,995,143,993,25,465,585 out-interface=ETH-WAN-ISP1 protocol=tcp src-address-list=!TRAFFIC_MX_ALLOW
And the last step is to update the TRAFFIC_MX_ALLOW list of IPs.
That's all.

P.S.
Adjust port list to your needs.
Real admins use real keyboards.
 
nescafe2002
Long time Member
Posts: 637
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Block Port 25 or not ?

Mon Jun 27, 2016 1:05 pm

Do not try to unblock entire customer subnets on PBLs. They exist for a reason. Customers can unblock themselves based on several conditions (e.g. fixed IP and MX/PTR records).

Also, you could host an SMTP relay for your customers with a strict enough EULA, enabling you to get exclusion on most blacklists and allowing you to restrict customer access on abuse.
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Mon Jun 27, 2016 1:13 pm

> Do not try to unblock entire customer subnets on PBLs. They exist for a reason. Customers can unblock themselves based on several conditions (e.g. fixed IP and MX/PTR records).
>
> Also, you could host an SMTP relay for your customers with a strict enough EULA, enabling you to get exclusion on most blacklists and allowing you to restrict customer access on abuse.
This is a good suggestion.
So, I should better host a mail server myself and use it as an SMTP relay?
Then email all customers to use that as the outgoing server?
But isn't that too much load for my mail server?
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Mon Jun 27, 2016 1:18 pm

> So, if I block port 25, will they stop working?
> No, they won't. A quick Google search shows that both Godaddy and Hostgator use 465/tcp for mail sending.
I think I should better block port 25 for them and then wait for emails from customers.
Whoever says Outlook is not working,
simply ask him to use SSL with port 465.
 
nescafe2002
Long time Member
Posts: 637
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Block Port 25 or not ?

Mon Jun 27, 2016 2:03 pm

> Do not try to unblock entire customer subnets on PBLs. They exist for a reason. Customers can unblock themselves based on several conditions (e.g. fixed IP and MX/PTR records).
>
> Also, you could host an SMTP relay for your customers with a strict enough EULA, enabling you to get exclusion on most blacklists and allowing you to restrict customer access on abuse.
> This is a good suggestion.
> So, I should better host a mail server myself and use it as an SMTP relay?
> Then email all customers to use that as the outgoing server?
> But isn't that too much load for my mail server?
No, just advertise it passively on your website. Your customers can continue with their current settings. If they experience problems with PBL (which is, imo, their problem) you can refer them to your relaying server.
You will have to invest time and material for your email server, but at least this infrastructure is under your control. And you're not the one to blame.
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Mon Jun 27, 2016 2:11 pm

> Do not try to unblock entire customer subnets on PBLs. They exist for a reason. Customers can unblock themselves based on several conditions (e.g. fixed IP and MX/PTR records).
>
> Also, you could host an SMTP relay for your customers with a strict enough EULA, enabling you to get exclusion on most blacklists and allowing you to restrict customer access on abuse.
> This is a good suggestion.
> So, I should better host a mail server myself and use it as an SMTP relay?
> Then email all customers to use that as the outgoing server?
> But isn't that too much load for my mail server?
> No, just advertise it passively on your website. Your customers can continue with their current settings. If they experience problems with PBL (which is, imo, their problem) you can refer them to your relaying server.
> You will have to invest time and material for your email server, but at least this infrastructure is under your control. And you're not the one to blame.
Okay let me ask my developer if he knows about it. Very confusing :(
 
BartoszP
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block Port 25 or not ?

Mon Jun 27, 2016 2:39 pm

> If they experience problems with PBL (which is, imo, their problem) you can refer them to your relaying server.
Not 100% true .....
If the PBL blocks the whole subnet instead of particular addresses then it backfires on the "good guys". They have no chance to remove themselves from the PBL as the subnet is owned by the ISP, and they are not guilty but they have to "serve" the sentence.

It is better to prevent than to cure ....
Real admins use real keyboards.
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Mon Jun 27, 2016 2:42 pm

> If they experience problems with PBL (which is, imo, their problem) you can refer them to your relaying server.
> Not 100% true .....
> If the PBL blocks the whole subnet instead of particular addresses then it backfires on the "good guys". They have no chance to remove themselves from the PBL as the subnet is owned by the ISP, and they are not guilty but they have to "serve" the sentence.
>
> It is better to prevent than to cure ....
What's your final suggestion?
Yes, I can see the complete /22 is showing red in the PBL.
 
BartoszP
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block Port 25 or not ?

Mon Jun 27, 2016 2:58 pm

As the /22 subnet owner, try to remove the whole subnet from the PBL.
Check who is responsible for mail traffic.
Warn/inform users from the top of the usage list about problems.
Block port 25 ... leave 587 open.

You need to choose: difficulties for customers or a blocked subnet .....

"To ban or not to ban? That is the admins' question" :-)
Real admins use real keyboards.
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Mon Jun 27, 2016 3:03 pm

> As the /22 subnet owner, try to remove the whole subnet from the PBL.
> Check who is responsible for mail traffic.
> Warn/inform users from the top of the usage list about problems.
> Block port 25 ... leave 587 open.
>
> You need to choose: difficulties for customers or a blocked subnet .....
>
> "To ban or not to ban? That is the admins' question" :-)
So, the 1st step is to block port 25.
And when you said check who is responsible, you mean check in connection tracking which customer IP is using port 25 mostly?
 
BartoszP
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block Port 25 or not ?

Mon Jun 27, 2016 3:43 pm

Warn/inform users that you will block port 25.
Block port 25 and track who is generating traffic to port 25. You can make rules for each customer:
add action=drop chain=output dst-port=25 out-interface=ETH-WAN-ISP1 protocol=tcp src-address=IPofClient1
add action=drop chain=output dst-port=25 out-interface=ETH-WAN-ISP1 protocol=tcp src-address=IPofClient2
....
add action=drop chain=output dst-port=25 out-interface=ETH-WAN-ISP1 protocol=tcp src-address=IPofClientN
and you will clearly see who makes most of the traffic by watching the counters.
Real admins use real keyboards.
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Mon Jun 27, 2016 3:54 pm

> Warn/inform users that you will block port 25.
> Block port 25 and track who is generating traffic to port 25. You can make rules for each customer:
> add action=drop chain=output dst-port=25 out-interface=ETH-WAN-ISP1 protocol=tcp src-address=IPofClient1
> add action=drop chain=output dst-port=25 out-interface=ETH-WAN-ISP1 protocol=tcp src-address=IPofClient2
> ....
> add action=drop chain=output dst-port=25 out-interface=ETH-WAN-ISP1 protocol=tcp src-address=IPofClientN
> and you will clearly see who makes most of the traffic by watching the counters.
Okay, so block port 25 completely.
Then if a customer asks to unblock it, should we first ask him to purchase a static IP and then unblock his port 25 using the above chain action forward?
 
BartoszP
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block Port 25 or not ?

Mon Jun 27, 2016 4:26 pm

Soamz:

A. Please do not cite the full post just under the cited post ... it is not necessary and makes the thread longer than it should be.

B. Yes. Block port 25 and watch who needs it, and then make the necessary changes in the firewall ... clients do not need a public IP, but it could be a solution.

C. You need to make the decision what to do yourself .. I do not want to be accused of a bad solution ... I am just giving you an idea and examples of how to resolve the problem.
Real admins use real keyboards.
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Mon Jun 27, 2016 4:28 pm

Weird, I just checked on canyouseeme and it says port 25 is not open.
 
BartoszP
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block Port 25 or not ?

Mon Jun 27, 2016 5:05 pm

You are checking if port 25 at your site is open. Simply: some server on the Internet tries to open port 25 at your site.
You are not checking if you are transmitting to port 25 somewhere on the Internet.
Real admins use real keyboards.
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Tue Jun 28, 2016 3:49 am

> You are checking if port 25 at your site is open. Simply: some server on the Internet tries to open port 25 at your site.
> You are not checking if you are transmitting to port 25 somewhere on the Internet.
So block port 25 on the Border, Core or PPPoE router alone?
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Tue Jun 28, 2016 4:03 am

Okay, I did this in the CORE ROUTER only.

Did not do it in the Border routers or PPPoE routers.

Only done at the core.
/ip firewall filter
add chain=forward protocol=tcp dst-port=25 src-address-list=spammer action=drop comment="BLOCK SPAMMERS OR INFECTED USERS"
add chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 action=add-src-to-address-list address-list=spammer address-list-timeout=1d comment="Detect and add-list SMTP virus or spammers"
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Tue Jun 28, 2016 4:05 am

See attached. 
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Block Port 25 or not ?

Tue Jun 28, 2016 4:31 am

For a global operation of blocking port 25, you're definitely going to want to allow SMTP for some sources - suppose your own company's mail server, for instance, or any customers who are operating their own mail server.

You need to create an IP list for hosts that are allowed to use port 25
e.g.:
/ip firewall address-list add address=x.x.x.x list=MXokay

And then add any more approved hosts to this list. This is a list of hosts which are permitted to use port 25.

Then in your filter rule, add the criterion:
src-address-list=!MXokay
! means "not" - so this criterion means that if the src address is NOT in the list MXokay, then they may be blocked if the other criteria are true.
If the src IP --IS-- in the list, then the criterion is false, so it may not be blocked by the rule.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Tue Jun 28, 2016 5:37 am

Done that just now at my PPPoE router.

/ip firewall filter
add chain=forward protocol=tcp dst-port=25 dst-address-list=!SMTP-addr action=drop comment="" disabled=no

/ip firewall address-list
add list=SMTP-addr address=1.1.1.1/32 comment="ISP SMTP" disabled=no
add list=SMTP-addr address=2.2.2.2/32 comment="Cust1 SMTP" disabled=no
add list=SMTP-addr address=3.3.3.3/32 comment="Cust2 SMTP" disabled=no
Still doesn't get packets.
I'm logged in as a customer, and if I go to my CMD in Windows and do telnet labnol.org 25
I'm able to log in to the telnet already.

So, I guess something is not working.

Shall we do this in the Border, core or NAS??
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Tue Jun 28, 2016 5:43 am

> For a global operation of blocking port 25, you're definitely going to want to allow SMTP for some sources - suppose your own company's mail server, for instance, or any customers who are operating their own mail server.
>
> You need to create an IP list for hosts that are allowed to use port 25
> e.g.:
> /ip firewall address-list add address=x.x.x.x list=MXokay
>
> And then add any more approved hosts to this list. This is a list of hosts which are permitted to use port 25.
>
> Then in your filter rule, add the criterion:
> src-address-list=!MXokay
> ! means "not" - so this criterion means that if the src address is NOT in the list MXokay, then they may be blocked if the other criteria are true.
> If the src IP --IS-- in the list, then the criterion is false, so it may not be blocked by the rule.
What should the rule be if I want to know which IPs are spamming, and which IP list should be approved?
I have created 2 address lists:
SPAMMER
VERIFIED-USER
What should be the final code please?
 
BartoszP
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block Port 25 or not ?

Tue Jun 28, 2016 8:02 am

Real admins use real keyboards.
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Tue Jun 28, 2016 8:07 am

You wrote it with OR.
So I got confused whether to run 2 or all 4.
 
BartoszP
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block Port 25 or not ?

Tue Jun 28, 2016 8:14 am

Rules 1,2 collect data in the forward and output chains.
Rules 3,4 filter mail in the forward and output chains.

You can use all of them at the same time.
Real admins use real keyboards.
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Tue Jun 28, 2016 8:16 am

> Rules 1,2 collect data in the forward and output chains.
> Rules 3,4 filter mail in the forward and output chains.
>
> You can use all of them at the same time.
Amazing. 
In Border or Core ?
Or both ?
Or PPPoE routers ?
 
BartoszP
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block Port 25 or not ?

Tue Jun 28, 2016 8:26 am

For each device which sends data directly to the Internet ... if there is more than one then for each one, but then for each device you need to maintain lists.

It is like gates at the airport ... for each gate which passengers are going through you need a security officer. If you can pass all the people via only one gate then you need only one security person, who needs to be instructed what to do, instead of full team training.
Real admins use real keyboards.
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Tue Jun 28, 2016 8:50 am

> For each device which sends data directly to the Internet ... if there is more than one then for each one, but then for each device you need to maintain lists.
>
> It is like gates at the airport ... for each gate which passengers are going through you need a security officer. If you can pass all the people via only one gate then you need only one security person, who needs to be instructed what to do, instead of full team training.
Okay, then putting it on the border, core and NAS.
Damn!
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Tue Jun 28, 2016 9:01 am

> For each device which sends data directly to the Internet ... if there is more than one then for each one, but then for each device you need to maintain lists.
>
> It is like gates at the airport ... for each gate which passengers are going through you need a security officer. If you can pass all the people via only one gate then you need only one security person, who needs to be instructed what to do, instead of full team training.
I was checking the Comcast website and I see they have blocked all those ports.
https://customer.xfinity.com/help-and-s ... ked-ports/
Can I add those ports also to your above code?
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block Port 25 or not ?

Tue Jun 28, 2016 11:37 am

No... use the KISS rule ...

Rules for e-mail
Rules for ssh
Rules for WWW
Rules for SPI ...
Rules for .... whatever you want to filter
Real admins use real keyboards.
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Tue Jun 28, 2016 12:14 pm

> No... use the KISS rule ...
>
> Rules for e-mail
> Rules for ssh
> Rules for WWW
> Rules for SPI ...
> Rules for .... whatever you want to filter
KISS :P
Where do I find more info about it?
I think there should be a MikroTik wiki for all this.
As every ISP needs this in common, and it ends up with 1000 confusing forum threads.
One single wiki thread for the MUST HAVE FIREWALL RULES for ISPs should be an official wiki article.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block Port 25 or not ?

Tue Jun 28, 2016 12:25 pm

> KISS :P Where do I find more info about it?
If you do not know this acronym: "Keep It Simple Stupid"
Therefore do not mix different rules into one if you are not experienced enough or you do not know what you are doing and why.
There is always time to optimize your firewall ... in the beginning it should work.
Real admins use real keyboards.
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Wed Jun 29, 2016 6:15 am

From your port list,
110,995,143,993,25,465,585
I removed 465, as 25 is blocked, so customers will use 465 with SSL for sending emails.
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Wed Jun 29, 2016 6:27 am

I did this in a NAS which has 2500 PPPoE customers. 

/ip firewall filter
add action=add-src-to-address-list address-list=BAD_SMTP_CLIENTS address-list-timeout=4h chain=forward dst-address-list=!GOOD_SMTP_CLIENTS dst-port=110,995,143,993,25,585 out-interface=ether6 protocol=tcp
add action=add-src-to-address-list address-list=BAD_SMTP_CLIENTS address-list-timeout=4h chain=output dst-address-list=!GOOD_SMTP_CLIENTS dst-port=110,995,143,993,25,585 out-interface=ether6 protocol=tcp
add action=reject chain=forward dst-port=110,995,143,993,25,585 out-interface=ether6 protocol=tcp src-address-list=!GOOD_SMTP_CLIENTS
add action=reject chain=output dst-port=110,995,143,993,25,585 out-interface=ether6 protocol=tcp src-address-list=!GOOD_SMTP_CLIENTS

But I don't think it's working.
After placing this, I went home and went to cmd:
telnet mywebsite.com 25
I was able to get to my mailbox via telnet.

While it should get blocked.

I guess something is wrong with the above code then :(
 
Feklar
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: Block Port 25 or not ?

Thu Jun 30, 2016 12:21 am

Chances are you have the rules in the wrong order, below one that permits the traffic you are trying to log and filter out.
 
k6ccc
Member
Posts: 481
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Block Port 25 or not ?

Thu Jun 30, 2016 3:37 am

I am a home user that runs a web and mail server at home - along with a few other weird things. I can tell you what my ISP does (from the customer perspective). They have three levels of firewall at their end that can be selected by the customer. They are:
"No Firewall" with an option box to Allow port 25 bypass.
"Basic Firewall" with option boxes to Allow port 25 bypass, and Allow pinging.
"Full Firewall" with option boxes to Allow port 25 bypass, Allow pinging, and Allow remote desktop.
The no firewall and full firewall should be pretty obvious, and the description of the Basic Firewall is: "Recommended Setting. Block incoming requests from the most commonly abused ports on a computer including 135, 139, 389, 445, and 593."
Port 25 is blocked at all levels unless "Allow port 25 bypass" is checked. The first time you check that, it brings up a terms of service page specifically on port 25 abuse that you have to agree to in order for the port 25 bypass parameter to take effect. The TOS states that they will check your mail server periodically to see if you are allowing open relay. If you are running an open relay, they will block port 25 for you.

Mine is set for the Basic Firewall and that has worked fine for me.

I realize this does not help in the "How to accomplish" the filtering, but does give a perspective of what my ISP does.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Thu Jun 30, 2016 5:29 am

> Chances are you have the rules in the wrong order, below one that permits the traffic you are trying to log and filter out.
Oops.
Can you clean up and paste the final version please?
 
BartoszP
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block Port 25 or not ?

Thu Jun 30, 2016 11:30 am

Soamz:

Let me explain... these four rules you have applied are not blocking incoming packets to the router.
When you are telnetting from home (WAN side) to port 25 at your website then you have access to your SMTP port as it is not blocked.
To block it you need another rule:
add action=reject chain=input dst-port=25 in-interface=ether6 protocol=tcp src-address-list=!GOOD_SMTP_CLIENTS
The rule blocks access to port 25 in the input chain, as the packet is incoming to the router.
Real admins use real keyboards.
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Thu Jun 30, 2016 11:39 am

So the final version is this one?
/ip firewall filter

add action=add-src-to-address-list address-list=BAD_SMTP_CLIENTS address-list-timeout=4h chain=forward dst-address-list=!GOOD_SMTP_CLIENTS dst-port=110,995,143,993,25,585 out-interface=ether6 protocol=tcp

add action=add-src-to-address-list address-list=BAD_SMTP_CLIENTS address-list-timeout=4h chain=output dst-address-list=!GOOD_SMTP_CLIENTS dst-port=110,995,143,993,25,585 out-interface=ether6 protocol=tcp

add action=reject chain=forward dst-port=110,995,143,993,25,585 out-interface=ether6 protocol=tcp src-address-list=!GOOD_SMTP_CLIENTS

add action=reject chain=output dst-port=110,995,143,993,25,585 out-interface=ether6 protocol=tcp src-address-list=!GOOD_SMTP_CLIENTS
add action=reject chain=input dst-port=25 in-interface=ether6 protocol=tcp src-address-list=!GOOD_SMTP_CLIENTS
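A small model of how RouterOS walks these rules, added here as an example (it is not code from the thread or from MikroTik): it replays the rule set above against constructed packets to show which chain each case hits, why a telnet test from the WAN side is an input-chain question, and what an accept rule placed above these rules does (the ordering point raised earlier in the thread). The customer addresses, the 203.0.113.10 mail server, the 192.0.2.1 router address and the pppoe-in interface name are assumptions; only the matchers these rules actually use are modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    # The chain is decided by routing before the filter runs: "input" for
    # traffic to the router itself, "forward" for transit traffic, "output"
    # for traffic the router originates. A forward rule never sees input.
    chain: str
    src: str
    dst: str
    dst_port: int
    in_iface: str = ""
    out_iface: str = ""
    proto: str = "tcp"

@dataclass
class Rule:
    chain: str
    action: str
    protocol: Optional[str] = None
    dst_port: frozenset = frozenset()
    src_address_list: Optional[str] = None   # "!NAME" negates, as in RouterOS
    dst_address_list: Optional[str] = None
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None
    address_list: Optional[str] = None       # target of add-src-to-address-list

def _list_match(spec, addr, lists):
    """Address-list matcher with RouterOS '!' negation; None means 'any'."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    member = addr in lists.get(spec.lstrip("!"), set())
    return member != negate

def matches(rule, pkt, lists):
    return ((rule.protocol is None or rule.protocol == pkt.proto)
            and (not rule.dst_port or pkt.dst_port in rule.dst_port)
            and (rule.in_interface is None or rule.in_interface == pkt.in_iface)
            and (rule.out_interface is None or rule.out_interface == pkt.out_iface)
            and _list_match(rule.src_address_list, pkt.src, lists)
            and _list_match(rule.dst_address_list, pkt.dst, lists))

def run_chain(rules, pkt, lists):
    """Walk the packet's chain top to bottom. add-src-to-address-list updates
    the list and keeps going; accept/drop/reject terminate. With no match,
    the RouterOS filter default is accept."""
    for r in rules:
        if r.chain != pkt.chain or not matches(r, pkt, lists):
            continue
        if r.action == "add-src-to-address-list":
            lists.setdefault(r.address_list, set()).add(pkt.src)
            continue
        return r.action
    return "accept"

MAIL_PORTS = frozenset({110, 995, 143, 993, 25, 585})

def thread_rules(with_input_rule=True):
    """The four NAS rules from the thread (ether6 = upstream), optionally
    followed by the input-chain rule suggested afterwards."""
    collect = dict(action="add-src-to-address-list", address_list="BAD_SMTP_CLIENTS",
                   dst_address_list="!GOOD_SMTP_CLIENTS", dst_port=MAIL_PORTS,
                   out_interface="ether6", protocol="tcp")
    block = dict(action="reject", dst_port=MAIL_PORTS, out_interface="ether6",
                 protocol="tcp", src_address_list="!GOOD_SMTP_CLIENTS")
    rules = [Rule(chain="forward", **collect), Rule(chain="output", **collect),
             Rule(chain="forward", **block), Rule(chain="output", **block)]
    if with_input_rule:
        rules.append(Rule(chain="input", action="reject", dst_port=frozenset({25}),
                          in_interface="ether6", protocol="tcp",
                          src_address_list="!GOOD_SMTP_CLIENTS"))
    return rules

def customer_to_mx(src, dst_port=25, rules=None):
    """A PPPoE customer (constructed 10.0.0.x address) connecting to an outside
    mail server (constructed 203.0.113.10). 10.0.0.7 is the one customer on
    GOOD_SMTP_CLIENTS. Returns (verdict, contents of BAD_SMTP_CLIENTS)."""
    lists = {"GOOD_SMTP_CLIENTS": {"10.0.0.7"}}
    pkt = Packet("forward", src, "203.0.113.10", dst_port, "pppoe-in", "ether6")
    verdict = run_chain(rules if rules is not None else thread_rules(), pkt, lists)
    return verdict, sorted(lists.get("BAD_SMTP_CLIENTS", ()))

def wan_host_to_router_port25(with_input_rule):
    """The thread's telnet test from the WAN side towards the router's own
    address (constructed 192.0.2.1): this lands in the input chain."""
    lists = {"GOOD_SMTP_CLIENTS": {"10.0.0.7"}}
    pkt = Packet("input", "198.51.100.9", "192.0.2.1", 25, in_iface="ether6")
    return run_chain(thread_rules(with_input_rule), pkt, lists)

def misordered(src):
    """A blanket accept above the mail rules ends evaluation early, so nothing
    is collected or rejected (the wrong-order case from the thread)."""
    rules = [Rule(chain="forward", action="accept", protocol="tcp")] + thread_rules()
    return customer_to_mx(src, rules=rules)
```

Replaying the rules also shows that the collector keys on dst-address-list, so a customer on GOOD_SMTP_CLIENTS still lands in BAD_SMTP_CLIENTS whenever it mails any outside server; matching the collector on src-address-list=!GOOD_SMTP_CLIENTS instead keeps the two lists consistent.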
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Thu Jun 30, 2016 11:41 am

And does this need to be done for the PPPoE ether or the MikroTik's public IP ether?
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Thu Jun 30, 2016 11:49 am

Done. 
But still I'm able to go to my PC and telnet domain.com 25.
 
mikemccharles
Trainer
Posts: 18
Joined: Thu May 26, 2016 12:55 pm
Location: Nairobi, Kenya

Re: Block Port 25 or not ?

Fri Jul 01, 2016 6:50 pm

I'm a newbie here, especially on the firewall thing. I have a similar problem where my entire /23 subnet is on the PBL. I'm more of a routing person but I have to deal with this. Is anyone willing to help with this?
Certified Trainer: MikroTIk | Ubiquiti | Cambium

https://www.mccharlesconsulting.net
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Fri Jul 01, 2016 7:22 pm

> I'm a newbie here, especially on the firewall thing. I have a similar problem where my entire /23 subnet is on the PBL. I'm more of a routing person but I have to deal with this. Is anyone willing to help with this?
Mine is still not blocked, very confused.
Still, after placing everything, I'm able to log in from my PC.
 
Nightkillian
just joined
Posts: 3
Joined: Sat Jul 02, 2016 12:29 am

Re: Block Port 25 or not ?

Sat Jul 02, 2016 1:22 am

So it was my understanding that since they passed Net Neutrality, we as ISPs can't block any ports to customers. It somehow violates Net Neutrality.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Block Port 25 or not ?

Sun Jul 03, 2016 7:55 am

If you blocked/degraded some servers but allowed/favored others, then that would be more a violation of net neutrality.

(At least to my non-lawyer way of thinking)

If you block all by default for security/policy reasons and publish this policy in your TOS, and possibly allow exceptions for users who operate mail servers, then that seems fair.

The idea of net neutrality is that ISPs cannot favor some service over another, especially when there is a conflict of interest, such as when Comcast deliberately degraded Netflix performance in order to protect their own video services.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
mikemccharles
Trainer
Posts: 18
Joined: Thu May 26, 2016 12:55 pm
Location: Nairobi, Kenya

Re: Block Port 25 or not ?

Sun Jul 03, 2016 8:44 pm

That rule will be correct to the extent that the server is hosted behind the router in question. Am assuming that's the setup; otherwise, if that is the client's gateway router, the chain should be forward.
Soamz:

Let me explain... these four rules you have applied are not blocking incoming packets to the router.
When you are telnetting from home (WAN side) to port 25 at yourwebsite, then you have access to your SMTP port as it is not blocked.
To block it you need another rule:
add action=reject chain=input dst-port=25 in-interface=ether6 protocol=tcp src-address-list=!GOOD_SMTP_CLIENTS
The rule blocks access to port 25 in the input chain, as the packet is incoming to the router.
Certified Trainer: MikroTIk | Ubiquiti | Cambium

https://www.mccharlesconsulting.net
 
BartoszP
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block Port 25 or not ?

Mon Jul 04, 2016 12:27 am

Yes. I assume that the smtp server is behind the router.
No. It should be the input chain, as packets are incoming to the router, so they are blocked on input to the router.
The missing part is the rules which pass packets to the real server. It could be one destination NAT rule or the pair of DST & SRC NAT.
However, regardless of the number of rules, the input chain blocks every packet trying to reach the WAN interface of the router at port 25 except permitted ones.
Real admins use real keyboards.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Block Port 25 or not ?

Tue Jul 05, 2016 8:17 pm

Yes. I assume that the smtp server is behind the router.
No. It should be the input chain, as packets are incoming to the router, so they are blocked on input to the router.
The missing part is the rules which pass packets to the real server. It could be one destination NAT rule or the pair of DST & SRC NAT.
However, regardless of the number of rules, the input chain blocks every packet trying to reach the WAN interface of the router at port 25 except permitted ones.
I could be misunderstanding you, BartoszP, and if so, then I apologize for that...

However...
It sounds to me that you are suggesting that any packet received on the WAN interface is subjected to the INPUT chain of the filter table, and if it passes the INPUT chain, then the packet is passed to the FORWARD chain if it is to be forwarded onward to an internal host. This is incorrect. The INPUT chain ONLY applies to packets which will be processed by the router itself. The INPUT chain does not function in the same manner as an interface ACL in Cisco, for instance, which refers to "ingress" packets (on whatever interface is utilizing the ACL), regardless of whether their destination is the router itself or one which results in forwarding to some other host.

This distinction is very powerful. Suppose you wish to limit SSH access to a backbone router, so that the router only accepts ssh requests from your management network, but you do not want to block your customers' ssh connections which pass through that router.

If the INPUT chain were to apply to traffic flowing through the router, then you would also need to make sure that the filter list for SSH only applied to any IP address on the router itself, and if the router is a customer access router with hundreds of IP interfaces, this would be quite unwieldy. Since the FORWARD chain is the one applied to the customers' traffic flowing through the router, you can easily make just one INPUT rule about ssh: accept from source X only, drop the rest. The particular interface where ssh packets arrive is irrelevant to the INPUT chain. If you DO need to specify which interface the rule applies to, you can add the in-interface as a criterion, but if you don't care which interface (suppose you have a router with several OSPF-controlled dynamic interfaces), then it's quite powerful to only limit the IP src and be completely agnostic regarding specific interfaces.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
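The following configuration is an added example, not from any post in this thread, that puts mikemccharles's input-chain rule and ZeroByte's INPUT/FORWARD distinction side by side for the port 25 case. It assumes ether6 is the WAN interface (as in the rules posted earlier) and that GOOD_SMTP_CLIENTS is the whitelist; MGMT_NET is a hypothetical list and all addresses are constructed documentation samples.

```routeros
# Added example (not from any post in this thread). Assumptions: ether6 is the
# WAN interface, GOOD_SMTP_CLIENTS holds customers allowed to run mail servers,
# MGMT_NET is a hypothetical management list, addresses are constructed samples.
/ip firewall address-list
add list=MGMT_NET address=192.0.2.0/24 comment="constructed: management network"
add list=GOOD_SMTP_CLIENTS address=198.51.100.10 comment="constructed: customer with a real mail server"

/ip firewall filter
# --- INPUT chain: only packets addressed TO the router's own addresses ---
# One source-based rule covers every router IP on every interface; add
# in-interface only if you really want to restrict where it applies.
add chain=input protocol=tcp dst-port=22 src-address-list=MGMT_NET action=accept comment="ssh to the router: management only"
add chain=input protocol=tcp dst-port=22 action=drop comment="ssh to the router: everyone else"
# Port 25 on the router itself. This rule only matters when the router (or a
# service on it) answers on 25; traffic passing through to a customer's
# server never enters INPUT and is not affected by it.
add chain=input protocol=tcp dst-port=25 in-interface=ether6 src-address-list=!GOOD_SMTP_CLIENTS action=reject comment="smtp to the router itself"

# --- FORWARD chain: packets passing THROUGH the router ---
# Customer-originated SMTP leaving via the WAN: log first so an infected
# customer can be identified from the log, then reject unless whitelisted.
add chain=forward protocol=tcp dst-port=25 out-interface=ether6 src-address-list=!GOOD_SMTP_CLIENTS action=log log-prefix="SMTP-OUT-BLOCKED"
add chain=forward protocol=tcp dst-port=25 out-interface=ether6 src-address-list=!GOOD_SMTP_CLIENTS action=reject comment="customers may not send SMTP directly; port 587 submission is untouched"
# Inbound SMTP to a customer's server that the router dst-nats: the packet
# arrives on ether6 but is still FORWARD traffic, so a "telnet domain.com 25"
# test from outside is matched here, not in INPUT. Note that after dst-nat the
# packet carries the server's internal address, so that is what the list
# must contain for this rule.
add chain=forward protocol=tcp dst-port=25 in-interface=ether6 dst-address-list=!GOOD_SMTP_CLIENTS action=reject comment="only whitelisted customer servers may receive SMTP"
```

Check which chain a packet actually hits with the rule counters (/ip firewall filter print stats) while running the telnet test from outside and from a customer PC.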
 
BartoszP
Forum Guru
Posts: 1720
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block Port 25 or not ?

Wed Jul 06, 2016 7:40 am

ZeroByte

Guilty :-) Thank you for the good long explanation ... I have written the very short version and it is not quite precise.
Real admins use real keyboards.
 
mikemccharles
Trainer
Posts: 18
Joined: Thu May 26, 2016 12:55 pm
Location: Nairobi, Kenya

Re: Block Port 25 or not ?

Wed Jul 06, 2016 3:48 pm

Edited by BartoszP: removed full quote without any comment from the author
Yes. ... snip-snip ....
I could be ... snip-snip ...
Certified Trainer: MikroTIk | Ubiquiti | Cambium

https://www.mccharlesconsulting.net
 
soamz
Member
Topic Author
Posts: 429
Joined: Thu Mar 19, 2015 7:19 am

Re: Block Port 25 or not ?

Sat Jul 30, 2016 11:17 am

Still not working :(
