I had copied the outbound filter set from one I used on a Netopia R7200 router, which was used at the site for a DSL connection. I installed the Netopia R5300 router when the site obtained a T1 line.
I thought I had tested the firewall to ensure that outbound connectivity to port 25 on an outside system would be blocked from any system on the LAN other than the two mail servers. Yet I found that the site's IP address got placed on the Composite Blocking List, which is a DNS Blacklist (DNSBL), after an infected home system connected over a VPN connection and transmitted spam out through the router.
I compared the inbound and outbound filter sets in the Netopia R5300 to those in the Netopia R7200 router again. They looked exactly the same. Yet when I tried to telnet to port 25 on mail servers outside the router from a LAN system that was not one of the mail servers, I was able to get through. E.g., when I tried telnet mx1.hotmail.com 25, I would see the banner displayed by the outside email server. But the outbound filter set, shown below, looked correct.
+-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+
+-------------------------------------------------------------------------+
| 1    0.0.0.0           0.0.0.0           UDP   =138     NC      Yes No  |
| 2    0.0.0.0           0.0.0.0           TCP   NC       =139    Yes No  |
| 3    0.0.0.0           0.0.0.0           UDP   =137     NC      Yes No  |
| 4    192.168.0.3       0.0.0.0           TCP   NC       =25     Yes Yes |
| 5    192.168.0.25      0.0.0.0           TCP   NC       =25     Yes Yes |
| 6    0.0.0.0           0.0.0.0           TCP   NC       =25     Yes No  |
| 7    0.0.0.0           0.0.0.0           ANY   --       --      Yes Yes |
+-------------------------------------------------------------------------+
Only the two mail servers, 192.168.0.3 and 192.168.0.25, should be able to send email, as specified in lines 4 and 5. Line 6 should result in port 25 traffic from any other system being blocked. Yet it was getting through. I examined line 6 several times, but it looked correct to me.
Change Output Filter 11
Enabled: Yes
Forward: No
Source IP Address: 0.0.0.0
Source IP Address Mask: 0.0.0.0
Dest. IP Address: 0.0.0.0
Dest. IP Address Mask: 0.0.0.0
Protocol Type: TCP
Source Port Compare... No Compare
Source Port ID: 0
Dest. Port Compare... Equal
Dest. Port ID: 25
Established TCP Conns. Only: No
Return/Enter accepts * Tab toggles * ESC cancels.
Enter the packet specific information for this filter.
By specifying source and destination addresses of all zeroes, address masks of all zeroes, "Dest. Port Compare" set to "Equal" with a port of 25, and "Forward" set to "No", all TCP traffic from any address on the LAN to port 25 on any IP address reachable through the router's WAN interface should be blocked.
Since rules are evaluated in the order they appear in the list, and the first matching rule decides, lines 4 and 5 should ensure that traffic from the two listed source addresses is allowed through with no further checks. If the source address of a packet arriving at the router doesn't match either of the two listed addresses, the router should go on to line 6 and block any packet with a destination port of 25, but that wasn't happening.
I didn't realize my mistake until I checked lines 4 and 5 again. For line 4, I saw the following:
Change Output Filter 4
Enabled: Yes
Forward: Yes
Call Placement/Idle Reset: No Change
Source IP Address: 192.168.0.3
Source IP Address Mask: 0.0.0.0
Dest. IP Address: 0.0.0.0
Dest. IP Address Mask: 0.0.0.0
Protocol Type: TCP
Source Port Compare... No Compare
Source Port ID: 0
Dest. Port Compare... Equal
Dest. Port ID: 25
Established TCP Conns. Only: No
Return/Enter accepts * Tab toggles * ESC cancels.
Enter the packet specific information for this filter.
Looking at the source IP address mask, I realized I had set it to 0.0.0.0, which essentially means that it didn't matter what I listed for the source address: the router compares the packet's address ANDed with the mask against the rule's address ANDed with the mask, and with a mask of all zeroes both sides are zero, so any source address matches. Line 4 was therefore forwarding port 25 traffic from every host, and line 6 was never reached. I should have used 255.255.255.255, which specifies an exact host match, i.e. only the specific source address listed. When I changed the rule to that shown below for line 4 and also set the source address mask to 255.255.255.255 on line 5, the block on traffic to port 25 from anything other than the two mail servers worked.
Change Output Filter 4
Enabled: Yes
Forward: Yes
Call Placement/Idle Reset: No Change
Source IP Address: 192.168.0.3
Source IP Address Mask: 255.255.255.255
Dest. IP Address: 0.0.0.0
Dest. IP Address Mask: 0.0.0.0
Protocol Type: TCP
Source Port Compare... No Compare
Source Port ID: 0
Dest. Port Compare... Equal
Dest. Port ID: 25
Established TCP Conns. Only: No
Return/Enter accepts * Tab toggles * ESC cancels.
Enter the packet specific information for this filter.
The same mistake can be made on the destination side. If you allow systems on the LAN outbound connectivity on port 25 only to specific IP addresses, e.g. with rules such as the following, which allow any system on the 192.168.0.0/16 network to connect to five Comcast email servers, then you need to ensure the destination address mask is 255.255.255.255 for each destination host, or the same problem occurs: with a destination mask of 0.0.0.0, line 6 would forward port 25 traffic from any LAN system to any destination, and line 11 would never be reached.
+-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+
+-------------------------------------------------------------------------+
| 1    0.0.0.0           0.0.0.0           UDP   =138     NC      Yes No  |
| 2    0.0.0.0           0.0.0.0           TCP   NC       =139    Yes No  |
| 3    0.0.0.0           0.0.0.0           UDP   =137     NC      Yes No  |
| 4    192.168.0.3       0.0.0.0           TCP   NC       =25     Yes Yes |
| 5    192.168.0.25      0.0.0.0           TCP   NC       =25     Yes Yes |
| 6    192.168.0.0       76.96.30.117      TCP   NC       =25     Yes Yes |
| 7    192.168.0.0       76.96.31.117      TCP   NC       =25     Yes Yes |
| 8    192.168.0.0       76.96.60.117      TCP   NC       =25     Yes Yes |
| 9    192.168.0.0       76.96.61.117      TCP   NC       =25     Yes Yes |
| 10   192.168.0.0       76.96.62.117      TCP   NC       =25     Yes Yes |
| 11   0.0.0.0           0.0.0.0           TCP   NC       =25     Yes No  |
| 12   0.0.0.0           0.0.0.0           ANY   --       --      Yes Yes |
+-------------------------------------------------------------------------+
The destination address mask for each such rule should be set as shown below. "Forward" should, of course, be set to "Yes".
Change Output Filter 6
Enabled: Yes
Forward: Yes
Call Placement/Idle Reset: No Change
Source IP Address: 192.168.0.0
Source IP Address Mask: 255.255.0.0
Dest. IP Address: 76.96.30.117
Dest. IP Address Mask: 255.255.255.255
Protocol Type: TCP
Source Port Compare... No Compare
Source Port ID: 0
Dest. Port Compare... Equal
Dest. Port ID: 25
Established TCP Conns. Only: No
Return/Enter accepts * Tab toggles * ESC cancels.
Enter the packet specific information for this filter.
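To make the mask behaviour concrete, here is an added example (my own illustration, not Netopia code) that models the router's first-match evaluation of the twelve-rule filter set above and shows both failure modes: the 0.0.0.0 source mask on lines 4 and 5, and a 0.0.0.0 destination mask on the per-server exceptions in lines 6 to 10. The LAN host 192.168.0.77, the VPN address 10.8.0.5, the outside mail server 64.4.0.1 and the ephemeral source port are constructed test values; the assumption that a packet matching no rule is dropped is mine, since the lists above always end in a catch-all rule and never reach that case.

```python
"""Ordered address/mask packet filter modelled on the Netopia output filter
sets shown above.  Added illustration, not router firmware code.

A rule matches when, for source and destination alike,
    (packet_addr AND mask) == (rule_addr AND mask)
and the protocol and any port comparisons agree.  The first matching rule
decides: Forward=Yes passes the packet, Forward=No drops it.  With a mask
of 0.0.0.0 both sides of the comparison become 0, so every address matches.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str
    src_mask: str
    dst: str
    dst_mask: str
    proto: str             # "TCP", "UDP" or "ANY"
    sport: Optional[int]   # None = "No Compare"
    dport: Optional[int]   # None = "No Compare"
    forward: bool          # Forward: Yes/No


def masked_match(addr: str, rule_addr: str, mask: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (r & m)


def rule_matches(rule: Rule, src: str, dst: str, proto: str,
                 sport: int, dport: int) -> bool:
    if rule.proto != "ANY" and rule.proto != proto:
        return False
    if rule.sport is not None and rule.sport != sport:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return (masked_match(src, rule.src, rule.src_mask)
            and masked_match(dst, rule.dst, rule.dst_mask))


def evaluate(rules, src, dst, proto, sport, dport):
    """Return (forwarded, deciding_rule_number); numbers are 1-based like
    the router's display.  Assumption (mine): a packet matching no rule is
    dropped and reported as rule 0."""
    for n, rule in enumerate(rules, start=1):
        if rule_matches(rule, src, dst, proto, sport, dport):
            return rule.forward, n
    return False, 0


ANY = ("0.0.0.0", "0.0.0.0")
MAIL_SERVERS = ("192.168.0.3", "192.168.0.25")
COMCAST_MX = ("76.96.30.117", "76.96.31.117", "76.96.60.117",
              "76.96.61.117", "76.96.62.117")


def build_filter_set(mail_src_mask: str, exception_dst_mask: str):
    """Lines 1-12 of the second filter set above.  mail_src_mask is the
    source mask on the two mail-server rules (lines 4-5); exception_dst_mask
    is the destination mask on the per-server exceptions (lines 6-10)."""
    rules = [
        Rule(*ANY, *ANY, "UDP", 138, None, False),   # 1  NetBIOS datagram
        Rule(*ANY, *ANY, "TCP", None, 139, False),   # 2  NetBIOS session
        Rule(*ANY, *ANY, "UDP", 137, None, False),   # 3  NetBIOS name
    ]
    rules += [Rule(s, mail_src_mask, *ANY, "TCP", None, 25, True)
              for s in MAIL_SERVERS]                              # 4-5
    rules += [Rule("192.168.0.0", "255.255.0.0", d, exception_dst_mask,
                   "TCP", None, 25, True) for d in COMCAST_MX]   # 6-10
    rules.append(Rule(*ANY, *ANY, "TCP", None, 25, False))       # 11 block other SMTP
    rules.append(Rule(*ANY, *ANY, "ANY", None, None, True))      # 12 pass everything else
    return rules


BROKEN_SRC = build_filter_set("0.0.0.0", "255.255.255.255")         # the mistake on lines 4-5
BROKEN_DST = build_filter_set("255.255.255.255", "0.0.0.0")         # same mistake on lines 6-10
FIXED = build_filter_set("255.255.255.255", "255.255.255.255")


def smtp_from(rules, src, dst="64.4.0.1"):
    """Outbound SMTP from src to dst (constructed outside address) using a
    constructed ephemeral source port."""
    return evaluate(rules, src, dst, "TCP", 49152, 25)


if __name__ == "__main__":
    infected = "192.168.0.77"   # constructed: a LAN host that is not a mail server
    for name, rules in (("broken source mask", BROKEN_SRC),
                        ("broken dest mask", BROKEN_DST),
                        ("fixed", FIXED)):
        fwd, n = smtp_from(rules, infected)
        print(f"{name:20s} {infected} -> port 25: "
              f"{'FORWARDED' if fwd else 'blocked'} by rule {n}")
```

Running it prints that the infected host is forwarded by rule 4 under the broken source mask, forwarded by rule 6 under the broken destination mask, and blocked by rule 11 once both masks are 255.255.255.255; the two mail servers and the five listed Comcast destinations still pass, and a VPN address such as 10.8.0.5 is blocked because it matches neither the mail-server rules nor the 192.168.0.0/16 source on lines 6 to 10.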
After setting the address masks appropriately, I verified that no system on the LAN other than the two mail servers could connect outbound to port 25 on another system, apart from the authorized exceptions. I also verified that no one on a home VPN connection could connect outbound through the office router to a host on port 25.
I found someone else reporting the same problem: a client's system transmitted spam out through their Netopia router, the client's IP address was added to a spam blocklist as a result, and that led him to implement outbound port filtering on the Netopia router. The article Outbound SMTP filtering with Netopia R-Series Routers goes into more detail on setting up the SMTP filter if you don't have any filters set initially.
Created: Thursday August 14, 2008