![[Steve Friedl Logo]](/images/unixwiz-logo-140x80.gif){kind=logo}
This site uses advanced css techniques
We've long been fans of the Netopia R-series internet routers, particularly the R9100 Ethernet-to-Ethernet unit. They have been fast, reliable, and with excellent support — we have them in wide service at customer networks.
We normally use these in NAT/PAT mode, and have never bothered to set up the firewall filters. But a customer's network was recently added to a spam blocklist because an internal machine was infected with malware, blasting outbound messages at an enormous rate. We cleaned up the infection but the blocklisting lingered for a time.
On this network, the only machine which ought to have rights to send email is the mail server, so we added rules to the Netopia to block all outbound connection attempts except from the authorized server.
This is a curious use of a firewall not so much to directly protect our own network from the internet, but to protect the internet from us. Should an internal machine start sending spam, the firewall will block it all from making to an outside mailserver. By avoiding the spam in the first place, we benefit ourselves.
Packet-filtering rules are not terribly difficult to understand, and this case is particularly straightforward, but there is always the risk of getting a minor detail wrong and downing the internet or locking oneself out of the router. We often manage customer routers remotely.
We were fortunate to get this right the first time and are memorializing the steps here for others needing to take this step.
Warning — This configuration only should be used when NAT is used, and there are no existing filter sets. If the router is not using NAT and the internal network is protected by more advanced filter sets, enabling this filter (which removes the previous one) will completely expose the internal network to the internet. That's bad.
Generally speaking, the packet filter will allow all traffic except outbound SMTP from internal machines other than the mailserver. This is on top of the routine NAT/PAT, and the inbound pinholes enabled by the Server List features (not described here).
Filter rules are always applied in order, and the first rule which matches, wins.
Because the mail server's traffic (including SMTP) is allowed as the first step, it's not blocked in any way: server-originated traffic never goes beyond step #1. It's non-server traffic which collides with step #2, and if SMTP is seen, it's not allowed. Step #3 is reached for non-server, non-SMTP traffic: this is all permitted.
This is done in two steps: first we create the named filter, then apply it to a particular connection. Maintaining the filter sets is done by logging into the router via telnet and navigating to the proper menu.
Nav:
Main Menu
» System Configuration...
» Filter Sets...
» Add Filter Set...
Here the filter set should be named, and "ADD FILTER SET" selected:
Add Filter Set...
Filter Set Name: SMTP Output Filter
ADD FILTER SET CANCEL
The filter set is empty after being added, so it must then be populated. Select Display/Change Filter Set..., press RETURN, then select the newly-created set. We'll be at this screen more than once.
Display/Change Filter Set...
Filter Set Name: SMTP Output Filter
Add Input Filter to Filter Set...
Display/Change Input Filter...
Delete Input Filter...
Move Input Filter...
Add Output Filter to Filter Set...
Display/Change Output Filter...
Delete Output Filter...
Move Output Filter...
First we'll add the input filter. This may not be required, because the device might default to "Permit" when no filter is provided, but we didn't want to find out the hard way by getting locked out remotely. An explicit "Permit" rule seemed like a wise idea: select Add Input Filter to Filter Set... and press RETURN.
Add Input Filter
Enabled: Yes
Forward: Yes — means "Permit"
Call Placement/Idle Reset: No Change
Source IP Address: 0.0.0.0
Source IP Address Mask: 0.0.0.0
Dest. IP Address: 0.0.0.0
Dest. IP Address Mask: 0.0.0.0
Protocol Type: ANY
ADD THIS FILTER NOW CANCEL
IMPORTANT - the default for the "Forward" field is No, and this has the effect of a Deny rule: be sure to select Yes (by pressing TAB then RETURN).
Next we'll select Add Output Filter to Filter Set... and add the three rules required. First we permit the mailserver identified by a single IP address to make any connections whatsoever. This goes beyond the rule of allowing just SMTP, but in case we got the other rules wrong (remotely), we wanted to always get to the server.
The netmask of 255.255.255.255 means this is a single IP address, not an address block or range.
Add Output Filter
Enabled: Yes
Forward: Yes — means "Permit"
Call Placement/Idle Reset: No Change
Source IP Address: 192.168.1.1
Source IP Address Mask: 255.255.255.255
Dest. IP Address: 0.0.0.0
Dest. IP Address Mask: 0.0.0.0
Protocol Type: ANY
ADD THIS FILTER NOW CANCEL
Next we add the rule which denies all outbound SMTP. Rules are applied in order, so the server — which is allowed to do anything it likes — won't ever get to this rule. All the non-server systems do, and their attempts at outbound port 25/tcp are blocked by the Forward=No.
Add Output Filter
Enabled: Yes
Forward: No — means "Deny"
Source IP Address: 0.0.0.0
Source IP Address Mask: 0.0.0.0
Dest. IP Address: 0.0.0.0
Dest. IP Address Mask: 0.0.0.0
Protocol Type: TCP
Source Port Compare... No Compare
Source Port ID: 0
Dest. Port Compare... Equal
Dest. Port ID: 25
Established TCP Conns. Only: No
ADD THIS FILTER NOW CANCEL
Finally we add the rules which allows all the systems to do non-mail transport: they should be able to surf the internet or download files, or whatever. Selecting Add Output Filter again, we see:
Add Output Filter
Enabled: Yes
Forward: Yes — means "Permit"
Call Placement/Idle Reset: No Change
Source IP Address: 0.0.0.0
Source IP Address Mask: 0.0.0.0
Dest. IP Address: 0.0.0.0
Dest. IP Address Mask: 0.0.0.0
Protocol Type: ANY
ADD THIS FILTER NOW CANCEL
This done, the filter has been defined, and we can verify both directions with the "Display/Change Filter" options in each input/output section.
Input filter:
+-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+ +-------------------------------------------------------------------------+ | 1 0.0.0.0 0.0.0.0 ANY -- -- Yes Yes | | | | | | | +-------------------------------------------------------------------------+
Output filter:
+-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+ +-------------------------------------------------------------------------+ | 1 192.168.0.2 0.0.0.0 ANY -- -- Yes Yes | | 2 0.0.0.0 0.0.0.0 TCP NC =25 Yes No | | 3 0.0.0.0 0.0.0.0 ANY -- -- Yes Yes | | | | | +-------------------------------------------------------------------------+
Now our "Outbound SMTP Filter" is defined, but since no connection is using it, there is no impact on actual traffic anywhere.
With the "Outbound SMTP filter" defined, we're ready to attach it to the internet connection. From the main menu, navigate down to "WAN Ethernet Configuration"
Nav:
Main Menu
» WAN (Wide Area Network) Setup...
» EN (Wan module 1) Setup...
One must be very careful in this configuration screen: this holds the parameters for the live internet, and mistakes can be painful. It's certainly much safer to do this over the serial console rather than remotely over the internet: do so if possible.
Furthermore, only the Filter Set setting should be changed here: the other parameters may well be different and reflect the local configuration. DO NOT change any other parameters to match those here.
WAN Ethernet Configuration
Address Translation Enabled: Yes
Local WAN IP Address: 66.121.X.X
Local WAN IP Mask: 255.255.255.248
NAT Map List... Easy-PAT List
NAT Server List... Easy-Servers
Filter Set... Outbound Mail Filter
Remove Filter Set
Enable PPP over Ethernet: Off
Wan Ethernet MAC Address: 00:00:c5:70:xx:xx
RIP Options...
Press ESCAPE to leave this screen, and the filters should take effect immediately. It's wise to doublecheck the settings by checking that the filters are working properly.
If any of these tests fail, it's best to remove the filter from the connection (the "Remove Filter Set" option in the last screen) and regroup.
First published: 2006/01/14
![[Steve's Email]](/images/steve-email.gif)
![[RSS Feed available]](/images/feed-icon-14x14.png){kind=icon}