Denying SMTP Connections

Answered Question
Feb 13th, 2007

Hi,

I have a server on my network which is advertised to the internet. I have been seeing SMTP connections from the internet address space to this server. If I want to deny SMTP connections to the server, can I do the following:

ip access 133 remark block smtp connections

access-list 133 deny any <host IP> eq smtp?

Would this block the connections? Do I have to apply this to the Interface(s) that connect to my ISP?

Thanks to Satish, I now know how to debug the source addresses from the access-list.

Thanks for help.

I do have a PIX firewall at the ISP that provides our primary internet connection and would prefer to stop it there, but I am still new to the PIX configuration and would rather, for now, block it at the router entry points to my network.

Any help would do.

Thanks

Brad

sundar.palaniappan Tue, 02/13/2007 - 11:11

Your approach is correct but your syntax is slightly off. Also, remember there's an implicit deny at the end of any ACL and hence, add an ACE to allow all other IP traffic after the deny statement. Apply the ACL inbound on the interface that connects to the Internet. You need an ACL similar to this one;

access-list 133 deny tcp any host <host IP> eq smtp

access-list 133 permit ip any any

HTH

Sundar

bradlesliect Tue, 02/13/2007 - 11:36

Thanks Sundar,

Do I apply it as

ip access-group 101 in

ip access-group 101 out

?

This won't break anything else?

Correct Answer
sundar.palaniappan Tue, 02/13/2007 - 12:28

You would need to apply it only inbound on the interface, as the traffic is coming from outside --> inside only. However, if you want to block outbound SMTP as well, then the ACE needs to be reversed.

access-list 132 deny tcp host <host IP> eq smtp any

access-list 132 permit ip any any

The 'in' and 'out' keywords used with 'ip access-group' are viewed from the standpoint of the router itself. Hence, 'in' means traffic coming into the interface and 'out' means traffic leaving the interface. Use a different ACL #, though it is not necessary, for inbound and outbound filtering.

HTH

Sundar
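The complete configuration the two answers above describe, as an added worked example that is not part of the original thread. It assumes the Internet-facing interface is Serial0/0 and that the advertised mail host is 192.0.2.10 (a documentation address standing in for <host IP>); both are assumptions. It also adds the 'log' keyword on the deny entries so the source addresses of blocked connections appear in syslog, which is the debugging the question mentions. One caveat on the optional outbound filter: an ACE that matches source port 25 on the host (host <host IP> eq smtp any) matches replies to SMTP sessions that came in from the Internet, not sessions the host opens itself; to stop the host initiating outbound SMTP, match destination port 25 instead, as shown below.

```cisco
! Added example, not from the original post. Assumed: ISP link is Serial0/0,
! the advertised server is 192.0.2.10 (stands in for <host IP>).
!
! Inbound filter: drop SMTP connections from the Internet to the host and log
! each hit. The explicit 'permit ip any any' is required because every ACL
! ends in an implicit deny; without it, all other inbound traffic is dropped.
access-list 133 remark block inbound SMTP to the advertised host
access-list 133 deny   tcp any host 192.0.2.10 eq smtp log
access-list 133 permit ip any any
!
! Optional outbound filter: stop the host from opening SMTP sessions to the
! Internet. Destination port 25 is matched here, not the host's source port.
access-list 132 remark block outbound SMTP from the advertised host
access-list 132 deny   tcp host 192.0.2.10 any eq smtp log
access-list 132 permit ip any any
!
! Apply on the Internet-facing interface. From the router's point of view,
! 'in' is traffic arriving from the ISP, 'out' is traffic leaving toward it.
interface Serial0/0
 description Link to ISP
 ip access-group 133 in
 ip access-group 132 out
!
! Verification (exec mode): per-ACE match counters, then the logged sources.
! show access-lists 133
! show access-lists 132
! show logging | include list 13
```

The match counters from 'show access-lists' should climb on the deny entries as connections are refused; if the counters on the permit entry stay at zero after normal traffic flows, the ACL is applied on the wrong interface or in the wrong direction.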
