firewall to protect mail server

Unanswered Question
Oct 2nd, 2008
User Badges:

my router = Cisco 2651XM with wic-adsl card.

IOS = c2600-adventerprisek9-mz.124-2.T.bin


I've set up a mail server computer at my home and I was wondering if there are any known good router firewall settings that will hinder spammers relaying junk mail through my mail server. I know there are several things I can do on the server machine itself, but I'd also like to stop them at the router if that's possible.

I know I can filter traffic based on outside IP address but people's ip addresses change all the time so that's not a viable approach. Is it possible to filter outside traffic based on an outside mac address?

Thanks for any advice.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
hadbou Wed, 10/08/2008 - 06:12
User Badges:
  • Bronze, 100 points or more

MAC acls can be used for filtering the traffic based on MAC address.MAC ACLs are applied on incoming traffic on Gigabit Ethernet interfaces and VLAN subinterfaces. After a networking device receives a packet, the Cisco IOS software checks the source MAC address of the Gigabit Ethernet, 802.1Q VLAN, or 802.1Q-in-Q packet against the access list. If the MAC access list permits the address, the software continues to process the packet. If the access list denies the address, the software discards the packet and returns an Internet Control Message Protocol (ICMP) host unreachable message.If the specified MAC ACL does not exist on the interface or subinterface, all packets are passed.


tonyspcrepairs Wed, 10/08/2008 - 14:29
User Badges:

thanks for your response hadbou, Im glad to hear mac filtering is possible. I was looking on google but I'm finding it hard to understand what the correct acl command should be for this. I found this example command:

access-list 700 per 001c.baba.ca1b 0000.0000.0000

(where "001c.baba.ca1b 0000.0000.0000" is replaced with real mac addresses) but I need the permit rule to be on ports 25 and 110 (smtp and pop3) coming into Dialer0 from outside. Do you know what the correct command should be? maybe something like...

access-list 700 permit aaaa.aaaa.aaaa Dialer0 25 (?)

Attached is my running config, thanks for any advice.



Actions

This Discussion