Pix 501 Controlling Access Based on Source Port

 
 
RG
      05-17-2009
Is there a way to prevent remote access based on source ports? For
instance, I would like to only receive emails originating from port 25 and
no other.

Thanks in advance

 
 
 
 
 
Brian V
      05-17-2009

"RG" <(E-Mail Removed)> wrote in message
news:4a100a66$0$5937$(E-Mail Removed)...
> Is there a way to prevent remote access based on source ports? For
> instance, I would like to only receive emails originating from port 25 and
> no other.
>
> Thanks in advance


Sure, you "could", i.e. access-list outside permit tcp any eq 25 host 1.2.3.4
but source ports are usually a randomly generated port greater than 1024;
destination ports are what are fixed, i.e. smtp is 25, www is 80 etc. Care to
expand on why you're trying to do this? Perhaps we can find an alternative
solution for you.
-Brian

 
 
 
 
 
RG
      05-17-2009
In my quest to keep away spam, I thought that limiting source ports to 25
would filter a lot of the garbage. But it turns out yahoos of the world are
using, like you are saying, random ports as well.

Anyway, the information you provided is useful.

Thanks again
"Brian V" <(E-Mail Removed)> wrote in message
news:gup3rt$v8v$(E-Mail Removed)-september.org...
>
> Sure, you "could", i.e access-list outside permit tcp any eq 25 host
> 1.2.3.4 but source ports are usually a randomly generated port greater
> than 1024, destination ports are what are fixed, ie. smtp is 25, www is 80
> etc. Care to expand on why you're trying to do this? Perhaps we can find an
> alternative solution for you.
> -Brian


 
 
Thrill5
      05-17-2009
It's not the "yahoos" using random ports, it's the way TCP/IP works. The
source computer uses a random port (not really random, but...) to initiate
the connection to a "well-known" port. It's the way it's always been, and
always will be. Even if the source port were always the same (say port 25)
how would this stop spammers? How would you be able to differentiate
spammers who use port 25 from those that are sending legitimate e-mail? If
stopping spam were this easy, there wouldn't be any.


"RG" <(E-Mail Removed)> wrote in message
news:4a103caf$0$5400$(E-Mail Removed)...
> In my quest to keep away spam, I thought that limiting source ports to 25
> would filter a lot of the garbage. But it turns out yahoos of the world
> are using, like you are saying, random ports as well.
>
> Anyway, the information you provided is useful.
>
> Thanks again


 
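Brian's one-liner and Thrill5's point about ephemeral source ports can be checked with a small model rather than on a live PIX. The block below is an added example, not code from this thread and not Cisco's: it parses the subset of PIX access-list syntax the thread uses (any, host A.B.C.D, or network plus subnet mask, an optional eq <port> after the source and after the destination, with or without the 7.x "extended" keyword), evaluates flows first-match-wins with the implicit deny at the end, and runs a constructed set of SMTP connections through Brian's source-port rule and through the destination-port rule RG actually wants. The addresses 203.0.113.10 and 198.51.100.77, the port-name table and the flow counts are my assumptions; the ephemeral-port range is the IANA 49152-65535 one (older stacks start at 1024, as Brian says, but no client stack picks 25).

```python
import ipaddress
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: a toy evaluator for the PIX access-list lines quoted in this
# thread. Constructed for illustration; not Cisco code, and it covers only the
# syntax used here (any | host A.B.C.D | A.B.C.D MASK, optional 'eq <port>').

# Port names as the PIX accepts them in 'eq' clauses (a small subset, assumed).
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "ftp": 21, "ftp-data": 20, "ssh": 22}

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    """One access-control entry; a port is None when the line has no 'eq' clause."""
    name: str
    action: str
    proto: str
    src: Net
    sport: Optional[int]
    dst: Net
    dport: Optional[int]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _addr(toks: List[str], i: int) -> Tuple[Net, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M' at toks[i].
    PIX masks are ordinary subnet masks, not IOS-style wildcard masks."""
    if toks[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return Net(toks[i + 1] + "/32"), i + 2
    return Net(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def _opt_port(toks: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(toks) and toks[i] == "eq":
        tok = toks[i + 1]
        return (PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    i = 3 if toks[2] == "extended" else 2          # 7.x syntax inserts 'extended'
    action, proto = toks[i], toks[i + 1]
    src, i = _addr(toks, i + 2)
    sport, i = _opt_port(toks, i)                  # 'eq' right after the source = SOURCE port
    dst, i = _addr(toks, i)
    dport, i = _opt_port(toks, i)                  # 'eq' after the destination = DESTINATION port
    return Ace(toks[1], action, proto, src, sport, dst, dport)


def evaluate(acl: List[Ace], f: Flow) -> str:
    """First matching entry wins; a flow that matches nothing hits the implicit deny."""
    for a in acl:
        if a.proto not in ("ip", f.proto):
            continue
        if ipaddress.ip_address(f.src) not in a.src or ipaddress.ip_address(f.dst) not in a.dst:
            continue
        if a.sport is not None and a.sport != f.sport:
            continue
        if a.dport is not None and a.dport != f.dport:
            continue
        return a.action
    return "deny"


# Brian's line, which matches on the SOURCE port, versus the rule RG actually wants.
SOURCE_PORT_ACL = [parse_ace("access-list outside permit tcp any eq 25 host 1.2.3.4")]
DEST_PORT_ACL = [parse_ace("access-list outside permit tcp any host 1.2.3.4 eq smtp")]


def ephemeral_port(rng: random.Random) -> int:
    """A client socket gets an ephemeral source port: IANA's range is 49152-65535,
    older stacks start at 1024 (Brian's 'greater than 1024'). It is never 25."""
    return rng.randrange(49152, 65536)


def legit_mta(rng: random.Random) -> Flow:
    return Flow("tcp", "203.0.113.10", ephemeral_port(rng), "1.2.3.4", 25)   # assumed addresses


def spammer_binding_sport_25() -> Flow:
    # Anyone with root on the sending box can bind the client socket to port 25.
    return Flow("tcp", "198.51.100.77", 25, "1.2.3.4", 25)


def demo(trials: int = 1000, seed: int = 1) -> dict:
    rng = random.Random(seed)
    legit = [legit_mta(rng) for _ in range(trials)]
    return {
        "legit_permitted_by_source_port_rule": sum(evaluate(SOURCE_PORT_ACL, f) == "permit" for f in legit),
        "legit_permitted_by_dest_port_rule": sum(evaluate(DEST_PORT_ACL, f) == "permit" for f in legit),
        "spammer_with_sport_25_under_source_port_rule": evaluate(SOURCE_PORT_ACL, spammer_binding_sport_25()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it and the source-port rule passes none of the legitimate MTAs and the one sender who bothered to bind his client socket to port 25, while the destination-port rule admits every legitimate connection; it cannot tell spam from mail either, which is Thrill5's point.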
 
Daniel-G
      05-17-2009
Thrill5 said the following on 05/17/2009 08:12 PM:
> It's not the "yahoos" using random ports, it's the way TCP/IP works. The
> source computer uses a random port (not really random, but...) to initiate
> the connection to a "well-known" port. It's the way it's always been, and
> always will be. Even if the source port were always the same (say port 25)
> how would this stop spammers? How would you be able to differentiate
> spammers who use port 25 from those that are sending legitimate e-mail? If
> stopping spam were this easy, there wouldn't be any.

IMHO it's up to the firewall to allow/block access to port 25.
It's a matter for the smtp gateway to take care of spam and the rest.
What you could do on the Pix is to limit the bandwidth dedicated to port 25.
You can do that on a 515 running v7; on a 501 I doubt it's possible.
Daniel
 
 
Daniel-G
      05-18-2009
Brian V said the following on 05/18/2009 04:58 AM:
>
> You can limit bandwidth based on port? Care to give an example for that?
> Never heard/seen of that!


I did it this way to limit web traffic:
1/ traffic selection
access-list WEB-Traffic extended permit tcp any eq www any
access-list WEB-Traffic extended permit tcp any any eq www
access-list WEB-Traffic extended permit tcp any any eq ftp
access-list WEB-Traffic extended permit tcp any any eq ftp-data

2/ class definition
class-map CM-WEB-Trafic-Policy
match access-list WEB-Traffic

3/ policy definition
policy-map PM-WEB-Trafic
class CM-WEB-Trafic-Policy
police input 1500000 2000000

4/ apply to the interface
service-policy PM-WEB-Trafic interface outside

PIX V7.2 (don't know if it's available with v7.1)
Hope it helps
 
 
alexd
      05-18-2009
Daniel-G <free-news_no-replyATcasylde.fr> wrote:

> IMHO it's up to the firewall to allow/block access to port 25
> It's th ematter of the smtp gateway to take care of spams and others
> What you could do on the Pix is to limit the bandwidth dedicated to port
> 25.


Surely that will slow down legitimate email as well as spam?


 
 
Daniel-G
      05-18-2009
alexd said the following on 05/18/2009 08:08 PM:
> Daniel-G <free-news_no-replyATcasylde.fr> wrote:
>
>> IMHO it's up to the firewall to allow/block access to port 25
>> It's th ematter of the smtp gateway to take care of spams and others
>> What you could do on the Pix is to limit the bandwidth dedicated to port
>> 25.

>
> Surely that will slow down legitimate email as well as spam?
>

Yes, of course.
That's why email should be managed by an MTA and nothing else (with a bit
of help from iptables/fail2ban, etc. if under heavy load).
 
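What Daniel's "police input 1500000 2000000" line does to mail, and why alexd's question gets the answer it does, can be seen with a token-bucket model of the policer. The block below is an added example (mine, not Cisco's and not from the thread): on PIX/ASA 7.x the first argument to police is the conform rate in bits per second, the second the conform burst in bytes, and the default exceed-action is drop, so a bucket of burst_bytes tokens refilled at rate_bps is a faithful enough model. The traffic is constructed: a well-behaved MTA at 203.0.113.10 sending a 1500-byte segment every 20 ms (about 600 kbit/s) and a spam sender at 198.51.100.77 sending one every 1 ms (about 12 Mbit/s), both matched by a port-25 class. The class policer keeps a single bucket for everything the class matches; the per-source variant is not something the class-map policer gives you and stands in for the per-sender limiting that iptables (hashlimit) or an MTA's own connection limits can do, which is the iptables/fail2ban help Daniel mentions above.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Added example, not Cisco code or the thread's own: a token-bucket model of
# 'police input <conform-rate-bps> <conform-burst-bytes>' on PIX/ASA 7.x, whose
# default exceed-action is drop. All traffic below is constructed for illustration.


@dataclass
class TokenBucket:
    rate_bps: int       # first 'police' argument: conform rate in bits per second
    burst_bytes: int    # second argument: conform burst in bytes (bucket depth)
    tokens: float = field(init=False)
    last_t: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # the bucket starts full

    def conform(self, t: float, size: int) -> bool:
        """Credit tokens for the time elapsed, then admit the packet if it fits
        (conform-action transmit) or reject it (exceed-action drop)."""
        self.tokens = min(self.burst_bytes,
                          self.tokens + (t - self.last_t) * self.rate_bps / 8)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


@dataclass(frozen=True)
class Pkt:
    t: float    # arrival time, seconds
    src: str    # sender address
    size: int   # bytes on the wire


def smtp_packets(src: str, interval_us: int, offset_us: int,
                 duration_s: int, size: int = 1500) -> List[Pkt]:
    """Constructed traffic: one full-size segment every interval_us for duration_s seconds."""
    return [Pkt((offset_us + k) / 1e6, src, size)
            for k in range(0, duration_s * 1_000_000, interval_us)]


def drop_ratio(packets: List[Pkt], admit: Callable[[Pkt], bool]) -> Dict[str, float]:
    """Feed packets to 'admit' in arrival order; report the dropped fraction per sender."""
    dropped: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    for p in sorted(packets, key=lambda p: p.t):
        total[p.src] += 1
        if not admit(p):
            dropped[p.src] += 1
    return {s: dropped[s] / total[s] for s in total}


def police_class(packets: List[Pkt], rate_bps: int, burst_bytes: int) -> Dict[str, float]:
    """One bucket shared by everything the class-map matches, which is what a
    'police' line under a class does: every sender on port 25 competes for it."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    return drop_ratio(packets, lambda p: bucket.conform(p.t, p.size))


def police_per_source(packets: List[Pkt], rate_bps: int, burst_bytes: int) -> Dict[str, float]:
    """One bucket per source address: the per-sender limiting a host-level tool
    (iptables hashlimit, an MTA's connection limits) can do and the class policer cannot."""
    buckets: Dict[str, TokenBucket] = defaultdict(lambda: TokenBucket(rate_bps, burst_bytes))
    return drop_ratio(packets, lambda p: buckets[p.src].conform(p.t, p.size))


LEGIT = "203.0.113.10"     # assumed: a well-behaved MTA, 1500 B every 20 ms (~600 kbit/s)
SPAMMER = "198.51.100.77"  # assumed: a spam sender, 1500 B every 1 ms (~12 Mbit/s)
RATE, BURST = 1_500_000, 2_000_000   # the numbers in 'police input 1500000 2000000'


def traffic() -> List[Pkt]:
    # The 0.5 ms offset keeps the two senders' arrivals from ever coinciding.
    return smtp_packets(LEGIT, 20_000, 500, 60) + smtp_packets(SPAMMER, 1_000, 0, 60)


if __name__ == "__main__":
    pkts = traffic()
    print("class policer, dropped fraction per sender:", police_class(pkts, RATE, BURST))
    print("per-source limit, dropped fraction per sender:", police_per_source(pkts, RATE, BURST))
```

Once the 2,000,000-byte burst is spent (after roughly a second and a half here) the shared bucket refills at 187,500 bytes per second and the sender who arrives most often takes nearly all of it: the legitimate MTA loses well over half its segments, as many as the spam sender does. The per-source buckets leave the MTA untouched and throttle only the spam sender. That is alexd's point in numbers: policing port 25 on the firewall slows everyone on the port, and anything that wants to tell good senders from bad has to know about senders or about mail, which is what Daniel means by leaving it to the MTA.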
 
Brian V
      05-18-2009

"Daniel-G" <free-news_no-replyATcasylde.fr> wrote in message
news:4a110452$0$20237$(E-Mail Removed)...

Good stuff! Love learning something new!

 
 
 
 