Pix 501 Controlling Access Based on Source Port

Discussion in 'Cisco' started by RG, May 17, 2009.


    RG Guest

    Is there a way to prevent remote access based on source ports? For
    instance, I would like to only receive emails originating from port 25 and
    no other.

    Thanks in advance
     
    RG, May 17, 2009
    #1


    Brian V Guest

    "RG" <> wrote in message
    news:4a100a66$0$5937$...
    > Is there a way to prevent remote access based on source ports? For
    > instance, I would like to only receive emails originating from port 25 and
    > no other.
    >
    > Thanks in advance


    Sure, you "could", i.e. access-list outside permit tcp any eq 25 host 1.2.3.4,
    but source ports are usually a randomly generated port greater than 1024;
    destination ports are what are fixed, i.e. smtp is 25, www is 80 etc. Care to
    expand on why you're trying to do this? Perhaps we can find an alternative
    solution for you.
    -Brian
     
    Brian V, May 17, 2009
    #2
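    An added example, not code from the thread: a small Python matcher for the PIX-style access-list lines quoted in this thread (Brian's source-port entry here and the "extended" entries in Daniel's policing config later on). It runs constructed inbound SMTP connections through an entry and shows that matching on source port 25 permits none of them, while the destination-port form permits them all.

```python
# Added example (not from the thread): a minimal matcher for the PIX/ASA
# access-list syntax quoted above. It shows why Brian's source-port rule
# ("any eq 25") misses ordinary inbound SMTP, whose source port is ephemeral,
# while the destination-port form matches it. Sample traffic is constructed.
import random

NAMED_PORTS = {"smtp": 25, "www": 80, "ftp": 21, "ftp-data": 20}  # standard numbers


def _endpoint(toks, i):
    """Consume 'any' | 'host A', then an optional 'eq PORT'; return (addr, port, next_i)."""
    addr, i = (toks[i + 1], i + 2) if toks[i] == "host" else (toks[i], i + 1)
    port = None
    if i < len(toks) and toks[i] == "eq":
        port = NAMED_PORTS.get(toks[i + 1]) or int(toks[i + 1])
        i += 2
    return addr, port, i


def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny tcp SRC [eq P] DST [eq P]'
    into a dict; only this tcp subset of the syntax is handled."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError("not an access-list entry")
    i = 3 if toks[2] == "extended" else 2
    action = toks[i]
    if toks[i + 1] != "tcp":
        raise ValueError("only tcp entries are handled here")
    src, sp, i = _endpoint(toks, i + 2)
    dst, dp, _ = _endpoint(toks, i)
    return {"name": toks[1], "action": action, "src": src, "src_port": sp,
            "dst": dst, "dst_port": dp}


def matches(ace, src_ip, src_port, dst_ip, dst_port):
    """True when every field the entry constrains agrees with the connection."""
    return (ace["src"] in ("any", src_ip) and ace["src_port"] in (None, src_port)
            and ace["dst"] in ("any", dst_ip) and ace["dst_port"] in (None, dst_port))


def permitted_fraction(ace_line, n=1000, seed=1):
    """Share of n constructed inbound SMTP connections (ephemeral source port
    49152-65535, server 1.2.3.4:25) that the entry would permit."""
    ace = parse_ace(ace_line)
    rng = random.Random(seed)
    hits = sum(matches(ace, "203.0.113.7", rng.randint(49152, 65535), "1.2.3.4", 25)
               for _ in range(n))
    return hits / n
```

    Calling permitted_fraction() on the two rule forms gives 0% for "any eq 25 host 1.2.3.4" and 100% for "any host 1.2.3.4 eq 25", which is the point Brian makes about source versus destination ports.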


    RG Guest

    In my quest to keep away spam, I thought that limiting source ports to 25
    would filter a lot of the garbage. But it turns out yahoos of the world are
    using, like you are saying, random ports as well.

    Anyway, the information you provided is useful.

    Thanks again
    "Brian V" <> wrote in message
    news:gup3rt$v8v$-september.org...
    >
    > "RG" <> wrote in message
    > news:4a100a66$0$5937$...
    >> Is there a way to prevent remote access based on source ports? For
    >> instance, I would like to only receive emails originating from port 25
    >> and no other.
    >>
    >> Thanks in advance

    >
    > Sure, you "could", i.e access-list outside permit tcp any eq 25 host
    > 1.2.3.4 but source ports are usually a randomly generated port greater
    > than 1024, destination ports are what are fixed, ie. smtp is 25, www is 80
    > etc. Care to expand on why you're trying to do this? Perhaps we can find an
    > alternative solution for you.
    > -Brian
     
    RG, May 17, 2009
    #3

    Thrill5 Guest

    It's not the "yahoos" using random ports, it's the way TCP/IP works. The
    source computer uses a random port (not really random, but...) to initiate
    the connection to a "well-known" port. It's the way it's always been, and
    always will be. Even if the source port were always the same (say port 25),
    how would this stop spammers? How would you be able to differentiate
    spammers who use port 25 from those that are sending legitimate e-mail? If
    stopping spam were this easy, there wouldn't be any.


    "RG" <> wrote in message
    news:4a103caf$0$5400$...
    > In my quest to keep away spam, I thought that limiting source ports to 25
    > would filter a lot of the garbage. But it turns out yahoos of the world
    > are using, like you are saying, random ports as well.
    >
    > Anyway, the information you provided is useful.
    >
    > Thanks again
    > "Brian V" <> wrote in message
    > news:gup3rt$v8v$-september.org...
    >>
    >> "RG" <> wrote in message
    >> news:4a100a66$0$5937$...
    >>> Is there a way to prevent remote access based on source ports? For
    >>> instance, I would like to only receive emails originating from port 25
    >>> and no other.
    >>>
    >>> Thanks in advance

    >>
    >> Sure, you "could", i.e access-list outside permit tcp any eq 25 host
    >> 1.2.3.4 but source ports are usually a randomly generated port greater
    >> than 1024, destination ports are what are fixed, ie. smtp is 25, www is
    >> 80 etc. Care to expand on why you're trying to do this? Perhaps we can find an
    >> alternative solution for you.
    >> -Brian

    >
     
    Thrill5, May 17, 2009
    #4

    Daniel-G Guest

    Thrill5 said the following on 05/17/2009 08:12 PM:
    > It's not the "yahoos" using random ports, it's the way TCP/IP works. The
    > source computer uses a random port (not really random, but...) to initiate
    > the connection to a "well-known" port. It's the way it's always been, and
    > always will be. Even if the source port were always the same (say port 25),
    > how would this stop spammers? How would you be able to differentiate
    > spammers who use port 25 from those that are sending legitimate e-mail? If
    > stopping spam were this easy, there wouldn't be any.
    >
    >
    > "RG" <> wrote in message
    > news:4a103caf$0$5400$...
    >> In my quest to keep away spam, I thought that limiting source ports to 25
    >> would filter a lot of the garbage. But it turns out yahoos of the world
    >> are using, like you are saying, random ports as well.
    >>
    >> Anyway, the information you provided is useful.
    >>
    >> Thanks again
    >> "Brian V" <> wrote in message
    >> news:gup3rt$v8v$-september.org...
    >>> "RG" <> wrote in message
    >>> news:4a100a66$0$5937$...
    >>>> Is there a way to prevent remote access based on source ports? For
    >>>> instance, I would like to only receive emails originating from port 25
    >>>> and no other.
    >>>>
    >>>> Thanks in advance
    >>> Sure, you "could", i.e access-list outside permit tcp any eq 25 host
    >>> 1.2.3.4 but source ports are usually a randomly generated port greater
    >>> than 1024, destination ports are what are fixed, ie. smtp is 25, www is
    >>> 80 etc. Care to expand on why you're trying to do this? Perhaps we can find an
    >>> alternative solution for you.
    >>> -Brian

    >
    >

    IMHO it's up to the firewall to allow/block access to port 25.
    It's the matter of the SMTP gateway to take care of spam and the rest.
    What you could do on the Pix is to limit the bandwidth dedicated to port 25.
    You can do that on a 515 running v7; on a 501 I doubt it's possible.
    Daniel
     
    Daniel-G, May 17, 2009
    #5

    Daniel-G Guest

    Brian V said the following on 05/18/2009 04:58 AM:
    >
    > "Daniel-G" <free-news_no-replyATcasylde.fr> wrote in message
    > news:4a107dd7$0$12035$...
    >> Thrill5 said the following on 05/17/2009 08:12 PM:
    >>> It's not the "yahoos" using random ports, it's the way TCP/IP works. The
    >>> source computer uses a random port (not really random, but...) to
    >>> initiate
    >>> the connection to a "well-known" port. It's the way it's always
    >>> been, and
    >>> always will be. Even if the source port were always the same (say
    >>> port 25),
    >>> how would this stop spammers? How would you be able to differentiate
    >>> spammers who use port 25 from those that are sending legitimate
    >>> e-mail? If
    >>> stopping spam were this easy, there wouldn't be any.
    >>>
    >>>
    >>> "RG" <> wrote in message
    >>> news:4a103caf$0$5400$...
    >>>> In my quest to keep away spam, I thought that limiting source ports
    >>>> to 25
    >>>> would filter a lot of the garbage. But it turns out yahoos of the
    >>>> world
    >>>> are using, like you are saying, random ports as well.
    >>>>
    >>>> Anyway, the information you provided is useful.
    >>>>
    >>>> Thanks again
    >>>> "Brian V" <> wrote in message
    >>>> news:gup3rt$v8v$-september.org...
    >>>>> "RG" <> wrote in message
    >>>>> news:4a100a66$0$5937$...
    >>>>>> Is there a way to prevent remote access based on source ports? For
    >>>>>> instance, I would like to only receive emails originating from
    >>>>>> port 25
    >>>>>> and no other.
    >>>>>>
    >>>>>> Thanks in advance
    >>>>> Sure, you "could", i.e access-list outside permit tcp any eq 25 host
    >>>>> 1.2.3.4 but source ports are usually a randomly generated port greater
    >>>>> than 1024, destination ports are what are fixed, ie. smtp is 25,
    >>>>> www is
    >>>>> 80 etc. Care to expand on why you're trying to do this? Perhaps we can
    >>>>> find an
    >>>>> alternative solution for you.
    >>>>> -Brian
    >>>
    >>>

    >> IMHO it's up to the firewall to allow/block access to port 25.
    >> It's the matter of the SMTP gateway to take care of spam and the rest.
    >> What you could do on the Pix is to limit the bandwidth dedicated to
    >> port 25.
    >> You can do that on a 515 running v7; on a 501 I doubt it's possible.
    >> Daniel

    >
    > You can limit bandwidth based on port? Care to give an example for that?
    > Never heard/seen of that!


    I did it this way to limit web traffic:
    1/ traffic selection
    access-list WEB-Traffic extended permit tcp any eq www any
    access-list WEB-Traffic extended permit tcp any any eq www
    access-list WEB-Traffic extended permit tcp any any eq ftp
    access-list WEB-Traffic extended permit tcp any any eq ftp-data

    2/ class definition
    class-map CM-WEB-Trafic-Policy
    match access-list WEB-Traffic

    3/ policy definition
    policy-map PM-WEB-Trafic
    class CM-WEB-Trafic-Policy
    police input 1500000 2000000

    4/ apply to the interface
    service-policy PM-WEB-Trafic interface outside

    PIX v7.2 (don't know if it's available with v7.1).
    Hope it helps.
     
    Daniel-G, May 18, 2009
    #6

    alexd Guest

    Daniel-G <free-news_no-replyATcasylde.fr> wrote:

    > IMHO it's up to the firewall to allow/block access to port 25.
    > It's the matter of the SMTP gateway to take care of spam and the rest.
    > What you could do on the Pix is to limit the bandwidth dedicated to port
    > 25.


    Surely that will slow down legitimate email as well as spam?

    --
    <http://ale.cx/> (AIM:troffasky) ()
    19:07:13 up 11 days, 21:38, 1 user, load average: 0.06, 0.10, 0.09
    A few flakes working together can unleash an avalanche of destruction
     
    alexd, May 18, 2009
    #7

    Daniel-G Guest

    alexd said the following on 05/18/2009 08:08 PM:
    > Daniel-G <free-news_no-replyATcasylde.fr> wrote:
    >
    >> IMHO it's up to the firewall to allow/block access to port 25.
    >> It's the matter of the SMTP gateway to take care of spam and the rest.
    >> What you could do on the Pix is to limit the bandwidth dedicated to port
    >> 25.

    >
    > Surely that will slow down legitimate email as well as spam?
    >

    Yes, of course.
    That's why email should be managed by an MTA and nothing else (with a bit
    of help from iptables/fail2ban, etc. if under heavy load).
     
    Daniel-G, May 18, 2009
    #8

    Brian V Guest

    "Daniel-G" <free-news_no-replyATcasylde.fr> wrote in message
    news:4a110452$0$20237$...
    > Brian V said the following on 05/18/2009 04:58 AM:
    >>
    >> "Daniel-G" <free-news_no-replyATcasylde.fr> wrote in message
    >> news:4a107dd7$0$12035$...
    >>> Thrill5 said the following on 05/17/2009 08:12 PM:
    >>>> It's not the "yahoos" using random ports, it's the way TCP/IP works. The
    >>>> source computer uses a random port (not really random, but...) to
    >>>> initiate
    >>>> the connection to a "well-known" port. It's the way it's always
    >>>> been, and
    >>>> always will be. Even if the source port were always the same (say
    >>>> port 25),
    >>>> how would this stop spammers? How would you be able to differentiate
    >>>> spammers who use port 25 from those that are sending legitimate
    >>>> e-mail? If
    >>>> stopping spam were this easy, there wouldn't be any.
    >>>>
    >>>>
    >>>> "RG" <> wrote in message
    >>>> news:4a103caf$0$5400$...
    >>>>> In my quest to keep away spam, I thought that limiting source ports
    >>>>> to 25
    >>>>> would filter a lot of the garbage. But it turns out yahoos of the
    >>>>> world
    >>>>> are using, like you are saying, random ports as well.
    >>>>>
    >>>>> Anyway, the information you provided is useful.
    >>>>>
    >>>>> Thanks again
    >>>>> "Brian V" <> wrote in message
    >>>>> news:gup3rt$v8v$-september.org...
    >>>>>> "RG" <> wrote in message
    >>>>>> news:4a100a66$0$5937$...
    >>>>>>> Is there a way to prevent remote access based on source ports? For
    >>>>>>> instance, I would like to only receive emails originating from
    >>>>>>> port 25
    >>>>>>> and no other.
    >>>>>>>
    >>>>>>> Thanks in advance
    >>>>>> Sure, you "could", i.e access-list outside permit tcp any eq 25 host
    >>>>>> 1.2.3.4 but source ports are usually a randomly generated port
    >>>>>> greater
    >>>>>> than 1024, destination ports are what are fixed, ie. smtp is 25,
    >>>>>> www is
    >>>>>> 80 etc. Care to expand on why you're trying to do this? Perhaps we can
    >>>>>> find an
    >>>>>> alternative solution for you.
    >>>>>> -Brian
    >>>>
    >>>>
    >>> IMHO it's up to the firewall to allow/block access to port 25.
    >>> It's the matter of the SMTP gateway to take care of spam and the rest.
    >>> What you could do on the Pix is to limit the bandwidth dedicated to
    >>> port 25.
    >>> You can do that on a 515 running v7; on a 501 I doubt it's possible.
    >>> Daniel

    >>
    >> You can limit bandwidth based on port? Care to give an example for that?
    >> Never heard/seen of that!

    >
    > I did it this way to limit web traffic:
    > 1/ traffic selection
    > access-list WEB-Traffic extended permit tcp any eq www any
    > access-list WEB-Traffic extended permit tcp any any eq www
    > access-list WEB-Traffic extended permit tcp any any eq ftp
    > access-list WEB-Traffic extended permit tcp any any eq ftp-data
    >
    > 2/ class definition
    > class-map CM-WEB-Trafic-Policy
    > match access-list WEB-Traffic
    >
    > 3/ policy definition
    > policy-map PM-WEB-Trafic
    > class CM-WEB-Trafic-Policy
    > police input 1500000 2000000
    >
    > 4/ apply to the interface
    > service-policy PM-WEB-Trafic interface outside
    >
    > PIX v7.2 (don't know if it's available with v7.1).
    > Hope it helps.


    Good stuff! Love learning something new!
     
    Brian V, May 19, 2009
    #9
