Pix 501 Controlling Access Based on Source Port

Discussion in 'Cisco' started by RG, May 17, 2009.

  1. RG

    RG Guest

    Is there a way to prevent remote access based on source ports? For
    instance, I would like to only receive emails originating from port 25 and
    no other.

    Thanks in advance
     
    RG, May 17, 2009
    #1

  2. RG

    Brian V Guest

    Sure, you "could", i.e. access-list outside permit tcp any eq 25 host 1.2.3.4,
    but source ports are usually a randomly generated port greater than 1024;
    destination ports are what are fixed, i.e. smtp is 25, www is 80 etc. Care to
    expand on why you're trying to do this? Perhaps we can find an alternative
    solution for you.
    -Brian
     
    Brian V, May 17, 2009
    #2

  3. RG

    RG Guest

    In my quest to keep away spam, I thought that limiting source ports to 25
    would filter a lot of the garbage. But it turns out yahoos of the world are
    using, like you are saying, random ports as well.

    Anyway, the information you provided is useful.

    Thanks again
     
    RG, May 17, 2009
    #3
  4. RG

    Thrill5 Guest

    It's not the "yahoos" using random ports, it's the way TCP/IP works. The
    source computer uses a random port (not really random, but...) to initiate
    the connection to a "well-known" port. It's the way it's always been, and
    always will be. Even if the source port were always the same (say port 25),
    how would this stop spammers? How would you be able to differentiate
    spammers who use port 25 from those that are sending legitimate e-mail? If
    stopping spam were this easy, there wouldn't be any.
     
    Thrill5, May 17, 2009
    #4
  5. RG

    Daniel-G Guest

    Thrill5 said the following on 05/17/2009 08:12 PM:
    IMHO it's up to the firewall to allow/block access to port 25.
    It's the matter of the SMTP gateway to take care of spam and the rest.
    What you could do on the Pix is to limit the bandwidth dedicated to port 25.
    You can do that on a 515 running v7; on a 501 I doubt it's possible.
    Daniel
     
    Daniel-G, May 17, 2009
    #5
  6. RG

    Daniel-G Guest

    Brian V said the following on 05/18/2009 04:58 AM:
    I did it this way to limit web traffic:
    1/ traffic selection
    access-list WEB-Traffic extended permit tcp any eq www any
    access-list WEB-Traffic extended permit tcp any any eq www
    access-list WEB-Traffic extended permit tcp any any eq ftp
    access-list WEB-Traffic extended permit tcp any any eq ftp-data

    2/ class definition
    class-map CM-WEB-Trafic-Policy
    match access-list WEB-Traffic

    3/ policy definition
    policy-map PM-WEB-Trafic
    class CM-WEB-Trafic-Policy
    police input 1500000 2000000

    4/ apply to the interface
    service-policy PM-WEB-Trafic interface outside

    PIX v7.2 (don't know if it's available with v7.1).
    Hope it helps.
     
    Daniel-G, May 18, 2009
    #6
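To see concretely why Brian's source-port rule in #2 drops ordinary mail while Daniel's WEB-Traffic selection in #6 catches web flows in both directions, here is an added example (not from the thread, and not Cisco code) that parses those exact access-list lines and evaluates constructed packets against them with first-match semantics and the PIX implicit deny. It handles only the any/host/mask and "eq PORT" subset of PIX ACL syntax used on this page; the client and server addresses and the ephemeral port numbers are assumed values.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

PORT_NAMES = {"smtp": 25, "www": 80, "ftp": 21, "ftp-data": 20}  # names used in the thread
Ace = namedtuple("Ace", "action proto src sport dst dport")

def _addr(tok):  # consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'
    t = tok.pop(0)
    if t == "any":
        return ip_network("0.0.0.0/0")
    if t == "host":
        return ip_network(tok.pop(0) + "/32")
    return ip_network(f"{t}/{tok.pop(0)}", strict=False)  # dotted-quad mask

def _port(tok):  # consume an optional 'eq PORT'; None means any port
    if tok and tok[0] == "eq":
        tok.pop(0)
        p = tok.pop(0)
        return PORT_NAMES.get(p) or int(p)

def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC [eq P] DST [eq P]'."""
    tok = line.split()[2:]  # drop 'access-list' and the ACL name
    if tok[0] == "extended":
        tok.pop(0)
    action, proto = tok.pop(0), tok.pop(0)
    src, sport, dst, dport = _addr(tok), _port(tok), _addr(tok), _port(tok)
    return Ace(action, proto, src, sport, dst, dport)

def evaluate(acl, proto, src_ip, sport, dst_ip, dport):
    """First-match evaluation; an unmatched packet hits the PIX implicit deny."""
    for a in acl:
        if (a.proto in (proto, "ip") and ip_address(src_ip) in a.src and ip_address(dst_ip) in a.dst
                and a.sport in (None, sport) and a.dport in (None, dport)):
            return a.action
    return "deny"

# Brian's source-port rule and Daniel's WEB-Traffic selection, exactly as written in the thread.
SOURCE_PORT_ACL = [parse_ace("access-list outside permit tcp any eq 25 host 1.2.3.4")]
WEB_TRAFFIC_ACL = [parse_ace(l) for l in (
    "access-list WEB-Traffic extended permit tcp any eq www any",
    "access-list WEB-Traffic extended permit tcp any any eq www",
    "access-list WEB-Traffic extended permit tcp any any eq ftp",
    "access-list WEB-Traffic extended permit tcp any any eq ftp-data")]

def smtp_client_verdict(source_port):  # constructed client 203.0.113.7 -> mail host 1.2.3.4:25
    return evaluate(SOURCE_PORT_ACL, "tcp", "203.0.113.7", source_port, "1.2.3.4", 25)

def web_selected(sport, dport):  # does a TCP flow with these ports fall into the WEB-Traffic class?
    return evaluate(WEB_TRAFFIC_ACL, "tcp", "198.51.100.9", sport, "192.0.2.10", dport) == "permit"
```

A legitimate mail server connecting from an ephemeral source port such as 51234 is denied by the source-port rule, which is exactly the problem Brian and Thrill5 describe; only a sender that happens to use source port 25 gets through.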
  7. RG

    alexd Guest

    Surely that will slow down legitimate email as well as spam?
     
    alexd, May 18, 2009
    #7
  8. RG

    Daniel-G Guest

    alexd said the following on 05/18/2009 08:08 PM:
    Yes, of course.
    That's why email should be managed by an MTA and nothing else (with a bit
    of help from iptables/fail2ban, etc., if heavy load).
     
    Daniel-G, May 18, 2009
    #8
  9. RG

    Brian V Guest

    Good stuff! Love learning something new!
     
    Brian V, May 19, 2009
    #9