Suggestions internet–PFS--UT--PFS



  • i have problems with outgoing spam on my network, so i would put untangle behind pfs to filter port 25

    this is just my idea, i would like to hear your suggestions

    now i have PFS with 6 interfaces,
    WAN
    WAN 1
    LAN 10.10.10.0/24
    OPT1 10.10.20.0/24
    OPT2 10.10.30.0/24
    OPT3 10.10.40.0/24

    and i would change that to this configuration

    INTERNET –- PFS1 –- UNTANGLE –- PFS2

    PFS1
    WAN
    WAN1
    LAN 10.10.0.0/24 (10.10.0.1)

    UNTANGLE
    external in bridge with LAN 10.10.0.2

    PFS2
    WAN (NAT turned off) 10.10.0.3
    LAN 10.10.10.0/24
    OPT1 10.10.20.0/24
    OPT2 10.10.30.0/24
    OPT3 10.10.40.0/24 (DHCP and CP running on it)

    static route in PFS1
    LAN 10.10.10.0/24 GW 10.10.0.3
    LAN 10.10.20.0/24 GW 10.10.0.3
    LAN 10.10.30.0/24 GW 10.10.0.3
    LAN 10.10.40.0/24 GW 10.10.0.3

    what do you think?
    is there some better option?

    thanx



  • You would be much better served to block all outbound traffic destined to TCP 25 except from your approved mail servers.  Egress filtering at your mail server and proper firewall rules will fix this problem easily.  Then just use reporting from your spam filtering solution to identify problem clients and shut them down



  • hm,
    yes, but i asked for opinions not for solution of blocking port 25.
    25 mustwork and be opened for all clients, because company have maybe 50 subcontractor, maybe more, and they use our network and internet resources for work. And they use SMTP of their domain: mail.company.com (where; www.company.com; xyz@company.com). And now, they are using notebooks, so i should walk around and check every notebook, yeah right :)

    So you will suggest me to tell them to use web mail, no, it is not solution, they have to use mail clients (outlook, outlook express, thunderbird etc,) because mail data base is very important to them ;)

    thanks mate i appreciate your advice, but it is not solution.



  • Your original post said:

    "i have problems with outgoing spam on my network, so i would put untangle behind pfs to filter port 25"

    Based on that very vague spec., SubMicron suggested exactly what I would have suggested - prevent outbound SMTP from anything except known-good machines on your LAN.

    Then you changed the spec., contradicting yourself somewhat by saying:

    "yes, but i asked for opinions not for solution of blocking port 25."

    Selective blocking = filtering, IMHO.

    "25 mustwork and be opened for all clients"

    You have bigger problems than you think.

    "thanks mate i appreciate your advice, but it is not solution."

    It was a good solution based on the inadequate specification.



  • Nowadays even some Internet providers block port 25 and I do not know any company (with decent IT support) which allows tcp port 25 from inside to outside (except mail servers of course).
    Josey, with your approach your public IP(s) should be blocked very soon by all antispam-blacklists. I suspect that you do not run any mail-server behind your firewall, only this can explain why you are still not blocked.
    And finally, why would you worry about spam you are sending and put (expensive) device to block outgoing spam? I mean what is the purpose? Who complains?



  • sorry i should be more accurate when posting a question.
    Now you know what problem is, and i think this is so far best solution (PFT - UT -PFS)

    And, who complains ?
    Lots of people :)

    I really do appreciate your help, and asking now, what do you think about my solution, and if you have alternative solution.
    And SMTP port must be open.

    thanks guys



  • Why must it be open?  Do users need to directly connect to remote mail servers?



  • yes, as i already explain situation, there is more than 50 users/client comps of subcontractors, and they are using their outgoing mail servers.



  • So, you have 3 choices:

    1. Force them to use 587/TCP to connect to their organisations mail servers (this is how it is supposed to be done) and block port 25/TCP except from your mail server.  Spam problem goes away.

    2. Block 25/TCP outbound except from your mail server, require contractors to use a VPN to connect to their organisations mail server.

    3. Install spam blocker, cross fingers, spam problem doesn't completely go away ;)

    Personally I'd suggest that you go with your current plan, and tell contractors that they have 3 months before you implement (1) or (2).



  • thanks for advice

    that is same thing that i was thinking about!

    and there is always "but why"

    but definitely im going to block port 25 for some time !
    this is pain in the a*s :(



  • I'm not sure why I'm bothering to reply considering how you've conducted yourself in this thread, but what the hell, I'm bored.

    The problem here is that you're trying to attack a problem and not being willing to take the steps necessary.  In every site I've ever worked, we have a site security policy and a TOS which all network users must adhere to.  You need to decide what is important based on your network's goals.  If you need to be wide open, then I hope you have lots of lube and are properly flexible.  However, if security is your goal, then you have a responsibility to locking things down.

    I do not allow untrusted clients into my full production networks.  If you have contractors coming in which may be infected with trojans and such, they should be isolated to a separate network segment.  That segment should be heavily locked down and monitored.  Contractors who come into your network should understand that they don't have full run of your network and will have to adhere to your TOS and security policy.

    On a side note, if you post asking for opinions, when people offer their opinion, it would be a good idea for you to be receptive and not condescending.



  • Sorry, i didn want to fight anyone …
    sorry if looks like i want :(
    i was thinking about this, and as i said will block port 25, only i need some transition period.

    thanks for advices ;)


Locked