Netgate Discussion Forum

Suggestions internet -- PFS -- UT -- PFS

General pfSense Questions
josey:

I have problems with outgoing spam on my network, so I would put Untangle behind PFS to filter port 25.

This is just my idea; I would like to hear your suggestions.

Now I have PFS with 6 interfaces:
      WAN
      WAN 1
      LAN 10.10.10.0/24
      OPT1 10.10.20.0/24
      OPT2 10.10.30.0/24
      OPT3 10.10.40.0/24

and I would change that to this configuration:

INTERNET -- PFS1 -- UNTANGLE -- PFS2

      PFS1
      WAN
      WAN1
      LAN 10.10.0.0/24 (10.10.0.1)

      UNTANGLE
      external in bridge with LAN 10.10.0.2

      PFS2
      WAN (NAT turned off) 10.10.0.3
      LAN 10.10.10.0/24
      OPT1 10.10.20.0/24
      OPT2 10.10.30.0/24
      OPT3 10.10.40.0/24 (DHCP and CP running on it)

Static routes in PFS1:
      LAN 10.10.10.0/24 GW 10.10.0.3
      LAN 10.10.20.0/24 GW 10.10.0.3
      LAN 10.10.30.0/24 GW 10.10.0.3
      LAN 10.10.40.0/24 GW 10.10.0.3

What do you think?
Is there some better option?

Thanks

Guest:

You would be much better served to block all outbound traffic destined to TCP 25 except from your approved mail servers. Egress filtering at your mail server and proper firewall rules will fix this problem easily. Then just use reporting from your spam filtering solution to identify problem clients and shut them down.

josey:

Hm,
yes, but I asked for opinions, not for a solution of blocking port 25.
25 must work and be open for all clients, because the company has maybe 50 subcontractors, maybe more, and they use our network and internet resources for work. And they use the SMTP of their domain: mail.company.com (where www.company.com; xyz@company.com). And now they are using notebooks, so I should walk around and check every notebook, yeah right :)

So you would suggest that I tell them to use webmail? No, it is not a solution; they have to use mail clients (Outlook, Outlook Express, Thunderbird etc.) because the mail database is very important to them ;)

Thanks mate, I appreciate your advice, but it is not a solution.

Bern:

            Your original post said:

"I have problems with outgoing spam on my network, so I would put Untangle behind PFS to filter port 25."

            Based on that very vague spec., SubMicron suggested exactly what I would have suggested - prevent outbound SMTP from anything except known-good machines on your LAN.

            Then you changed the spec., contradicting yourself somewhat by saying:

"yes, but I asked for opinions, not for a solution of blocking port 25."

            Selective blocking = filtering, IMHO.

"25 must work and be open for all clients"

            You have bigger problems than you think.

"Thanks mate, I appreciate your advice, but it is not a solution."

            It was a good solution based on the inadequate specification.

Eugene:

Nowadays even some Internet providers block port 25, and I do not know any company (with decent IT support) which allows TCP port 25 from inside to outside (except mail servers, of course).
Josey, with your approach your public IP(s) should be blocked very soon by all anti-spam blacklists. I suspect that you do not run any mail server behind your firewall; only this can explain why you are still not blocked.
And finally, why would you worry about spam you are sending and put in an (expensive) device to block outgoing spam? I mean, what is the purpose? Who complains?

              http://ru.doc.pfsense.org

josey:

Sorry, I should have been more accurate when posting the question.
Now you know what the problem is, and I think this is so far the best solution (PFS - UT - PFS).

And who complains?
Lots of people :)

I really do appreciate your help, and I am asking now what you think about my solution, and whether you have an alternative solution.
And the SMTP port must be open.

Thanks guys

Cry Havok:

Why must it be open? Do users need to directly connect to remote mail servers?

josey:

Yes, as I already explained the situation: there are more than 50 users/client computers of subcontractors, and they are using their own outgoing mail servers.

Cry Havok:

                      So, you have 3 choices:

1. Force them to use 587/TCP to connect to their organisations' mail servers (this is how it is supposed to be done) and block port 25/TCP except from your mail server. Spam problem goes away.

2. Block 25/TCP outbound except from your mail server, and require contractors to use a VPN to connect to their organisations' mail servers.

                      3. Install spam blocker, cross fingers, spam problem doesn't completely go away ;)

                      Personally I'd suggest that you go with your current plan, and tell contractors that they have 3 months before you implement (1) or (2).

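The "block 25/TCP except from your mail server" rule above only pays off if you also do the reporting the earlier Guest reply mentions: find the LAN hosts still trying to reach remote port 25 directly. This is an added example, not code from the thread or from pfSense: it parses pfSense filter log (filterlog) CSV lines and lists the offending hosts per segment. The field positions are an assumption based on the documented IPv4/TCP filterlog layout and must be checked against your own logs; the log lines and the mail server address 10.10.10.250 are constructed.

```python
"""Report LAN hosts still attempting direct outbound SMTP from pfSense filter log lines."""
from collections import Counter, defaultdict
import ipaddress

# Assumed pfSense filterlog CSV positions for IPv4/TCP entries:
# rule,sub,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,offset,
# flags,proto-id,proto,length,src,dst,sport,dport,...  (verify against your own logs)
IPVER, ACTION, PROTO, SRC, DST, DPORT = 8, 6, 16, 18, 19, 21

# Constructed sample lines (not real logs); 10.10.10.250 is an assumed approved mail server.
SAMPLE_LOG = [
    "5,,,1000000103,em1,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,10.10.10.23,203.0.113.5,54321,25,0,S,1111,,65535,,mss",
    "5,,,1000000103,em2,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,60,10.10.20.7,198.51.100.9,40001,25,0,S,2222,,65535,,mss",
    "5,,,1000000103,em1,match,block,in,4,0x0,,64,12347,0,DF,6,tcp,60,10.10.10.23,203.0.113.6,54322,25,0,S,3333,,65535,,mss",
    "7,,,1000000105,em1,match,pass,in,4,0x0,,64,12348,0,DF,6,tcp,60,10.10.10.250,203.0.113.5,50000,25,0,S,4444,,65535,,mss",
    "9,,,1000000107,em3,match,pass,in,4,0x0,,64,12349,0,DF,6,tcp,60,10.10.30.4,203.0.113.5,50001,587,0,S,5555,,65535,,mss",
    "9,,,1000000107,em1,match,pass,in,4,0x0,,64,12350,0,none,17,udp,73,10.10.10.23,10.10.10.1,51000,53,53",
]
LAN_NETS = ["10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24", "10.10.40.0/24"]

def parse_filterlog(line):
    """Return action/src/dst/dport for an IPv4 TCP entry, or None for anything else."""
    f = line.strip().split(",")
    if len(f) < 22 or f[IPVER] != "4" or f[PROTO].lower() != "tcp":
        return None
    try:
        return {"action": f[ACTION], "src": ipaddress.ip_address(f[SRC]),
                "dst": f[DST], "dport": int(f[DPORT])}
    except ValueError:  # malformed address or port
        return None

def smtp_offenders(lines, allowed_senders, lan_nets, port=25):
    """Count direct port-25 attempts per LAN host, skipping the approved mail server(s).
    Both blocked and passed entries count, so the report is useful during the
    transition period as well as after the egress rule is enforced."""
    allowed = {ipaddress.ip_address(a) for a in allowed_senders}
    nets = [ipaddress.ip_network(n) for n in lan_nets]
    hits, targets = Counter(), defaultdict(set)
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None or rec["dport"] != port or rec["src"] in allowed:
            continue
        if not any(rec["src"] in n for n in nets):
            continue  # not one of our LAN segments
        hits[str(rec["src"])] += 1
        targets[str(rec["src"])].add(rec["dst"])
    return {h: {"attempts": c, "destinations": sorted(targets[h])} for h, c in hits.most_common()}

if __name__ == "__main__":
    for host, info in smtp_offenders(SAMPLE_LOG, ["10.10.10.250"], LAN_NETS).items():
        print(f"{host}: {info['attempts']} attempt(s) to {', '.join(info['destinations'])}")
```

Feed it the clog output of the filter log (or lines forwarded to a syslog server) and the hosts at the top of the list are the notebooks to look at first.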
josey:

Thanks for the advice.

That is the same thing I was thinking about!

And there is always a "but why".

But definitely I'm going to block port 25 for some time!
This is a pain in the a*s :(

Guest:

                          I'm not sure why I'm bothering to reply considering how you've conducted yourself in this thread, but what the hell, I'm bored.

The problem here is that you're trying to attack a problem and not being willing to take the steps necessary. In every site I've ever worked, we have a site security policy and a TOS which all network users must adhere to. You need to decide what is important based on your network's goals. If you need to be wide open, then I hope you have lots of lube and are properly flexible. However, if security is your goal, then you have a responsibility to lock things down.

I do not allow untrusted clients into my full production networks. If you have contractors coming in which may be infected with trojans and such, they should be isolated to a separate network segment. That segment should be heavily locked down and monitored. Contractors who come into your network should understand that they don't have full run of your network and will have to adhere to your TOS and security policy.

                          On a side note, if you post asking for opinions, when people offer their opinion, it would be a good idea for you to be receptive and not condescending.

josey:

Sorry, I didn't want to fight anyone …
Sorry if it looks like I wanted to :(
I was thinking about this, and as I said I will block port 25; only I need some transition period.

Thanks for the advice ;)
