
Blocking port 25 for all pcs except one.

Apr 08 09 11:42 pm

Hi everybody

Wingate 6.2.2:

The internal mail server on the LAN is GroupWise, which connects outside via port 25 (Ens has port 25 opened for "lan connections to internet").
I'd like to prevent all LAN PCs except the GroupWise server from using port 25.

Can I do it in some way with WinGate?

Bye

Nicola

Re: Blocking port 25 for all pcs except one.

Apr 09 09 4:57 am

Hi

There are several ways you can do this.

a) using Extended Networking policies.
b) using the SMTP server to intercept connections, and block access from other machines, then relay the mail on.
c) using a TCP mapping proxy to intercept connections on port 25, and applying policy to prevent others from using it.

Depending on what else you are using in WinGate, c) could be the easiest.

Regards

Adrien

Re: Blocking port 25 for all pcs except one.

Apr 09 09 12:59 pm

Many thanks Adrien.

Trying solution c). Let me know if I'm right: I want to allow only 192.168.0.126 to use port 25. So:

Creating a TCP mapping service on port 25 with the following policy:
- Recipient: Everyone and User may be unknown
- Location: Specify location where .......... - Included locations: 127.0.0.1 - 192.168.0.126 (Does this mean that all other IPs are excluded? On the other hand, does filling the excluded locations with some records mean that all the others are included?)
- Time, Ban List, Advanced: left unchanged

Bye

Nicola

Re: Blocking port 25 for all pcs except one.

Apr 09 09 4:01 pm

Hi Nicola,

The default behaviour of the location tab is to deny access to all IP addresses. You can then grant access to single IPs or groups of IPs (with the wildcards * and ?) using the inclusion list. The exclusion list is there to override the inclusions, so if you specify an IP in both lists, the IP will be denied access. This is useful if you want to take a blacklist approach to controlling access, i.e. allow a large IP range in the inclusions (192.168.1.*) and then exclude certain IPs from within that range.

So what you have set up right now is perfect. Only the two IP addresses specified in the inclusions will be granted access. Everyone else will be denied access.
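To make the location-tab semantics described above concrete (default deny, inclusions grant, exclusions override, * and ? wildcards) and the gateway's behaviour from the thread (only outbound port 25 is intercepted; with no mappings an allowed client is relayed to its original destination), here is an added Python model. It is not WinGate code and not part of the original thread; the sample connections and the 203.0.113.10 destination are constructed, and the wildcard handling (* matches any run of characters, ? a single character) is an assumption about the location tab.

```python
import re
from dataclasses import dataclass


def _wildcard_match(pattern: str, ip: str) -> bool:
    """Assumed location-tab wildcards: '*' = any run of characters, '?' = one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, ip) is not None


def location_allows(ip: str, included, excluded=()) -> bool:
    """Default deny; an inclusion grants access; an exclusion overrides any inclusion."""
    if any(_wildcard_match(p, ip) for p in excluded):
        return False
    return any(_wildcard_match(p, ip) for p in included)


@dataclass(frozen=True)
class Conn:
    src: str    # LAN client address
    dst: str    # destination on the internet
    dport: int  # destination port


def gateway_decision(conn: Conn, included, excluded=(), intercept_port: int = 25):
    """What the gateway does with a LAN connection heading out to the net.

    Only traffic to intercept_port is handled by the TCP mapping service; other
    ports pass untouched. With no mappings configured, an allowed client is
    relayed to the destination IP:port it originally asked for.
    """
    if conn.dport != intercept_port:
        return ("pass", conn.dst, conn.dport)
    if location_allows(conn.src, included, excluded):
        return ("relay", conn.dst, conn.dport)
    return ("deny", None, None)


# Constructed sample traffic (not from the thread): mail server, desktop, visiting laptop
SAMPLE = [
    Conn("192.168.0.126", "203.0.113.10", 25),  # GroupWise server sending mail
    Conn("192.168.0.50", "203.0.113.10", 25),   # desktop trying SMTP directly
    Conn("192.168.0.77", "203.0.113.10", 25),   # visiting laptop, e.g. a mass-mailer
    Conn("192.168.0.50", "203.0.113.10", 80),   # web traffic, not intercepted
]


def apply_policy(conns, included=("127.0.0.1", "192.168.0.126"), excluded=()):
    """Evaluate the policy from the thread (two included addresses, nothing excluded)."""
    return [gateway_decision(c, included, excluded) for c in conns]


if __name__ == "__main__":
    for c, d in zip(SAMPLE, apply_policy(SAMPLE)):
        print(f"{c.src} -> {c.dst}:{c.dport}  {d[0]}")
```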

Re: Blocking port 25 for all pcs except one.

Apr 09 09 11:31 pm

Many thanks

Going to try it next week at my customer's.

Happy Easter

Nicola

Re: Blocking port 25 for all pcs except one.

Apr 09 09 11:55 pm

A couple more things to note.

The TCP mapping service needn't run on port 25, it only needs to intercept port 25. So you can still run, e.g., another mail server on port 25 without conflict; the only connections that will be intercepted are ones that would go through WinGate to the net, not connections to the WinGate machine itself on port 25.

If you leave all the mappings blank and default mapping blank, then the TCP mapping proxy will connect to the originally intercepted destination IP:port, so the client will connect through to where they were originally trying to connect to, but you get policy control, and can do things like make the connection out a specified gateway etc.

Felice pasqua!

Re: Blocking port 25 for all pcs except one.

Apr 10 09 5:02 am

The TCP mapping service needn't run on port 25, it only needs to intercept port 25. So you can still run, e.g., another mail server on port 25 without conflict; the only connections that will be intercepted are ones that would go through WinGate to the net, not connections to the WinGate machine itself on port 25.

I suppose this also applies to NATed connections.

If you leave all the mappings blank and default mapping blank, then the TCP mapping proxy will connect to the originally intercepted destination IP:port, so the client will connect through to where they were originally trying to connect to, but you get policy control, and can do things like make the connection out a specified gateway etc.

Good, this should work as I need.

The aim of this configuration is to prevent the remote eventuality that a "mass-mailer infected PC" can communicate with the internet and get the public IP blacklisted (desktops are usually clean: SAV antivirus on each one + KAV on WinGate is safe enough, but many external laptops are often connected to the LAN . . . . . . ). I'll try to test the blocking with an OES2 virtual machine with a test GroupWise 8.0 installed on it, which will play the "bad guy" character.

Felice pasqua!

Studying Italian? ;-)

Bye

Nicola