Enhancement #2894

Mail filter: block port 25 from LAN to external network

Added by Giacomo Sanchietti about 5 years ago. Updated over 4 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-mail-filter
Target version: v6.6
Resolution:
NEEDINFO: No

Description

If nethserver-firewall is installed, block port 25 for all LAN clients (green zone) to the external network (red zone).

Port 25 is reserved for communication between servers. If a client sends on port 25, it is probably infected by a virus that generates spam.

The restriction can be overridden creating a new rule inside the firewall.


Related issues

Related to NethServer 6 - Enhancement #3295: Log smtp traffic rejection CLOSED

Associated revisions

Revision c7e4c230
Added by Giacomo Sanchietti about 5 years ago

Shorewall config: block port 25. Refs #2894

Revision fd4ac397
Added by Giacomo Sanchietti about 5 years ago

Revert to 2ea5d3e89c44cec021a8f2ee2ffa5badab337bec Refs #2894

Revision f5a9cc48
Added by Giacomo Sanchietti almost 5 years ago

Shorewall config: block port 25. Refs #2894

History

#1 Updated by Giacomo Sanchietti about 5 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

The rule should be valid also for hosts from blue zone.

#2 Updated by Giacomo Sanchietti about 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#3 Updated by Giacomo Sanchietti about 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#4 Updated by Giacomo Sanchietti about 5 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

Package in nethserver-testing:
  • nethserver-mail-filter-1.1.6-6.0gitc7e4c230.ns6.noarch.rpm

Test case
  • Configure a machine with green+red and install the package
  • Connections from green to port 25 must be blocked
  • Connections from blue to port 25 must be blocked

Note: before release update inline help, developer manual and admin manual.

#5 Updated by Filippo Carletti about 5 years ago

  • Status changed from ON_QA to TRIAGED
  • % Done changed from 70 to 20

After I installed the update, the block rule did not block connections.
In /var/log/messages I found:

Oct  7 18:58:38 nsrv64a2 esmith::event[28672]: [ERROR] Shorewall restart:    ERROR: Unknown source zone (blue) /etc/shorewall/rules (line 181)

I do not have a blue interface.
Moreover, I think that blocking a port in an update is dangerous.
We could add a checkbox somewhere to enable blocking. We could set the checkbox to disabled if updating a system and enabled if it's a new install.

#6 Updated by Giacomo Sanchietti about 5 years ago

Implementation moved to b2894.

#7 Updated by Davide Principi almost 5 years ago

  • Target version changed from v6.5 to v6.6-beta1

#8 Updated by Giacomo Sanchietti almost 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#9 Updated by Giacomo Sanchietti almost 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#10 Updated by Giacomo Sanchietti almost 5 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Package in nethserver-testing:
  • nethserver-mail-filter-1.2.1-1.0gitf5a9cc48.ns6.noarch.rpm

#11 Updated by Davide Principi almost 5 years ago

  • Target version changed from v6.6-beta1 to v6.6-rc1

#12 Updated by Giacomo Sanchietti almost 5 years ago

  • Target version changed from v6.6-rc1 to v6.6

#13 Updated by Filippo Carletti over 4 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

Green+red:
REJECT loc net tcp 25
After adding a blue:
REJECT blue net tcp 25
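
The two verification lines above are Shorewall rules (ACTION SOURCE DEST PROTO DEST PORT). The following is an added example, not NethServer or nethserver-mail-filter code: a small checker that reads a rules fragment and reports (a) internal zones with no tcp/25 REJECT or DROP toward net and (b) rules whose source zone is not configured on the box, which is the "Unknown source zone (blue)" Shorewall error from comment #5 when the blue rule was emitted on a machine with no blue interface. The rule text, the zone lists and the extra port 587 line are constructed sample input; zone names loc (green) and blue, and the external zone net, are taken from the rules quoted in this issue.

```python
"""Check a Shorewall rules fragment for the port-25 egress block.

Added example, not NethServer code. Sample rules and zone lists below
are constructed for illustration.
"""

# Constructed sample: the two rules from the VERIFIED note plus one
# unrelated ACCEPT line to show that other rules are ignored.
SAMPLE_RULES = """\
# ACTION SOURCE DEST PROTO DPORT   (Shorewall 'rules' columns)
REJECT loc  net tcp 25
REJECT blue net tcp 25
ACCEPT loc  net tcp 587
"""

EXTERNAL_ZONE = "net"
ZONES_GREEN_ONLY = ("loc",)          # green+red box, no blue interface
ZONES_WITH_BLUE = ("loc", "blue")    # green+blue+red box


def _zone(field):
    """Strip an optional address qualifier, e.g. 'loc:192.168.1.5' -> 'loc'."""
    return field.split(":", 1)[0]


def parse_rules(text):
    """Return a list of (action, src_zone, dst_zone, proto, dport) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5:
            raise ValueError("rule line too short: %r" % raw)
        action, src, dst, proto, dport = parts[:5]
        rules.append((action.upper(), _zone(src), _zone(dst), proto.lower(), dport))
    return rules


def check_smtp_egress(text, internal_zones, external_zone=EXTERNAL_ZONE):
    """Return (missing, unknown) for a rules fragment.

    missing: internal zones that have no REJECT/DROP of tcp/25 toward
             external_zone (the block this issue asks for is absent).
    unknown: source zones referenced by a rule but not configured, which
             makes 'shorewall restart' fail with 'Unknown source zone'.
    """
    rules = parse_rules(text)
    configured = set(internal_zones) | {external_zone}
    unknown = sorted({src for _, src, _, _, _ in rules if src not in configured})
    blocked = {src for action, src, dst, proto, dport in rules
               if action in ("REJECT", "DROP") and dst == external_zone
               and proto == "tcp" and dport == "25"}
    missing = [z for z in internal_zones if z not in blocked]
    return missing, unknown


if __name__ == "__main__":
    for label, zones in (("green+red", ZONES_GREEN_ONLY),
                         ("green+blue+red", ZONES_WITH_BLUE)):
        missing, unknown = check_smtp_egress(SAMPLE_RULES, zones)
        print("%-15s missing block: %s  unknown zones: %s"
              % (label, missing or "none", unknown or "none"))
```

On the green+blue+red box the sample passes cleanly; on the green+red box the same fragment reports blue as an unknown zone, which is exactly the condition that has to be avoided by emitting the blue rule only when a blue interface exists.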

#14 Updated by Giacomo Sanchietti over 4 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100
Released in nethserver-base:
  • nethserver-mail-filter-1.3.0-1.ns6.noarch.rpm

#15 Updated by Filippo Carletti about 4 years ago
