Enhancement #2894
Mail filter: block port 25 from LAN to external network
| Field | Value | Field | Value |
|---|---|---|---|
| Status: | CLOSED | Start date: | |
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-mail-filter | | |
| Target version: | v6.6 | | |
| Resolution: | | NEEDINFO: | No |
Description
If nethserver-firewall is installed, block port 25 for all LAN clients (green zone) to the external network (red zone).
Port 25 is reserved for communication between mail servers. A client that sends directly on port 25 is probably infected by a virus that generates spam.
The restriction can be overridden by creating a new rule in the firewall.
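The rule described above, as an added example that is not NethServer's own template code: it renders the Shorewall rules lines for each LAN zone that is actually configured, so a system without a blue interface never emits a rule for a zone Shorewall does not know (the failure seen later in comment #5), and it models the enable/disable choice as a flag. Zone names follow the page (loc for green, blue, net for red); the function names and the list of configured zones are assumptions of this example.

```python
"""Render Shorewall rules that reject outbound SMTP (tcp/25) from the LAN
zones (green = loc, blue) to the external zone (red = net).

Added example, not NethServer's template code. The configured-zone list is
assumed to come from the firewall configuration of the machine.
"""

SMTP_PORT = 25
LAN_ZONES = ("loc", "blue")   # Shorewall names for green and blue
EXTERNAL_ZONE = "net"         # Shorewall name for red


def render_smtp_block_rules(configured_zones, enabled=True):
    """Return one Shorewall 'rules' line per LAN zone present on the system.

    Zones absent from configured_zones are skipped, so a green+red box
    yields only 'REJECT loc net tcp 25' and never a rule for blue.
    The enabled flag models an administrator opt-out for the block.
    """
    if not enabled:
        return []
    present = set(configured_zones)
    return [
        f"REJECT {zone} {EXTERNAL_ZONE} tcp {SMTP_PORT}"
        for zone in LAN_ZONES
        if zone in present
    ]


def validate_rules(rules, configured_zones):
    """Simplified stand-in for Shorewall's zone check (assumption of this
    example): raise ValueError if a rule names a source zone that is not
    configured, which is what broke the restart in comment #5.
    """
    known = set(configured_zones) | {EXTERNAL_ZONE}
    for lineno, rule in enumerate(rules, start=1):
        _action, src, _dst, _proto, _port = rule.split()
        if src not in known:
            raise ValueError(f"ERROR: Unknown source zone ({src}) (line {lineno})")
    return True


if __name__ == "__main__":
    for zones in (["loc"], ["loc", "blue"]):
        rules = render_smtp_block_rules(zones)
        validate_rules(rules, zones)
        print(zones, "->", rules)
```

On a green+red machine the function returns the single loc rule shown in the verification comment; adding a blue zone adds the second line, matching the two rule sets reported there.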
Related issues
Associated revisions
Shorewall config: block port 25. Refs #2894
Revert to 2ea5d3e89c44cec021a8f2ee2ffa5badab337bec Refs #2894
Shorewall config: block port 25. Refs #2894
History
#1 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
The rule should be valid also for hosts from blue zone.
#2 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#3 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#4 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-mail-filter-1.1.6-6.0gitc7e4c230.ns6.noarch.rpm
- Configure a machine with green+red and install the package
- Connections from green to port 25 must be blocked
- Connections from blue to port 25 must be blocked
Note: before release update inline help, developer manual and admin manual.
#5 Updated by Filippo Carletti almost 7 years ago
- Status changed from ON_QA to TRIAGED
- % Done changed from 70 to 20
After I installed the update, the block rule did not block connections.
In /var/log/messages I found:
Oct 7 18:58:38 nsrv64a2 esmith::event[28672]: [ERROR] Shorewall restart: ERROR: Unknown source zone (blue) /etc/shorewall/rules (line 181)
I do not have a blue interface.
Moreover, I think that blocking a port in an update is dangerous.
We could add a checkbox somewhere to enable blocking. We could set the checkbox to disabled if updating a system and enabled if it's a new install.
#6 Updated by Giacomo Sanchietti almost 7 years ago
Implementation moved to b2894.
#7 Updated by Davide Principi over 6 years ago
- Target version changed from v6.5 to v6.6-beta1
#8 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#9 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#10 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-mail-filter-1.2.1-1.0gitf5a9cc48.ns6.noarch.rpm
#11 Updated by Davide Principi over 6 years ago
- Target version changed from v6.6-beta1 to v6.6-rc1
#12 Updated by Giacomo Sanchietti over 6 years ago
- Target version changed from v6.6-rc1 to v6.6
#13 Updated by Filippo Carletti over 6 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
Green+red:
REJECT loc net tcp 25
After adding a blue:
REJECT blue net tcp 25
#14 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-mail-filter-1.3.0-1.ns6.noarch.rpm
#15 Updated by Filippo Carletti almost 6 years ago
- Related to Enhancement #3295: Log smtp traffic rejection added