Re: Possible Mail Relay or just new usages of returned mail by spammers



Hollis,

If you have ANY type of firewall, be it a NAT router or true firewall
appliance (SonicWALL, WatchGuard, etc.) between your server and your ISP
connection, then ISA is not the primary firewall.

ISA can be used in conjunction with the router/firewall, but if you do, you
need to keep in mind that whatever you want to open for inbound access has
to be done twice...once in ISA, and once in the router to port forward to
the WAN NIC of the SBS, which is primarily what ISA is protecting.

Typical home-user class NAT routers let everything out by default...no need
to open outbound ports, just the desired inbound ports, if any. Also, by
default, any connection they make to an outside source will be allowed back
in without opening a port, i.e., if you make a POP3 request on port 110 to
an outside server, it does not have to be open in the router to get the
mail. The router knows you made the request and lets the resulting inbound
connection come through because it is now trusted.

I had ISA 2004 on my SBS but removed it in favor of a single-NIC setup with
a true firewall protecting the LAN.

I do not know enough about ISA to help with any of your questions, but if
you DO NOT have any inbound mail delivered directly to Exchange (via port
25), why not just make sure it is NOT port-forwarded in your router? That
is, make sure port 25 is NOT open to inbound traffic. Period, done, no need
to turn it off or on.

While I did not specifically say so, I was talking about port 25 inbound,
which I thought would have been clear when I asked if "you do not use
Exchange to receive directly" and when I recommended trying to Telnet to it
from a remote system as a test to see if port 25 was open.

I saw mention of articles to test if you had port 25 open to the Internet
from outside sources, but nothing where anyone said anything about
outbound-only.

Gregg Hill
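Gregg's Telnet test from a remote system, written up as a small checker (an added example, not code from either poster). Run it from outside your network against your own public address; a "closed" or "filtered" result for port 25 means the router is not forwarding it. The 127.0.0.1 listener and the closed-port helper are constructed stand-ins so the script can be demonstrated offline.

```python
import socket
import threading

def check_smtp_port(host, port=25, timeout=5.0):
    """Connect to host:port and read the first greeting. state is 'open'
    (accepted), 'closed' (refused), 'filtered' (no answer before timeout,
    i.e. silently dropped) or 'error'; an SMTP server greets with a 220."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(512).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""  # connected but silent: the port is still open
            return {"state": "open", "banner": banner}
    except ConnectionRefusedError:
        return {"state": "closed", "banner": ""}
    except socket.timeout:
        return {"state": "filtered", "banner": ""}
    except OSError as exc:  # e.g. no route to host
        return {"state": "error", "banner": str(exc)}

def serve_fake_banner(banner=b"220 mail.example.test ESMTP ready\r\n"):
    """Constructed stand-in for a mail server: listens once on 127.0.0.1,
    greets the first client, then exits. Returns the port it chose."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def _serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=_serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_local_port():
    """A 127.0.0.1 port nothing listens on (bind, read, release)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    # Offline demo; the real check runs from a remote system against your
    # own public address: check_smtp_port("your.public.address", 25)
    print("listener:", check_smtp_port("127.0.0.1", serve_fake_banner()))
    print("closed:  ", check_smtp_port("127.0.0.1", closed_local_port()))
```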



"Hollis Paul" <nospam@xxxxxxxxxx> wrote in message
news:VA.00000434.026f6ccd@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
In article <#TFDc11oIHA.3652@xxxxxxxxxxxxxxxxxxxx>, Gregg Hill wrote:
Do you have a firewall or router in front of your SBS? Only open inbound
ports that you want to forward.

If you have a real firewall and not just a NAT router, check this thread and
open only what you need.

It is just a NAT router, not a 'real = hardware' firewall appliance. My
understanding is that ISA 2000 is our Firewall to the external world. In that
thread, you all were talking about Port 25 only being open outbound. Now I
have done enough monkeying around in ISA 2000 to know that you can set ports
to be only open one direction. My real question was "Is there an easy way,
using the ISA Management console, to open and close Port 25?" By easy, I mean
something equivalent to having the Network Connections screen open, on one of
my multiple desktops where it is always just one double-click away, and then
clicking enable or disable the WAN connector.

Is it just a matter of disabling a particular firewall policy? Or moving it
up or down?

What is really confusing is that I have two firewall policies near the top:

8 SMTP Server Access Rule, Allow, SMTP, External, Local Host, all users.
11 SBS SMTP outbound access, Allow, SMTP, Local Host, External, all users

But when I go in and click on the SMTP protocol, click edit, click parameters,
then I see that both are port 25 and outbound, and apparently tied to source
sets and destination sets, and I can't see how to get to either of those.

There are other SMTP rules lower down, that are worrisome.

28 ISA40: Permit mail from member server, Allow, SMTP and SMTPServer!!!, Member
Server, Anywhere!!!

I think that is just letting me mail from the member server to and from client
computers. Not sure if that allows the internet cloud to come to the member
server. I will disable that rule for now; but I would like some advice on it.

--
Hollis Paul
Mukilteo, WA USA



