Networking Forums

Simple IPSEC filter

 
 
dlbrum
03-16-2005, 01:23 PM
I've got a policy that is successful in restricting access to a server by IP
addresses and subnets. No protocol restrictions.

Now I'd like to open the machine to accept SMTP port 25 traffic from the
universe.

A simple filter like the address filters above that adds port 25 TCP
mirrored + "permit" doesn't seem to do the trick. It seems logical that
port/protocol would be more "specific", but the filter won't permit machines
outside of my "permit" group to see port 25.

Appreciate any ideas ..

Dave, U. of FL Gators...
 
Steven L Umbach
03-17-2005, 03:16 AM
Try a rule with a permit filter action that includes a mirrored filter entry
for destination address - my IP, source address - any, protocol - TCP,
destination port 25, source port - any. --- Steve


"dlbrum" <(E-Mail Removed)> wrote in message
news:CDADE320-B506-4D18-8CF3-(E-Mail Removed)...
> I've got a policy that is successful in restricting access to a server by
> IP
> addresses and subnets. No protocol restrictions.
>
> Now I'd like to open the machine to accept SMTP port 25 traffic from the
> universe.
>
> A simple filter like the address filters above that adds port 25 TCP
> mirrored + "permit" doesn't seem to do the trick. It seems logical that
> port/protocol would be more "specific", but the filter won't permit
> machines
> outside of my "permit" group to see port 25.
>
> Appreciate any ideas ..
>
> Dave, U. of FL Gators...



 
dlbrum
03-17-2005, 01:03 PM

That's what I've been trying, but it won't even let me outbound, let alone
inbound.

Even if I put in a specific destination IP address (not in the permitted
subnet), if I specify TCP and port 25, then the connection won't work. Same
mirrored rule, just remove the TCP and port designations as 25, and the
connection is fine.

This rule is in addition to rules that permit a subnet, and deny everyone
else, no protocol or port restrictions.

So I'm wondering about the order of rule/filter application. I thought it
was from specific to general, but it seems to me that the opposite is
happening.


"Steven L Umbach" wrote:

> Try a rule with a permit filter action that includes a mirrored filter entry
> for destination address - my IP, source address - any, protocol - TCP,
> destination port 25, source port - any. --- Steve

 
Steven L Umbach
03-17-2005, 05:43 PM
I have used ipsec filters such as you are trying to implement many times and
they work fine. I start off with a mirrored block all, add a mirrored permit
all for the subnet, and then specific mirrored filter entries for permitted
inbound. The order of the filters is not important; as you say, they are given
a weighting based on general to specific. Most of the time the problem is
that the ports/protocols are wrong for the source/destination. If you are
using Windows 2003 you can use the two ip security mmc snapins to help
troubleshoot ipsec problems and also use netsh to enable logging of dropped
packets. The link below may also be helpful in tips on building your ipsec
filters. --- Steve

http://www.securityfocus.com/infocus/1559

"dlbrum" <(E-Mail Removed)> wrote in message
news:706D9A3C-54B9-44B2-86F9-(E-Mail Removed)...
>
> That's what I've been trying, but it won't even let me outbound, let alone
> inbound.
>
> Even if I put in a specific destination IP address (not in the permitted
> subnet), if I specify TCP and port 25, then the connection won't work.
> Same
> mirrored rule, just remove the TCP and port designations as 25, and the
> connection is fine.
>
> This rule is in addition to rules that permit a subnet, and deny everyone
> else, no protocol or port restrictions.
>
> So I'm wondering about the order of rule/filter application. I thought it
> was from specific to general, but it seems to me that the opposite is
> happening.



 
dlbrum
03-17-2005, 05:47 PM
I misread your post. The reason I am wary of your suggested filter is that I
don't want any host anywhere to be able to come in thru any port... Just
25...

?

If I allow one machine in without restricting to TCP and port 25, it's fine.
As soon as I restrict that same filter to TCP and port 25, no can do...
sigh...

"Steven L Umbach" wrote:

> Try a rule with a permit filter action that includes a mirrored filter entry
> for destination address - my IP, source address - any, protocol - TCP,
> destination port 25, source port - any. --- Steve

 
Steven L Umbach
03-17-2005, 06:11 PM
You said you wanted to allow the universe to be able to access port 25 TCP.
The filter I suggested does just that - allows any IP to access port 25 TCP
on your computer. The source port could be any which typically would be any
port over 1024 from the client trying to connect. Ipsec does not allow you
to specify port ranges. You could manually add each port from 1025-65550 to
a filter list but that would take a long time. --- Steve


"dlbrum" <(E-Mail Removed)> wrote in message
news:0E87B78F-3DB8-4165-B598-(E-Mail Removed)...
> I misread your post. The reason I am wary of your suggested filter is that
> I
> don't want any host anywhere to be able to come in thru any port... Just
> 25...
>
> ?
>
> If I allow one machine in without restricting to TCP and port 25, it's
> fine.
> As soon as I restrict that same filter to TCP and port 25, no can do...
> sigh...



 
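As an added example (not from the thread, and not Microsoft's IPsec implementation), the following Python models the behaviour Steve describes: filters are weighted from general to specific rather than applied in list order, a mirrored filter also covers the reply direction, and a filter that pins the client's source port to 25 as well never matches a client connecting from an ephemeral port. The addresses, filter names and the exact weighting scheme are constructed assumptions for illustration.

```python
import ipaddress
from collections import namedtuple

# Added example, not from the thread: a small model of Windows IPsec filter
# selection as Steve describes it (the most specific matching filter wins no
# matter what order the filters were added in, and a mirrored filter also
# matches the reverse direction). All addresses are constructed values.

Packet = namedtuple("Packet", "src dst proto src_port dst_port")
# src/dst: "any", "me", a host address, or a network such as "192.0.2.0/24";
# proto: "any", "TCP" or "UDP"; a port of 0 means any port.
Filter = namedtuple("Filter", "name action src dst proto src_port dst_port mirrored",
                    defaults=("any", "any", "any", 0, 0, True))

def _addr_match(spec, addr, me):
    if spec in ("any", "me"):
        return spec == "any" or addr == me
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _one_way(f, p, me):
    return (_addr_match(f.src, p.src, me) and _addr_match(f.dst, p.dst, me)
            and f.proto in ("any", p.proto)
            and f.src_port in (0, p.src_port) and f.dst_port in (0, p.dst_port))

def matches(f, p, me):
    """A mirrored filter also covers the packet with both ends swapped (the replies)."""
    swapped = Packet(p.dst, p.src, p.proto, p.dst_port, p.src_port)
    return _one_way(f, p, me) or (f.mirrored and _one_way(f, swapped, me))

def weight(f):
    """Specificity: every non-wildcard field adds weight; a host counts more than a subnet."""
    addr_w = lambda s: 0 if s == "any" else (1 if "/" in s else 2)
    return (addr_w(f.src) + addr_w(f.dst) + (f.proto != "any")
            + (f.src_port != 0) + (f.dst_port != 0))

def decide(filters, p, me):
    """The most specific matching filter decides; traffic no filter covers is left alone."""
    hits = [f for f in filters if matches(f, p, me)]
    return max(hits, key=weight).action if hits else "permit"

ME = "203.0.113.10"                                   # the server's own address
BASE = [Filter("block all", "block"),
        Filter("permit LAN", "permit", src="192.0.2.0/24", dst="me")]
# Steve's filter: any source address and any source port, TCP, to my port 25.
STEVE = BASE + [Filter("SMTP in", "permit", dst="me", proto="TCP", dst_port=25)]
# The "port 25 to port 25" reading: pins the client's source port to 25 as well.
PINNED = BASE + [Filter("SMTP 25->25", "permit", dst="me", proto="TCP", src_port=25, dst_port=25)]
SYN = Packet("198.51.100.7", ME, "TCP", 1535, 25)    # outside client, ephemeral source port
REPLY = Packet(ME, "198.51.100.7", "TCP", 25, 1535)  # the server's answer, matched via the mirror
```

decide(STEVE, SYN, ME) returns "permit" while decide(PINNED, SYN, ME) returns "block", which is the symptom in the thread: a client on an ephemeral port never matches a filter that also requires source port 25, so the mirrored block-all is the only match left.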
 
dlbrum
03-18-2005, 07:53 PM
Well, I didn't realize that a "foreign" SMTP connection would come from a
different port (than 25). I thought that it was port 25 to port 25 sort of a
deal.

So I'm allowing any port on any foreign machine to access only my port 25?

Thanks so much for the help,
dave

"Steven L Umbach" wrote:

> You said you wanted to allow the universe to be able to access port 25 TCP.
> The filter I suggested does just that - allows any IP to access port 25 TCP
> on your computer. The source port could be any which typically would be any
> port over 1024 from the client trying to connect. Ipsec does not allow you
> to specify port ranges. You could manually add each port from 1025-65550 to
> a filter list but that would take a long time.--- Steve

 
Phillip Windell
03-18-2005, 08:05 PM
"dlbrum" <(E-Mail Removed)> wrote in message
news:9FFD316B-F70A-4DC3-9BC8-(E-Mail Removed)...
> Well, I didn't realize that a "foreign" SMTP connection would come from a
> different port (than 25). I thought that it was port 25 to port 25 sort
> of a deal.
>
> So I'm allowing any port on any foreign machine to access only my port 25?

That is correct. Most TCP communication does not use the same port at both
ends. The destination port (or target port) is the one everybody knows
about and thinks about, but the source port (client port) is usually a
random number between 1025 and 5000.

Play around a bit with Network Monitor and you will see it works like that
with just about all IP-based traffic.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



 
Steven L Umbach
03-19-2005, 04:23 AM
Correct. Normally the client port would be a random unprivileged port above
1024. There are rare exceptions where the client and server use the same
port, such as port 138 UDP for browser service traffic. You can use the
command netstat -an to see the client and server ports used in a connection
to your server. For instance, a netstat -an from my computer right now shows
[see below] that I am connected to my nntp server on port 119 TCP and my
computer is using port 1535 TCP as the client port behind my NAT firewall.
The port that my computer uses, however, can change in future connections to
my nntp newsgroup server. --- Steve

TCP 192.168.1.52:1535 207.46.248.16:119 ESTABLISHED


"dlbrum" <(E-Mail Removed)> wrote in message
news:9FFD316B-F70A-4DC3-9BC8-(E-Mail Removed)...
> Well, I didn't realize that a "foreign" SMTP connection would come from a
> different port (than 25). I thought that it was port 25 to port 25 sort
> of a
> deal.
>
> So I'm allowing any port on any foreign machine to access only my port 25
> ?
>
> Thanks so much for the help,
> dave



 