Pix 501 Controlling Access Based on Source Port

Is there a way to prevent remote access based on source ports? For instance, I would like to only receive emails originating from port 25 and no other.

Thanks in advance

RG

Sure, you "could", i.e. access-list outside permit tcp any eq 25 host 1.2.3.4, but source ports are usually a randomly generated port greater than 1024; destination ports are what are fixed, i.e. smtp is 25, www is 80, etc. Care to expand on why you're trying to do this? Perhaps we can find an alternative solution for you.

-Brian

Brian V

In my quest to keep away spam, I thought that limiting source ports to 25 would filter a lot of the garbage. But it turns out yahoos of the world are using, like you are saying, random ports as well.

Anyway, the information you provided is useful.

RG

It's not the "yahoos" using random ports, it's the way TCP/IP works. The source computer uses a random port (not really random, but...) to initiate the connection to a "well-known" port. It's the way it's always been, and always will be. Even if the source port were always the same (say port 25), how would this stop spammers? How would you be able to differentiate spammers who use port 25 from those that are sending legitimate e-mail? If stopping spam were this easy, there wouldn't be any.

Thrill5
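Brian's and Thrill5's point, as an added example that is not part of this thread: a small Python model of PIX ACL matching showing why a source-port rule cannot separate spam from legitimate mail. The parser, the port-name table and the sample connections are my own construction (not Cisco's code); only Brian's ACL line and host 1.2.3.4 come from the thread.

```python
from collections import namedtuple

# Added illustration (not Cisco's parser): handles only the PIX ACL subset used
# in this thread, "access-list NAME permit tcp SRC [eq PORT] DST [eq PORT]",
# where SRC/DST is "any" or "host a.b.c.d" and PORT is a number or a service name.
PORT_NAMES = {"smtp": 25, "www": 80, "ftp": 21, "ftp-data": 20}
Conn = namedtuple("Conn", "src_ip src_port dst_ip dst_port")

def parse_acl(line):
    toks = line.split()
    if len(toks) < 6 or toks[0] != "access-list" or toks[2:4] != ["permit", "tcp"]:
        raise ValueError(f"unsupported ACL syntax: {line!r}")
    fields, pos = [], 4
    for _ in ("src", "dst"):
        if toks[pos] == "any":                      # wildcard address
            fields.append(None); pos += 1
        elif toks[pos] == "host":                   # single address
            fields.append(toks[pos + 1]); pos += 2
        else:
            raise ValueError(f"unsupported address {toks[pos]!r}")
        if pos < len(toks) and toks[pos] == "eq":   # optional port, else wildcard
            name = toks[pos + 1]
            fields.append(PORT_NAMES.get(name) or int(name)); pos += 2
        else:
            fields.append(None)
    return dict(zip(("src", "sport", "dst", "dport"), fields))

def matches(rule, c):
    return (rule["src"] in (None, c.src_ip) and rule["sport"] in (None, c.src_port)
            and rule["dst"] in (None, c.dst_ip) and rule["dport"] in (None, c.dst_port))

def evaluate(acl_line, conns):
    rule = parse_acl(acl_line)
    return {name: matches(rule, c) for name, c in conns.items()}

# Brian's source-port rule from the thread, and the usual destination-port form.
SOURCE_PORT_RULE = "access-list outside permit tcp any eq 25 host 1.2.3.4"
DEST_PORT_RULE = "access-list outside permit tcp any host 1.2.3.4 eq smtp"

# Constructed sample connections: real MTAs pick an ephemeral source port, so a
# source-port filter cannot tell a legitimate sender from a bot.
SAMPLE = {
    "legit-mta": Conn("203.0.113.10", 43121, "1.2.3.4", 25),
    "spam-bot": Conn("198.51.100.7", 51833, "1.2.3.4", 25),
    "bot-using-src-25": Conn("198.51.100.7", 25, "1.2.3.4", 25),
}
if __name__ == "__main__":
    print(evaluate(SOURCE_PORT_RULE, SAMPLE))  # {'legit-mta': False, 'spam-bot': False, 'bot-using-src-25': True}
    print(evaluate(DEST_PORT_RULE, SAMPLE))    # every connection reaches the mail server
```

The source-port rule drops the legitimate MTA along with the bot and admits only the sender that happened to choose source port 25, which is exactly the distinction Thrill5 says a firewall cannot make.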

Thrill5 said the following on 05/17/2009 08:12 PM:

IMHO it's up to the firewall to allow/block access to port 25. It's the matter of the smtp gateway to take care of spam and others. What you could do on the Pix is to limit the bandwidth dedicated to port 25. You can do that on a 515 running v7; on a 501 I doubt it's possible.

Daniel

Daniel-G

You can limit bandwidth based on port? Care to give an example for that? Never heard/seen of that!

Brian V

Brian V said the following on 05/18/2009 04:58 AM:

I did it this way to limit web traffic:

1/ traffic selection

    access-list WEB-Traffic extended permit tcp any eq www any
    access-list WEB-Traffic extended permit tcp any any eq www
    access-list WEB-Traffic extended permit tcp any any eq ftp
    access-list WEB-Traffic extended permit tcp any any eq ftp-data

2/ class definition

    class-map CM-WEB-Trafic-Policy
     match access-list WEB-Traffic

3/ policy definition

    policy-map PM-WEB-Trafic
     class CM-WEB-Trafic-Policy
      police input 1500000 2000000

4/ apply to the interface

    service-policy PM-WEB-Trafic interface outside

PIX V7.2 (don't know if it's available with v7.1). Hope it helps.

Daniel-G

I have answered you many times; you seem to think this group is a write-only medium. You really need to google Cisco ACL PIX.


Artie Lange

Surely that will slow down legitimate email as well as spam?

alexd

Yes, of course. That's why email should be managed by an MTA and nothing else (with a bit of help from iptables/fail2ban, etc. if heavy load).

Daniel-G

Good stuff! Love learning something new!

Brian V
