This set jumps to sub-chains to deal with only the traffic from customer
subnets. It also uses an address-list to permit static IP customers,
who are most likely to run mail servers, to bypass the block. This
also keeps NetBIOS from escaping... It's my first pass at optimizing
the ruleset to reduce CPU load. It is possible to do this with simpler
rules.
/ip firewall filter
add chain=forward comment="Allow Established" connection-state=established
add chain=forward comment="Allow Related" connection-state=related
# New connections headed into the customer subnets are handled in forwardinapsubnets
add action=jump chain=forward connection-state=new dst-address-list=APsubnets jump-target=forwardinapsubnets out-interface=AP_bridge
# New connections leaving the customer subnets are handled in forwardoutapsubnets
add action=jump chain=forward connection-state=new in-interface=AP_bridge jump-target=forwardoutapsubnets src-address-list=APsubnets
# Inbound sub-chain
add chain=forwardinapsubnets comment="Permit CustStatic IPs to run mail servers" dst-port=25 protocol=tcp src-address-list=CustStatics
add action=drop chain=forwardinapsubnets comment="Block netbios inbound to APsubnets by default" dst-port=135,137,139,445 protocol=tcp
# No action given, so the default action (accept) applies to everything else inbound
add chain=forwardinapsubnets
# Outbound sub-chain
# add-src-to-address-list has passthrough=yes by default, so the packet continues to the next rule
add action=add-src-to-address-list address-list=Need_SNMP_question address-list-timeout=3d chain=forwardoutapsubnets comment="Block port 25 outbound from APsubnets by default" dst-address-list=!OurIPs dst-port=25 protocol=tcp
add action=drop chain=forwardoutapsubnets comment="Block netbios outbound from APsubnets by default" dst-port=135,137,139,445 protocol=tcp
# Default accept for the remaining outbound traffic; rules below this line in the same chain are never evaluated
add chain=forwardoutapsubnets
# As ordered, this drop sits after the unconditional accept above and is not reached
add action=drop chain=forwardoutapsubnets comment="Block port 25 outbound from APsubnets by default" dst-address-list=!OurIPs dst-port=25 protocol=tcp src-address-list=APsubnets
On Thu, Dec 18, 2014 at 11:12:08PM -0500, RickG wrote:
> Take it off? I've never had it on. Well, actually, I tried blocking port 25
> but had some issues with a few customers so opened it back up. I believe I
> can work around them now. The question is it effective to block it? I
> remember it used to be the thing to do years ago.
>
>
> On Thu, Dec 18, 2014 at 11:45 AM, Clay Stewart <[email protected]> wrote:
> >
> > Take it off, and you will be blocked faster than Flash. According to
> > Sheldon
> >
> > On Thu, Dec 18, 2014 at 11:35 AM, RickG <[email protected]> wrote:
> >
> >> Folks, I'm tired of dealing with my main IP being blacklisted for SPAM by
> >> certain users. Is it worth blocking port 25 anymore or is that old news?
> >>
> >> --
> >> -RickG KyWiFi
> >>
> >> _______________________________________________
> >> Mikrotik-users mailing list
> >> [email protected]
> >> http://lists.wispa.org/mailman/listinfo/mikrotik-users
> >>
> >>
> >
> > --
> >
> >
> > --
> > Clay Stewart, CEO
> > SCS Broadband
> > 434.263.6363 O
> > 434.942.6510 C
> > [email protected]
> > "We Keep You Up and Running"
> >
> > Please send sales inquiries to [email protected]
> > Please send service/repair requests to [email protected]
> >
> >
> >
>
> --
> -RickG KyWiFi
--
Scott Lambert KC5MLE Unix SysAdmin
[email protected]
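The simpler outbound-only form of the block that Scott alludes to, written out here as an added example; it is not the ruleset from the post above nor anything the posters ran. The address-list names APsubnets, CustStatics and OurIPs and the interface name AP_bridge are taken from the rules in the post; the chain name cust-out, the list name SMTP_offenders and the sample addresses (documentation ranges) are assumptions made for the example. The rules are written in the order they must be evaluated, because RouterOS stops walking a chain at the first accept or drop that matches.

```routeros
# Added example, not the poster's ruleset. Assumed names: cust-out, SMTP_offenders.
# Sample address-list entries (constructed, documentation ranges):
/ip firewall address-list
add list=APsubnets address=10.50.0.0/16 comment="customer subnets (constructed sample)"
add list=CustStatics address=203.0.113.10 comment="static customer running its own MTA (constructed sample)"
add list=OurIPs address=198.51.100.25 comment="ISP mail relay (constructed sample)"

/ip firewall filter
# Stateful shortcut first so only new connections walk the rest of the chain.
add chain=forward connection-state=established,related action=accept comment="Allow established/related"
# Hand new connections leaving the customer subnets to a sub-chain.
add chain=forward connection-state=new in-interface=AP_bridge src-address-list=APsubnets action=jump jump-target=cust-out
# Bypass: static-IP customers may run their own MTAs and talk to any MX directly.
add chain=cust-out protocol=tcp dst-port=25 src-address-list=CustStatics action=accept comment="CustStatics may send SMTP anywhere"
# Everyone else may still reach the ISP's own relay on 25.
add chain=cust-out protocol=tcp dst-port=25 dst-address-list=OurIPs action=accept comment="SMTP to our relay allowed"
# Record the offender first; passthrough defaults to yes, so the drop below still runs.
add chain=cust-out protocol=tcp dst-port=25 action=add-src-to-address-list address-list=SMTP_offenders address-list-timeout=3d comment="Record hosts attempting direct-to-MX"
add chain=cust-out protocol=tcp dst-port=25 action=drop comment="Block direct SMTP from customer subnets"
add chain=cust-out protocol=tcp dst-port=135,137,139,445 action=drop comment="Block NetBIOS/SMB outbound"
# Unconditional accept LAST: any rule placed after this in cust-out is never evaluated.
add chain=cust-out action=accept comment="Everything else from customers"
```

To confirm the block is actually doing work rather than being shadowed by an earlier accept, watch the per-rule counters with `/ip firewall filter print stats chain=cust-out` and look at who is being caught with `/ip firewall address-list print where list=SMTP_offenders`. Only TCP/25 is touched; customers who submit mail to an outside provider over the authenticated submission port (587, or 465 with TLS) are unaffected, which is the usual way to avoid the customer complaints RickG mentions while still stopping infected hosts from talking straight to remote MXs.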