Summit x670-48x acl on sharing

cosmostv
New Contributor

Hello, I have trouble blocking outgoing SMTP on my x670. I have this ACL applied to the config master of my sharing:

Policy: deny_smtp
entry port_25_tcp {
    if match all {
        source-address 10.0.0.0/8 ;
        protocol tcp ;
        destination-port 25 ;
    }
    then {
        deny ;
    }
}
entry port_25_udp {
    if match all {
        source-address 10.0.0.0/8 ;
        protocol udp ;
        destination-port 25 ;
    }
    then {
        deny ;
    }
}

enable sharing 40 grouping 35-44 algorithm address-based L3

configure access-list deny_smtp ports 40 egress

but whenever I try, I can still access SMTP servers outside. Am I doing something wrong here?

1 ACCEPTED SOLUTION

FredrikB-NN2
Contributor

You have to put the ACL on all ports in the LAG. Stupid, I know...

https://extreme-networks.my.site.com/ExtrArticleDetail?an=000087786

Since you have 10 ports in your LAG, 1/10th of the sessions will be blocked as expected. When you apply the ACL on all ports (35-44), it will behave as expected for all sessions.

Oh, and you can ditch the UDP part. SMTP is TCP, never UDP (as far as I know, never seen it). I assume you know already, but SMTP can also be run on ports 465 and 587 with encryption. Port 2525 is also popular in order to circumvent filters like this. Of course, anyone can set up a port forwarding or even an SMTP server that listens on any other port for SMTP if they like.

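Putting the accepted answer into a complete configuration, as an added example that is not part of the original thread or of Extreme's documentation: the policy keeps the poster's TCP/25 entry, adds entries for the other ports the answer mentions (465, 587 and 2525), and is bound to every member of the LAG (35-44) instead of the master port only. The policy name, source prefix and port range are taken from the thread; which extra ports are worth covering is an assumption, and the UDP entry is left out per the answer (re-add it if you want it).

```text
# deny_smtp.pol  (EXOS policy file; "#" starts a comment)
# An ACL policy permits anything that matches no entry, so only the denies are listed.
# protocol and destination-port must sit in the same entry, or the port match is ignored.
entry smtp_25 {
    if match all { source-address 10.0.0.0/8 ; protocol tcp ; destination-port 25 ; }
    then { deny ; }
}
entry smtps_465 {
    if match all { source-address 10.0.0.0/8 ; protocol tcp ; destination-port 465 ; }
    then { deny ; }
}
entry submission_587 {
    if match all { source-address 10.0.0.0/8 ; protocol tcp ; destination-port 587 ; }
    then { deny ; }
}
entry alt_2525 {
    if match all { source-address 10.0.0.0/8 ; protocol tcp ; destination-port 2525 ; }
    then { deny ; }
}

# EXOS CLI: drop the master-only binding, check syntax, then bind to every LAG member.
unconfigure access-list deny_smtp ports 40 egress
check policy deny_smtp
configure access-list deny_smtp ports 35-44 egress
show access-list
```

Because the address-based L3 hash picks one physical member per source/destination pair, a policy bound to a single member sees only the flows hashed onto that member; binding it to all ten is what makes the deny apply to every session. After editing the file later, run `refresh policy deny_smtp` so the switch reloads it, and remember that an egress filter on the uplink LAG says nothing about what happens on any other path out of the network.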


Thanks, that's what I thought might be the cause here. As for the UDP part, somehow I can see some UDP packets sent over port 25 as well, so this is just to prevent that.
