> -----Original Message-----
> From: CertaintyTech [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 22, 2003 12:04 PM
> To: 'ML qmail-scanner'
> Subject: RE: [Qmail-scanner-general]Worm.Sobig.F
>
> > option 1) restrict all outbound destination port 25 traffic from your
> > internal lan, except for the mail server IP's. they are the only ones
> > that should be sending the mail anyhow. (exceptions to this would be
> > direct sendmail deliveries from clients...).
> >
> > ...snip...
> >
> > Dallas
>
> Do you know how to do "option 1" on a Cisco router?
>
> Ed.

ios 12.x commands would look something like this... ignore the pretty
drawing and the comments.

[internet] -> [ cisco ] -> [mail server]
 0.0.0.0       10.1.1.1     10.1.1.2

! source: any, source port: *, dest: 10.1.1.2, dest port: 25 (incoming mail)
access-list 102 permit tcp any host 10.1.1.2 eq 25

! source: 10.1.1.2, source port: *, dest: any, dest port: 25 (outgoing mail)
access-list 102 permit tcp host 10.1.1.2 any eq 25

! deny 10.1.1.x lan from talking on port 25 to the outside world
access-list 102 deny tcp 10.1.1.0 0.0.0.255 any eq 25

interface ethernet0/8
 ip access-group 102 in

I don't use cisco ios regularly, so anyone can feel free to correct me if
you see something wrong with that.
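
Added example (not part of the original message): a small Python model of how IOS walks access-list 102 top to bottom, run over constructed sample packets, to show which entry each one hits and what the implicit deny at the end of every ACL does to traffic the three entries never mention. The trailing "permit ip any any" variant and all sample addresses other than 10.1.1.x are assumptions, and only TCP packets are modelled.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")      # IOS "any"

def host(ip):                              # IOS "host X" = X with wildcard 0.0.0.0
    return (ip, "0.0.0.0")

# access-list 102 as posted: (action, source, destination, destination port)
ACL_102 = [
    ("permit", ANY, host("10.1.1.2"), 25),
    ("permit", host("10.1.1.2"), ANY, 25),
    ("deny", ("10.1.1.0", "0.0.0.255"), ANY, 25),
]
# Assumption, not in the message: a final "access-list 102 permit ip any any"
ACL_102_WITH_PERMIT = ACL_102 + [("permit", ANY, ANY, None)]

def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def matches(addr, spec):
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    base, wildcard = spec
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return ((_to_int(addr) ^ _to_int(base)) & care) == 0

def evaluate(acl, src, dst, dport):
    """Return (action, entry number) of the first match, top to bottom."""
    for number, (action, s, d, port) in enumerate(acl, start=1):
        if matches(src, s) and matches(dst, d) and port in (None, dport):
            return action, number
    return "deny", None        # implicit "deny ip any any" that ends every ACL

# Constructed sample packets: (description, source, destination, dest port)
SAMPLES = [
    ("inbound mail to server", "198.51.100.7", "10.1.1.2", 25),
    ("mail server sending out", "10.1.1.2", "203.0.113.9", 25),
    ("LAN client direct SMTP", "10.1.1.50", "203.0.113.9", 25),
    ("LAN client web request", "10.1.1.50", "203.0.113.9", 80),
]

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_102), ("with final permit", ACL_102_WITH_PERMIT)):
        print(f"access-list 102 {name}:")
        for desc, src, dst, port in SAMPLES:
            action, entry = evaluate(acl, src, dst, port)
            hit = f"entry {entry}" if entry else "implicit deny"
            print(f"  {desc:26} {src} -> {dst}:{port}  {action} ({hit})")
```

The mail server's permit has to stay above the LAN-wide deny, because 10.1.1.2 also falls inside 10.1.1.0 0.0.0.255 and the first match wins.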