MikroTik

We are an ISP with over 6000 IPv4 addresses and I see, over 2000+ IP are already on PBL, almost 3 of the /22 are completely showing on PBL list. 
How to avoid this happening or get the whole block whitelisted by PBL ?

When I asked some experts at other forums, they say to block port 25 at your PPPOE router and core router. 
is that a solution ?

But I guess, every customer outlook will stop working. 

I checked this, 
http://wiki.mikrotik.com/wiki/How_to_au ... MTP_output

But Im afraid, whether to block or not. 

An option is writing a script that pulls IP's off a PBL and updates your block list, later you can inform the user that he might be infected with a virus and limit his service until he takes action, some ISP's do this, not the best option since PBL tend to put the whole subnet in rather than a specific IP.
Another option is to monitor traffic per specific user on port 25, legitimate users don't send tons of messages hence low number of packets per given time, if you see an abnormal increase in traffic on port 25 then its safe to assume that the user might be a spammer, just like that script you provided.

An option is writing a script that pulls IP's off a PBL and updates your block list, later you can inform the user that he might be infected with a virus and limit his service until he takes action, some ISP's do this, not the best option since PBL tend to put the whole subnet in rather than a specific IP.
Another option is to monitor traffic per specific user on port 25, legitimate users don't send tons of messages hence low number of packets per given time, if you see an abnormal increase in traffic on port 25 then its safe to assume that the user might be a spammer, just like that script you provided.

So put the script as wiki ?

Yes try that, however not to disturb service first monitor how the script behaves and if it yields results then implement it. 
Don't just jump right in

Yes try that, however not to disturb service first monitor how the script behaves and if it yields results then implement it. 
Don't just jump right in

Oops, I still fear. 
Lets wait for some more insights. 

The first step should be monitoring which IP usues 25 port and make some statistics and then you can inform "suspected" users that they generate traffic on port 25 and ask them to check if all is configured properly.

The first step should be monitoring which IP usues 25 port and make some statistics and then you can inform "suspected" users that they generate traffic on port 25 and ask them to check if all is configured properly.

So goto PPPoE router and goto CONNECTION TRACKING and see, who are connected to port 25 ?
And inform them ?
Isn't there a way, we can block 25 completely from the PPPoE router and then when someone emails us asking about it, we simply unblock the 25 for him for his MAC address only ?

When I asked some experts at other forums, they say to block port 25 at your PPPOE router and core router. 
is that a solution ?

But I guess, every customer outlook will stop working.

No, it won't. Or at least it should not. Nowadays, no ordinary customer should have legitimate reasons to make outgoing connections to port 25/tcp, unless they are running their own mail server. Most email providers use alternative ports for client ESMTP (587/tcp and 465/tcp - the latter is not officially assigned but is a de-facto standard anyways), which also usually assume mandatory encryption and authentication.

So, I'd suggest asking business customers if they are running an on-premises mail server, then allow outgoing 25/tcp for those who are, block for everyone else.

When I asked some experts at other forums, they say to block port 25 at your PPPOE router and core router. 
is that a solution ?

But I guess, every customer outlook will stop working.

No, it won't. Or at least it should not. Nowadays, no ordinary customer should have legitimate reasons to make outgoing connections to port 25/tcp, unless they are running their own mail server. Most email providers use alternative ports for client ESMTP (587/tcp and 465/tcp - the latter is not officially assigned but is a de-facto standard anyways), which also usually assume mandatory encryption and authentication.

So, I'd suggest asking business customers if they are running an on-premises mail server, then allow outgoing 25/tcp for those who are, block for everyone else.

All the customers are either using Godaddy or Hostgator mostly for their websites and emails. 
So, they goto Outlook and enter their hostgator IMAP email server details. 
So, if I block port 25, will they stop working ? 

So, if I block port 25, will they stop working ? 

No, they won't. Quick google search shows that both Godaddy and Hostgator use 465/tcp for mail sending.

Let assume that you manage list of allowed sources of SMTP,POP etc traffic and this list is named TRAFFIC_MX_ALLOW then you can record all mail traffic sources originating from non allowed IPs in TRAFFIC_MX_SRC list with 4h time-out or To block all mail traffic except allowed IPs you need simple rule: or And the last step is to update TRAFFIC_MX_ALLOW list of IPs.
That's all.

P.S.
Adjust port list to your needs.

Do not try to unblock entire customer subnets on PBL's. They exist for a reason. Customers can unblock themselves based on several conditions (e.g. fixed ip and mx/ptr records).

Also, you could host a smtp relay for your customers with a strict enough eula enabling you to get exclusion on most black lists and allowing you to restrict customer access on abuse.

Do not try to unblock entire customer subnets on PBL's. They exist for a reason. Customers can unblock themselves based on several conditions (e.g. fixed ip and mx/ptr records).

Also, you could host a smtp relay for your customers with a strict enough eula enabling you to get exclusion on most black lists and allowing you to restrict customer access on abuse.

This is a good suggestion. 
So, I should better host a mail server myself and use it as SMTP relay ?
Then email all customers to use that as outgoing server ?
But isn't that too much load for my mail server ?

So, if I block port 25, will they stop working ? 

No, they won't. Quick google search shows that both Godaddy and Hostgator use 465/tcp for mail sending.

I think I should better block them port 25 and then wait for emails of customers. 
Whoever says, outlook not working.
Simply ask him to use SSL with 465 port. 

Do not try to unblock entire customer subnets on PBL's. They exist for a reason. Customers can unblock themselves based on several conditions (e.g. fixed ip and mx/ptr records).

Also, you could host a smtp relay for your customers with a strict enough eula enabling you to get exclusion on most black lists and allowing you to restrict customer access on abuse.

This is a good suggestion. 
So, I should better host a mail server myself and use it as SMTP relay ?
Then email all customers to use that as outgoing server ?
But isn't that too much load for my mail server ?

No, just advertise it passively on your website. Your customers can continue with their current settings. If they experience problems with PBL (which is, imo, their problem) you can refer them to your relaying server.
You will have to invest time and material for your email server, but at least this infrastructure is under your control. And you're not the one to blame.

Do not try to unblock entire customer subnets on PBL's. They exist for a reason. Customers can unblock themselves based on several conditions (e.g. fixed ip and mx/ptr records).

Also, you could host a smtp relay for your customers with a strict enough eula enabling you to get exclusion on most black lists and allowing you to restrict customer access on abuse.

This is a good suggestion. 
So, I should better host a mail server myself and use it as SMTP relay ?
Then email all customers to use that as outgoing server ?
But isn't that too much load for my mail server ?

No, just advertise it passively on your website. Your customers can continue with their current settings. If they experience problems with PBL (which is, imo, their problem) you can refer them to your relaying server.
You will have to invest time and material for your email server, but at least this infrastructure is under your control. And you're not the one to blame.

Okay let me ask my developer if he knows about it. Very confusing

If they experience problems with PBL (which is, imo, their problem) you can refer them to your relaying server.

Not true in 100% .....
If PBL blocks whole subnet instead of particular addresses then it backfires on "good guys". They have no chance to remove themselves from PBL as subnet is owned by ISP and they are not guilty but they have to "serve" sentence.

It is better to prevent than to cure ....

If they experience problems with PBL (which is, imo, their problem) you can refer them to your relaying server.

Not true in 100% .....
If PBL blocks whole subnet instead of particular addresses then it backfires on "good guys". They have no chance to remove themselves from PBL as subnet is owned by ISP and they are not guilty but they have to "serve" sentence.

It is better to prevent than to cure ....

Whats your final suggestion ?
Yes, I can see the complete /22 is showing red in PBL. 

As /22 subnet owner try to remove whole subnet from PBL.
Check who is responsible for mail traffic.
Warn/inform users from the top of the usage list about problems.
Block 25 port ... leave 587 open

You need to choose: difficulties for customers or blocked subnet .....

"To ban or not to ban ? That it admins' question"

As /22 subnet owner try to remove whole subnet from PBL.
Check who is responsible for mail traffic.
Warn/inform users from the top of the usage list about problems.
Block 25 port ... leave 587 open

You need to choose: difficulties for customers or blocked subnet .....

"To ban or not to ban ? That it admins' question"

So, 1st step is block port 25. 
And when you said, check who is responsible, means check on connecting tracking, which customer IP is using the port 25 mostly ? 

Warn/inform users that you will block port 25
Block port 25 and track who is generating traffic to port 25. You can make rules for each customer: and you clearly will see who makes most of traffic watching counters.

Warn/inform users that you will block port 25
Block port 25 and track who is generating traffic to port 25. You can make rules for each customer:

Code: Select all

add action=drop chain=output dst-port=25 out-interface=ETH-WAN-ISP1 protocol=tcp src-address=IPofClient1
add action=drop chain=output dst-port=25 out-interface=ETH-WAN-ISP1 protocol=tcp src-address=IPofClient2
....
add action=drop chain=output dst-port=25 out-interface=ETH-WAN-ISP1 protocol=tcp src-address=IPofClientN

and you clearly will see who makes most of traffic watching counters.

Okay so block the port 25 completely. 
Then if a customer asks to unblock it, then we should first ask him to purchase a static IP and then unblock his port 25 using the above chain action forward ?

Soamz:

A. Please do not cite full post just under cited post ... it is not necessary and makes thread longer than it should be

B. Yes. Block port 25 and watch who needs it and than make necessary changes in the firewall ... clients do not need public Ip but it could be solution.

C. You need to make decision what to to yourself .. I do not want to be accused for bad solution ... I am giving you just an idea and examples how to resolve problem.

You are checking if port 25 at your site is open. Simply: some server in the Internet tries to open port 25 at your site.
You are not checking if you are transmitting to port 25 somewhere in the internet.

You are checking if port 25 at your site is open. Simply: some server in the Internet tries to open port 25 at your site.
You are not checking if you are transmitting to port 25 somwhere in the internet.

So Block Port 25 on Border or Core or PPPoE router alone ?

Okay I did this in CORE ROUTER only. 

Did not do in Border routers or PPPoE Routers. 

Only done at core. 

/ip firewall filter

add chain=forward protocol=tcp dst-port=25 src-address-list=spammer
action=drop comment="BLOCK SPAMMERS OR INFECTED USERS"

add chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 action=add-src-to-address-list
address-list=spammer address-list-timeout=1d comment="Detect and add-list SMTP virus or spammers"

See attached. 

For a global operation of blocking port 25, you're definitely going to want to allow SMTP for some sources - suppose your own company's mail server, for instance, or any customers who are operating their own mail server.

You need to create an IP list for hosts that are allowed to use port 25
e.g.:
/ip firewall address-list add address=x.x.x.x list=MXokay

And then add any more approved hosts to this list. This is a list of hosts which are permitted to use port 25.

Then in your filter rule, add the criteria:
src-address-list=!MXokay
! means "not" - so this criteria means that if the src address is NOT in the list MXokay, then they may be blocked if the other criteria are true.
If the src IP --IS-- in the list, then the criteria is false, so may not be blocked by the rule.

Done that just now at my PPPoE Router.

/ ip firewall filter
add chain=forward protocol=tcp dst-port=25 dst-address-list=!SMTP-addr action=drop comment="" disabled=no

/ ip firewall address-list 
add list=SMTP-addr address=1.1.1.1/32 comment="ISP SMTP" disabled=no
add list=SMTP-addr address=2.2.2.2/32 comment="Cust1 SMTP" disabled=no
add list=SMTP-addr address=3.3.3.3/32 comment="Cust2 SMTP" disabled=no

Still doesnt get packets. 
IM logged in as a customer and if I goto my CMD in windows and do telnet labnol.org 25
Im able to login to the telnet already. 

So, I guess something is not working.

Shall we do this in Border or core or NAS ??

For a global operation of blocking port 25, you're definitely going to want to allow SMTP for some sources - suppose your own company's mail server, for instance, or any customers who are operating their own mail server.

You need to create an IP list for hosts that are allowed to use port 25
e.g.:
/ip firewall address-list add address=x.x.x.x list=MXokay

And then add any more approved hosts to this list. This is a list of hosts which are permitted to use port 25.

Then in your filter rule, add the criteria:
src-address-list=!MXokay
! means "not" - so this criteria means that if the src address is NOT in the list MXokay, then they may be blocked if the other criteria are true.
If the src IP --IS-- in the list, then the criteria is false, so may not be blocked by the rule.

What should be the rule if I want to know which IP are spamming and which IP list should be approved ?
I have created 2 address list, 
SPAMMER
VERIFIED-USER
What should be the final code please. 

Read this once again: http://forum.mikrotik.com/viewtopic.php ... 84#p544328

Read this once again: http://forum.mikrotik.com/viewtopic.php ... 84#p544328

You wrote it OR. 
So, I got confused, whether to run 2 or all 4. 

Rules 1,2 collect data in forward and output chains
Rules 3,4 filter mails in forward and output chains

You can use all of them at the same time.

Rules 1,2 collect data in  forward and output chains
Rules 3,4 filter mails in forward and output chains

You can use all of them at the same time.

Amazing. 
In Border or Core ?
Or both ?
Or PPPoE routers ?

For each device which sends data directly to the Internet ... if there is more than one then for each one but then for each device you need to maintain lists.

It is like gates on the airport ... for each gate which passangers are going through you need security officer. If you can pass all the people via the only one gate then you need only one security person which need to be instructed what to instead of full team training.

For each device which sends data directly to the Internet  ... if there is more than one then for each one but then for each device you need to maintain lists.

It is like gates on the airport ... for each gate which passangers are going through you need security officer. If you can pass all the people via the only one gate then you need only one security person which need to be instructed what to instead of full team training.

Okay then putting to border, core and NAS. 
Damn!

For each device which sends data directly to the Internet  ... if there is more than one then for each one but then for each device you need to maintain lists.

It is like gates on the airport ... for each gate which passangers are going through you need security officer. If you can pass all the people via the only one gate then you need only one security person which need to be instructed what to instead of full team training.

I was checking Comcast website and I see they have blocked all those ports. 
https://customer.xfinity.com/help-and-s ... ked-ports/
Can I add those ports also to your above code ?

No... use KISS rule ...

Rules for for e-mail
Rules for ssh
Rules for WWW
Rules for SPI ...
Rules for .... whatever you want to filter

No... use KISS rule ...  

Rules for  for e-mail
Rules for ssh
Rules for WWW
Rules for SPI ...
Rules for .... whatever you want to filter

KISS
Where do I find more info about it ?
I think, there should be a microtik wiki for all this. 
As every ISP needs this common and it ends up with 1000 confusing forum threads. 
One single wiki thread for the MUST HAVE FIREWALL RULES for ISP should be a official wiki article. 

KISS Where do I find more info about it ?

If you do not know this acronym: "Keep It Simple Stupid"
Therefore do not mix different rules into one if you are not experieced enough or you do not know what and why are you doing.
There is always time to optimize your firewall ... in the beggining it should work

From your port list,  I removed the 465, as 25 is blocked, so customers will use 465 with SSL for sending emails. 

I did this in a NAS which has 2500 PPPoE customers. 


But I dont think its working. 
After placing this, I went to home and went to cmd 
telnet mywebsite.com 25
I was able to go to my mailbox telnet. 

While it should get blocked.

I guess something is wrong with the above code then

Chances are you have the rules in the wrong order, below one that permits the traffic you are trying to log and filter out.

I am a home user that runs a web and mail server at home - along with a few other weird things.  I can tell you what my ISP does (from the customer prospective).  The have three levels of firewall at their end that can be selected by the customer.  They are:
 "No Firewall" with an option box to Allow port 25 bypass.
"Basic Firewall" with option boxes to Allow port 25 bypass, and Allow pinging.
"Full Firewall" with option boxes to Allow port 25 bypass, Allow pinging, and Allow remote desktop.
The no firewall and full firewall should be pretty obvious, and the description of the Basic Firewall is: "Recommended Setting. Block incoming requests from the most commonly abused ports on a computer including 135, 139, 389, 445, and 593."
Port 25 is blocked at all levels unless the "Allow port 25 bypass" is checked.  First time you check that, it brings up a terms of service page specifically on port 25 abuse that you have to agree to in order for the port 25 bypass parameter to take effect.  The TOS states that they will check your mail server periodically to see if you are allowing open relay.  If you are running an open relay, they will block port 25 for you.

Mine is set for the Basic Firewall and that has worked fine for me.

I realize this does not help in the "How to accomplish" the filtering, but does give a perspective of what my ISP does.

Chances are you have the rules in the wrong order, below one that permits the traffic you are trying to log and filter out.

Oops. 
Can you clear and paste the final version please ?

Soamz:

Let me explain... these four rules you have applied are not blocking incoming packets to the router.
When you are telnetting from home (WAN side)to port 25 at yourwebsite then you have access to your SMTP port as it is not blocked.
To block it you need other rule:Rule blocks access to port 25 in input chain as packet is incoming to the router.

So final version this one ?

/ip firewall filter

add action=add-src-to-address-list address-list=BAD_SMTP_CLIENTS address-list-timeout=4h chain=forward dst-address-list=!GOOD_SMTP_CLIENTS dst-port=110,995,143,993,25,585 out-interface=ether6 protocol=tcp

add action=add-src-to-address-list address-list=BAD_SMTP_CLIENTS address-list-timeout=4h chain=output dst-address-list=!GOOD_SMTP_CLIENTS dst-port=110,995,143,993,25,585 out-interface=ether6 protocol=tcp

add action=reject chain=forward dst-port=110,995,143,993,25,585 out-interface=ether6 protocol=tcp src-address-list=!GOOD_SMTP_CLIENTS

add action=reject chain=output dst-port=110,995,143,993,25,585 out-interface=ether6 protocol=tcp src-address-list=!GOOD_SMTP_CLIENTS
add action=reject chain=input dst-port=25 in-interface=ether6 protocol=tcp src-address-list=!GOOD_SMTP_CLIENTS

And this needs to be done for the PPPoE ether or the Microtek's public IP ether ?

Done. 
But still Im able to goto my PC and goto telnet domain.com 25 

Am a newbie here especially on the firewall thing. I have a similar problem where my entire /23 subnet is on PBL. Am more of a routing person but I have to deal with this. Is anyone willing to help with this

Am a newbie here especially on the firewall thing. I have a similar problem where my entire /23 subnet is on PBL. Am more of a routing person but I have to deal with this. Is anyone willing to help with this

Mine is still not blocked, very confused. 
Still, after placing everything, Im able to login in my PC. 

So it was my understanding that since they passed Net Neutrality, we as ISP's can't block any ports to customers. It somehow violates Net Neutrality.

If you blocked/degraded some servers but allowed/favored others, then that would be more a violation of net neutrality.

(At least to my non-lawyer way of thinking)

If you block all by default for security/policy reasons and publish this policy in your TOS, and possibly allow exceptions for users who operate mail servers, then that seems fair.

The idea of net neutrality is that ISPs cannot favor some service over another, especially when there is a conflict of interest, such as when Comcast deliberately degraded Netflix performance in order to protect their own video services.

That rule will be correct to the extent that the server is hosed behind the router in question. Am assuming that's the setup otherwise if the that is the client's gateway router, the chain should be forward

Soamz:

Let me explain... these four rules you have applied are not blocking incoming packets to the router.
When you are telnetting from home (WAN side)to port 25 at yourwebsite then you have access to your SMTP port as it is not blocked.
To block it you need other rule:

Code: Select all

add action=reject chain=input dst-port=25 in-interface=ether6 protocol=tcp src-address-list=!GOOD_SMTP_CLIENTS

Rule blocks access to port 25 in input chain as packet is incoming to the router.

Yes. I assume that smtp server is behind the router.
No. It should be input chain as packets are incoming to the router so they are blocked on input to the router.
The missing part are rules which are passing packets to the real server. It could be one destination NAT rule or the pair of DST & SRC NAT.
Hewever, despite the number of rules, the input chain blocks every packet trying to reach the WAN interface of the router at port 25 except permitted ones.

Yes. I assume that smtp server is behind the router.
No. It should be input chain as packets are incoming to the router so they are  blocked on input to the router.
The missing part are rules which are passing packets to the real server. It could be  one destination NAT rule or the pair of DST & SRC NAT.
Hewever, despite the number of  rules, the input chain blocks every packet trying to reach the WAN interface of the router at port 25 except permitted ones.

I could be misunderstanding you, BartoszP, and if so, then I apologize for that...

However...
It sounds to me that your are suggesting that any packet received on the WAN interface is subjected to the INPUT chain of the filter table, and if it passes the INPUT chain, then the packet is passed to the FORWARD chain if it is to be forwarded onward to an internal host. This is incorrect. The INPUT chain ONLY applies to packets which will be processed by the router itself. The INPUT chain does not function in the same manner as an an interface ACL in Cisco for instance, which refers to "ingress" packets (on whatever interface is utilizing the ACL), regardless of whether their destination is the router itself or one which results in forwarding to some other host.

This distinction is very powerful. Suppose you wish to limit SSH access to a backbone router, so that the router only accepts ssh requests from your management network, but you do not want to block your customers' ssh connections which pass through that router.

If the INPUT chain were to apply to traffic flowing through the router, then you would also need to make sure that the filter list of SSH only applied to any IP address on the router itself, and if the router is a customer access router with hundreds of IP interfaces, this would be quite unwieldy. Since the FORWARD chain is the one applied to the customers' traffic flowing through the router, you can easily make just one INPUT rule about ssh - accept from source X only, drop the rest. The particular interface where ssh packets arrive is irrelevant to the INPUT chain. If you DO need to specify which interface the rule applies to, you can add the in-interface as a criteria, but if you don't care which interface (suppose you have a router with several OSPF-controlled dynamic interfaces), then it's quite powerful to only limit the IP src and be completely agnostic regarding specific interfaces.

ZeroByte

Guilty Thank you for good long exlpanation ... I have written the very short version and it is not quite precise.

Edited by BartoszP: removed full quote without any comment from the author

Yes. ... snip-snip ....

I could be ... snip-snip ...

Still not working