Make dynamic IPs work in a firewall?

Started by dlots, January 28, 2016, 02:15:02 PM


dlots

I have always wanted to know if anyone has a better solution for this:  Say you have an e-mail server you want to be able to reach gmail.  Is there a better way to do that than collect every single IP address that gmail has and make an object-group out of it?  Or windows update servers, netflix, etc.  I can't imagine there not being a better way to do that kinda thing, but I have no idea what it might be.

icecream-guy

Quote from: dlots on January 28, 2016, 02:15:02 PM
I have always wanted to know if anyone has a better solution for this:  Say you have an e-mail server you want to be able to reach gmail.  Is there a better way to do that than collect every single IP address that gmail has and make an object-group out of it?  Or windows update servers, netflix, etc.  I can't imagine there not being a better way to do that kinda thing, but I have no idea what it might be.

That means you are blocking outbound SMTP traffic from your mail server? That sounds silly.

Inbound I can see, stops the baddies from using the mail server.

Outbound traffic should generally be allowed; inbound traffic should be sniffed, scanned, and inspected before being allowed in.

My Moral Fibers have been cut.

deanwebb

Allow SMTP from any/all in both directions. In front of the firewall or immediately behind it, you can set up an SMTP proxy that will require validation and authorization from all connecting boxes - that's what keeps you from being an open relay. But firms will get email from *everywhere*, so there's no real call to block SMTP that way.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

dlots

We don't run e-mail servers; we have a server that sends e-mail alerts out to a particular set of servers. So far I haven't gotten a request for gmail, but I figure it's only a matter of time. We are also overly high security and don't like to let anything go anywhere if we can help it.

wintermute000

Some other vendors will/can do URL-based firewall rulesets; that gives you the bare minimum, though it may fail occasionally if Google brings a new IP online before the URL list updates.
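The failure mode described above (DNS answers changing before the firewall's address list does) can be watched for, as an added example that is not from this thread or any vendor: the script below takes the addresses a resolver returned for the destination MX hosts, diffs them against the allow-list currently deployed, and renders the live set as an ASA-style object-group. The hostnames, addresses and the object-group syntax are constructed/assumed placeholders; in practice the `RESOLVED_MX` dict would be filled from a real MX/A lookup run on a schedule.

```python
from ipaddress import ip_address, ip_network, collapse_addresses

# Constructed sample: what resolving the destination's MX hosts might return.
# Documentation-range addresses only, not real Gmail IPs.
RESOLVED_MX = {
    "gmail-smtp-in.l.google.com.": ["198.51.100.10", "203.0.113.5"],
    "alt1.gmail-smtp-in.l.google.com.": ["198.51.100.10", "198.51.100.11"],
}

# Constructed sample: the allow-list currently deployed on the firewall.
DEPLOYED = ["198.51.100.10", "198.51.100.11", "192.0.2.77"]


def live_addresses(resolved):
    """Flatten {hostname: [addresses]} into a set of ip_address objects."""
    return {ip_address(a) for addrs in resolved.values() for a in addrs}


def drift(resolved, deployed):
    """Return (missing, stale).

    missing: addresses DNS now returns that the firewall does not permit
             (the gap that breaks outbound mail until the list is refreshed).
    stale:   deployed addresses that no destination hostname resolves to any more
             (allow-list entries that should be reviewed and removed).
    """
    live = live_addresses(resolved)
    current = {ip_address(a) for a in deployed}
    return sorted(live - current), sorted(current - live)


def object_group(name, resolved):
    """Render the live set as a network object-group (assumed ASA-like syntax),
    collapsing adjacent host entries into the smallest covering networks."""
    nets = collapse_addresses(ip_network(a) for a in live_addresses(resolved))
    lines = [f"object-group network {name}"]
    for n in nets:
        if n.prefixlen == n.max_prefixlen:
            lines.append(f" network-object host {n.network_address}")
        else:
            lines.append(f" network-object {n.network_address} {n.netmask}")
    return "\n".join(lines)


if __name__ == "__main__":
    missing, stale = drift(RESOLVED_MX, DEPLOYED)
    print("missing from firewall:", [str(a) for a in missing])
    print("stale on firewall:    ", [str(a) for a in stale])
    print(object_group("GMAIL_MX", RESOLVED_MX))
```

A non-empty `missing` list is the alert condition: it means the resolver already sees an address the rule set will drop.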

deanwebb

Then in that case, deny the request when it arrives due to security concerns, or set up a relay outside the firewall that will accept connections ONLY from your email server.

Reggle

A mail server can be allowed to do SMTP to any, I believe. Especially if it uses MX records. Whitelisting Gmail is going to be a pain... You'll need IP ranges of CDNs and so on... The minor increased risk isn't worth it.

dlots

Yeah, that's what I figured, but there is never any harm in asking.

Thank you