Support Forum
Not applicable

Restrict port 25 to one IP address

Hi There

We are currently running a Fortigate 60ADSL router. Port 25 is forwarded to the Exchange server for incoming mail. How do I configure the firewall to ONLY allow connections to port 25 from only ONE public IP address?

The reason I ask is that we have a Barracuda spam filter in a data centre; this receives all the mail for the domain name (the MX record points to that spam filter). The Barracuda then sends the mail to the public IP address of our network, so we really should lock down the port 25 forwarding to only accept connections from the Barracuda's public IP address. I would like to do this in the Fortinet firewall, rather than the Exchange server itself. How do I configure such a setup?

Firmware version: Fortigate-60ADSL 3.00,build0406,070126

Help would be much appreciated

Regards
Travis
romanr
Valued Contributor

Just enter your Spam-Filter-Box as the source address in the policy for your mail-server and don't allow "any". Cheers.
Not applicable

Hi There

Thanks for your reply. I don't quite understand what you mean by don't allow "any". This is how I have set up the policy:

Clicked Firewall --> Policy, Create New
- Source Interface/Zone: adsl
- Source Address Name: <IP Address of Spam Filter>
- Destination Interface/Zone: internal
- Destination Address Name: <Selected the VIP I created for SMTP port forwarding>
- Schedule: Always
- Service: SMTP
- Action: Accept
- Box for NAT is checked
- All other boxes unchecked

Here are the settings for the SMTP Virtual IP I created:
- Name: SMTP
- External Interface: adsl
- Type: Static NAT
- External IP Address/Range: 0.0.0.0
- Mapped IP Address/Range: <LAN IP Address of Mail Server>
- Port Forwarding box is checked
- Protocol: TCP
- External Service Port: 25
- Map to Port: 25

It's very strange: even though I configured the firewall policy with the source address, it still accepts connections to port 25 from any IP address. I am baffled as to why it doesn't work; I've most likely missed something simple. Help is much appreciated.

Regards
Travis
romanr
Valued Contributor

And there is no other policy using this VIP and allowing more than just the spam-filter server?
Not applicable

Yep, nothing else is using that VIP.

Regards
Travis
doshbass
New Contributor III

There are a couple of possibilities:
1) The public address of the Barracuda is defined wrongly, perhaps a 0.0.0.0 mask instead of 255.255.255.255.
2) There is another FW policy that is overriding this one.
Another one may be that a different VIP somewhere has been defined with the LAN mail server address by mistake.

Jon
Still learning to type "the"
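Jon's three possibilities, together with the VIP and policy Travis listed, can be turned into a small audit over a FortiOS-style configuration dump. The script below is an added example, not code from this thread or from Fortinet. The configuration text it parses is constructed to mirror the thread's setup (203.0.113.10 for the spam filter and 192.168.1.10 for the mail server are placeholder values) and is deliberately seeded with all three mistakes so that each check fires; the parser handles only flat `config`/`edit`/`set`/`next`/`end` tables, which is all the address, VIP and policy tables need.

```python
"""Audit a FortiOS-style configuration for the three mistakes discussed in
this thread.  Added example; the configuration text is constructed, not
taken from the poster's device."""
import shlex
from collections import defaultdict

# Constructed sample mirroring the thread's setup.  203.0.113.10 (spam
# filter) and 192.168.1.10 (mail server) are placeholder values; all three
# mistakes are present on purpose so each check below fires.
SAMPLE_CONFIG = """\
config firewall address
    edit "spamfilter-public"
        set subnet 203.0.113.10 0.0.0.0
    next
end
config firewall vip
    edit "SMTP"
        set extintf "adsl"
        set extip 0.0.0.0
        set mappedip 192.168.1.10
        set portforward enable
        set protocol tcp
        set extport 25
        set mappedport 25
    next
    edit "SMTP-old"
        set extintf "adsl"
        set mappedip 192.168.1.10
    next
end
config firewall policy
    edit 1
        set srcintf "adsl"
        set dstintf "internal"
        set srcaddr "spamfilter-public"
        set dstaddr "SMTP"
        set action accept
        set service "SMTP"
        set nat enable
    next
    edit 2
        set srcintf "adsl"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "SMTP"
        set action accept
        set service "ANY"
    next
end
"""


def parse_fortios(text):
    """Parse flat config/edit/set/next/end tables into
    {table: {entry: {key: [values]}}}; nested blocks are not handled."""
    tables = {}
    table = entry = None
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # honours quoted names such as "SMTP-old"
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            table = tables.setdefault(" ".join(args), {})
        elif cmd == "edit" and table is not None:
            entry = table.setdefault(args[0], {})
        elif cmd == "set" and entry is not None:
            entry[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table = None
    return tables


def audit(tables):
    """Return findings; an empty list means every VIP is reachable only
    from single-host sources and is mapped to its LAN host once."""
    findings = []
    addresses = tables.get("firewall address", {})
    vips = tables.get("firewall vip", {})
    for pid, attrs in tables.get("firewall policy", {}).items():
        exposed = [d for d in attrs.get("dstaddr", []) if d in vips]
        if attrs.get("action") != ["accept"] or not exposed:
            continue
        for src in attrs.get("srcaddr", []):
            if src == "all":  # possibility 2: a broader policy overrides this one
                findings.append(f"policy {pid}: VIP {exposed} reachable from any source")
                continue
            mask = addresses.get(src, {}).get("subnet", ["", ""])[-1]
            if mask == "0.0.0.0":  # possibility 1: this mask matches every host
                findings.append(f"policy {pid}: source '{src}' has mask 0.0.0.0, "
                                "use 255.255.255.255 for a single host")
    by_mapped = defaultdict(list)  # possibility 3: two VIPs on one LAN host
    for name, attrs in vips.items():
        if attrs.get("mappedip"):
            by_mapped[attrs["mappedip"][0]].append(name)
    for ip, names in by_mapped.items():
        if len(names) > 1:
            findings.append(f"VIPs {sorted(names)} all map to {ip}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run against a real `show firewall address`/`show firewall vip`/`show firewall policy` dump, an empty result from `audit()` means the only accept policy reaching the SMTP VIP has a /32 source and no second VIP points at the mail server; any finding names the policy or VIP to fix.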
thors_hammer
New Contributor

I think you can uncheck the NAT box in the firewall policy, because it's not needed for inbound connections with VIPs. Perhaps that's the solution to your problem...

multiple 30B / 40C / 60(B) / 80C / 100A / 200(A/B) / 600C 4.0 MR3