I'm going to be assisting with the implementation of a "mail-only"
connection to the Internet shortly. By "mail-only" I mean that while there
will be a router connected to an ISP via a leased line, the only traffic
that we want to permit will be SMTP traffic to a specific machine
designated as our "mail gateway" server. The only other traffic allowed
will be to support DNS so that the gateway machine (only) can find the
proper host to connect to for outbound traffic.

I've just finished reading the FAQ and Brent Chapman's paper on Packet
Filtering, and I'm starting to better understand the issues involved. What
we would like to do, initially, is to set up a router (which will probably
be a Cisco 2501) to do packet filtering as Brent's described in his paper,
to allow for this mail-only connection to a machine on our internal
network. Eventually, we will add in a dedicated firewall machine between
the inbound router and the internal network, but we'd like to put that step
off for a while if we can be reasonably safe without doing that.

What I'd like to know is this: Is the Cisco 2501 capable of filtering based
on source port (not just source address) so that I can block incoming
packets that aren't (apparently) coming from the remote SMTP server? Does
the router provide for blocking start-of-connection packets so that
a remote system can't use port 25 to launch an attack as described in

If this router won't do the trick, would a simple (hah!) firewall/mail
gateway "between" the Internet, behind a filtering router, and the
internal network, which could "see" the internal network, do the trick?

What else should I be concerned with?
David Kozinn dkozinn @
com / david @
Computer Sciences Corporation Under contract to Mutual of New York
Technology Management Group +1-201-907-6990
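As an added illustration (not part of the post above), the mail-only policy it describes maps onto a pair of Cisco IOS extended access lists: extended lists match on source port as well as address, and the `established` keyword passes only TCP segments with ACK or RST set, which is what keeps a remote host from opening a new connection simply by choosing port 25 as its source port. The addresses (192.0.2.10 for the mail gateway, 198.51.100.53 for the ISP's resolver) and the interface name Serial0 are constructed placeholders.

```cisco
! Constructed example: 192.0.2.10 is the internal mail gateway,
! 198.51.100.53 the ISP resolver, Serial0 the leased-line interface.

! --- Inbound from the Internet (applied "in" on Serial0) ---
! Anyone may open an SMTP connection to the gateway.
access-list 101 permit tcp any host 192.0.2.10 eq smtp
! Replies to SMTP sessions the gateway itself opened: source port 25,
! high destination port, and only segments with ACK or RST set.
! A bare SYN from source port 25 does not match and falls to the deny.
access-list 101 permit tcp any eq smtp host 192.0.2.10 gt 1023 established
! DNS answers to the gateway only. UDP carries no flags, so the best a
! stateless filter can do is pin the source to the resolver you use.
access-list 101 permit udp host 198.51.100.53 eq domain host 192.0.2.10 gt 1023
! Everything else is dropped and logged.
access-list 101 deny ip any any log

! --- Outbound to the Internet (applied "out" on Serial0) ---
! Only the gateway may originate traffic, and only SMTP and DNS.
access-list 102 permit tcp host 192.0.2.10 any eq smtp
access-list 102 permit tcp host 192.0.2.10 eq smtp any established
access-list 102 permit udp host 192.0.2.10 gt 1023 host 198.51.100.53 eq domain
access-list 102 deny ip any any log

interface Serial0
 ip access-group 101 in
 ip access-group 102 out
```

Note that `established` is a per-packet flag check, not connection tracking: the router never verifies that a matching SYN was seen earlier, so the gateway host still needs to be hardened on its own, which is why a dedicated firewall host behind the router is the usual next step.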