
CLI: Example for Configuring RBL-Based Anti-Spam

This section provides an example of configuring RBL-based mail filtering on the FW, which serves as the security gateway between the Internet and the intranet.

Networking Requirements

The enterprise has its own domain name and deploys a mail server in the DMZ. RBL-based anti-spam is required on the FW so that mail from sender addresses listed on the RBL is blocked before it reaches the mail server in the DMZ, protecting the server against spam and reducing network resource consumption.

Figure 1 Mail filtering networking diagram

Procedure

  1. Set the interface IP address and add the interface to a security zone.
    1. Set an IP address for GigabitEthernet 0/0/1 and assign the interface to the untrust zone.

      <FW> system-view
      [FW] interface GigabitEthernet 0/0/1
      [FW-GigabitEthernet0/0/1] ip address 1.1.1.1 24
      [FW-GigabitEthernet0/0/1] quit
      [FW] firewall zone untrust
      [FW-zone-untrust] add interface GigabitEthernet 0/0/1
      [FW-zone-untrust] quit

    2. Set an IP address for GigabitEthernet 0/0/2 and assign the interface to the dmz.

      [FW] interface GigabitEthernet 0/0/2
      [FW-GigabitEthernet0/0/2] ip address 10.2.0.1 24
      [FW-GigabitEthernet0/0/2] quit
      [FW] firewall zone dmz
      [FW-zone-dmz] add interface GigabitEthernet 0/0/2
      [FW-zone-dmz] quit

  2. Enable the RBL filtering function and set the DNS server address.

    [FW] rbl-filter enable
    [FW] rbl-filter dns-server 10.10.10.10

  3. Configure the RBL filtering profile, use the RBL server cbl.anti-spam.org.cn, and accept any reply code. With reply-code any, every answer returned by the RBL for a queried address is treated as a listing; if the RBL uses different return codes to distinguish listing types from error or test conditions, configure the specific codes instead.

    [FW] rbl-filter profile user-defined name "rbl server"
    [FW-rbl-filter-profile-rbl server] query cbl.anti-spam.org.cn
    [FW-rbl-filter-profile-rbl server] reply-code any
    [FW-rbl-filter-profile-rbl server] quit

  4. Enable the RBL filtering profile and set the filtering action to block.

    [FW] rbl-filter profile user-defined name "rbl server" enable
    [FW] rbl-filter profile user-defined name "rbl server" action block

  5. Create a mail filtering profile and enable anti-spam.

    [FW] profile type mail-filter name profile_mail_untrust_dmz
    [FW-profile-mail-filter-profile_mail_untrust_dmz] rbl-filter enable
    [FW-profile-mail-filter-profile_mail_untrust_dmz] quit

  6. Configure a security policy that permits DNS traffic from the FW (the local zone) to the untrust zone, where the DNS server 10.10.10.10 used for RBL lookups resides. Without this rule the FW's RBL queries cannot reach the DNS server.

    [FW] security-policy
    [FW-policy-security] rule name policy_sec_rbl
    [FW-policy-security-rule-policy_sec_rbl] source-zone local
    [FW-policy-security-rule-policy_sec_rbl] destination-zone untrust
    [FW-policy-security-rule-policy_sec_rbl] service dns
    [FW-policy-security-rule-policy_sec_rbl] action permit
    [FW-policy-security-rule-policy_sec_rbl] quit

  7. Configure the security policy between the dmz and the untrust zone.

    [FW-policy-security] rule name policy_sec_untrust_dmz
    [FW-policy-security-rule-policy_sec_untrust_dmz] source-zone untrust
    [FW-policy-security-rule-policy_sec_untrust_dmz] destination-zone dmz
    [FW-policy-security-rule-policy_sec_untrust_dmz] profile mail-filter profile_mail_untrust_dmz
    [FW-policy-security-rule-policy_sec_untrust_dmz] action permit
    [FW-policy-security-rule-policy_sec_untrust_dmz] quit
    [FW-policy-security] quit

  8. Commit the content security profiles.

    [FW] engine configuration commit
    Info: The operation may last for several minutes, please wait.
    Info: MAIL submitted configurations successfully.
    Info: Finish committing engine compiling.
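The following Python script is an added illustration of the lookup the RBL filter performs for each inbound sender, and is not code from the page or from Huawei. It assumes the standard DNSBL convention (RFC 5782): the sender's IPv4 octets are reversed and prepended to the RBL zone, and an A record in 127.0.0.0/8 means "listed". The resolver is a constructed in-memory table standing in for the DNS server 10.10.10.10, the listed addresses are invented test data, and the fail-open handling of a resolver error is an assumption for the example; the page does not state how the FW behaves when the RBL query fails.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Union

# RBL zone referenced in the profile above
RBL_ZONE = "cbl.anti-spam.org.cn"
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def rbl_query_name(sender_ip: str, zone: str = RBL_ZONE) -> str:
    """Build the DNSBL lookup name: reversed IPv4 octets followed by the zone.
    192.0.2.2 -> 2.2.0.192.cbl.anti-spam.org.cn (RFC 5782 convention)."""
    ip = ipaddress.ip_address(sender_ip)
    if ip.version != 4:
        raise ValueError("this example covers IPv4 senders only")
    return ".".join(reversed(sender_ip.split("."))) + "." + zone


def is_listed(answers: Iterable[str], reply_codes: Union[str, Iterable[str]]) -> bool:
    """Interpret the RBL's A records.
    reply_codes == "any" mirrors 'reply-code any': every 127/8 answer counts.
    Otherwise only the configured return codes count as a listing."""
    codes = {a for a in answers if ipaddress.ip_address(a) in LISTED_NET}
    if not codes:
        return False          # NXDOMAIN / no 127/8 record: not listed
    if reply_codes == "any":
        return True
    return bool(codes & set(reply_codes))


# Constructed resolver table (invented test data, not real listings).
FAKE_RBL: Dict[str, List[str]] = {
    "2.2.0.192.cbl.anti-spam.org.cn": ["127.0.0.2"],
    "9.0.113.203.cbl.anti-spam.org.cn": ["127.0.0.4"],
}


def fake_resolve(name: str) -> List[str]:
    """Stand-in for a DNS A lookup against 10.10.10.10; [] means NXDOMAIN."""
    return FAKE_RBL.get(name, [])


def unreachable_resolve(name: str) -> List[str]:
    """Models the case where the local->untrust DNS policy is missing."""
    raise OSError("DNS server unreachable")


def decide(sender_ip: str,
           resolve: Callable[[str], List[str]] = fake_resolve,
           reply_codes: Union[str, Iterable[str]] = "any",
           action: str = "block") -> str:
    """Return the action for an inbound connection from sender_ip:
    the profile's action ("block") when listed, otherwise "permit"."""
    try:
        answers = resolve(rbl_query_name(sender_ip))
    except OSError:
        # Assumption for this example: a failed RBL query fails open.
        # Verify the real device's behaviour and the DNS policy (step 6).
        return "permit"
    return action if is_listed(answers, reply_codes) else "permit"


if __name__ == "__main__":
    for ip in ("192.0.2.2", "203.113.0.9", "198.51.100.1"):
        print(ip, rbl_query_name(ip), decide(ip))
```

Running the script shows the two constructed listed senders being blocked and the unlisted one permitted; switching reply_codes from "any" to a specific list such as ["127.0.0.2"] shows why the reply-code setting matters when an RBL encodes different conditions in its return values.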
    

Configuration Scripts

#                                                                               
sysname FW      
#                                                                               
 rbl-filter enable                                                              
 rbl-filter dns-server 10.10.10.10                                              
 rbl-filter profile user-defined name rbl server action block                   
 rbl-filter profile user-defined name rbl server enable                         
#                                                                               
interface GigabitEthernet0/0/1   
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#                                                                               
interface GigabitEthernet0/0/2   
 undo shutdown
 ip address 10.2.0.1 255.255.255.0
#                                                                               
firewall zone untrust                                                             
 add interface GigabitEthernet0/0/1
#                                                                               
firewall zone dmz                                                           
 add interface GigabitEthernet0/0/2
#                                                                               
profile type mail-filter name profile_mail_untrust_dmz                          
 rbl-filter enable                                                              
#                                                                               
 rbl-filter profile user-defined name rbl server                                
  query cbl.anti-spam.org.cn                                                    
  reply-code any description rbl server              
#                                                                               
security-policy                                                                 
 rule name policy_sec_untrust_dmz                                               
  source-zone untrust                                                           
  destination-zone dmz                                                          
  profile mail-filter profile_mail_untrust_dmz                                  
  action permit                                  
 rule name policy_sec_rbl                                                       
  source-zone local                                                             
  destination-zone untrust                                                      
  service dns                                                                   
  action permit                                                                 
Copyright © Huawei Technologies Co., Ltd.