I always thought that there was no need to restrict outbound sessions across a firewall in low-security environments. My last encounter with malware has taught me otherwise; sometimes we need to protect the rest of the Internet from our clumsiness. OK, so I decided to install an inbound access-list on the inside interface of my SOHO router that will block all SMTP traffic not sent to a well-known SMTP server (and let the ISP’s SMTP server deal with relay issues).
This is the point where my laziness kicked in: if I want to add another SMTP server in the future, I wouldn’t like to hack my ACL. I might also need to enter the SMTP server addresses in multiple ACLs and it would be annoying if I would add the server in one ACL but forget all the other related ACLs (because, you know, we don’t really need documentation). Fortunately, IOS release 12.4(20)T provides just the tool I need: the ACL object groups. I can define a group of host addresses and use them as an object in my ACL:
object-group network SMTP_Server description ISP SMTP server host 192.168.0.2 host 172.16.2.3 ! ip access-list extended Inside permit tcp any object-group SMTP_Server eq smtp deny tcp any any eq smtp log permit ip any any ! interface Vlan1 ip access-group Inside in
IOS implements network and service object groups. Network object groups can include hosts, IP prefixes or ranges. Service object groups define TCP, UDP or ICMP services (including all ACL options like ranges of ports). You can also nest object groups and define new groups as unions of already defined groups.