Here is an example of blocking outbound TCP port 25 so that users behind the router cannot send spam straight to remote mail servers: they cannot open a connection to destination port 25/TCP, but they can still connect to the submission ports that require authentication and encryption, 465 (SMTPS) or 587 (message submission).
Here is an example filter (first allow the hosts that legitimately need port 25, then block everyone else):
edit firewall family inet filter BLOCK-PORT-25
set interface-specific
set term ALLOW-PORT-25 from source-address 10.0.2.6/32
set term ALLOW-PORT-25 from protocol tcp
set term ALLOW-PORT-25 from destination-port 25
set term ALLOW-PORT-25 then accept
set term BLOCK-PORT-25 from source-address 10.0.2.0/24
set term BLOCK-PORT-25 from source-address x.x.x.128/25
set term BLOCK-PORT-25 from protocol tcp
set term BLOCK-PORT-25 from destination-port 25
set term BLOCK-PORT-25 then discard
set term ALLOW-OTHER then accept
The filter must be applied to the Internet-facing (WAN) interface in the output direction only, so that it matches outgoing traffic:
set interfaces ge-0/0/0 unit 0 family inet filter output BLOCK-PORT-25
In my case there are many outgoing VLAN interfaces over which traffic is balanced via BGP, and they already carry an output filter (it blocks access to some networks on the Internet), for example:
edit interfaces ae0
set unit 555 family inet filter output blacklist-ip-drop
set unit 556 family inet filter output blacklist-ip-drop
...
You can attach several filters to one interface as a filter list, but they are evaluated in order as a single chain: if the first filter ends with the term ALLOW-OTHER then accept, every packet is accepted there and the second filter is never reached:
set unit 555 family inet filter output-list [ blacklist-ip-drop BLOCK-PORT-25 ]
That's why I edited the existing filter instead:
edit firewall family inet filter blacklist-ip-drop
Removed its final catch-all term. Delete the whole term, not only its action: in Junos a term without a then clause accepts by default, so deleting just "then accept" would leave the catch-all in place and the new terms would never be reached:
delete term other
Added the new terms (Junos appends new terms after the existing ones, which is why the catch-all had to be removed first; alternatively "insert term X before term Y" can reorder terms):
set term ALLOW-PORT-25 from source-address 10.0.2.6/32
set term ALLOW-PORT-25 from protocol tcp
set term ALLOW-PORT-25 from destination-port 25
set term ALLOW-PORT-25 then accept
set term BLOCK-PORT-25 from source-address 10.0.2.0/24
set term BLOCK-PORT-25 from source-address x.x.x.128/25
set term BLOCK-PORT-25 from protocol tcp
set term BLOCK-PORT-25 from destination-port 25
set term BLOCK-PORT-25 then discard
And added the catch-all term at the end again, which accepts all other traffic (a Junos filter ends with an implicit discard, so without this term all other Internet traffic would stop):
set term ALLOW-OTHER then accept
Note that if the filter is evaluated after NAT, as in my example, the source addresses in the terms must be the public addresses used for NAT, not the private (RFC 1918) ones.
Apply the configuration temporarily and make sure everything works (commit confirmed 10 automatically rolls the change back after 10 minutes unless it is confirmed, which saves you if the filter was written incorrectly and you lost connectivity to the device):
commit check
commit confirmed 10
If everything is fine, confirm the configuration with a second commit (this must happen before the 10 minutes expire):
commit comment "apply filter BLOCK-PORT-25"
Before and after applying the filter, you can test a connection to port 25 of any mail server with telnet. For example, against smtp.google.com the connection was established before the filter and the server banner was displayed:
220 mx.google.com ESMTP ... - gsmtp
After applying the filter nothing was displayed: discard drops the packets silently, so the client just hangs until its connection attempt times out.
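As an added example (not part of the original article and not Junos configuration), here is a Python replacement for the telnet check. It probes a list of hosts and ports from a client behind the filter and tells a silently discarded port (connection timeout) apart from a port that merely has no listener or is rejected with a RST (connection refused), which is how you distinguish "the filter ate it" from "the server is down". The target list is an assumption for illustration; only smtp.google.com appears in the article.

```python
"""Client-side check of an egress filter on TCP port 25.

Added example for the article, not Junos configuration. A 'discard' action
drops packets silently, so a blocked port shows up as a connection timeout,
while a port nobody listens on (or a 'reject' action) shows up as refused.
"""
import socket
from typing import Dict, List, Tuple

# Constructed target list (assumption for illustration; only smtp.google.com
# appears in the article). Behind the filter, 25 must time out while the
# authenticated submission ports 465 and 587 must still open.
TARGETS: List[Tuple[str, int]] = [
    ("smtp.google.com", 25),
    ("smtp.google.com", 465),
    ("smtp.google.com", 587),
]


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP handshake and classify the outcome.

    Returns one of:
      'open'     handshake completed (a banner may follow on 25/587)
      'refused'  RST received: host reachable but nothing listening, or a 'reject' rule
      'timeout'  no reply at all: the signature of a silent 'discard' filter
      'error:*'  anything else, e.g. DNS failure or no route to host
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:  # alias of TimeoutError on Python 3.10+
        return "timeout"
    except OSError as exc:
        return f"error:{type(exc).__name__}"


def banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Return the first line the server sends after connect (the
    '220 ... ESMTP' greeting on port 25), or '' if nothing arrives."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = sock.recv(512)
    except OSError:
        return ""
    return data.decode("ascii", errors="replace").splitlines()[0] if data else ""


def check_egress(targets: List[Tuple[str, int]],
                 timeout: float = 3.0) -> Dict[Tuple[str, int], str]:
    """Probe every (host, port) pair and collect the classification."""
    return {(host, port): probe(host, port, timeout) for host, port in targets}


def filter_effective(results: Dict[Tuple[str, int], str],
                     blocked_port: int = 25) -> bool:
    """True when every probe to blocked_port timed out (silently discarded)
    and every other port opened, i.e. the filter blocks exactly what it should
    and nothing else. 'refused' on the blocked port is a failure: the packet
    left the network and reached a host that answered."""
    return bool(results) and all(
        (state == "timeout") if port == blocked_port else (state == "open")
        for (_, port), state in results.items()
    )


if __name__ == "__main__":
    results = check_egress(TARGETS)
    for (host, port), state in results.items():
        line = f"{host}:{port:<4} {state}"
        if state == "open":
            line += f"  {banner(host, port)!r}"
        print(line)
    print("port 25 egress filter effective:", filter_effective(results))
```

Run it once from an internal host before the commit and once after: the first run should print "open" with the 220 greeting for all three ports, the second should print "timeout" for 25 and "open" for 465 and 587. A "refused" on port 25 after the commit means the filter did not match (wrong interface, wrong direction, or a private source address where the post-NAT public one was needed).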
See also my articles: