SMTP network ACL on AWS

Tags: access-control-list, amazon-web-services, networking, smtp

I have a very restricted ACL for my VPC. We have a public subnet and a private subnet, each subnet has its own individual ACL.

What I don't understand is why the following ACL works for sending email over port 465 via Amazon SES.

public:

  • inbound: src 0.0.0.0/0, port 465
  • outbound: dest 0.0.0.0/0, port 465

private:

  • inbound: N/A
  • outbound: dest 0.0.0.0/0, port 465

I get both outbound rules, but the inbound rule for public doesn't make any sense. Where in the SMTP RFC does it say the SMTP server (SES, a relay) will connect back to the client on port 465? I would expect the client to pick a high port, as shown in the following netstat:

tcp      104      0 ip-10-0-1-75.ec:36836 ec2-54-243-225-221.:urd CLOSE_WAIT
tcp        0      0 ip-10-0-1-75.ec:50903 ec2-54-243-161-229.:urd ESTABLISHED

urd is 465 from what I understand. So my instance in the private subnet routes the request to the NAT instance, and the NAT (in the public subnet) sends the packets to the remote server. So why is 465 needed inbound anyway?

Best Answer

To be sure we're clear, src 0.0.0.0/0 port 465 refers to the source IP but the destination port.

The source of the traffic (CIDR range) and the destination (listening) port or port range.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

What's interesting about the question is that what's "wrong" (that is, the source of the confusion) with the rule isn't the port at all, it's the IP range.

This rule is allowing your instances on private subnets to access your NAT instance (on the public subnet) so that the traffic can be forwarded from there to the Internet. Its actual purpose is not for allowing traffic from the Internet back in (though it is inadvertently doing something similar to that, allowing ingress traffic with destination port 465, which you don't want). The more correct rule would use the CIDR block of your VPC (e.g. 172.31.0.0/16) (or an appropriate subset) as source and the NAT machine or its subnet as destination.
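As an added illustration (not part of the question or the answer above), the following Python model shows why the answer says the problem is the IP range and not the port. It evaluates an inbound network ACL the way AWS does: rules in ascending rule-number order, first match on source CIDR plus destination port wins, and anything unmatched is denied by the implicit final rule. The VPC CIDR 10.0.0.0/16 (chosen to fit the 10.0.1.75 address in the netstat output), the NAT instance address 10.0.0.10 and the outside address 203.0.113.7 are constructed sample values, not taken from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    """One inbound network ACL entry: source CIDR and destination port range."""
    number: int        # rule number; lower numbers are evaluated first
    action: str        # "allow" or "deny"
    source_cidr: str   # where the packet comes FROM
    port_from: int     # destination port range on the instance being reached
    port_to: int


@dataclass(frozen=True)
class Flow:
    """A single packet direction as the ACL sees it (NACLs are stateless,
    so the reply direction would be matched by a separate rule, not modelled here)."""
    src_ip: str
    dst_ip: str
    dst_port: int


def evaluate_inbound(rules: List[AclRule], flow: Flow) -> Tuple[bool, Optional[int]]:
    """Return (allowed, matching_rule_number). No match means the implicit deny ('*')."""
    src = ipaddress.ip_address(flow.src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        in_cidr = src in ipaddress.ip_network(rule.source_cidr)
        in_ports = rule.port_from <= flow.dst_port <= rule.port_to
        if in_cidr and in_ports:
            return rule.action == "allow", rule.number
    return False, None


# The rule from the question: any source, destination port 465.
WIDE_OPEN: List[AclRule] = [AclRule(100, "allow", "0.0.0.0/0", 465, 465)]

# The rule the answer recommends: only sources inside the VPC (assumed 10.0.0.0/16).
TIGHTENED: List[AclRule] = [AclRule(100, "allow", "10.0.0.0/16", 465, 465)]

# Constructed flows arriving at the NAT instance in the public subnet (assumed 10.0.0.10).
PRIVATE_TO_NAT = Flow("10.0.1.75", "10.0.0.10", 465)      # private-subnet instance -> NAT
INTERNET_TO_NAT = Flow("203.0.113.7", "10.0.0.10", 465)   # outside host -> NAT, port 465
INTERNET_TO_NAT_443 = Flow("203.0.113.7", "10.0.0.10", 443)  # outside host, other port


def compare_rule_sets() -> Dict[str, Dict[str, bool]]:
    """Show which flows each rule set admits; only the source range differs."""
    flows = {
        "private_to_nat": PRIVATE_TO_NAT,
        "internet_to_nat_465": INTERNET_TO_NAT,
        "internet_to_nat_443": INTERNET_TO_NAT_443,
    }
    result: Dict[str, Dict[str, bool]] = {}
    for name, rules in (("wide_open", WIDE_OPEN), ("tightened", TIGHTENED)):
        result[name] = {fname: evaluate_inbound(rules, f)[0] for fname, f in flows.items()}
    return result


if __name__ == "__main__":
    for ruleset, outcomes in compare_rule_sets().items():
        for flow_name, allowed in outcomes.items():
            print(f"{ruleset:10} {flow_name:22} {'ALLOW' if allowed else 'DENY'}")
```

Running it shows that the wide-open rule admits both the legitimate private-subnet flow and an Internet-originated connection to port 465 on the NAT, while the tightened rule admits only the former; the 443 flow is denied under both, which is the port part of the rule doing its job either way.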