    Rule to Limit SMTP outbound?

    Category: Firewalling (19 posts, 7 posters, 7.9k views)
    hoba:

      Why destination WAN address?

    kapara:

        Trying to block all systems on the network from making smtp connections to outside hosts or servers so only my Exchange server is allowed to make outbound smtp connections.

        Skype ID:  Marinhd

    sullrich:

          Then you want a block rule that blocks everything NOT exchange IP address (source ip) on LAN.

    kapara:

      Had a virus once which installed an SMTP server on a machine and spammed the hell out of our customers.  I want to prevent all internal hosts from being able to act as SMTP server except for my Exchange server.

            Skype ID:  Marinhd

    kapara:

      What if I have 3 addresses which I need to allow... 3 internal IPs?

              Skype ID:  Marinhd

    hoba:

      Create a host alias at Firewall > Aliases with all your SMTP allowed senders, like "smtpallowedhosts".

      Then create 2 firewall rules at the LAN tab:

                pass protocol tcp, source smtpallowedhosts, destination any, port 25, default gateway
                block protocol tcp, source any, destination any, port 25, default gateway

      That will do the trick. Alternatively you could have 3 pass rules with the IPs of the SMTP senders, but aliases are much more elegant  ;)

    kapara:

                  Trying now…

                  Skype ID:  Marinhd

    kapara:

      Great.  The key here was that I chose the WAN address and should have used Any.  I used the aliases.

                    Thanks guys.

                    Mark

                    Skype ID:  Marinhd

    natec63:

                      Ok, this is exactly what I need to do but obviously I have something wrong.  I only need to allow one internal LAN IP to send mail and I want to block all other LAN IPs from using SMTP.  So, here are my rules I created on the LAN interface.

                      Pass  Protocol TCP, source 192.168.0.x, port 25, destination any, port 25, default gateway
                      Block protocol TCP, source any, port 25,  destination any, port 25, default gateway

                      Pass *, source LAN net, port *, destination *, port *, gateway *

                      Why wouldn't this work?

                      pfSense 1.2-RC2

    dotdash:

                        Set the source port to *, the destination is 25. There is a reason that field is behind a checkbox with this warning:
                        Specify the port or port range for the source of the packet for this rule. This is usually not equal to the destination port range (and is often "any").
                        Hint: you can leave the 'to' field empty if you only want to filter a single port
                        NOTE: You will not need to enter anything here in 99.99999% of the circumstances. If you're unsure, do not enter anything here!

    natec63:

                          Thank you very much!  Had to set the source port on both the allow and the deny to get things working.

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.