Netgate Discussion Forum

    How does one create an outbound rule?

    Firewalling
    9 Posts 2 Posters 2.9k Views
    jayht3:

      In the advanced features section of the rule GUI, "IN/OUT" only lists "NONE". I'm getting fw log entries that show that a mail server behind the fw is trying to send outbound traffic to port 25, and is blocked by the default OUT rule. Why would the default out rule be a BLOCK? How would you edit that, except by editing the huge php file which generates the rules? Mail seems to be sending out at higher rates than the fw log lists these blocked out packets. Thanks in advance, I tried searching the forum on "IN/OUT" and "outbound rule", didn't find an answer.

      marcelloc:

        pfSense is a stateful firewall, every rule must be created where the communication begins.

        Just create a normal rule on smtp server firewall interface allowing access to any ip on port 25.

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        jayht3:

          I believe I have, but I still see the blocked packets. My scenario is that OPT4 is an OpenVPN tunnel and OPT2 is the network with the mail server on a public IP. The fw log shows the blocked entries as outbound on OPT2, from any IP any port to the mail server IP port 25, TCP: RA.

          There are these rules:

          OPT2:
          tcp  * *  x.x.x.x/28 25 * none
          tcp  x.x.x.x/28 25 * * * none

          OPT4:
          tcp  * *  x.x.x.x/28 25 * none 
          tcp  x.x.x.x/28 25 * * * none

          I was going to turn one rule on each interface to outbound,
          but the GUI isn't presenting the option.

          Thanks,
          Jay

          jayht3:

            I've also tried wide open rules, any protocol, all interfaces, * * * * *, still get the blocked messages in fw logs.

            marcelloc:

              @jayht3:

              OPT2:
              tcp  * *  x.x.x.x/28 25 * none
              tcp  x.x.x.x/28 25 * * * none

              OPT4:
              tcp  * *  x.x.x.x/28 25 * none   
              tcp  x.x.x.x/28 25 * * * none

              Just to be sure, are OPT2 and OPT4 on the same network range?

              Can you screenshot your OPT2 rule screen?

              jayht3:

                no, I have the opt4 tunnel numbered with a /30 of public ips.

                opt2 is the local area network that's the /28, and the /28 is routed up and down
                that tunnel.

                http://www.ex88.net/images/pfpic1.jpg (opt4)
                http://www.ex88.net/images/pfpic2.jpg (opt2)
                http://www.ex88.net/images/pfpic3.jpg (fw logs)

                thanks

                marcelloc:

                  Remove the advanced options from the OPT rules, to be sure you did not disable keep state.

                  Your logs show external IPs going to your server. This rule must be on the WAN interface, not on OPT.

                  Just like I said on the other post, the rule must be where traffic begins.

                  jayht3:

                    OK, I can remove the options. OPT4 is a TUNNEL, and public IPs are routed to it. How do I create an outbound rule when the in/out button doesn't have anything besides NONE in the drop down options? (in the edit rule window)

                    --------------
                    I removed the options and flags, here is the cmd line info:

                    [2.0.1-RELEASE][admin@pfsense.localdomain]/root(3): pfctl -s rules
                    anchor "relayd/" all
                    block drop in log all label "Default deny rule"
                    block drop out log all label "Default deny rule"
                    block drop in quick inet6 all
                    block drop out quick inet6 all
                    block drop quick proto tcp from any port = 0 to any
                    block drop quick proto tcp from any to any port = 0
                    block drop quick proto udp from any port = 0 to any
                    block drop quick proto udp from any to any port = 0
                    block drop quick from <snort2c> to any label "Block snort2c hosts"
                    block drop quick from any to <snort2c> label "Block snort2c hosts"
                    block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
                    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = http label "webConfiguratorlockout"
                    block drop in quick from <virusprot> to any label "virusprot overload table"
                    block drop in on ! xl0 inet from 68.184.0.0/21 to any
                    block drop in inet from 68.184.4.246 to any
                    block drop in on xl0 inet6 from fe80::20a:5eff:fe4c:d0c6 to any
                    pass in on xl0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
                    pass out on xl0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
                    block drop in on ! ovpnc1 inet from 74.118.12.54 to any
                    block drop in inet from 74.118.12.54 to any
                    block drop in on ! ovpnc2 inet from 74.118.12.50 to any
                    block drop in inet from 74.118.12.50 to any
                    block drop in on ! fxp0 inet from 192.168.1.0/24 to any
                    block drop in inet from 192.168.1.1 to any
                    block drop in on ! xl1 inet from 74.118.12.32/28 to any
                    block drop in inet from 74.118.12.33 to any
                    block drop in on ! xl2 inet from 12.174.25.224/27 to any
                    block drop in inet from 12.174.25.248 to any
                    block drop in on ovpnc1 inet6 from fe80::20a:5eff:fe4c:d0c6 to any
                    block drop in on ovpnc2 inet6 from fe80::20a:5eff:fe4c:d0c6 to any
                    block drop in on fxp0 inet6 from fe80::201:80ff:fe3e:5cae to any
                    block drop in on xl1 inet6 from fe80::201:2ff:fec6:6ee1 to any
                    block drop in on xl2 inet6 from fe80::20a:5eff:fe3d:1026 to any
                    pass in on lo0 all flags S/SA keep state label "pass loopback"
                    pass out on lo0 all flags S/SA keep state label "pass loopback"
                    pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
                    pass out route-to (xl0 68.184.0.1) inet from 68.184.4.246 to ! 68.184.0.0/21 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
                    pass out route-to (ovpnc1 74.118.12.53) inet from 74.118.12.54 to ! 74.118.12.54 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
                    pass out route-to (ovpnc2 74.118.12.49) inet from 74.118.12.50 to ! 74.118.12.50 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
                    pass in quick on fxp0 proto tcp from any to (fxp0) port = http flags S/SA keep state label "anti-lockout rule"
                    pass in quick on fxp0 proto tcp from any to (fxp0) port = ssh flags S/SA keep state label "anti-lockout rule"
                    anchor "userrules/*" all
                    pass in quick on xl0 reply-to (xl0 68.184.0.1) inet all flags S/SA keep state label "USER_RULE: wan rule 1"
                    pass in quick on xl0 reply-to (xl0 68.184.0.1) inet proto udp from any to any port = 1194 keep state label "USER_RULE: wan rule 2"
                    pass in quick on xl0 reply-to (xl0 68.184.0.1) inet proto icmp all keep state label "USER_RULE: wan rule 3"
                    pass in quick on fxp0 all flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
                    pass in quick on openvpn all flags S/SA keep state label "USER_RULE: openvpn 1"
                    pass in quick on ovpnc1 reply-to (ovpnc1 74.118.12.53) inet all flags S/SA keep state label "USER_RULE: opt 1 rule 1"
                    pass in quick on xl1 inet proto tcp from 74.118.12.32/28 port = smtp to any flags S/SA keep state label "USER_RULE: opt2 rule 2"
                    pass in quick on xl1 inet proto tcp from any to 74.118.12.32/28 port = smtp flags S/SA keep state label "USER_RULE: opt2 rule 3"
                    pass in quick on xl1 all flags S/SA keep state label "USER_RULE: opt2 rule 1"
                    pass in quick on xl2 all flags S/SA keep state label "USER_RULE: opt3 rule 1"
                    pass in log quick on ovpnc2 reply-to (ovpnc2 74.118.12.49) inet proto icmp from 74.118.12.34 to 8.8.8.8 keep state label "USER_RULE: 88ping"
                    block drop in quick on ovpnc2 reply-to (ovpnc2 74.118.12.49) inet from <easyruleblockhostsopt4> to any label "USER_RULE: Easy Rule: Blocked from Firewall Log View"
                    pass in log quick on ovpnc2 reply-to (ovpnc2 74.118.12.49) inet proto tcp from any to 74.118.12.32/28 port = smtp flags S/SA keep state label "USER_RULE: opt4 rule 3"
                    pass in log quick on ovpnc2 reply-to (ovpnc2 74.118.12.49) inet proto tcp from 74.118.12.32/28 port = smtp to any flags S/SA keep state label "USER_RULE: opt4 rule 1"
                    pass in quick on ovpnc2 reply-to (ovpnc2 74.118.12.49) inet all flags S/SA keep state label "USER_RULE: opt 4 rule 2"
                    anchor "tftp-proxy/*" all

                    marcelloc:

                      The first rule on the (opt2) image is an outbound rule, you just need to change the source port to any and the destination port to 25.

                      Attached is a sample of an SMTP outgoing rule from hosts on a DMZ interface.

                      [attachment: smtp_out.png]


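To show why the source-port-25 rule never catches the server's outbound SMTP while the corrected rule does, and why a packet with no state still ends up in the default deny log, here is a toy stateful evaluator added for this thread (not pfSense or pf code). It models only the pf semantics that matter here: the state table is consulted before the rules, `quick` stops at the first match, otherwise the last match wins, and pfSense's non-quick "Default deny rule" pair sits above the quick user rules. Only the posted opt2 SMTP rule is modelled (not the catch-all "opt2 rule 1"); the relay, peer and port numbers in the flow are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Pkt:
    iface: str; direction: str; proto: str
    src: str; sport: int; dst: str; dport: int

@dataclass(frozen=True)
class Rule:
    action: str; direction: str; iface: str; proto: str
    src: str; sport: Optional[int]; dst: str; dport: Optional[int]
    quick: bool = False; keep_state: bool = False; label: str = ""

def in_net(spec: str, ip: str) -> bool: return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def matches(r: Rule, p: Pkt) -> bool:
    return (r.direction in ("any", p.direction) and r.iface in ("any", p.iface) and r.proto in ("any", p.proto)
            and in_net(r.src, p.src) and in_net(r.dst, p.dst) and r.sport in (None, p.sport) and r.dport in (None, p.dport))

class StatefulPF:  # simplified: floating states, no TCP flag tracking, no timeouts
    def __init__(self, rules): self.rules, self.states = list(rules), set()
    def filter(self, p: Pkt) -> str:
        key = (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))  # one state entry covers both directions
        if key in self.states: return "pass (state)"
        winner = None
        for r in self.rules:
            if matches(r, p):
                winner = r
                if r.quick: break  # quick: first match wins; otherwise keep going, last match wins
        if winner is None: return "pass (no rule matched)"
        if winner.action == "pass" and winner.keep_state: self.states.add(key)
        return f"{winner.action} ({winner.label})"

# pfSense puts a non-quick default deny pair above the (quick) user rules, as in the pfctl -s rules output
DEFAULT_DENY = [Rule("block", d, "any", "any", "any", None, "any", None, label="Default deny rule")
                for d in ("in", "out")]
# As posted: source port 25, so a client SYN leaving from an ephemeral port never matches it
AS_POSTED = Rule("pass", "in", "xl1", "tcp", "74.118.12.32/28", 25, "any", None, True, True, "opt2 rule 2")
# As corrected: source port any, destination port 25
CORRECTED = Rule("pass", "in", "xl1", "tcp", "74.118.12.32/28", None, "any", 25, True, True, "smtp out")

def run(rule: Rule) -> list:
    # Constructed flow: mail server opens SMTP to a relay, reply enters on WAN (xl0), then a stray RA with no state
    pf = StatefulPF(DEFAULT_DENY + [rule])
    syn = Pkt("xl1", "in", "tcp", "74.118.12.33", 51515, "203.0.113.10", 25)
    synack = Pkt("xl0", "in", "tcp", "203.0.113.10", 25, "74.118.12.33", 51515)
    stray_ra = Pkt("xl1", "out", "tcp", "198.51.100.7", 4040, "74.118.12.33", 25)
    return [pf.filter(syn), pf.filter(synack), pf.filter(stray_ra)]
```

With the posted rule all three packets fall through to the default deny; with the corrected rule the SYN creates state, the reply passes on state alone without any WAN rule, and the stray RA is still blocked and logged because nothing created state for it, which is what the OPT2 log entries show.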
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.