Allow only some WAN IPs access through port 25
-
Hi, I hope someone can help me here.
I need to redirect SMTP from my spam provider to my mail server.
Right now it's working by allowing any from outside on port 25 to the server IP on port 25. This is not secure enough!
I would like to allow only WAN IP X.X.X.X and WAN IP X.X.X.X port 25 to access LAN IP X.X.X.X port 25. How do I do that? Also I want to deny all but one IP on the LAN from sending SMTP, and only to WAN IP X.X.X.X and WAN IP X.X.X.X.
Best regards /Gorm
-
Have you considered using the source/destination field of firewall rules for that?
-
Yes, but the WAN address field is grayed out :-\
-
Single host or alias and Network are the only source fields where I can type an IP.
So are you telling me to use Single host for the WAN IP and make multiple rules?
I have tried that in the past and it didn't seem to work.
-
Edit your NAT rule so that the Source is changed from any to the IP address that you wish to allow.
-
It seems that I can only do that by changing any to Single host or alias.
So would the right way to do this be: make an alias with the WAN IPs and then redirect the alias?
I am using pfSense 2.0.3-RELEASE and either I am misunderstanding what Firewall/NAT/Source WAN address means or there is a bug!
-
"It seems that I can only do that by changing any to Single host or alias."
So use that then. Is it a problem somehow???
"Make an alias with the WAN IPs and then redirect the alias?"
Since you have more than one single host, an alias that holds the hosts is what you need.
"I am using pfSense 2.0.3-RELEASE and either I am misunderstanding what Firewall/NAT/Source WAN address means or there is a bug!"
You might want to consider upgrading to something a little more current. NAT is a basic function of pfSense. I very much doubt there is a bug.
-
Thanks.
@KOM: "It seems that I can only do that by changing any to Single host or alias."
"So use that then. Is it a problem somehow???"
It is not a problem as long as it is working.
The reason for asking is because in another case I tried to pass an external IP through this way and it was not working. I don't know if there was some sort of IP masking in play or something else making it not work.
And I don't want any unnecessary downtime.
"Make an alias with the WAN IPs and then redirect the alias?"
"Since you have more than one single host, an alias that holds the hosts is what you need."
So I do this by Firewall/Aliases: make an IP-based rule here, use the WAN IPs and give the rule a name? Can I then find it under Source, or do I manually have to enter the name of the rule under Single host or alias?
"I am using pfSense 2.0.3-RELEASE and either I am misunderstanding what Firewall/NAT/Source WAN address means or there is a bug!"
"You might want to consider upgrading to something a little more current. NAT is a basic function of pfSense. I very much doubt there is a bug."
There is probably a bug in my brain then... because I think a WAN address should mean an address on the internet and not just the outside IP of pfSense, or what does it mean?
Maybe it means any address on the outside of the firewall? And LAN means any address on the inside? You're right, I should upgrade. Will it cause any downtime like a reboot?
-
"because I think a WAN address should mean an address on the internet"
That is a flaw in your thinking. WAN net is the WAN network pfSense is attached to, just like LAN net is the LAN network pfSense is attached to.
So WAN address is pfSense's address in the WAN net, and LAN address is the address pfSense has in the LAN net.
-
"So I do this by Firewall/Aliases: make an IP-based rule here, use the WAN IPs and give the rule a name?"
Just create an IP alias. Stuff it with the two IP addresses you require. Create your firewall rule and, when asked for Source or Destination (depending on what the rule is supposed to do), select Single host or alias and then specify your alias.
-
"because I think a WAN address should mean an address on the internet"
"That is a flaw in your thinking. WAN net is the WAN network pfSense is attached to, just like LAN net is the LAN network pfSense is attached to."
"So WAN address is pfSense's address in the WAN net, and LAN address is the address pfSense has in the LAN net."
You are right, I just think of it as outside and inside.
Sometimes the WAN side is really a LAN, or is that a flaw too? ::) Never mind.
-
@KOM:
"So I do this by Firewall/Aliases: make an IP-based rule here, use the WAN IPs and give the rule a name?"
"Just create an IP alias. Stuff it with the two IP addresses you require. Create your firewall rule and, when asked for Source or Destination (depending on what the rule is supposed to do), select Single host or alias and then specify your alias."
OK, thanks, so that is the one that I can make in Firewall/Aliases, right?
Sorry for the stupid questions, but I am more used to Cisco / iptables terminal-based firewalls.
-
Yes, WAN does not mean internet, it just means the network on the outside of pfSense compared to your LAN. WAN net does not mean internet, it means the network that you are connected to on the WAN side. For example, I am connected to a /21. Yes, this is public, but if I create a rule that says you can go to WAN net, that just means you can connect to IPs in that /21, nothing more.
Here is an example rule I have where I only let my VPS boxes talk to my WAN address (public IP) that is forwarded to my box running Landscape.
-
So you did make those VPS as aliases in Firewall/Aliases?
Then I guess that the Single host or alias rule can be both outside and inside IPs depending on how you use it. That makes sense.
I still think that it's a little bit confusing why a WAN address can't be an IP on the WWW, but I guess I just have to accept that.
-
WAN Address is the IP address of your WAN. WAN Network is the network your WAN is on, based on subnet mask.
-
The internet is HUGE!!!!!! Surely not just one network. You cannot be connected to the WHOLE internet; you are connected to a network that is connected to another network that is connected to another, and others and others, etc.
So when you look at pfSense, its WAN is only one network, be it /24, /29, /21, etc. And on that network you have a gateway to get OFF that network to the stuff past that network (other networks, or anything else, for example on the internet).
If you want something to describe the "internet", it would be ANY.
-
OK, I get that, but what I was not sure about is that my friend's WAN IP is a host and not another WAN IP to me.
:-[ I did try this in another case where I had to redirect an outside host to an inside IP, but that only worked when I used any as source.
-
The traffic will hit your WAN with a source address of the server that sent the request. That is the address you need to pass.
Yes, you make an alias in Firewall > Aliases, IP tab. Give it a name, leave the type set at Hosts. Add the IP addresses FROM WHICH you want to allow SMTP connections. Change the SOURCE on your port forward pass rule to type Single host or alias and enter the alias you have just created.
If you have gotten clicky clicky and set the SOURCE PORT to 25 under the Advanced button (as was implied by one of your prior posts), go back in there and set the source port to any.
-
Thanks Derelict.
Yes, you're right, I did get clicky on the Advanced button, but I also did that when I used the any rule.
So does that explain why my rule didn't work?
-
Certainly doesn't help. Leaving the source port set to any is also in the list of port forward troubleshooting steps.
It shouldn't work with source addresses limited by the alias or with source addresses set to any unless your spam filter provider guarantees that their source port will always be 25, which seems like it would complicate things for them unnecessarily.
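For readers more at home with a terminal-based firewall (as the original poster said they were), the following is an added example, not code from the thread or generated by pfSense, that writes the configuration Derelict describes (alias of allowed source IPs, port forward with source restricted to the alias and source port left at any) plus the LAN-side restriction asked for in the first post, in pf.conf syntax, which is what pfSense drives underneath its GUI. Interface names (em0/em1), the mail server address 192.168.1.25, the alias name spamfilter and the two provider addresses from the 203.0.113.0/24 documentation range are all assumptions; substitute your own. It also keeps the "source port 25" mistake beside the corrected rule so the difference is visible.

```pf
# Added example: pf.conf equivalent of the pfSense GUI steps in this thread.
# All names and addresses below are assumed placeholders.
ext_if  = "em0"            # WAN interface (assumed)
int_if  = "em1"            # LAN interface (assumed)
mailsrv = "192.168.1.25"   # internal mail server, the LAN IP X.X.X.X (assumed)

# Firewall > Aliases, IP tab, type Hosts: the spam filter provider's addresses.
# pfSense renders a hosts alias as a pf table; the two IPs are placeholders.
table <spamfilter> { 203.0.113.10, 203.0.113.11 }

# --- WAN side: port forward 25 only from the provider ---

# WRONG (the "clicky clicky" Advanced > source port = 25 case): the provider's
# connections leave from an ephemeral port, so "from ... port 25" matches nothing.
# rdr on $ext_if proto tcp from <spamfilter> port 25 to ($ext_if) port 25 -> $mailsrv port 25

# RIGHT: source port stays "any"; only the source ADDRESS is restricted to the alias.
rdr  on $ext_if proto tcp from <spamfilter> to ($ext_if) port 25 -> $mailsrv port 25
# The associated filter rule pfSense creates for the forward; "quick" means first match wins.
pass in quick on $ext_if proto tcp from <spamfilter> to $mailsrv port 25 flags S/SA keep state
# No other rule passes port 25 on WAN, so any other source hits the default deny.

# --- LAN side: only the mail server may send SMTP, and only to the provider ---
pass  in quick on $int_if proto tcp from $mailsrv to <spamfilter> port 25 flags S/SA keep state
block in quick on $int_if proto tcp from any to any port 25
# Any general "allow LAN to any" rule must sit BELOW the block above; with "quick"
# rules the first match decides, so order is what enforces the restriction.
```

On pfSense the same outcome comes from the GUI: the table is the alias, the rdr line is the port forward with Source set to Single host or alias, and the two LAN lines are a pass rule followed by a block rule on the LAN tab, in that order. A quick check after applying: from a host outside the alias, `telnet <WAN address> 25` should time out, while the provider's test from their listed addresses should reach the mail server's banner.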