Netgate Discussion Forum

    Blocking Port 25 Except from Filtering Service

    Category: Firewalling
    14 Posts, 4 Posters, 1.7k Views
    • JKnott

      Where does that "Filt.IP" in the pass line come from?  When I try to set up a rule, the specific address is listed.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

    • Stewart

        @JKnott:

        Where does that "Filt.IP" in the pass line come from?  When I try to set up a rule, the specific address is listed.

        It's the actual IP address of the filter.  I changed it to protect the innocent. :)

    • Stewart

          So, I changed the Destination to be the internal IP address of the Exchange server and now it appears to be blocking.  This is on the WAN tab of the page.  Why would I put a LAN address under Destination?

    • JKnott

            As KOM mentioned, that "WAN address" is the firewall.  Unless the mail is going to it, you need the LAN address of the Exchange server.  You could also have specified the entire network, instead of a specific address.


    • KOM

    @Stewart:

    Why would I put a LAN address under Destination?

              Because you're forwarding the traffic.  That's how a port-forward works.  You define the NAT and the firewall rule allows the traffic to flow.

              As KOM mentioned, that "WAN address" is suspicious.

              I was just about to ask him if this was a forward, and then he is using the wrong target IP.

    • kpa

    This is one of the gotchas of the PF packet filter. All NAT (inbound rdr or outbound NAT) happens before the packet hits the filter, and the filter never sees the packets as they were before the address translation; you have to match the packets in your filter rules using the translated addresses after NAT.

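    The ordering kpa describes (rdr first, then the filter rules see the translated packet) written out as a pf.conf fragment. This is an added example, not configuration from the thread and not the ruleset pfSense itself generates; the interface name igb0, the macro names, and the addresses 192.0.2.10 (the thread's "Filt.IP") and 10.0.0.25 (the Exchange server) are placeholders chosen for illustration. It goes one step beyond the thread by adding an explicit logged block rule for everything else aimed at the forwarded port.

```pf
# Assumed macros (placeholders, not from the thread): the WAN interface,
# the mail-filtering service's public address, and the Exchange server's
# LAN address.
wan_if    = "igb0"
filter_ip = "192.0.2.10"    # the thread's "Filt.IP"
exchange  = "10.0.0.25"     # internal Exchange server

# NAT (pfSense: Firewall > NAT > Port Forward) is evaluated first.
# A packet for the WAN address on 25/tcp leaves this rule with
# destination 10.0.0.25 before any filter rule looks at it.
rdr on $wan_if proto tcp from any to ($wan_if) port 25 -> $exchange port 25

# Filter rules (pfSense: Firewall > Rules > WAN) see the translated packet.

# WRONG: never matches. After rdr the destination is the Exchange LAN
# address, not the WAN address, so this pass rule is dead and the packet
# falls through to the default deny.
# pass in quick on $wan_if proto tcp from $filter_ip to ($wan_if) port 25

# RIGHT: match on the post-NAT destination and restrict the source to the
# filtering service, so only it can reach the forwarded port.
pass in quick on $wan_if proto tcp from $filter_ip to $exchange port 25

# Anything else aimed at the forwarded port is dropped and logged. pfSense's
# default deny on WAN would drop it anyway; the explicit rule makes the
# direct-to-port-25 attempts visible in the firewall log.
block in log quick on $wan_if proto tcp from any to $exchange port 25
```

    On a pfSense box you can confirm the same ordering from a shell with `pfctl -sn` (the NAT rules, evaluated first) and `pfctl -sr` (the filter rules, which must name the translated address). If the port forward was created with an associated filter rule, edit that rule's Source from "any" to the filter's address rather than leaving the auto-generated rule open; a test from inside the LAN will not exercise WAN rules at all, so check from the outside or with the filtering service itself.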
    • Stewart

                  Ah.  I assumed this was before the forward instead of after.  That makes things clearer now.  Thanks for all the info everyone!  Let me try it out and I'll let you know how it turns out.

    • Stewart

                    @JKnott:

                    As KOM mentioned, that "WAN address" is the firewall.  Unless the mail is going to it, you need the LAN address of the Exchange server.  You could also have specified the entire network, instead of a specific address.

                    So, I can set the destination as "LAN Network"?

    • JKnott

                      You can specify the network, but you're probably better off with just the server address.  You'd normally specify the network if you want to be able to reach most or all of the computers on the network.  I doubt you'd have more than 1 or 2 Exchange servers, so stick with the single address.  I was just providing an example of how you could use the destination for filtering.


    • Stewart

                        It's all working.  Thanks again for everyone's help!!!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.