Netgate Discussion Forum

Blocking Port 25 Except from Filtering Service

Category: Firewalling (14 posts, 4 posters, 1.7k views)
    Stewart, posted Feb 24, 2017, 6:05 PM (last edited 6:19 PM)

    I have an Exchange server that is getting hit with failed logon attempts constantly which I'd like to block in the Firewall but I can't figure out what I'm missing.  I believe Blocks come before Passes so I have:

    
    Action  Protocol      Source   Port  Destination  Port       Gateway  Queue  Schedule  Description
    BLOCK   IPv4 TCP/UDP  *        *     WAN address  25 (SMTP)  *        none             Block Port 25 Traffic not Explicitly Defined Above
    PASS    IPv4 TCP/UDP  Filt.IP  *     WAN address  25 (SMTP)  *        none             Allow traffic from Filter

    What gives?  If, on the block Source I put in a specific IP then it works.  If I put * it doesn't.  I literally want the entire world blocked on a specific port except for the IPs I designate.  I'm sure it's something simple but what am I missing?

    Edit:  I've almost figured it out.  On the Block if I set destination to "WAN Address" then it doesn't work.  If I set it to * then it does but it blocks everything including the IPs in the PASS rule.  There is only 1 IP on the WAN.  Am I mis-understanding what "WAN Address" is?  I assumed it was anything coming to the WAN port destined for the IP on it.  Is it not?

      KOM, Feb 24, 2017, 6:24 PM

      WAN Address is literally the IP address used by WAN.

      The rules are processed top-down first-match, so your pass rule will never fire if the preceding rule blocks *.

        JKnott, Feb 24, 2017, 6:27 PM

        It looks like you've got those rules in reverse order.  You can't pass a specific address after you've blocked all.  Rules work on a first match basis and you match block all first, which means the desired source never gets to the rule that allows it.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          Stewart, Feb 24, 2017, 6:29 PM

          @KOM:

          WAN Address is literally the IP address used by WAN.

          The rules are processed top-down first-match, so your pass rule will never fire if the preceding rule blocks *.

          That's what I thought so I originally had the Block below the Pass.  Since it wasn't working I came and looked and saw people posting Block first so I changed it.  I have it back now to Pass before Block but it isn't working.  If Block is on with "*" then it blocks all port 25 traffic.  If Block is on with "WAN Address" it blocks nothing.

          It is now:

          
          Action  Protocol      Source   Port  Destination  Port       Gateway  Queue  Schedule  Description
          PASS    IPv4 TCP/UDP  Filt.IP  *     WAN address  25 (SMTP)  *        none             Allow traffic from Filter
          BLOCK   IPv4 TCP/UDP  *        *     WAN address  25 (SMTP)  *        none             Block Port 25 Traffic not Explicitly Defined Above

            JKnott, Feb 24, 2017, 6:49 PM

            Where does that "Filt.IP" in the pass line come from?  When I try to set up a rule, the specific address is listed.

              Stewart, Feb 24, 2017, 6:54 PM

              @JKnott:

              Where does that "Filt.IP" in the pass line come from?  When I try to set up a rule, the specific address is listed.

              It's the actual IP address of the filter.  I changed it to protect the innocent. :)

                Stewart, Feb 24, 2017, 6:59 PM

                So, I changed the Destination to be the internal IP address of the Exchange server and now it appears to be blocking.  This is on the WAN tab of the page.  Why would I put a LAN address under Destination?

                  JKnott, Feb 24, 2017, 7:00 PM

                  As KOM mentioned, that "WAN address" is the firewall.  Unless the mail is going to it, you need the LAN address of the Exchange server.  You could also have specified the entire network, instead of a specific address.

                    KOM, Feb 24, 2017, 7:02 PM

                    Why would I put a LAN address under Destination?

                    Because you're forwarding the traffic.  That's how a port-forward works.  You define the NAT and the firewall rule allows the traffic to flow.

                    As KOM mentioned, that "WAN address" is suspicious.

                    I was just about to ask him if this was a forward, and then he is using the wrong target IP.

                      kpa, posted Feb 24, 2017, 7:10 PM (last edited 7:25 PM)

                      This is one of the gotchas of the PF packet filter. All NAT (inbound RDR or outbound NAT) happens before it hits the packet filter and the packet filter never sees the packets as they were before the address translation, you have to match the packets in your filter rules using the translated addresses after NAT.

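An added illustration of kpa's point, not code from the thread or from pfSense itself: a toy model of the WAN inbound path that applies the port forward (pf's rdr) first and only then evaluates the rules top-down, first match wins. All addresses are constructed, and the pass rule pfSense links to a port forward is assumed to sit below Stewart's own two rules.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses (documentation ranges): WAN IP, filtering service, Exchange host.
WAN_ADDRESS = ip_address("203.0.113.10")
FILTER_IP = ip_address("198.51.100.25")
EXCHANGE_IP = ip_address("192.168.1.20")
# Port forward (pf "rdr"): anything arriving at WAN:25 is rewritten to the Exchange host.
PORT_FORWARDS = {(WAN_ADDRESS, 25): (EXCHANGE_IP, 25)}

def rule(action, src, dst, dport, desc):
    return {"action": action, "src": src, "dst": dst, "dport": dport, "desc": desc}

def apply_rdr(pkt):
    """NAT runs before the filter, so the filter only ever sees the translated packet."""
    target = PORT_FORWARDS.get((pkt["dst"], pkt["dport"]))
    return dict(pkt) if target is None else {**pkt, "dst": target[0], "dport": target[1]}

def matches(r, pkt):
    src_ok = r["src"] == "*" or pkt["src"] in ip_network(r["src"])
    dst_ok = r["dst"] == "*" or pkt["dst"] in ip_network(r["dst"])
    return src_ok and dst_ok and r["dport"] == pkt["dport"]

def filter_packet(rules, pkt):
    """Top-down, first match wins; nothing matching falls to pfSense's WAN default deny."""
    translated = apply_rdr(pkt)
    for r in rules:
        if matches(r, translated):
            return r["action"], r["desc"]
    return "block", "default deny"

# pfSense links a pass rule to the Exchange IP when the port forward is created;
# assumed here to sit below the user's own rules.
ASSOCIATED = rule("pass", "*", str(EXCHANGE_IP), 25, "NAT Exchange SMTP")

# The thread's starting point: both rules aim at "WAN address", which no forwarded
# packet carries once NAT has run, so only the associated rule ever fires.
WRONG = [rule("pass", str(FILTER_IP), str(WAN_ADDRESS), 25, "Allow traffic from Filter"),
         rule("block", "*", str(WAN_ADDRESS), 25, "Block port 25 not defined above"),
         ASSOCIATED]
# The fix: match the translated (Exchange) destination, with the pass above the block.
RIGHT = [rule("pass", str(FILTER_IP), str(EXCHANGE_IP), 25, "Allow traffic from Filter"),
         rule("block", "*", str(EXCHANGE_IP), 25, "Block port 25 not defined above"),
         ASSOCIATED]

def outcomes(rules):
    """Verdict for SMTP arriving at the WAN IP from the filter and from an unknown host."""
    probes = {"filter": str(FILTER_IP), "elsewhere": "192.0.2.77"}
    return {name: filter_packet(rules, {"src": ip_address(ip), "dst": WAN_ADDRESS, "dport": 25})[0]
            for name, ip in probes.items()}
```

With the rules as posted both probes pass, because the block rule never sees a packet addressed to the WAN IP; with the corrected rules only the filter's address gets through.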
                        Stewart, Feb 24, 2017, 7:23 PM

                        Ah.  I assumed this was before the forward instead of after.  That makes things clearer now.  Thanks for all the info everyone!  Let me try it out and I'll let you know how it turns out.

                          Stewart, Feb 24, 2017, 7:25 PM

                          @JKnott:

                          As KOM mentioned, that "WAN address" is the firewall.  Unless the mail is going to it, you need the LAN address of the Exchange server.  You could also have specified the entire network, instead of a specific address.

                          So, I can set the destination as "LAN Network"?

                            JKnott, Feb 24, 2017, 7:31 PM

                            You can specify the network, but you're probably better off with just the server address.  You'd normally specify the network if you want to be able to reach most or all of the computers on the network.  I doubt you'd have more than 1 or 2 Exchange servers, so stick with the single address.  I was just providing an example of how you could use the destination for filtering.

                              Stewart, Feb 24, 2017, 7:36 PM

                              It's all working.  Thanks again for everyone's help!!!
