Netgate Discussion Forum

    Need Best Solution to Allow IP addresses to By Pass Custom Rule to Block SMTP 25

    Category: IDS/IPS | 5 Posts, 2 Posters, 616 Views
    kiekar

      Hello,

      I have many attempts from the outside world to log in to mydomain user accounts, which I've noticed on my anti-spam proxy filter logs. I found an article where someone created a custom rule to block any brute-force attempts.

      alert tcp $EXTERNAL_NET any -> any 25 (msg:"SMTP AUTH LOGON brute force attempt"; content:"AUTH LOGIN"; nocase; classtype:suspicious-login; sid:1000001; rev:2;)

      My issue is that the rule blocks all attempts, including my attempt to send out mail using my mobile provider's network. What is the best solution to allow my mobile network to bypass the rule: Pass Lists, IP List or IP Rep? I created an Alias with IPs of 24.114.0.0/17 and
      72.136.0.0/13. Any help would be much appreciated.

      Karl

      pfBasic (Banned)

        Yeah that shouldn't be too difficult to accomplish.

        You can create your alias for Suricata at /usr/local/pkg/suricata/suricata_yaml_template.inc under the "vars:" section.
        Once you've created your alias change your custom rule to the following.
        This just sets the rule to alert on any source IP not included in your alias, instead of any source included in the built-in $EXTERNAL_NET alias.

        alert tcp !$MY_NET any -> any 25
          kiekar
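To make the difference between the two rule headers concrete, here is a small added example (not code from the thread, pfSense, Snort or Suricata) that resolves Snort/Suricata-style address specs ("$EXTERNAL_NET", "!$MY_NET", a negated bracket list) against a handful of constructed SMTP sessions and reports which source IPs would trigger the AUTH LOGIN alert. The HOME_NET value, the session lines and the $MY_NET variable name are assumptions; the two mobile ranges are the ones from the first post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address variables. HOME_NET is an assumed LAN range; MY_NET holds the two
# mobile-provider ranges from the first post; EXTERNAL_NET is the conventional "!$HOME_NET".
VARIABLES = {
    "HOME_NET": ["192.168.1.0/24"],
    "MY_NET": ["24.114.0.0/17", "72.136.0.0/13"],
    "EXTERNAL_NET": "!$HOME_NET",
}

def addr_matches(ip, spec, variables=VARIABLES):
    """Return True if `ip` satisfies a Snort/Suricata-style address spec.

    Supports 'any', a CIDR, a $VARIABLE (whose value is a list of CIDRs or another spec),
    a bracketed comma list such as [$HOME_NET,$MY_NET], and a leading '!' negation.
    """
    negate = spec.startswith("!")
    body = spec[1:] if negate else spec
    addr = ipaddress.ip_address(ip)
    if body == "any":
        hit = True
    elif body.startswith("[") and body.endswith("]"):
        hit = any(addr_matches(ip, part.strip(), variables) for part in body[1:-1].split(","))
    elif body.startswith("$"):
        value = variables[body[1:]]
        if isinstance(value, str):
            hit = addr_matches(ip, value, variables)
        else:
            hit = any(addr in ipaddress.ip_network(n) for n in value)
    else:
        hit = addr in ipaddress.ip_network(body)
    return not hit if negate else hit

@dataclass(frozen=True)
class Rule:
    sid: int
    src: str        # source address spec, e.g. "$EXTERNAL_NET" or "!$MY_NET"
    dst_port: int
    content: str    # payload substring matched case-insensitively (the rule's nocase)

def rule_fires(rule, src_ip, dst_port, payload, variables=VARIABLES):
    """Header match on source address and destination port, then the content match."""
    return (addr_matches(src_ip, rule.src, variables)
            and dst_port == rule.dst_port
            and rule.content.lower() in payload.lower())

# The rule from the first post, pfBasic's negated-variable version, and a list-negation
# variant that keeps the LAN excluded as well (Snort's ![...] IP-list syntax).
ORIGINAL = Rule(sid=1000001, src="$EXTERNAL_NET", dst_port=25, content="AUTH LOGIN")
REVISED = Rule(sid=1000001, src="!$MY_NET", dst_port=25, content="AUTH LOGIN")
COMBINED = Rule(sid=1000001, src="![$HOME_NET,$MY_NET]", dst_port=25, content="AUTH LOGIN")

# Constructed sessions (source IP, destination port, first client line), not captured traffic.
SESSIONS = [
    ("24.114.10.20", 25, "AUTH LOGIN\r\n"),          # the poster's phone on the mobile network
    ("203.0.113.45", 25, "auth login\r\n"),          # unknown outside host, lowercase probe
    ("192.168.1.50", 25, "AUTH LOGIN\r\n"),          # a LAN host relaying through the filter
    ("203.0.113.45", 25, "EHLO mail.example\r\n"),   # no AUTH LOGIN, must never fire
    ("203.0.113.45", 587, "AUTH LOGIN\r\n"),         # submission port, outside this rule's scope
]

def alerting_sources(rule):
    """Source IPs that would raise the rule's alert across the constructed sessions."""
    return [ip for ip, port, payload in SESSIONS if rule_fires(rule, ip, port, payload)]

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("revised", REVISED), ("combined", COMBINED)):
        print(f"{name:9s} {rule.src:22s} -> {alerting_sources(rule)}")
```

Running it shows the original header alerting on both the mobile phone and the unknown outside host, while "!$MY_NET" exempts the mobile ranges. It also shows the side effect of swapping out $EXTERNAL_NET: with "!$MY_NET" the LAN host now alerts too, because the home network is no longer excluded. If that matters in your deployment, negating a list that contains both variables keeps the LAN and the mobile ranges out, which is what the COMBINED rule does.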

          Thanks for your response,

          I should've been more clear. I'm using Snort. I'm currently using a Pass List, which works fine now, but I am concerned that if I leave the country and use my cell phone it will once again get blocked based on the IP address I will have, which won't be on the alias Pass List.

            pfBasic (Banned)

            Oh ok, can you just set up a VPN server on your pfSense box and export the client to your cell phone? VPN won't be on port 25, and once you are connected you'll be on an IP you can set an alias for.

              kiekar

              I do have VPN set up on my server and also the client on my phone. I will need to give this a test.

              Thanks,

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.