Nmap scan of ports

  • Hello

    I have scanned with Nmap a mail server behind my pfSense firewall. The scan of the firewall shows that port 25 is closed, but that it is open on the mail server (no surprise). I have a rule on the firewall opening port 25, with the mail server being the destination. I have no problem sending email from the mail server. What could cause the port to be "closed" to the scan?

    I have a NAT of
    WAN TCP  *  *  xxx.xxx.49.33  25(SMTP)    25(SMTP)

    And a Rule
    IPv4 TCP  *    *  25(SMTP)  *  none

    Duplication of effort?  Does one conflict with the other?

  • did you add your rule on the LAN or WAN interface?

  • WAN

  • LAYER 8 Netgate

    Sending email from the mail server does not require a port forward. Just like browsing web pages from the inside does not.

    That port forward looks good.

    Yes, you need both the NAT and the pass rule. First NAT happens then the firewall is checked. If your mail server on the inside had a routable address, you would only need the pass rule.

    I would:

    Check that the firewall on the mail server itself is passing the traffic from anywhere

    Check with a packet capture that connections to 25 into WAN are actually arriving on WAN. It would be strange for an ISP to allow outbound to 25 but not inbound but ISPs do strange things.

    This is all assuming you are testing from outside into WAN and you are not looking at a NAT reflection issue.

    Good list of things to check here:


  • Full disclosure, I am the "ISP", who inherited this, and I am trying to figure why port 25 shows up as blocked. Are yo saying there could be a problem between the mail server and the firewall? My understanding is the Rule is the allow inbound.

  • LAYER 8 Netgate

    No, I'm saying there might be a firewall rule on the host itself blocking traffic. Or something else on the path.

    Or the connections from the outside to pfSense WAN might be blocked.

    It looks like you have done everything on pfSense WAN that you need to.

    Check everything here:


  • Okay, thanks

Log in to reply