Netgate Discussion Forum
    LAN outbound allow rule for http(s) and SMTP not passing as expected

    Firewalling
    7 Posts 2 Posters 720 Views

    pfstyro:

      Struggling to get some outbound filtering working properly. Could someone please advise what I am missing?

      LAN interface:
      I want to allow traffic only from specific alias/IPs on the LAN out of the LAN on specific ports. I have tried to set up for two port types - http(s) and SMTP, but I cannot get it to work as expected.

      My rule format, in summary:
      Action: Pass
      Protocol: TCP

      Source: Alias/IP as appropriate
      Port 443 (or 80 for https) / 25

      Destination: any
      Destination Port: 443 or 80 / 25

      Followed by a block everything rule.

      Unfortunately this doesn't work. I cannot access any sites via this rule and the port 25 rule won't pass outgoing emails. The only way I can get either to work is to use 'Any' as the protocol, so I am assuming I am missing some secondary port requirements, but which ones?

      I thought it might need access to a public DNS, so I added rules for that but no joy.

      What am I missing? I am sure it is obvious, but I can't see it atm.

      TIA


        viragomann @pfstyro:

        @pfstyro said in LAN outbound allow rule for http(s) and SMTP not passing as expected:

        Source: Alias/IP as appropriate
        Port 443 (or 80 for https) / 25

        You must not specify a source port. It has to be "any".


          pfstyro @viragomann:

          @viragomann
          Not to doubt you, because 1) I am sure you know better than me and 2) that accords with what I am seeing on these two ports, but I also have a TURN server set up which works exactly as expected. The only difference is that it is limited to specific FQDNs and the protocol port as a pair as the external endpoint, so why does it need 'any' as the protocol for ports 25, 80 and 443?


            viragomann @pfstyro:

            @pfstyro
            I'm not familiar with TURN.
            SMTP and HTTP/S only use TCP. But the source port is dynamic for most applications.


              pfstyro @viragomann:

              @viragomann
              Thx, but how do I then limit access to ONLY http/https? I don't want to allow access to anything other than web pages in some instances.

              EDIT ...
              Hang on .... I can use TCP as the protocol, any as the source and specify the destination ports as 80/443?


                viragomann @pfstyro:

                @pfstyro said in LAN outbound allow rule for http(s) and SMTP not passing as expected:

                but how do I then limit access to ONLY http/https?

                By the destination port. The destination port is static, HTTP goes to 80, SMTP to 25.


                  pfstyro @viragomann:

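The point made in the two answers above (source port must be any, destination port is what identifies the service, and a trailing block rule still restricts everything else) can be checked with a small model of top-down, first-match rule evaluation. This is an added example written for this thread, not pfSense or pf code; the aliases, hosts and packets in it are constructed, and the ruleset is a simplified stand-in for what the original poster described.

```python
"""First-match model of a pfSense-style LAN ruleset (illustrative, not pfSense code).

Shows why a pass rule that pins the SOURCE port to 443 never matches a real
HTTPS connection (the client stack picks an ephemeral source port), while the
same rule with source port any and destination port 443 does, and why the
trailing block-all rule still denies SSH, DNS and SMTP from unlisted hosts.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    proto: Optional[str]      # "tcp", "udp", or None for any protocol
    src: Optional[str]        # host or CIDR (stand-in for an alias); None = any
    src_port: Optional[int]   # None = any (what the thread recommends)
    dst_port: Optional[int]   # None = any


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    src_port: int
    dst: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every populated field of the rule agrees with the packet."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def decide(rules: List[Rule], pkt: Packet) -> str:
    """Interface rules are evaluated top-down; the first match wins.
    Anything that falls off the end hits the implicit default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


# Constructed aliases for the example.
WEB_CLIENTS = "192.168.1.0/24"   # hosts allowed to browse
MAIL_HOST = "192.168.1.20"       # the single host allowed to send SMTP
BLOCK_ALL = Rule("block", None, None, None, None)

# Ruleset as the original poster built it: source port pinned to the service port.
BROKEN_RULES = [
    Rule("pass", "tcp", WEB_CLIENTS, 443, 443),
    Rule("pass", "tcp", WEB_CLIENTS, 80, 80),
    Rule("pass", "tcp", MAIL_HOST, 25, 25),
    BLOCK_ALL,
]

# Corrected ruleset: source port any, destination port fixed.
FIXED_RULES = [
    Rule("pass", "tcp", WEB_CLIENTS, None, 443),
    Rule("pass", "tcp", WEB_CLIENTS, None, 80),
    Rule("pass", "tcp", MAIL_HOST, None, 25),
    BLOCK_ALL,
]

# Constructed packets; source ports are ephemeral, as a real client picks them.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "https from client": Packet("tcp", "192.168.1.10", 51234, "203.0.113.5", 443),
    "smtp from mail host": Packet("tcp", "192.168.1.20", 60001, "198.51.100.9", 25),
    "smtp from client": Packet("tcp", "192.168.1.10", 60002, "198.51.100.9", 25),
    "ssh from client": Packet("tcp", "192.168.1.10", 51235, "203.0.113.5", 22),
    "dns udp from client": Packet("udp", "192.168.1.10", 40000, "9.9.9.9", 53),
}


def report(rules: List[Rule]) -> Dict[str, str]:
    """Decision for each sample packet under the given ruleset."""
    return {name: decide(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(label)
        for name, verdict in report(rules).items():
            print(f"  {name:22s} -> {verdict}")
```

Under `BROKEN_RULES` every sample packet is blocked, because no client ever sends from source port 443, 80 or 25. Under `FIXED_RULES` only HTTPS from the LAN and SMTP from the mail host pass; SSH, SMTP from an unlisted host, and DNS to an outside resolver still hit the block rule. That last case is the one the original poster touched on: if LAN clients resolve names through an external resolver rather than the firewall itself, the ruleset needs a separate allow for port 53 or the web rules will appear not to work.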
                  @viragomann
                  Thx, got that as you were typing I think. Brilliant!

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.