LAN outbound allow rule for http(s) and SMTP not passing as expected
-
Struggling to get some outbound filtering working properly. Could someone please advise what I am missing?
LAN interface:
I want to allow traffic only from specific alias/IPs on the LAN out of the LAN on specific ports. I have tried to set up for two port types - http(s) and SMTP, but I cannot get it to work as expected. My rule format is, in summary:
Action: Pass
Protocol: TCP
Source: Alias/IP as appropriate
Port 443 (or 80 for https) / 25
Destination: any
Destination Port: 443 or 80 / 25
Followed by a block everything rule.
Unfortunately this doesn't work. I cannot access any sites via this rule and the port 25 rule won't pass outgoing emails. The only way I can get either to work is to use 'Any' as the protocol, so I am assuming I am missing some secondary port requirements, but which ones?
I thought it might need access to a public DNS, so I added rules for that but no joy.
What am I missing? I am sure it is obvious, but I can't see it atm.
TIA
-
@pfstyro said in LAN outbound allow rule for http(s) and SMTP not passing as expected:
Source: Alias/IP as appropriate
Port 443 (or 80 for https) / 25
You must not specify a source port. It has to be "any".
-
@viragomann
Not to doubt you, because 1) I am sure you know better than me and 2) that accords with what I am seeing on these two ports, but I also have a TURN server set up which works exactly as expected. The only difference is that it is limited to specific FQDNs and the protocol port as a pair as the external endpoint, so why does it need 'any' as the protocol for ports 25, 80 and 443?
-
@pfstyro
I'm not familiar with TURN.
SMTP and HTTP/S only use TCP. But the source port is basically dynamic for most applications.
-
@viragomann
Thx, but how do I then limit access to ONLY http/https? I don't want to allow access to anything other than web pages in some instances.
EDIT ...
Hang on .... I can use TCP as the protocol, any as the source and specify the destination ports as 80/443?
-
@pfstyro said in LAN outbound allow rule for http(s) and SMTP not passing as expected:
but how do I then limit access to ONLY http/https?
By the destination port. The destination port is static, HTTP goes to 80, SMTP to 25.
-
@viragomann
Thx, got that as you were typing I think. Brilliant!
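The same rules written out in pf(4) syntax, which is what pfSense generates from the GUI rules above. This is an added illustration, not anything posted in the thread or taken from a real configuration: the interface name and the alias tables are constructed placeholders, and the rules are restricted by destination port with the source port left unspecified, as the replies explain.

```pf
# Constructed example mirroring the thread's LAN rules; names are placeholders.
lan_if = "igb1"
table <web_clients> { 192.168.1.20, 192.168.1.21 }   # sample "web only" alias
table <mail_server> { 192.168.1.25 }                 # sample mail host alias

# Rules as first written in the thread: a fixed SOURCE port of 443/80 or 25.
# A client's source port is an ephemeral value chosen per connection, so these
# never match and the traffic falls through to the block rule at the bottom.
# pass in quick on $lan_if inet proto tcp from <web_clients> port 443 to any port 443 flags S/SA keep state
# pass in quick on $lan_if inet proto tcp from <mail_server> port 25  to any port 25  flags S/SA keep state

# Corrected rules: protocol TCP, source port any (simply omitted), and the
# DESTINATION port pinned to the service, which is the part that is static.
pass in quick on $lan_if inet proto tcp from <web_clients> to any port { 80, 443 } flags S/SA keep state
pass in quick on $lan_if inet proto tcp from <mail_server> to any port 25 flags S/SA keep state

# Name resolution still needs its own pass rule (the poster already had one);
# without it the web clients cannot look up the sites they are allowed to reach.
pass in quick on $lan_if inet proto { tcp, udp } from <web_clients> to any port 53 keep state

# Everything else leaving the LAN is dropped.
block in quick on $lan_if all
```

Before loading a hand-written file like this, `pfctl -nf <file>` parses it without applying it, which catches syntax slips such as a stray source port.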