Netgate Discussion Forum
    Allow emails only

    Firewalling
    13 Posts 6 Posters 11.2k Views
    • Kyushu

      How do we block a set of users from surfing the net but they should be able to send and receive emails from/to only one domain ? We already created an alias for the group. We tried to create a rule and it seems to be working when IP address of the destination is used but if we put in the URL it doesn't work.

      Thanks in advance.

      • marcelloc

        @Kyushu:

        We tried to create a rule and it seems to be working when IP address of the destination is used but if we put in the URL it doesn't work.

        Aliases are just for ip, networks, hosts and ports.

        To filter url, you will need a proxy package installed.

        Note: Url and Url table are used to fetch hosts/ip aliases from external urls.

        sample:

        url http://192.168.2.2/ips.txt
        fetches
        10.10.10.10
        10.20.30.50
        mail.google.com
        www.hotmail.com
        192.168.4.4
        ...

        Regards,
        Marcello Coutinho

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        • Kyushu

          Thanks for the input.

          I understand that aliases are for ip, networks, hosts and ports and we also have a proxy that filters specific sites/url.

          We have these specific users in our network that are only allowed to use email, such as:

          192.168.0.10 - 192.168.0.30 ip range

          They are only allowed to get and send email, let us say from and to mail.google.com; aside from that they can't do anything on the net.

          If we put mail.google.com in the destination it doesn't work: the clients just keep on "finding host" but don't send or receive email. But if we put in the IP address of google.com it works.

          Anyway, we'll try it again.

          thanks. :)

          • chpalmer

            Have you allowed them access to a DNS?

            Triggering snowflakes one by one..
            Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

            • reshab912

              Even I am trying to set up the same thing for my organization, but without any success.

              • dhatz

                @Kyushu:

                How do we block a set of users from surfing the net but they should be able to send and receive emails from/to only one domain ? We already created an alias for the group. We tried to create a rule and it seems to be working when IP address of the destination is used but if we put in the URL it doesn't work.

                Thanks in advance.

                Well, you need to be a lot more specific. Do the users who won't be allowed to surf the web, also send/receive email via Web (e.g. Squirrelmail, Gmail, Hotmail etc) ? And in the latter case, do you have control over that mail-server?

                In the simplest case you might be able to achieve what you want by blocking http/https (port 80,443) while allowing 25/587/993/995/etc, but only to certain white-listed IPs.

                In order to allow email to/from one domain only, you'd need to process (in a store & forward fashion, since I don't know of any tool to do this "on-the-fly") all SMTP traffic. One way would be with a "smarthost" that will be relaying all your email.

                • reshab912

                  Our users would be using just Gmail, i.e. mail.google.com. Its use is purely browser based.

                  Attached is the screenshot from my rules.

                  gotomeeting.com -> works, but is very, very slow compared to when I open the default * * * * rule
                  google.com -> does not work.

                  Thanks.

                  • marcelloc

                    You may need to move these rules to a proxy server like squid and/or squidguard/dansguardian.

                    IIRC, these hosts change their IPs very often.

                    Using a proxy, it will check the URL instead of the IP address.

                    Regards,
                    Marcello Coutinho

                    Elite Training: http://sys-squad.com

                    Help a community developer! ;D

                    • reshab912

                      Squid works just for HTTP and not for https. Please correct if I am wrong.

                      Also, we would like to have total ingress/egress control - is it possible with squid?

                      Thanks again

                      • dhatz

                        @reshab912:

                        Our users would be using just Gmail, i.e. mail.google.com. Its use is purely browser based.

                        Check a related feature-request I submitted to Redmine 9 months ago: http://redmine.pfsense.org/issues/1901

                        BTW this is a usage scenario which is coming up much more frequently in recent years, due to proliferation of cloud and SaaS.  AFAIK the only way to enforce it with pfSense would be to maintain the IP ranges yourself. If you only care about Gmail, just use the method I described in my redmine post.

                        PS: You can make Squid also work with https, but not if it's configured as transparent proxy.

                        • Kyushu

                          @dhatz:

                          Well, you need to be a lot more specific. Do the users who won't be allowed to surf the web, also send/receive email via Web (e.g. Squirrelmail, Gmail, Hotmail etc) ? And in the latter case, do you have control over that mail-server?

                          In the simplest case you might be able to achieve what you want by blocking http/https (port 80,443) while allowing 25/587/993/995/etc, but only to certain white-listed IPs.

                          In order to allow email to/from one domain only, you'd need to process (in a store & forward fashion, since I don't know of any tool to do this "on-the-fly") all SMTP traffic. One way would be with a "smarthost" that will be relaying all your email.

                          These specific users are not allowed to surf the net.
                          They use Eudora or Outlook to retrieve emails.
                          They don't use any browser based email.
                          We control our mail server, but it is also co-located. (POP3 of mail.gmail.com is just my example.)
                          We have our own domain where they fetch and send emails.
                          They are all using POP3/POP3s.
                          If we block them using squid, they pass through via HTTPS.
                          DNS servers are specified on their workstations via the DHCP server.

                          Thanks. :)

                          • codemarauder

                            @Kyushu:

                            These specific users are not allowed to surf the net.
                            They use Eudora or Outlook to retrieve emails.
                            They don't use any browser based email.
                            We control our mail server, but it is also co-located. (POP3 of mail.gmail.com is just my example.)
                            We have our own domain where they fetch and send emails.
                            They are all using POP3/POP3s.
                            If we block them using squid, they pass through via HTTPS.
                            DNS servers are specified on their workstations via the DHCP server.
                            Thanks. :)

                            Kyushu, if your users are accessing email using a mail client over IMAPS/POP3S, then things are simple.

                            Block port 80/443 from LAN to Internet
                            Allow ports 993, 995 (IMAPS, POP3S) from LAN to Internet
                            Allow ports 465, 587 (SMTPS) from LAN to Internet

                            The above rules will allow IMAPS, POP3S and SMTPS to all destinations on the Internet. If you still want to narrow it down to allowing access only to Gmail-hosted IMAPS, POP3S and SMTPS, do the following:

                            Create an alias (name it mail_hosts) with the hostnames imap.gmail.com, pop3.gmail.com and smtp.gmail.com
                            Create an alias (name it imaps_pop3s_ports) with ports 993, 995
                            Create an alias (name it smtps_ports) with ports 465, 587

                            and create the following firewall rules:

                            Allow from LAN to alias mail_hosts, ports alias imaps_pop3s_ports
                            Allow from LAN to alias mail_hosts, ports alias smtps_ports
                            Deny ALL from LAN

                            This shall allow access only to Gmail-hosted mail ports from your LAN.

                            • Kyushu
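As an added illustration (my own code, not from the thread or from pfSense), here is a small Python first-match model of the rule set above, using constructed placeholder addresses for the alias hosts and assuming the DHCP-handed resolver is the pfSense LAN address 192.168.0.1. It shows that, without a pass rule for DNS to that resolver, a client configured with a hostname cannot resolve it and hangs while one configured with the IP connects, and that HTTPS to the same hosts is still blocked.

```python
import ipaddress

# Constructed sample data (not from the thread). On pfSense a hostname alias is
# periodically resolved into an address table, so rules only ever match on
# addresses; these are documentation-range placeholders, not Google's real IPs.
MAIL_HOSTS = {"imap.gmail.com": "203.0.113.10",
              "pop.gmail.com": "203.0.113.11",
              "smtp.gmail.com": "203.0.113.12"}
IMAPS_POP3S_PORTS = {993, 995}
SMTPS_PORTS = {465, 587}
GROUP = ("192.168.0.10", "192.168.0.30")  # the restricted users' range from the thread
RESOLVER = "192.168.0.1"  # assumption: the DHCP-handed DNS server is the pfSense LAN address

# A rule is (action, protocols, destination address set or None for any, port set or None for any).
# Every rule is scoped to the restricted group as its source.
RULES_AS_POSTED = [
    ("pass", {"tcp"}, set(MAIL_HOSTS.values()), IMAPS_POP3S_PORTS),
    ("pass", {"tcp"}, set(MAIL_HOSTS.values()), SMTPS_PORTS),
    ("block", {"tcp", "udp"}, None, None),  # Deny ALL from LAN
]
# Same rules, preceded by the one pass that lets the clients reach their resolver.
RULES_WITH_DNS = [("pass", {"tcp", "udp"}, {RESOLVER}, {53})] + RULES_AS_POSTED


def in_group(ip):
    lo, hi = (ipaddress.ip_address(x) for x in GROUP)
    return lo <= ipaddress.ip_address(ip) <= hi


def evaluate(rules, src, dst, proto, dport):
    """First match wins, as pfSense walks interface rules; anything unmatched is blocked."""
    if not in_group(src):
        return "block"
    for action, protos, dsts, ports in rules:
        if proto in protos and (dsts is None or dst in dsts) and (ports is None or dport in ports):
            return action
    return "block"


def client_connect(rules, client_ip, server, port):
    """Model a mail client: a server given by name must be resolved first, an IP literal needs no lookup."""
    try:
        ipaddress.ip_address(server)  # IP literal: skip DNS entirely
        ip = server
    except ValueError:
        if evaluate(rules, client_ip, RESOLVER, "udp", 53) != "pass":
            return "stuck resolving"  # lookup packets fall through to the deny rule
        ip = MAIL_HOSTS.get(server)
        if ip is None:
            return "unknown host"
    return "connected" if evaluate(rules, client_ip, ip, "tcp", port) == "pass" else "blocked"
```

Whether the real resolver is the pfSense box or an upstream server, the check is the same: the rule set must pass port 53 from the group to that address before the final deny.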

                              Got it. That is basically what we did; we only allowed the group to use the mail ports.

                              However, on the client-side mail application such as Eudora and Outlook, if we put the URL or domain name (such as mail.this_is_our_domain_name.com and smtp.this_is_our_domain_name.com) in the SMTP and mail server textbox, it just keeps on resolving and does nothing. But if we put in the IP address it works fine.

                              So for now, we just replaced the mail and SMTP server on the client-side mail application with the IP address instead of the domain name.
                              (But we still would like to use the mail server name instead of the IP address.)

                              Thanks for the info. :)

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.