Closing port 25 from outside



  • We're on pfSense 1.2.2 and I can't figure something out.  I have our firewall set to permit port 25 so my internal server can forward mail to the outside, but I don't want it open from the outside.
    Is there a way to do this?

    Here are my current rules:

    NAT: Port forward
    Proto  Ext. port range  NAT IP       Int. port range  Description
    WAN TCP  25 (SMTP)      10.23.23.24  25 (SMTP)        Mail forward for exchange server
             (ext.: any)

    Firewall Rules:
    TCP  *  *  10.23.23.24  25 (SMTP)  *   NAT Mail forward for exchange server

    Thanks!
    Mitch



  • The permit rule so that your mail server can send mail would be on the LAN interface. Remove the rule on the WAN and the port forward in NAT, and that will stop inbound on WAN.
    I would disable and reset states first before I deleted the rule.



  • Thanks so much, trying it now..

    @podilarius:

    The permit rule so that your mail server can send mail would be on the LAN interface. Remove the rule on the WAN and the port forward in NAT, and that will stop inbound on WAN.
    I would disable and reset states first before I deleted the rule.


  • LAYER 8 Global Moderator

    "but I don't want it open from the outside."

    Then why did you set up a port forward?  The only reason for a port forward is when you want unsolicited traffic from the outside to go to some box on the inside.

    What you're asking for in a default setup would already have been allowed.  Default rules allow anything on LAN to go to anything on the internet, and there would be NO allowed unsolicited inbound traffic.

    So any box on your network would be allowed to talk to anything on 25 on the internet.  If you want to limit that, then yes, on your LAN you would create a rule to only allow your exchange box to talk out on 25, and create a specific rule to block everything on 25 right under that rule.  Then under that rule you would have your default allow again.  So exchange talking on 25 is ok, anything else on 25 is blocked, and talking on, say, 80 would be open.

    You should have no port forwards in what you asked for.
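The two answers above boil down to rule ordering: pfSense evaluates firewall rules top-down and the first match wins, so the "allow Exchange on 25 / block everyone else on 25 / default allow" sequence only works in that order, and inbound 25 on WAN is dropped simply because no pass rule or port forward exists there. The script below is an added illustration, not part of this thread and not pfSense's or pf's own code: a tiny first-match evaluator loaded with the LAN rule set the moderator describes and an empty WAN rule set. The Exchange address 10.23.23.24 comes from the thread; the LAN subnet 10.23.23.0/24 and the other source addresses are constructed assumptions.

```python
"""Illustrative first-match firewall rule evaluation (added example, not pfSense code).

Models the LAN rule set from the thread (Exchange out on TCP/25, block other
LAN hosts on TCP/25, then the default allow) and a WAN rule set with no pass
rule and no port forward. Subnet and non-Exchange addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

LAN_NET = ip_network("10.23.23.0/24")           # assumed LAN subnet
EXCHANGE = ip_network("10.23.23.24/32")         # Exchange host from the thread


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    src: Optional[IPv4Network]     # None means any source
    dport: Optional[int]           # None means any destination port
    description: str

    def matches(self, src: str, dport: int) -> bool:
        src_ok = self.src is None or ip_address(src) in self.src
        port_ok = self.dport is None or self.dport == dport
        return src_ok and port_ok


def evaluate(rules, src: str, dport: int):
    """First matching rule decides; no match falls through to the implicit default deny."""
    for rule in rules:
        if rule.matches(src, dport):
            return rule.action, rule.description
    return "block", "implicit default deny"


# LAN rules in the order the moderator describes: most specific first.
LAN_RULES = [
    Rule("pass", EXCHANGE, 25, "Allow Exchange out on SMTP"),
    Rule("block", LAN_NET, 25, "Block all other LAN hosts on SMTP"),
    Rule("pass", LAN_NET, None, "Default allow LAN to any"),
]

# WAN: no port forward and no pass rule, so unsolicited inbound is dropped.
WAN_RULES = []

# Same three rules with the block placed *below* the default allow: the block
# never fires because the default allow matches first.
MISORDERED_LAN_RULES = [LAN_RULES[0], LAN_RULES[2], LAN_RULES[1]]


def lan_decision(src: str, dport: int) -> str:
    return evaluate(LAN_RULES, src, dport)[0]


def wan_decision(src: str, dport: int) -> str:
    return evaluate(WAN_RULES, src, dport)[0]


def misordered_decision(src: str, dport: int) -> str:
    return evaluate(MISORDERED_LAN_RULES, src, dport)[0]


if __name__ == "__main__":
    samples = [
        ("LAN", LAN_RULES, "10.23.23.24", 25),        # Exchange sending mail
        ("LAN", LAN_RULES, "10.23.23.50", 25),        # constructed workstation on 25
        ("LAN", LAN_RULES, "10.23.23.50", 80),        # same workstation browsing
        ("WAN", WAN_RULES, "198.51.100.7", 25),       # constructed outside host
        ("LAN (misordered)", MISORDERED_LAN_RULES, "10.23.23.50", 25),
    ]
    for iface, rules, src, port in samples:
        action, why = evaluate(rules, src, port)
        print(f"{iface:<17} {src:>14} -> tcp/{port:<3} {action:<5} ({why})")
```

The misordered variant is the mistake to watch for when recreating this in the GUI: a block rule placed under the default allow is dead, and every LAN host keeps sending on 25. Per the earlier answer, existing connections already in the state table keep flowing after a rule change until the states are reset.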

