Assistance in blocking SMTP in LAN
-
Hi there, i would like to know if this one is correct. I tried to read some of the forum post but most of them are in text based instruction. Sorry for that. Before we used TMG and now we changed to pfSense.
I just want to know if this one is right. I want to block LAN SMTP except our mail server which is 192.168.0.5.
-
No. Edit the first (block) rule and set up as Source - NOT - your mailserver; Destination - NOT - your mailserver. Delete the second one below.
-
Note: If 192.168.0.5 SMTP server is actually on the LAN (e.g. LAN is 192.168.0.0/24) then traffic from other clients on the LAN (e.g. 192.168.0.99) to 192.168.0.5 will not go to pfSense, it will traverse directly across the LAN switch. If the traffic does not go through pfSense, then pfSense cannot block it.
-
How about block all SMTP to with destination your server then invert the sense?
-
Hi there!
Thanks for the immediate reply! :) Upon configuring..
I changed it to this mode. Is this the correct setting? :)
-
Note: If 192.168.0.5 SMTP server is actually on the LAN (e.g. LAN is 192.168.0.0/24) then traffic from other clients on the LAN (e.g. 192.168.0.99) to 192.168.0.5 will not go to pfSense, it will traverse directly across the LAN switch. If the traffic does not go through pfSense, then pfSense cannot block it.
I, perhaps in error, was assuming he meant preventing SMTP traffic directed outside his network.
-
I wanted to block all SMTP initiated in the clients except my mail server to avoid spamming.
-
Ahhhh…
Two rules then.1st rule. Pass all SMTP originating from your servers ip. 192.168.0.5 /31
2nd rule. Block all SMTP originating on that entire subnet there. 192.168.0.0/16no inverting senses needed in that case.
-
Should be like this I guess.
Ahhhh…
Two rules then.1st rule. Pass all SMTP originating from your servers ip. 192.168.0.5 /31
2nd rule. Block all SMTP originating on that entire subnet there. 192.168.0.0/24no inverting senses needed in that case.
But I don't know how many interfaces you have on this with clients, but the interface with the mail server will get both rules. The pass rule and then the block rule. The others just get a block rule. Except WAN. But every "LAN" interface has to be accounted for.
-
Should be like this I guess.
Ahhhh…
Two rules then.1st rule. Pass all SMTP originating from your servers ip. 192.168.0.5 /31
2nd rule. Block all SMTP originating on that entire subnet there. 192.168.0.0/24no inverting senses needed in that case.
But I don't know how many interfaces you have on this with clients, but the interface with the mail server will get both rules. The pass rule and then the block rule. The others just get a block rule. Except WAN. But every "LAN" interface has to be accounted for.
So my first picture was correct? right?
-
No.
Right below the anti-lockout rule, add another pass rule.Pass SMTP source single host/alias 192.168.0.5 /31 to any
Then your block rule as it was.
-
Ahh.. You mean this one? :)
-
These rules are ran in order as they appear in that list.
So, 1st you want to let 192.168.0.5 /31 pass to anywhere it wants.
Then your want to block SMTP with SOURCE the entire subnet (This is ok, because 192.168.0.5 /31 already passed its traffic)
Lastly, pass everything (we have already passed 192.168.0.5 /31 and blocked SMTP everywhere else. You are covered) -
OK - Last one just needs one tiny change.
In your block rule, make SOURCE network 192.168.0.0 /24
-
These rules are ran in order as they appear in that list.
So, 1st you want to let 192.168.0.5 /31 pass to anywhere it wants.
Then your want to block SMTP with SOURCE the entire subnet (This is ok, because 192.168.0.5 /31 already passed its traffic)
Lastly, pass everything (we have already passed 192.168.0.5 /31 and blocked SMTP everywhere else. You are covered)This is interesting :) thanks for this info :) now i know a bit how this work :)
-
I'm assuming 192.168.0.0 / 24 is your entire network? Is this correct? No others?
Because if you have others, you will have to apply the block rule to each interface those other subnets are on.
If you only have just this 1 LAN and 1 WAN (just two network ports) you are done.
-
I changed the block rule to this network… Is this correct? :) What's the diffrence in the SOURCE * and SOURCE NETWORK 192.168.0.0
-
I'm assuming 192.168.0.0 / 24 is your entire network? Is this correct? No others?
Because if you have others, you will have to apply the block rule to each interface those other subnets are on.
If you only have just this 1 LAN and 1 WAN (just two network ports) you are done.
I have 2 WAN (2nd WAN is useless) and 3 Networks
192.168.0.0 –---[SW]–----[AP] 192.168.1.0
|–----[AP] 192.168.2.0They connected to a switch and going to an AP (Linksys)
-
- means any.
192.168.0.0 /24 means any of the 256 possible in that /24 network.
There is every possibility that * and 192.168.0.0 /24 are the same for you, but if its stipulated as a 192.168.0.0 /24 I know for sure 100% its only affecting those computers in only that network range without having to guess of my idea of any and pfsense's idea of any were the same.
I'd hate to make a rule too general and break SMTP more than you intend to break it.
-
did you give that one port a /24 or a /16?
Or do you have 2 more port interfaces set up, each with a /24?