Assistance in blocking SMTP in LAN



  • Hi there, I would like to know if this one is correct. I tried to read some of the forum posts but most of them are text-based instructions. Sorry for that. Before we used TMG and now we changed to pfSense.

    I just want to know if this one is right. I want to block LAN SMTP except our mail server which is 192.168.0.5.


  • No. Edit the first (block) rule and set up as Source - NOT - your mailserver; Destination - NOT - your mailserver. Delete the second one below.



  • Note: If 192.168.0.5 SMTP server is actually on the LAN (e.g. LAN is 192.168.0.0/24) then traffic from other clients on the LAN (e.g. 192.168.0.99) to 192.168.0.5 will not go to pfSense, it will traverse directly across the LAN switch. If the traffic does not go through pfSense, then pfSense cannot block it.



  • How about blocking all SMTP with destination your server, then inverting the sense?



  • Hi there!

    Thanks for the immediate reply! :) Upon configuring..

    I changed it to this mode. Is this the correct setting? :)



  • @phil.davis:

    Note: If 192.168.0.5 SMTP server is actually on the LAN (e.g. LAN is 192.168.0.0/24) then traffic from other clients on the LAN (e.g. 192.168.0.99) to 192.168.0.5 will not go to pfSense, it will traverse directly across the LAN switch. If the traffic does not go through pfSense, then pfSense cannot block it.

    I, perhaps in error, was assuming he meant preventing SMTP traffic directed outside his network.



  • I wanted to block all SMTP initiated in the clients except my mail server to avoid spamming.



  • Ahhhh…
    Two rules then.

    1st rule.  Pass all SMTP originating from your server's IP.  192.168.0.5 /31
    2nd rule.  Block all SMTP originating on that entire subnet there.  192.168.0.0/16

    No inverting of senses needed in that case.



  • Should be like this I guess.

    Ahhhh…
    Two rules then.

    1st rule.  Pass all SMTP originating from your server's IP.  192.168.0.5 /31
    2nd rule.  Block all SMTP originating on that entire subnet there.  192.168.0.0/24

    No inverting of senses needed in that case.

    But I don't know how many interfaces with clients you have on this; the interface with the mail server will get both rules, the pass rule and then the block rule.  The others just get a block rule.  Except WAN.  But every "LAN" interface has to be accounted for.



  • @kejianshi:

    Should be like this I guess.

    Ahhhh…
    Two rules then.

    1st rule.  Pass all SMTP originating from your server's IP.  192.168.0.5 /31
    2nd rule.  Block all SMTP originating on that entire subnet there.  192.168.0.0/24

    No inverting of senses needed in that case.

    But I don't know how many interfaces with clients you have on this; the interface with the mail server will get both rules, the pass rule and then the block rule.  The others just get a block rule.  Except WAN.  But every "LAN" interface has to be accounted for.

    So my first picture was correct, right?



  • No.
    Right below the anti-lockout rule, add another pass rule.

    Pass SMTP source single host/alias 192.168.0.5 /31 to any

    Then your block rule as it was.



  • Ahh.. You mean this one? :)



  • These rules are run in order as they appear in that list.

    So, 1st you want to let 192.168.0.5 /31 pass to anywhere it wants.
    Then you want to block SMTP with SOURCE the entire subnet (this is OK, because 192.168.0.5 /31 already passed its traffic).
    Lastly, pass everything (we have already passed 192.168.0.5 /31 and blocked SMTP everywhere else.  You are covered).



  • OK - Last one just needs one tiny change.

    In your block rule, make SOURCE network 192.168.0.0 /24
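As an added illustration of the first-match ordering described above (example code written for this page, not pfSense's own): a small model of the final LAN rule list, which also shows what the /31 source used in the pass rule actually covers.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the LAN rule list from this thread; this is not pfSense code.
# pfSense walks the interface's rules top-down and the FIRST match wins, which is
# why the mail-server pass rule has to sit above the subnet-wide SMTP block.
LAN_RULES = [
    {"action": "pass",  "src": "192.168.0.5/31", "dport": 25},    # mail server
    {"action": "block", "src": "192.168.0.0/24", "dport": 25},    # everyone else, SMTP
    {"action": "pass",  "src": "0.0.0.0/0",      "dport": None},  # default LAN-to-any pass
]

def first_match(rules, src, dport):
    """Return (action, rule_index) for a TCP flow from src to dport; first match wins."""
    src_ip = ip_address(src)
    for i, rule in enumerate(rules):
        # strict=False tolerates host bits in the CIDR (the 192.168.0.5/31 above)
        net = ip_network(rule["src"], strict=False)
        if src_ip in net and (rule["dport"] is None or rule["dport"] == dport):
            return rule["action"], i
    return "block", None   # nothing matched: pfSense's implicit default deny

def swapped_order_breaks_mail():
    """Put the block rule above the pass rule and see what happens to the mail server."""
    swapped = [LAN_RULES[1], LAN_RULES[0], LAN_RULES[2]]
    return first_match(swapped, "192.168.0.5", 25)[0]

def hosts_covered_by(cidr):
    """Every address a source CIDR really matches: a /31 is two hosts, a /32 is one."""
    return [str(h) for h in ip_network(cidr, strict=False)]
```

Note that `hosts_covered_by("192.168.0.5/31")` includes 192.168.0.4 as well, so "single host" in pfSense corresponds to a /32.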



  • @kejianshi:

    These rules are run in order as they appear in that list.

    So, 1st you want to let 192.168.0.5 /31 pass to anywhere it wants.
    Then you want to block SMTP with SOURCE the entire subnet (this is OK, because 192.168.0.5 /31 already passed its traffic).
    Lastly, pass everything (we have already passed 192.168.0.5 /31 and blocked SMTP everywhere else.  You are covered).

    This is interesting :) thanks for this info :) now I know a bit how this works :)



  • I'm assuming 192.168.0.0 / 24 is your entire network?  Is this correct?  No others?

    Because if you have others, you will have to apply the block rule to each interface those other subnets are on.

    If you only have just this 1 LAN and 1 WAN (just two network ports) you are done.



  • I changed the block rule to this network… Is this correct?  :) What's the difference between SOURCE * and SOURCE NETWORK 192.168.0.0?



  • @kejianshi:

    I'm assuming 192.168.0.0 / 24 is your entire network?  Is this correct?  No others?

    Because if you have others, you will have to apply the block rule to each interface those other subnets are on.

    If you only have just this 1 LAN and 1 WAN (just two network ports) you are done.

    I have 2 WAN (2nd WAN is useless) and 3 networks

    192.168.0.0 ----[SW]----[AP] 192.168.1.0
                        |----[AP] 192.168.2.0

    They connect to a switch and go to an AP (Linksys)



  • * means any.

    192.168.0.0 /24 means any of the 256 possible in that /24 network.

    There is every possibility that * and 192.168.0.0 /24 are the same for you, but if it's stipulated as 192.168.0.0 /24 I know for sure 100% it's only affecting those computers in only that network range, without having to guess whether my idea of any and pfSense's idea of any are the same.

    I'd hate to make a rule too general and break SMTP more than you intend to break it.



  • did you give that one port a /24 or a /16?

    Or do you have 2 more port interfaces set up, each with a /24?



  • I might move the 192.168.1.0 and 192.168.2.0 into the 192.168.0.0 network since they have a low client count and normally they're being used by mobile phones. :)

    But for the block and pass rule, did we do it right? :)

    Yeah all networks are in /24



  • Yes - It's done correctly I think (says the tired man doing 5 things at once)

    I like your setup as it is.  I wouldn't change it.

    Except, you need to put the block rule (just the block rule) on the other 2 interfaces.

    Want to do that now?  It's easy.  Just make sure it's above the pass rule.



  • Thanks kejianshi for providing me assistance. I'm really new to this firewall.  I might mess it up if I had a wrong configuration. :-) I'm having a problem that one of the clients is sending spam to the Internet, which causes us to be on an RBL and have low IP reputation. I hope I did it right.



  • Well, after you make this rule, look at your firewall logs for SMTP port 25 blocked.
    Then you will know which of your computers PROBABLY has a spamming virus/trojan and wipe it and reinstall its OS.
    The IP will be in the firewall logs.

    You can then go to the computers, open a command prompt and type "ipconfig" for Windows or "ifconfig" for Linux and check the computer's IP.

    Do that till you find the one that matches the IP being blocked in the firewall logs.

    Don't forget to put the block rule on the interfaces for 192.168.1.0/24 and interface for 192.168.2.0/24 also.

    Wireless clients can spam just as well as wired clients, better sometimes if someone near your office is stealing your Wi-Fi.
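An added example (not pfSense's own code) of the log check described above: counting blocked TCP/25 attempts per source over constructed lines in the layout of pfSense's filterlog CSV (the part after `filterlog:` in syslog), assuming the standard IPv4/TCP field order.

```python
from collections import Counter

# Constructed sample lines, NOT from a real firewall, in the pfSense filterlog layout
# for IPv4/TCP:  rule,sub,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,
# id,offset,flags,proto-id,proto,len,src,dst,sport,dport,datalen,tcpflags,...
# 192.168.0.99 is the made-up infected client, 192.168.0.5 the allowed mail server.
SAMPLE_LOG = """\
7,,,1000000107,em1,match,block,in,4,0x0,,128,10234,0,DF,6,tcp,52,192.168.0.99,203.0.113.25,49211,25,0,S,1000,,65535,,mss
7,,,1000000107,em1,match,block,in,4,0x0,,128,10235,0,DF,6,tcp,52,192.168.0.99,198.51.100.7,49212,25,0,S,1001,,65535,,mss
6,,,1000000106,em1,match,pass,in,4,0x0,,64,5521,0,DF,6,tcp,60,192.168.0.5,203.0.113.25,40001,25,0,S,2000,,65535,,mss
7,,,1000000107,em1,match,block,in,4,0x0,,128,7777,0,DF,6,tcp,52,192.168.0.42,203.0.113.25,50100,25,0,S,3000,,65535,,mss
8,,,1000000108,em1,match,pass,in,4,0x0,,128,10237,0,DF,6,tcp,52,192.168.0.99,203.0.113.50,49214,443,0,S,1002,,65535,,mss
7,,,1000000107,em1,match,block,in,4,0x0,,128,10238,0,DF,6,tcp,52,192.168.0.99,203.0.113.40,49213,25,0,S,1003,,65535,,mss
"""

def blocked_smtp_sources(log_text):
    """Count blocked TCP/25 attempts per source IP in filterlog CSV lines."""
    counts = Counter()
    for line in log_text.splitlines():
        f = line.split(",")
        # only IPv4 lines carry the ports at these offsets; skip anything else
        if len(f) < 22 or f[8] != "4":
            continue
        action, proto, src, dport = f[6], f[16], f[18], f[21]
        if action == "block" and proto == "tcp" and dport == "25":
            counts[src] += 1
    return counts

def likely_spammers(log_text, threshold=3):
    """Sources whose blocked SMTP attempts reach the threshold, most active first."""
    return [ip for ip, n in blocked_smtp_sources(log_text).most_common() if n >= threshold]
```

The mail server's passed connections never appear in the count, so the list is exactly the set of hosts to go and check with ipconfig/ifconfig.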



  • Yes.. At the moment I'm looking at the logs on our firewall and found 1 machine that is infected… Overtime mode.. :-) thanks again.. You're a big help.