Netgate Discussion Forum

    Assistance in blocking SMTP in LAN

    Firewalling | 25 Posts, 4 Posters, 4.3k Views
      rands.rodriguez

      Hi there, I would like to know if this one is correct. I tried to read some of the forum posts, but most of them are text-based instructions. Sorry for that. Before we used TMG and now we changed to pfSense.

      I just want to know if this one is right. I want to block LAN SMTP except our mail server which is 192.168.0.5.

        doktornotor

        No. Edit the first (block) rule and set up as Source - NOT - your mailserver; Destination - NOT - your mailserver. Delete the second one below.

          phil.davis

          Note: If 192.168.0.5 SMTP server is actually on the LAN (e.g. LAN is 192.168.0.0/24) then traffic from other clients on the LAN (e.g. 192.168.0.99) to 192.168.0.5 will not go to pfSense, it will traverse directly across the LAN switch. If the traffic does not go through pfSense, then pfSense cannot block it.

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

            kejianshi

            How about blocking all SMTP with destination your server, then invert the sense?

              rands.rodriguez

              Hi there!

              Thanks for the immediate reply! :) Upon configuring...

              I changed it to this mode. Is this the correct setting? :)

                kejianshi

                @phil.davis:

                Note: If 192.168.0.5 SMTP server is actually on the LAN (e.g. LAN is 192.168.0.0/24) then traffic from other clients on the LAN (e.g. 192.168.0.99) to 192.168.0.5 will not go to pfSense, it will traverse directly across the LAN switch. If the traffic does not go through pfSense, then pfSense cannot block it.

                I, perhaps in error, was assuming he meant preventing SMTP traffic directed outside his network.

                  rands.rodriguez

                  I wanted to block all SMTP initiated in the clients except my mail server to avoid spamming.

                    kejianshi

                    Ahhhh…
                    Two rules then.

                    1st rule.  Pass all SMTP originating from your server's IP.  192.168.0.5 /31
                    2nd rule.  Block all SMTP originating on that entire subnet there.  192.168.0.0/16

                    No inverting of senses needed in that case.

                      kejianshi

                      Should be like this I guess.

                      Ahhhh…
                      Two rules then.

                      1st rule.  Pass all SMTP originating from your server's IP.  192.168.0.5 /31
                      2nd rule.  Block all SMTP originating on that entire subnet there.  192.168.0.0/24

                      No inverting of senses needed in that case.

                      I don't know how many interfaces you have on this with clients, but the interface with the mail server will get both rules: the pass rule and then the block rule.  The others just get a block rule, except WAN.  But every "LAN" interface has to be accounted for.

                        rands.rodriguez

                        @kejianshi:

                        Should be like this I guess.

                        Ahhhh…
                        Two rules then.

                        1st rule.  Pass all SMTP originating from your server's IP.  192.168.0.5 /31
                        2nd rule.  Block all SMTP originating on that entire subnet there.  192.168.0.0/24

                        No inverting of senses needed in that case.

                        I don't know how many interfaces you have on this with clients, but the interface with the mail server will get both rules: the pass rule and then the block rule.  The others just get a block rule, except WAN.  But every "LAN" interface has to be accounted for.

                        So my first picture was correct, right?

                          kejianshi

                          No.
                          Right below the anti-lockout rule, add another pass rule.

                          Pass SMTP source single host/alias 192.168.0.5 /31 to any

                          Then your block rule as it was.

                            rands.rodriguez

                            Ahh... You mean this one? :)

                              kejianshi

                              These rules are run in order, as they appear in that list.

                              So, 1st you want to let 192.168.0.5 /31 pass to anywhere it wants.
                              Then you want to block SMTP with SOURCE the entire subnet (this is OK, because 192.168.0.5 /31 already passed its traffic).
                              Lastly, pass everything (we have already passed 192.168.0.5 /31 and blocked SMTP everywhere else.  You are covered).

                                kejianshi

                                OK - Last one just needs one tiny change.

                                In your block rule, make SOURCE network 192.168.0.0 /24

                                  rands.rodriguez

                                  @kejianshi:

                                  These rules are run in order, as they appear in that list.

                                  So, 1st you want to let 192.168.0.5 /31 pass to anywhere it wants.
                                  Then you want to block SMTP with SOURCE the entire subnet (this is OK, because 192.168.0.5 /31 already passed its traffic).
                                  Lastly, pass everything (we have already passed 192.168.0.5 /31 and blocked SMTP everywhere else.  You are covered).

                                  This is interesting :) thanks for this info :) now I know a bit how this works :)

                                    kejianshi

                                    I'm assuming 192.168.0.0 / 24 is your entire network?  Is this correct?  No others?

                                    Because if you have others, you will have to apply the block rule to each interface those other subnets are on.

                                    If you only have just this 1 LAN and 1 WAN (just two network ports) you are done.

                                      rands.rodriguez

                                      I changed the block rule to this network... Is this correct?  :) What's the difference between SOURCE * and SOURCE NETWORK 192.168.0.0?

                                        rands.rodriguez

                                        @kejianshi:

                                        I'm assuming 192.168.0.0 / 24 is your entire network?  Is this correct?  No others?

                                        Because if you have others, you will have to apply the block rule to each interface those other subnets are on.

                                        If you only have just this 1 LAN and 1 WAN (just two network ports) you are done.

                                        I have 2 WANs (the 2nd WAN is useless) and 3 networks:

                                        192.168.0.0 ----[SW]----[AP] 192.168.1.0
                                                           |----[AP] 192.168.2.0

                                        They are connected to a switch and go to an AP (Linksys).

                                          kejianshi

                                          * means any.

                                          192.168.0.0 /24 means any of the 256 possible in that /24 network.

                                          There is every possibility that * and 192.168.0.0 /24 are the same for you, but if it's stipulated as 192.168.0.0 /24 I know for sure, 100%, it's only affecting those computers in only that network range, without having to guess whether my idea of "any" and pfSense's idea of "any" are the same.

                                          I'd hate to make a rule too general and break SMTP more than you intend to break it.

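The rule-ordering walkthrough in kejianshi's posts above (pass the mail server first, then block SMTP from the subnet, then pass everything) and the follow-up on why SOURCE 192.168.0.0/24 is safer than SOURCE * can both be checked with a small first-match evaluator. This is an added example, not pfSense code and not anything posted in the thread: it models rules the way pfSense applies them, per ingress interface, with the first matching rule deciding and an implicit deny when nothing matches. The interface names (LAN, OPT1, OPT2), the remote address 203.0.113.10 and the sample flows are constructed for the example; it uses /32 for the single host, since a /31 on 192.168.0.5 would also cover 192.168.0.4. Flows that never enter a pfSense interface (two hosts on the same switch, as phil.davis notes) are outside what any of these rules can affect.

```python
"""First-match firewall rule evaluator (added illustration, not pfSense code).

Models the ordering described in the thread: rules are evaluated top to bottom
on the interface the packet arrives on, the first match decides, and a packet
matching nothing is dropped. All addresses and flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

SMTP = 25


@dataclass(frozen=True)
class Rule:
    interface: str                # pfSense rules are applied per ingress interface
    action: str                   # "pass" or "block"
    src: Optional[IPv4Network]    # None stands for the GUI's "*" (any source)
    dst: Optional[IPv4Network]    # None stands for any destination
    dst_port: Optional[int]       # None stands for any port
    description: str


@dataclass(frozen=True)
class Flow:
    interface: str                # interface the packet enters pfSense on
    src: str
    dst: str
    dst_port: int


def net(cidr: Optional[str]) -> Optional[IPv4Network]:
    return None if cidr is None else ip_network(cidr)


def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """Return the first rule matching the flow, or None (implicit default deny)."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for rule in rules:
        if rule.interface != flow.interface:
            continue
        if rule.src is not None and src not in rule.src:
            continue
        if rule.dst is not None and dst not in rule.dst:
            continue
        if rule.dst_port is not None and rule.dst_port != flow.dst_port:
            continue
        return rule
    return None


def decide(rules: List[Rule], flow: Flow) -> str:
    rule = first_match(rules, flow)
    return rule.action if rule else "block"


def lan_rules(block_src: Optional[str] = "192.168.0.0/24") -> List[Rule]:
    """The three LAN rules from the thread. block_src=None models SOURCE *."""
    return [
        Rule("LAN", "pass", net("192.168.0.5/32"), None, SMTP, "mail server may send SMTP anywhere"),
        Rule("LAN", "block", net(block_src), None, SMTP, "no other SMTP from clients"),
        Rule("LAN", "pass", None, None, None, "default allow LAN to any"),
    ]


def opt_rules(interface: str, subnet: str) -> List[Rule]:
    """Interfaces without the mail server only need the block rule plus the default pass."""
    return [
        Rule(interface, "block", net(subnet), None, SMTP, f"no SMTP from {subnet}"),
        Rule(interface, "pass", None, None, None, f"default allow {interface} to any"),
    ]


def misordered_lan_rules() -> List[Rule]:
    """Block placed above the pass: the server's SMTP never reaches its pass rule."""
    r = lan_rules()
    return [r[1], r[0], r[2]]


# Constructed sample flows; 203.0.113.10 is a documentation address standing in for a remote MX.
FLOWS = {
    "server_smtp": Flow("LAN", "192.168.0.5", "203.0.113.10", SMTP),
    "client_smtp": Flow("LAN", "192.168.0.99", "203.0.113.10", SMTP),
    "client_https": Flow("LAN", "192.168.0.99", "203.0.113.10", 443),
    "opt1_smtp": Flow("OPT1", "192.168.1.20", "203.0.113.10", SMTP),
    # a 192.168.1.x source arriving on LAN, e.g. routed through the AP without NAT
    "foreign_src_on_lan": Flow("LAN", "192.168.1.20", "203.0.113.10", SMTP),
}

if __name__ == "__main__":
    ruleset = lan_rules() + opt_rules("OPT1", "192.168.1.0/24") + opt_rules("OPT2", "192.168.2.0/24")
    for name, flow in FLOWS.items():
        rule = first_match(ruleset, flow)
        print(f"{name:20s} -> {decide(ruleset, flow):5s} ({rule.description if rule else 'default deny'})")
    print("misordered, server_smtp ->", decide(misordered_lan_rules(), FLOWS["server_smtp"]))
    print("source * instead of /24, foreign_src_on_lan ->",
          decide(lan_rules(block_src=None), FLOWS["foreign_src_on_lan"]))
```

Running it, the `foreign_src_on_lan` flow shows the point of the * discussion: a block rule with SOURCE 192.168.0.0/24 does not match a 192.168.1.20 packet that arrives on LAN, so that packet falls through to the final pass, whereas SOURCE * catches it. The misordered set shows why the server's pass rule has to sit above the block, and the OPT1 flow shows that each client interface needs its own block rule.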
                                            kejianshi

                                            Did you give that one port a /24 or a /16?

                                            Or do you have 2 more port interfaces set up, each with a /24?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.