Firewall rules for email (SMTP/S,POP3)



  • hello,

I'm having a problem with firewall rules with regards to email ports… I blocked all ports and managed to get port 80 (http) to pass, but when I set the ports for email (110, 465, 25) it can't connect to the mail server... below are the rules I set:
    Status           Proto     Source    Port           Destination   Port           Gateway
    pass (disabled)  *         LAN net   *              *             *              *
    block            *         LAN net   *              WAN address   *              *
    pass             TCP       LAN net   80 (HTTP)      WAN address   80 (HTTP)      *
    pass             TCP/UDP   LAN net   110 (POP3)     WAN address   110 (POP3)     *
    pass             TCP       LAN net   465 (SMTP/S)   WAN address   465 (SMTP/S)   *
    pass             TCP       LAN net   25 (SMTP)      WAN address   25 (SMTP)      *

    If you'll notice, I've disabled the first rule (the default rule) and immediately set a rule to block all ports (2nd rule), followed by the ports that I want to pass through (succeeding rules)… so far, the only rule working is the one for port 80 (http), but the email ports are not passing through...

    Based on what I read in the forums, rules are applied sequentially based on what is set first... I tried to reshuffle the rules and set the "block" rule at the end of the set, but I still can't get it to work...

    Any tips or info regarding this would be very much appreciated...

    TIA guys :)

    allison



  • Delete your first two rules (the disabled pass and the block rule).
    Also set the "source port" to *.
    When a connection is initiated, the source port is something completely random between 1024 and 65535.
    (see my sig ;) )



  • hello again…

    Thanks for the immediate reply to my post... :)

    I did as you instructed, removed the first two rules and set the source ports to "*", but emails still can't pass through...

    What else could I be missing here...???

    thanks again :)

    allison



  • If you only use the default rule does it work then?

    http://doc.m0n0.ch/handbook/examples.html
    might help you out?



  • hi Perry,

    Thanks for your reply… yes, it works when I restore the default firewall rule... but then again, by doing so all ports will be open... is there any other workaround for this...???

    thanks again :)



  • Also maybe pass TCP DNS and all ICMP?
    Can you telnet from the LAN to any mail server by IP on ports 25 and 110?
    (For example, from the Windows cmd: 'telnet ip-mail-server 110')



  • Unfortunately, I can't telnet to the mail server on either port 25 or 110… I can do so when I set the default rule again...



  • You've got the rules listing the destination as the WAN IP of the pfSense host. I assume this isn't what you want. Either set it to any, or specify the remote server IP.



  • Cry Havok beat me to it :D

    Read 14.1.4 and 14.1.5 in mono doc



  • pass   TCP/UDP   LAN net   110 (POP3)   WAN address   110 (POP3)   *
    pass   TCP/UDP   LAN net   *            *             110 (POP3)   *
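The two corrections given in this thread (source port must be any, because the client picks an ephemeral port; destination must be any or the remote server, not the firewall's own WAN address) can be checked with a small first-match rule evaluator. This is an added example, not code from the thread or from pfSense/m0n0wall: the addresses, the ephemeral source port 51234 and the matching logic are constructed for illustration, and the only semantics assumed are first-match evaluation with an implicit default block when no rule matches.

```python
"""First-match evaluation of the LAN rule sets discussed in the thread."""
from dataclasses import dataclass
import ipaddress

# Constructed addresses (assumptions for the example, not from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WAN_ADDRESS = ipaddress.ip_address("203.0.113.10")      # the firewall's WAN IP
MAIL_SERVER = ipaddress.ip_address("198.51.100.25")     # a remote mail server
CLIENT = ipaddress.ip_address("192.168.1.50")           # a LAN client
EPHEMERAL_PORT = 51234   # clients pick a random port in 1024-65535; fixed here


@dataclass
class Rule:
    action: str        # "pass" or "block"
    proto: str         # "TCP", "UDP", "TCP/UDP" or "*"
    src: object        # ip_network, ip_address or "*"
    src_port: object   # int or "*"
    dst: object        # ip_network, ip_address or "*"
    dst_port: object   # int or "*"
    enabled: bool = True


def _proto_match(rule_proto, proto):
    return rule_proto == "*" or proto in rule_proto.split("/")


def _addr_match(rule_addr, addr):
    if rule_addr == "*":
        return True
    if isinstance(rule_addr, ipaddress.IPv4Network):
        return addr in rule_addr
    return addr == rule_addr


def _port_match(rule_port, port):
    return rule_port == "*" or rule_port == port


def evaluate(rules, proto, src, src_port, dst, dst_port):
    """Return the action of the first enabled rule that matches the packet.
    Nothing matching means the implicit default: block."""
    for r in rules:
        if not r.enabled:
            continue
        if (_proto_match(r.proto, proto) and _addr_match(r.src, src)
                and _port_match(r.src_port, src_port)
                and _addr_match(r.dst, dst)
                and _port_match(r.dst_port, dst_port)):
            return r.action
    return "block"


def decide(rules, dst_port, proto="TCP"):
    """A LAN client opening a connection to the mail server on dst_port."""
    return evaluate(rules, proto, CLIENT, EPHEMERAL_PORT, MAIL_SERVER, dst_port)


# The original poster's rules: source port pinned, destination = WAN address.
ORIGINAL = [
    Rule("pass", "*", LAN_NET, "*", "*", "*", enabled=False),
    Rule("block", "*", LAN_NET, "*", WAN_ADDRESS, "*"),
    Rule("pass", "TCP", LAN_NET, 80, WAN_ADDRESS, 80),
    Rule("pass", "TCP/UDP", LAN_NET, 110, WAN_ADDRESS, 110),
    Rule("pass", "TCP", LAN_NET, 465, WAN_ADDRESS, 465),
    Rule("pass", "TCP", LAN_NET, 25, WAN_ADDRESS, 25),
]

# After only the first suggestion (source port = *): destination still wrong.
SOURCE_FIXED_ONLY = [
    Rule("pass", "TCP/UDP", LAN_NET, "*", WAN_ADDRESS, 110),
    Rule("pass", "TCP", LAN_NET, "*", WAN_ADDRESS, 25),
]

# Both suggestions applied: source port any, destination any (last post).
FIXED = [
    Rule("pass", "TCP", LAN_NET, "*", "*", 80),
    Rule("pass", "TCP/UDP", LAN_NET, "*", "*", 110),
    Rule("pass", "TCP", LAN_NET, "*", "*", 465),
    Rule("pass", "TCP", LAN_NET, "*", "*", 25),
]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL),
                        ("source port fixed only", SOURCE_FIXED_ONLY),
                        ("fixed", FIXED)):
        print(f"{name:>22}: POP3 -> {decide(rules, 110)}, "
              f"SMTP -> {decide(rules, 25)}, HTTPS -> {decide(rules, 443)}")
```

The evaluator shows why each half of the advice matters on its own: with the source port pinned to 110 the client's ephemeral port never matches, and with the destination set to the WAN address a packet bound for the remote mail server never matches either, so both fall through to the default block. The fixed set still blocks anything not explicitly listed (port 443 here), which is the restriction the poster was after.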

