Firewall rules for email (SMTP/S,POP3)

isonski

hello,

im having problem with firewall rulings with regards to email ports… i blocked all ports and managed to get port 80 (http) to pass, but when i set the ports for email (110,465,25) it cant connect to the mail server... bellow are the rules i set:
Status                Proto          Source        Port              Destination        Port            Gateway
pass(disabled)      *                LAN net      *                  *                    *                  *
block                  *                LAN net      *                  WAN address    *                  *
pass                  TCP            LAN net      80 (HTTP)      WAN address    80 (HTTP)      *
pass                  TCP/UDP      LAN net        110 (POP3)      WAN address    110 (POP3)      *
pass                  TCP            LAN net        465 (SMTP/S)  WAN address    465 (SMTP/S)  *
pass                  TCP            LAN net        25 (SMTP)        WAN address    25 (SMTP)      *

if you'll notice, i've disabled the first rule (the default rule), and immediately set to block all ports (2nd rule), followed by the ports that i want to pass thru (succeeding rules)… so far, the only rule working is in port 80 (http), but email ports are not passing thru...

based from what i read from the forums, rules are applied sequencially based on what is set first... i tried to re-shuffle the rules and setting the "block" rule at the end of the set, but i still cant get it to work...

any tips or info regarding this is very much appreciated...

TIA guys :)

allison

GruensFroeschli

Delete your first two rules (the disabled pass and the block rule).
Also set the "source port" to *
When a connection is initiated , the source port is something completly ramdom between 1024 and 65535.
(see my sig ;) )

isonski

hello again…

thanx for the immediate reply to my post... :)

i did as u instructed, removed the first two rules and set the source ports to "*", but emails still cant pass thru...

wat else could i be missing out here...???

thanks again :)

allison

Perry

If you only use the default rule does it work then?

http://doc.m0n0.ch/handbook/examples.html
might help you out?

isonski

hi Perry,

thanx for ur reply… yes, it works when i restore the default firewall rule... but then again, by doing so all ports will be open... is there any other work around for this...???

thanks again :)

dvserg

Also may be pass tcp DNS and all ICMP ?
Can you telnet from lan to any mail-server by ip on 25 and 110 port's?
(For example from windows cmd 'telnet ip-mail-server 110')

isonski

unfortunately, i cant telnet to the mail server on either ports 25 and 110… i can do so when i set the default rule again...

Cry Havok

You've got the rules listing the destination as the WAN IP of the pfsense host.  I assume this isn't what you want.  Either set it to any, or specify the remote server IP.

Perry

Cry Havok beat me to it :D

Read 14.1.4 and 14.1.5 in mono doc

dvserg

pass      TCP/UDP      LAN net        110 (POP3)      WAN address    110 (POP3)      *
pass      TCP/UDP      LAN net        *    *    110 (POP3)      *