Netgate Discussion Forum

    Firewall rules for email (SMTP/S,POP3)

    Firewalling
    10 Posts 5 Posters 17.9k Views
    • isonski

      Hello,

      I'm having a problem with firewall rules with regard to email ports. I blocked all ports and managed to get port 80 (HTTP) to pass, but when I set the ports for email (110, 465, 25) it can't connect to the mail server. Below are the rules I set:
      Status            Proto     Source     Port           Destination    Port           Gateway
      pass (disabled)   *         LAN net    *              *              *              *
      block             *         LAN net    *              WAN address    *              *
      pass              TCP       LAN net    80 (HTTP)      WAN address    80 (HTTP)      *
      pass              TCP/UDP   LAN net    110 (POP3)     WAN address    110 (POP3)     *
      pass              TCP       LAN net    465 (SMTP/S)   WAN address    465 (SMTP/S)   *
      pass              TCP       LAN net    25 (SMTP)      WAN address    25 (SMTP)      *

      If you'll notice, I've disabled the first rule (the default rule) and immediately set a block on all ports (2nd rule), followed by the ports that I want to pass through (succeeding rules). So far, the only rule working is the one for port 80 (HTTP), but the email ports are not passing through.

      Based on what I read in the forums, rules are applied sequentially based on what is set first. I tried reshuffling the rules and setting the "block" rule at the end of the set, but I still can't get it to work.

      Any tips or info regarding this would be very much appreciated.

      TIA guys :)

      allison

      • GruensFroeschli

        Delete your first two rules (the disabled pass and the block rule).
        Also set the "source port" to *.
        When a connection is initiated, the source port is something completely random between 1024 and 65535.
        (See my sig ;) )

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • isonski

          Hello again,

          Thanks for the immediate reply to my post. :)

          I did as you instructed, removed the first two rules and set the source ports to "*", but email still can't pass through.

          What else could I be missing here?

          thanks again :)

          allison

          • Perry

            If you only use the default rule, does it work then?

            http://doc.m0n0.ch/handbook/examples.html
            might help you out?

            /Perry
            doc.pfsense.org

            • isonski

              Hi Perry,

              Thanks for your reply. Yes, it works when I restore the default firewall rule, but then again, by doing so all ports will be open. Is there any other workaround for this?

              thanks again :)

              • dvserg

                Also, maybe pass TCP DNS and all ICMP?
                Can you telnet from the LAN to any mail server by IP on ports 25 and 110?
                (For example, from a Windows cmd prompt: 'telnet ip-mail-server 110')

                SquidGuardDoc EN  RU Tutorial
                Localization ru_PFSense

                • isonski

                  Unfortunately, I can't telnet to the mail server on either port 25 or 110. I can do so when I set the default rule again.

                  • Cry Havok

                    You've got the rules listing the destination as the WAN IP of the pfSense host. I assume this isn't what you want. Either set it to any, or specify the remote server IP.

                    • Perry

                      Cry Havok beat me to it :D

                      Read 14.1.4 and 14.1.5 in the m0n0wall doc.

                      /Perry
                      doc.pfsense.org

                      • dvserg

                        Status   Proto     Source    Port         Destination   Port         Gateway
                        pass     TCP/UDP   LAN net   110 (POP3)   WAN address   110 (POP3)   *
                        pass     TCP/UDP   LAN net   *            *             110 (POP3)   *

                        SquidGuardDoc EN  RU Tutorial
                        Localization ru_PFSense
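Editor's added example, not code from the thread or from pfSense: a small first-match rule evaluator in Python that models how pfSense evaluates an interface's rule tab (the first enabled rule that matches decides, and anything matching no rule falls through to the implicit default deny). The poster's original table, the state after GruensFroeschli's reply, and the corrected form Cry Havok and dvserg describe (source port any, destination any, destination port fixed) are transcribed as data, then evaluated against a LAN client opening a connection to a remote mail server. The LAN subnet, WAN address, mail-server address, client address and ephemeral source port are assumed values constructed for the demonstration.

```python
"""Added example (not from the thread): first-match rule evaluation in the
spirit of pfSense interface-tab rules, with the thread's rule tables as data."""
import ipaddress
from dataclasses import dataclass

ANY = "*"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")       # assumed LAN subnet
WAN_ADDRESS = ipaddress.ip_address("203.0.113.10")     # assumed pfSense WAN IP
MAIL_SERVER = ipaddress.ip_address("198.51.100.25")    # assumed remote mail server
LAN_HOST = ipaddress.ip_address("192.168.1.50")        # assumed client on the LAN


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    proto: str         # "tcp", "udp", "tcp/udp" or "*"
    src: object        # ip_network / ip_address, or "*"
    sport: object      # port number, or "*"
    dst: object        # ip_network / ip_address, or "*"
    dport: object      # port number, or "*"
    disabled: bool = False


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def _match_ip(spec, addr):
    if spec == ANY:
        return True
    if isinstance(spec, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return addr in spec
    return addr == spec


def _match_port(spec, port):
    return spec == ANY or spec == port


def _match_proto(spec, proto):
    return spec == ANY or proto in spec.split("/")


def matches(rule, pkt):
    return (not rule.disabled
            and _match_proto(rule.proto, pkt.proto)
            and _match_ip(rule.src, pkt.src)
            and _match_port(rule.sport, pkt.sport)
            and _match_ip(rule.dst, pkt.dst)
            and _match_port(rule.dport, pkt.dport))


def evaluate(rules, pkt):
    """First enabled matching rule decides; no match means the implicit
    default deny. Returns (action, index of the deciding rule or None)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "block", None


# The poster's table as first posted.
ORIGINAL = [
    Rule("pass", ANY, LAN_NET, ANY, ANY, ANY, disabled=True),
    Rule("block", ANY, LAN_NET, ANY, WAN_ADDRESS, ANY),
    Rule("pass", "tcp", LAN_NET, 80, WAN_ADDRESS, 80),
    Rule("pass", "tcp/udp", LAN_NET, 110, WAN_ADDRESS, 110),
    Rule("pass", "tcp", LAN_NET, 465, WAN_ADDRESS, 465),
    Rule("pass", "tcp", LAN_NET, 25, WAN_ADDRESS, 25),
]
# After the first reply: first two rules deleted, source port any,
# destination still the firewall's own WAN address.
AFTER_FIRST_REPLY = [
    Rule("pass", "tcp", LAN_NET, ANY, WAN_ADDRESS, 80),
    Rule("pass", "tcp/udp", LAN_NET, ANY, WAN_ADDRESS, 110),
    Rule("pass", "tcp", LAN_NET, ANY, WAN_ADDRESS, 465),
    Rule("pass", "tcp", LAN_NET, ANY, WAN_ADDRESS, 25),
]
# Corrected: source port any, destination any, destination port fixed.
CORRECTED = [
    Rule("pass", "tcp", LAN_NET, ANY, ANY, 80),
    Rule("pass", "tcp", LAN_NET, ANY, ANY, 110),
    Rule("pass", "tcp", LAN_NET, ANY, ANY, 465),
    Rule("pass", "tcp", LAN_NET, ANY, ANY, 25),
]


def client_syn(dport, sport=51234, proto="tcp"):
    """A LAN client opening a connection to the remote mail server; the
    ephemeral source port is an assumed value."""
    return Packet(proto, LAN_HOST, sport, MAIL_SERVER, dport)


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("after first reply", AFTER_FIRST_REPLY),
                        ("corrected", CORRECTED)):
        print(name, "SMTP:", evaluate(rules, client_syn(25)), "POP3:", evaluate(rules, client_syn(110)))
```

Two things the model makes visible. With the original table, even a packet crafted to fit a pass rule (source port 25, destination the WAN address) is decided by the block rule at position 2, because it sits earlier and matches first; and a real client connection, whose source port is ephemeral and whose destination is the remote server, matches no pass rule at all, so it lands on the default deny. Removing the first two rules and opening the source port is not enough while the destination is still the firewall's WAN address, which is Cry Havok's point. The corrected rules only need to cover the client's outbound SYN, since the firewall is stateful and the reply traffic rides the state entry; the UDP 53 case in the test shows that name resolution still falls through to the default deny until a DNS rule is added, as dvserg suggested. The model does not try to explain why HTTP happened to work for the poster; nothing in the thread establishes that.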

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.