    Rule to Limit SMTP outbound?

    Firewalling
pinoyboy:

Not sure if this question belongs here or in the NAT section, but basically I would like OUTBOUND SMTP traffic enabled only for our mail server. Anything else trying to go out using SMTP should be blocked. What is the best way to do this? Thank you.
dotdash:

Add some rules on the LAN, before the default allow:
allow smtp from mail server to any
deny smtp from lan subnet to any
pinoyboy:

Thank you for your assistance as always.
Gertjan:

@dotdash:

allow smtp from mail server to any

What about a partial allow to any, like:
allow to any IP, destination port smtp (=25), limit 1 connection every 5 seconds.
[sorry for the non-official way of writing]

Understand that I use / abuse the fact that most mail clients break - make the connection for every mail sent.

I use this for my public access (hotspot) Wifi network.
Clients can send mail to their smtp mail server, but bulking just won't work.
dotdash:

Those options are under the 'Advanced Options' button on the firewall rule.
kapara:

I am having the same problems, but I added the following rule before the LAN default allow and all systems can still connect to mail servers by running a telnet test on port 25 of the internet address.

Block TCP  LAN net  *  WAN address  25 (SMTP)  *     test

I even cleared the states.
hoba:

Are you trying to prevent reflection by doing this?
kapara:

This is what the states show:

172.20.30.187:4386 -> 206.13.x.131:53569 -> 69.12.x.215:25 ESTABLISHED:ESTABLISHED

I also tried the following rule in LAN:

Block TCP  LAN net  *  WAN address  25 (SMTP)  *     test
LAN net  *  *  *  *     Default LAN -> any
hoba:

Why destination WAN address?
kapara:

Trying to block all systems on the network from making smtp connections to outside hosts or servers so only my Exchange server is allowed to make outbound smtp connections.
sullrich:

Then you want a block rule that blocks everything NOT Exchange IP address (source IP) on LAN.
kapara:

Had a virus once which installed an smtp server on a machine and spammed the hell out of our customers. I want to prevent all internal hosts from being able to act as smtp server except for my Exchange server.
kapara:

What if I have 3 addresses which I need to allow.. 3 internal IPs?
hoba:

Create a host alias at Firewall > Aliases with all your smtp allowed senders, like "smtpallowedhosts".

Then create 2 firewall rules at the LAN tab:

pass protocol tcp, source smtpallowedhosts, destination any, port 25, default gateway
block protocol tcp, source any, destination any, port 25, default gateway

That will do the trick. Alternatively you could have 3 pass rules with the IPs of the smtp senders, but aliases are much more elegant ;)
kapara:

Trying now…
kapara:

Great. The key here was that I chose the WAN address and should have used Any. I used the aliases.

Thanks guys.

Mark
natec63:

Ok, this is exactly what I need to do, but obviously I have something wrong. I only need to allow one internal LAN IP to send mail and I want to block all other LAN IPs from using SMTP. So, here are the rules I created on the LAN interface.

Pass  Protocol TCP, source 192.168.0.x, port 25, destination any, port 25, default gateway
Block protocol TCP, source any, port 25, destination any, port 25, default gateway

Pass *, source LAN net, port *, destination *, port *, gateway *

Why wouldn't this work?

pfSense 1.2-RC2
dotdash:

Set the source port to *, the destination is 25. There is a reason that field is behind a checkbox with this warning:

Specify the port or port range for the source of the packet for this rule. This is usually not equal to the destination port range (and is often "any").
Hint: you can leave the 'to' field empty if you only want to filter a single port
NOTE: You will not need to enter anything here in 99.99999% of the circumstances. If you're unsure, do not enter anything here!
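The two mistakes in this thread (destination set to "WAN address" instead of any, and a source port of 25 on the pass and block rules) both come down to how pfSense evaluates interface rules: top to bottom, first match wins, and anything nothing matches is blocked. The following Python is an added example, not code from pfSense or from anyone in the thread. It models the LAN tab as such a first-match ruleset and replays the three rulesets posted above (hoba's alias-based pair, kapara's "WAN address" rule and natec63's source-port-25 rules) against constructed connection attempts. The LAN network, the firewall's WAN address, the member IPs of the "smtpallowedhosts" alias and the outside mail server address are all constructed for the example.

```python
"""First-match evaluation of pfSense-style LAN rules for outbound SMTP.

Added example, not pfSense code. All addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_NET = ipaddress.ip_network("192.168.0.0/24")        # constructed LAN
WAN_ADDRESS = ipaddress.ip_address("203.0.113.5")       # firewall's own WAN IP (constructed)
ALIASES = {                                             # alias name as hoba suggested
    "smtpallowedhosts": {ipaddress.ip_address("192.168.0.10"),
                         ipaddress.ip_address("192.168.0.11")},
}


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    proto: Optional[str] = None     # None == any protocol
    src: str = "any"                # "any", "LAN net", an alias name, or an IP
    sport: Optional[int] = None     # None == any (the usual, correct setting)
    dst: str = "any"                # "any", "WAN address", or an IP
    dport: Optional[int] = None     # None == any


@dataclass(frozen=True)
class Conn:
    proto: str
    src_ip: str
    sport: int
    dst_ip: str
    dport: int


def _addr_matches(spec: str, ip_str: str) -> bool:
    """Resolve a rule's address field the way the GUI choices resolve."""
    ip = ipaddress.ip_address(ip_str)
    if spec == "any":
        return True
    if spec == "LAN net":
        return ip in LAN_NET
    if spec == "WAN address":
        return ip == WAN_ADDRESS
    if spec in ALIASES:
        return ip in ALIASES[spec]
    return ip == ipaddress.ip_address(spec)


def rule_matches(rule: Rule, conn: Conn) -> bool:
    return ((rule.proto is None or rule.proto == conn.proto)
            and _addr_matches(rule.src, conn.src_ip)
            and (rule.sport is None or rule.sport == conn.sport)
            and _addr_matches(rule.dst, conn.dst_ip)
            and (rule.dport is None or rule.dport == conn.dport))


def evaluate(rules: list, conn: Conn) -> str:
    """Action of the first matching rule; no match means the implicit block."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.action
    return "block"


DEFAULT_LAN_TO_ANY = Rule("pass", src="LAN net")

# hoba's ruleset: alias pass, then block port 25 from anyone, then default allow.
WORKING = [
    Rule("pass", "tcp", src="smtpallowedhosts", dport=25),
    Rule("block", "tcp", src="any", dport=25),
    DEFAULT_LAN_TO_ANY,
]
# kapara's first attempt: destination "WAN address" instead of any.
WAN_ADDRESS_DST = [
    Rule("block", "tcp", src="LAN net", dst="WAN address", dport=25),
    DEFAULT_LAN_TO_ANY,
]
# natec63's first attempt: source port 25 set on both rules as well as destination port 25.
SOURCE_PORT_SET = [
    Rule("pass", "tcp", src="192.168.0.10", sport=25, dport=25),
    Rule("block", "tcp", src="any", sport=25, dport=25),
    DEFAULT_LAN_TO_ANY,
]

# Constructed traffic. A client's SMTP source port is ephemeral (4386, as in the
# state entry kapara posted); the destination is an outside mail server, not the firewall.
MAIL_SERVER_SENDS = Conn("tcp", "192.168.0.10", 4386, "198.51.100.25", 25)
WORKSTATION_SENDS = Conn("tcp", "192.168.0.50", 4386, "198.51.100.25", 25)
WORKSTATION_WEB = Conn("tcp", "192.168.0.50", 4387, "198.51.100.25", 443)


def outcomes(rules: list) -> dict:
    return {name: evaluate(rules, c) for name, c in [
        ("mail server -> :25", MAIL_SERVER_SENDS),
        ("workstation -> :25", WORKSTATION_SENDS),
        ("workstation -> :443", WORKSTATION_WEB)]}


if __name__ == "__main__":
    for label, rules in [("alias pass/block", WORKING),
                         ("dst WAN address", WAN_ADDRESS_DST),
                         ("source port 25", SOURCE_PORT_SET)]:
        print(f"{label:18s} {outcomes(rules)}")
```

With the "WAN address" destination the block rule only matches traffic aimed at the firewall itself, so a workstation's connection to an outside mail server falls through to the default allow; with a source port of 25 neither the pass nor the block rule matches a client whose source port is ephemeral, so again everything falls through. Only the alias pass followed by a port-25 block yields pass for the allowed senders and block for everyone else, while leaving other outbound traffic alone.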
natec63:

Thank you very much! Had to set the source port on both the allow and the deny to get things working.