Rule to Limit SMTP outbound?
Not sure if this question belongs here or in the NAT section but basically I would like OUTBOUND SMTP traffic enabled only for our mail server. Anything else trying to go out using SMTP should be blocked. What is the best way to do this? Thank you.
Add some rules on the LAN, before the default allow:
allow smtp from mail server to any
deny smtp from lan subnet to any
Thank you for your assistance as always.
allow smtp from mail server to any
What about a partial allow to any, like:
allow to any IP, destination port smtp (=25) , limit 1 connection every 5 secondes.
[sorry for the non-official way of writing]
Understand that I use / abuse the fact that most mail clients break - make the connection for every mail sended.
I use this for my public access (hotspot) Wifi network.
Clients can send mail to their smtp mail server, but bulking just won't work.
Those options are under the 'Advanced Options' button on the firewall rule.
I am!(having the same problems but I added the following rule before the LAN default allow and all systems can still connect to mail servers by running a telnet test on port 25 of the internet address.<br /><br />Block TCP LAN net * WAN address 25 (SMTP) * test <br /><br />I even cleared the states.)
Are you trying to prevent reflection by doing this?
This is what the states shows:
172.20.30.187:4386 -> 206.13.x.131:53569 -> 69.12.x.215:25 ESTABLISHED:ESTABLISHED
I also tried the following rule in LAN
Block TCP LAN net * WAN address 25 (SMTP) * test
- LAN net * * * * Default LAN -> any
Why destination wan adress?
Trying to block all systems on the network from making smtp connections to outside hosts or servers so only my Exchange server is allowed to make outbound smtp connections.
Then you want a block rule that blocks everything NOT exchange IP address (source ip) on LAN.
had a virus once which installed an smtp server on a machine and spammed the hell out of our customers. I want to prevent all internal hosts from being able to act as smtp server except for my Exchange server.
What is I have 3 addresses which I need to allow..3 internal IP's?
Create an host alias at firewall>aliases with all your smtp allowed senders like "smtpallowedhosts"
Then create 2 firewallrules at the lan tab:
pass protocol tcp, source smtpallowedhosts, destination any, port 25, default gateway
block protocol tcp, source any, destination any, port 25, default gateway
That will do the trick. Alternatively you could have 3 pass rules with the IPs of the smtp senders but aliases are much more elegant ;)
Great. The key here was that I chose the Wan address and should have used Any. I used the aliases.
Ok, this is exactly what I need to do but obviously I have something wrong. I only need to allow one internal LAN IP to send mail and I want to block all other LAN IPs from using SMTP. So, here are my rules I created on the LAN interface.
Pass Protocol TCP, source 192.168.0.x, port 25, destination any, port 25, default gateway
Block protocol TCP, source any, port 25, destination any, port 25, default gateway
Pass *, source LAN net, port *, destination *, port *, gateway *
Why wouldn't this work?
Set the source port to *, the destination is 25. There is a reason that field is behind a checkbox with this warning:
Specify the port or port range for the source of the packet for this rule. This is usually not equal to the destination port range (and is often "any").
Hint: you can leave the 'to' field empty if you only want to filter a single port
NOTE: You will not need to enter anything here in 99.99999% of the circumstances. If you're unsure, do not enter anything here!
Thank you very much! Had to set the source port on both the allow and the deny to get things working.