Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Rule to Limit SMTP outbound?

    Scheduled Pinned Locked Moved Firewalling
    19 Posts 7 Posters 7.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pinoyboy
      last edited by

      Not sure if this question belongs here or in the NAT section but basically I would like OUTBOUND SMTP traffic enabled only for our mail server.  Anything else trying to go out using SMTP should be blocked.  What is the best way to do this?  Thank you.

      1 Reply Last reply Reply Quote 0
      • dotdashD
        dotdash
        last edited by

        Add some rules on the LAN, before the default allow:
        allow smtp from mail server to any
        deny smtp from lan subnet to any

        1 Reply Last reply Reply Quote 0
        • P
          pinoyboy
          last edited by

          Thank you for your assistance as always.

          1 Reply Last reply Reply Quote 0
          • GertjanG
            Gertjan
            last edited by

            @dotdash:

            allow smtp from mail server to any

            What about a partial allow to any, like:
            allow to any IP, destination port smtp (=25) , limit 1 connection every 5 secondes.
            [sorry for the non-official way of writing]

            Understand that I use / abuse the fact that most mail clients break - make the connection for every mail sended.

            I use this for my public access (hotspot) Wifi network.
            Clients can send mail to their smtp mail server, but bulking just won't work.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            1 Reply Last reply Reply Quote 0
            • dotdashD
              dotdash
              last edited by

              Those options are under the 'Advanced Options' button on the firewall rule.

              1 Reply Last reply Reply Quote 0
              • K
                kapara
                last edited by

                I am![](having the same problems but I added the following rule before the LAN default allow and all systems can still connect to mail servers by running a telnet test on port 25 of the internet address.<br /><br />Block TCP  LAN net  *  WAN address  25 (SMTP)  *     test <br /><br />I even cleared the states.)

                Skype ID:  Marinhd

                1 Reply Last reply Reply Quote 0
                • H
                  hoba
                  last edited by

                  Are you trying to prevent reflection by doing this?

                  1 Reply Last reply Reply Quote 0
                  • K
                    kapara
                    last edited by

                    This is what the states shows:

                    172.20.30.187:4386 -> 206.13.x.131:53569 -> 69.12.x.215:25 ESTABLISHED:ESTABLISHED

                    I also tried the following rule in LAN

                    Block TCP  LAN net  *  WAN address  25 (SMTP)  *     test

                    • LAN net  *  *  *  *     Default LAN -> any

                    Skype ID:  Marinhd

                    1 Reply Last reply Reply Quote 0
                    • H
                      hoba
                      last edited by

                      Why destination wan adress?

                      1 Reply Last reply Reply Quote 0
                      • K
                        kapara
                        last edited by

                        Trying to block all systems on the network from making smtp connections to outside hosts or servers so only my Exchange server is allowed to make outbound smtp connections.

                        Skype ID:  Marinhd

                        1 Reply Last reply Reply Quote 0
                        • S
                          sullrich
                          last edited by

                          Then you want a block rule that blocks everything NOT exchange IP address (source ip) on LAN.

                          1 Reply Last reply Reply Quote 0
                          • K
                            kapara
                            last edited by

                            had a virus once which installed an smtp server on a machine and spammed the hell out of our customers.  I want to prevent all internal hosts from being able to act as smtp server except for my Exchange server.

                            Skype ID:  Marinhd

                            1 Reply Last reply Reply Quote 0
                            • K
                              kapara
                              last edited by

                              What is I have 3 addresses which I need to allow..3 internal IP's?

                              Skype ID:  Marinhd

                              1 Reply Last reply Reply Quote 0
                              • H
                                hoba
                                last edited by

                                Create an host alias at firewall>aliases with all your smtp allowed senders like "smtpallowedhosts"

                                Then create 2 firewallrules at the lan tab:

                                pass protocol tcp, source smtpallowedhosts, destination any, port 25, default gateway
                                block protocol tcp, source any, destination any, port 25, default gateway

                                That will do the trick. Alternatively you could have 3 pass rules with the IPs of the smtp senders but aliases are much more elegant  ;)

                                1 Reply Last reply Reply Quote 0
                                • K
                                  kapara
                                  last edited by

                                  Trying now…

                                  Skype ID:  Marinhd

                                  1 Reply Last reply Reply Quote 0
                                  • K
                                    kapara
                                    last edited by

                                    Great.  The key here was that I chose the Wan address and should have used Any.  I used the aliases.

                                    Thanks guys.

                                    Mark

                                    Skype ID:  Marinhd

                                    1 Reply Last reply Reply Quote 0
                                    • N
                                      natec63
                                      last edited by

                                      Ok, this is exactly what I need to do but obviously I have something wrong.  I only need to allow one internal LAN IP to send mail and I want to block all other LAN IPs from using SMTP.  So, here are my rules I created on the LAN interface.

                                      Pass  Protocol TCP, source 192.168.0.x, port 25, destination any, port 25, default gateway
                                      Block protocol TCP, source any, port 25,  destination any, port 25, default gateway

                                      Pass *, source LAN net, port *, destination *, port *, gateway *

                                      Why wouldn't this work?

                                      pfSense 1.2-RC2

                                      1 Reply Last reply Reply Quote 0
                                      • dotdashD
                                        dotdash
                                        last edited by

                                        Set the source port to *, the destination is 25. There is a reason that field is behind a checkbox with this warning:
                                        Specify the port or port range for the source of the packet for this rule. This is usually not equal to the destination port range (and is often "any").
                                        Hint: you can leave the 'to' field empty if you only want to filter a single port
                                        NOTE: You will not need to enter anything here in 99.99999% of the circumstances. If you're unsure, do not enter anything here!

                                        1 Reply Last reply Reply Quote 0
                                        • N
                                          natec63
                                          last edited by

                                          Thank you very much!  Had to set the source port on both the allow and the deny to get things working.

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.