Rules not blocking access - please help!
-
Our mail server is getting hammered and now they are sending spam messages to our customer's pagers via our web server. I have tried everything I can think of to stop these spammers! I have RBLs set up on my mail server, but I would like to block their access at the IP level before they even touch the mail server.
I have blocked (or thought I blocked) all IPs from Asia, Amsterdam, etc. If I go to my mail server and do a netstat -a command it shows a ton of connections from say, China IPs that start with 43.x.x.x that say "TIME_WAIT", which means they got through pfsense and got to my mail server. Here's how I have the rules set up in pfsense.
Proto Source Port Destination Port Gateway Description
* 43.0.0.0/8 * * * * Block Asia
And the RED X to the far left is BOLD, meaning it is active blocked.
Any ideas how these IPs are getting past pfsense to my mail server? Thanks for your help!
Lee -
On which interface did you set this rule?
Is the rule above the allow rule? -
The interface is the WAN interface (coming from our ISP's router)
-
Thank you, thank you, thank you GruensFroeschli!
I figured out what it was…I had the block rules BELOW the allow rules. I moved the blocked rules above the pass rules and it now blocks access from these IPs.
Geez! I'm still learning here...
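
The ordering problem resolved in this thread, as an added example that is not part of the original posts and is not pfSense code: a simplified first-match evaluator plus a check that flags block rules an earlier pass rule lets traffic bypass. The SMTP pass rule and the test addresses are constructed, since the thread does not show the allow rule; destination matching is left out for brevity.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str            # "pass" or "block"
    source: str            # CIDR, or "any"
    dport: Optional[int]   # None means any port
    descr: str

    def net(self):
        return ipaddress.ip_network("0.0.0.0/0" if self.source == "any" else self.source)

    def matches(self, src_ip, dport):
        return (ipaddress.ip_address(src_ip) in self.net()
                and self.dport in (None, dport))

def evaluate(rules, src_ip, dport):
    """Walk the list top-down; the first matching rule decides the packet."""
    for rule in rules:
        if rule.matches(src_ip, dport):
            return rule.action, rule.descr
    return "block", "default deny"   # nothing matched

def bypassed_blocks(rules):
    """List (pass_descr, block_descr) pairs where a pass rule sits above a
    block rule and overlaps it, so some traffic never reaches the block."""
    found = []
    for i, later in enumerate(rules):
        if later.action != "block":
            continue
        for earlier in rules[:i]:
            same_port = None in (earlier.dport, later.dport) or earlier.dport == later.dport
            if earlier.action == "pass" and same_port and earlier.net().overlaps(later.net()):
                found.append((earlier.descr, later.descr))
    return found

# Constructed rules: the block rule is from the thread, the pass rule is assumed.
BLOCK_ASIA = Rule("block", "43.0.0.0/8", None, "Block Asia")
PASS_SMTP = Rule("pass", "any", 25, "Allow SMTP to mail server")

AS_POSTED = [PASS_SMTP, BLOCK_ASIA]   # block below pass: never reached for port 25
CORRECTED = [BLOCK_ASIA, PASS_SMTP]   # block above pass

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name, evaluate(rules, "43.1.2.3", 25), bypassed_blocks(rules))
```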