
Topic: Closing port 25 from outside


Offline maidelba

Closing port 25 from outside
« on: July 26, 2012, 12:54:57 pm »
We're on pfSense 1.2.2 and I can't figure out something.  I have our firewall set to permit port 25 so my internal server can forward mail to the outside, but I don't want it open from the outside.
Is there a way to do this?

Here are my current rules:

NAT: Port forward
  If.   Proto   Ext. port range   NAT IP        Int. port range   Description
  WAN   TCP     25 (SMTP)         10.23.23.24   25 (SMTP)         Mail forward for exchange server
  (ext. address: any)

Firewall Rules:
  Proto   Source   Port   Destination   Port        Gateway   Description
  TCP     *        *      10.23.23.24   25 (SMTP)   *         NAT Mail forward for exchange server

Thanks!
Mitch

Offline podilarius

Re: Closing port 25 from outside
« Reply #1 on: July 26, 2012, 02:08:07 pm »
The permit rule so that your mail server can send mail would be on the LAN interface. Remove the rule on the WAN and the port forward in NAT, and that will stop inbound on WAN.
I would disable and reset states first before I deleted the rule.

Offline maidelba

Re: Closing port 25 from outside
« Reply #2 on: July 26, 2012, 04:16:00 pm »
Thanks so much, trying it now...

Quote from: podilarius
  The permit rule so that your mail server can send mail would be on the LAN interface. Remove the rule on the WAN and the port forward in NAT, and that will stop inbound on WAN.
  I would disable and reset states first before I deleted the rule.

Offline johnpoz

Re: Closing port 25 from outside
« Reply #3 on: July 26, 2012, 04:17:35 pm »
"but I don't want it open from the outside."

Then why did you set up a port forward?  The only reason for a port forward is when you want unsolicited traffic from the outside to go to some box on the inside.

What you're asking for in a default setup would already have been allowed.  Default rules allow anything on LAN to go to anything on the internet, and there would be NO allowed unsolicited inbound traffic.

So any box on your network would be allowed to talk to anything on 25 on the internet.  If you want to limit that, then yes, on your LAN you would create a rule to only allow your exchange box to talk out on 25, and create a specific rule to block everything on 25 right under that rule.  Then under that rule you would have your default allow again.  So exchange talking on 25 is OK, anything else on 25 is blocked, and talking on, say, 80 would still be open.

You should have no port forwards in what you asked for.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Have I helped you, want to say thanks?  Donate to pfsense the cost of a beer http://pfsense.org/donate.html
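The rule ordering johnpoz describes (exchange passes on 25, everyone else on 25 is blocked, default allow underneath) and the empty WAN side after the port forward is removed, modelled as a first-match evaluator. This is an added example, not code from the thread or from pfSense; the LAN subnet 10.23.23.0/24 and the outside address 203.0.113.7 are assumptions, only 10.23.23.24 comes from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

EXCHANGE = ipaddress.ip_network("10.23.23.24/32")  # mail server from the thread
LAN_NET = ipaddress.ip_network("10.23.23.0/24")    # assumed LAN subnet (not stated in the thread)


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    iface: str                        # interface the rule is bound to: "lan" or "wan"
    src: ipaddress.IPv4Network        # source must fall inside this network
    dport: Optional[int]              # destination port, None = any port
    proto: str = "tcp"


# LAN rule set as johnpoz lays it out. pfSense evaluates top-down, first match wins,
# so the narrow pass for the exchange box must sit above the broad block on 25.
LAN_RULES: List[Rule] = [
    Rule("pass", "lan", EXCHANGE, 25),    # only the exchange server may talk out on 25
    Rule("block", "lan", LAN_NET, 25),    # every other LAN host is blocked on 25
    Rule("pass", "lan", LAN_NET, None),   # default allow for everything else (80, 443, ...)
]

# The same three rules with the block placed first: this is the ordering mistake to avoid.
MISORDERED_LAN_RULES: List[Rule] = [LAN_RULES[1], LAN_RULES[0], LAN_RULES[2]]

# WAN after deleting the port forward and its associated pass rule: no pass rules at all,
# so unsolicited inbound SMTP falls through to the implicit default deny.
WAN_RULES: List[Rule] = []


def evaluate(rules: List[Rule], iface: str, src: str, dport: int, proto: str = "tcp") -> str:
    """Return the action of the first matching rule, or 'block' (implicit default deny)."""
    src_ip = ipaddress.ip_address(src)
    for r in rules:
        if r.iface != iface or r.proto != proto:
            continue
        if src_ip in r.src and (r.dport is None or r.dport == dport):
            return r.action
    return "block"


if __name__ == "__main__":
    print("exchange -> 25  :", evaluate(LAN_RULES, "lan", "10.23.23.24", 25))
    print("other host -> 25:", evaluate(LAN_RULES, "lan", "10.23.23.50", 25))
    print("other host -> 80:", evaluate(LAN_RULES, "lan", "10.23.23.50", 80))
    print("misordered, exchange -> 25:", evaluate(MISORDERED_LAN_RULES, "lan", "10.23.23.24", 25))
    print("outside -> WAN:25 (no forward):", evaluate(WAN_RULES, "wan", "203.0.113.7", 25))
```

Swapping the first two LAN rules shows why the order matters: the broad block then shadows the exchange pass and the mail server can no longer send.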