
Topic: SMTP traffic (port 25) only from mail server

Brasse

  • Level 1 Member
  • Posts: 20
SMTP traffic (port 25) only from mail server
« on: January 07, 2010, 05:37:45 AM »

I have set up NAT to the Mail server something like this:


However, I have had some problems with clients that have viruses/trojans that send spam, and I want to block all SMTP traffic to or from the internet, except for the "real" mail server.

I have tried to create a rule, below those rules, like this:
Name: smtp_deny
Action: Reject
Service: smtp
Source interface: any
Source Network: all-nets
Destination Interface: any
Destination Network: all-nets

But there is still traffic going through.
How should I set this up?

Fatman

  • Level 9 Member
  • Posts: 1675
Re: SMTP traffic (port 25) only from mail server
« Reply #1 on: January 07, 2010, 08:30:22 AM »

You may need to be a little more careful with your interface and network designations.  IP Rule 10 that you have listed would NAT traffic from the LAN to the WAN on any service, so if that rule appeared first it would be used instead.  Try moving that reject rule to position #1.

If Rule 10 was meant to be a NAT loopback then change the destination interface to core and the destination network to wan1_ip.

If Rule 10 was just meant to be a default allow outbound traffic then I wouldn't place it between your SAT and its matching Allow.

If I was going to nitpick your rules though, my first concern would be never using the any interface, instead creating interface groups where multiple interfaces are intended.

The goal with IP rules is to write rules as specific as possible, because then you find the wrong rule being consulted less.  This is good both from a troubleshooting/maintenance and a security standpoint.
non progredi est regredi
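The rule-ordering problem in this reply comes down to first-match evaluation: the first non-SAT rule whose service, interfaces and networks all match decides the packet, so a Reject placed below a broad NAT rule is never reached by LAN traffic. The following added example is not from the thread or from D-Link; it is a small Python model of that lookup, with constructed addresses (LAN 10.0.0.0/24, mail server 10.0.0.25, WAN address 198.51.100.1, an external MX 203.0.113.5) and a rule set reconstructed from the original post. It also includes a simple overlap report that lists, for any two rules with different actions whose match sets intersect, which one is consulted first, which is the "wrong rule being consulted" case the reply describes. The SAT handling (a SAT rule rewrites the address and the lookup continues to the next matching rule) is modelled as the reply describes it; the implicit drop for unmatched traffic is an assumption of this model only.

```python
"""First-match simulation of a NetDefend-style IP rule set (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY, ALL_NETS, ALL_SERVICES = "any", "all-nets", "all_services"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # SAT, Allow, NAT, Reject, Drop
    service: str     # e.g. "smtp", or all_services
    src_if: str      # interface name, or any
    src_net: str     # CIDR, a host address, or all-nets
    dst_if: str
    dst_net: str


@dataclass(frozen=True)
class Packet:
    service: str
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str


def _in_net(net: str, ip: str) -> bool:
    return net == ALL_NETS or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def _nets_overlap(a: str, b: str) -> bool:
    if ALL_NETS in (a, b):
        return True
    return ipaddress.ip_network(a, strict=False).overlaps(ipaddress.ip_network(b, strict=False))


def _ifs_overlap(a: str, b: str) -> bool:
    return ANY in (a, b) or a == b


def _svcs_overlap(a: str, b: str) -> bool:
    return ALL_SERVICES in (a, b) or a == b


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_svcs_overlap(rule.service, pkt.service)
            and _ifs_overlap(rule.src_if, pkt.src_if)
            and _in_net(rule.src_net, pkt.src_ip)
            and _ifs_overlap(rule.dst_if, pkt.dst_if)
            and _in_net(rule.dst_net, pkt.dst_ip))


def decide(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Return the rule that decides the packet. A SAT rule only rewrites the
    address; the lookup continues until a non-SAT rule matches, which is why a
    SAT needs its matching Allow. None means nothing matched (modelled as drop)."""
    for rule in rules:
        if matches(rule, pkt) and rule.action != "SAT":
            return rule
    return None


def ordering_conflicts(rules: List[Rule]) -> List[str]:
    """List later rules whose traffic can be captured by an earlier rule with a
    different action. Every entry should be a deliberate exception; anything
    else is a candidate for reordering or for narrower interfaces/networks."""
    out = []
    for i, earlier in enumerate(rules):
        if earlier.action == "SAT":
            continue
        for later in rules[i + 1:]:
            if later.action in ("SAT", earlier.action):
                continue
            if (_svcs_overlap(earlier.service, later.service)
                    and _ifs_overlap(earlier.src_if, later.src_if)
                    and _nets_overlap(earlier.src_net, later.src_net)
                    and _ifs_overlap(earlier.dst_if, later.dst_if)
                    and _nets_overlap(earlier.dst_net, later.dst_net)):
                out.append(f"{later.name} ({later.action}) is partly hidden by "
                           f"{earlier.name} ({earlier.action})")
    return out


# Constructed addresses, not taken from the thread.
LANNET, MAIL_SRV, WAN1_IP = "10.0.0.0/24", "10.0.0.25", "198.51.100.1"

# Rule set as the original post describes it: SAT + Allow for inbound mail, a
# broad "rule 10" NAT for everything leaving the LAN, and the reject at the end.
ORIGINAL = [
    Rule("sat_mail",   "SAT",    "smtp", "wan1", ALL_NETS, "core", WAN1_IP),
    Rule("allow_mail", "Allow",  "smtp", "wan1", ALL_NETS, "core", WAN1_IP),
    Rule("rule10",     "NAT",    ALL_SERVICES, "lan", LANNET, ANY, ALL_NETS),
    Rule("smtp_deny",  "Reject", "smtp", ANY, ALL_NETS, ANY, ALL_NETS),
]

# Reordered per the reply: a narrow NAT for the real mail server, then the
# reject, then the broad NAT, and concrete interfaces instead of "any".
FIXED = [
    Rule("sat_mail",   "SAT",    "smtp", "wan1", ALL_NETS, "core", WAN1_IP),
    Rule("allow_mail", "Allow",  "smtp", "wan1", ALL_NETS, "core", WAN1_IP),
    Rule("mail_out",   "NAT",    "smtp", "lan", MAIL_SRV, "wan1", ALL_NETS),
    Rule("smtp_deny",  "Reject", "smtp", "lan", LANNET, "wan1", ALL_NETS),
    Rule("rule10",     "NAT",    ALL_SERVICES, "lan", LANNET, "wan1", ALL_NETS),
]

INFECTED_CLIENT = Packet("smtp", "lan", "10.0.0.50", "wan1", "203.0.113.5")
MAIL_SERVER_OUT = Packet("smtp", "lan", MAIL_SRV, "wan1", "203.0.113.5")
CLIENT_WEB = Packet("http", "lan", "10.0.0.50", "wan1", "203.0.113.5")
INBOUND_MAIL = Packet("smtp", "wan1", "203.0.113.5", "core", WAN1_IP)

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"== {label} ==")
        for pkt in (INFECTED_CLIENT, MAIL_SERVER_OUT, CLIENT_WEB, INBOUND_MAIL):
            hit = decide(rules, pkt)
            print(f"{pkt.service:5} {pkt.src_ip:>12} -> {pkt.dst_ip:<12} : "
                  f"{hit.name + ' (' + hit.action + ')' if hit else 'no match (drop)'}")
        for line in ordering_conflicts(rules):
            print("  overlap:", line)
```

Run as-is to see that the infected client's SMTP matches rule10 in the original ordering and smtp_deny in the fixed one, while the mail server, ordinary web traffic and inbound mail still reach their intended rules. The overlap report is deliberately noisy: in the fixed set it still flags mail_out above smtp_deny and smtp_deny above rule10, which is exactly the intended precedence, so treat it as a checklist to confirm rather than a list of errors.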

Brasse

  • Level 1 Member
  • Posts: 20
Re: SMTP traffic (port 25) only from mail server
« Reply #2 on: January 08, 2010, 03:22:11 AM »

OK thank you! I got it to work at last.

OK, I am using those IP rules because I need to be able to access LAN servers from the outside, and I followed a guide (from D-Link, PDF) that I found.

And rule 10, I think, is meant to be NAT loopback; please correct me if I am wrong.

I am used to simpler consumer products, and configuring this is a pretty big step.