# How to block all outgoing port 25 except internal mail server.



## sattech2000 (Apr 14, 2011)

Our ISP set up and installed an OpenBSD Firewall at the border doing NAT translation. I'm running a linux mailserver internally. It seems about every six months someone brings an infected laptop into the building that starts sending out spam and gets us blacklisted. I'm looking for something that will block all outgoing port 25 except from the mail server. Notification (email or ?) would be a big bonus.

I have been playing around with 

```
pass out quick on $ext_if proto tcp from $emailserver to any port 25 flags S/SA synproxy state
block out on $ext_if proto tcp from any to any port 25
```
however, every time I run that rule the email server returns "no route to host" when I try to telnet to outside servers.

I'm fairly new to the OpenBSD world, so any suggestions on overall monitoring or logging that could be set up on the firewall would be great also.
Thank you
Randy


Something like this from the cisco world.

```
access-list acl_out permit tcp host X.X.X.X any eq 25
access-list acl_out deny tcp any any eq 25
access-list acl_out permit ip any any
```
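
The notification Randy asks for can be built from pflog once the block rule carries `log`. The script below is an added example, not from the original post: it reads the text that `tcpdump -n -e -ttt -r /var/log/pflog` prints, keeps only blocked outbound SYNs to tcp/25 on the external interface, drops the mail server, and counts attempts per internal host, which is exactly the list of machines to go and look at. The interface name `em0`, the mail server address `192.168.1.10`, the recipient address and the sample log lines are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the forum thread): summarise blocked outbound SMTP
# attempts from pflog text so an infected internal host can be spotted.
# Assumptions (constructed for this example, not the OP's real setup): the
# ruleset logs blocks ("block log ..."), the external interface is em0 and the
# mail server is 192.168.1.10.

MAIL_SERVER="192.168.1.10"
EXT_IF="em0"

# Constructed sample of `tcpdump -n -e -ttt -r /var/log/pflog` output.
# 192.168.1.50 tries three different MXs, 192.168.1.77 tries once, the mail
# server is passed, and one blocked attempt is to 443 and must be ignored.
SAMPLE_PFLOG='000000 rule 0/0(match): block out on em0: 192.168.1.50.49152 > 203.0.113.10.25: Flags [S], seq 1, win 65535, length 0
000531 rule 0/0(match): block out on em0: 192.168.1.50.49153 > 198.51.100.7.25: Flags [S], seq 2, win 65535, length 0
000120 rule 3/0(match): pass out on em0: 192.168.1.10.50001 > 203.0.113.10.25: Flags [S], seq 3, win 65535, length 0
000233 rule 0/0(match): block out on em0: 192.168.1.77.40000 > 203.0.113.10.25: Flags [S], seq 4, win 65535, length 0
000400 rule 0/0(match): block out on em0: 192.168.1.50.49154 > 203.0.113.11.25: Flags [S], seq 5, win 65535, length 0
000700 rule 0/0(match): block out on em0: 192.168.1.50.49155 > 203.0.113.12.443: Flags [S], seq 6, win 65535, length 0'

# report_blocked_smtp: read pflog text on stdin and print "count src_ip" for
# every internal source (other than the mail server) whose SYN to tcp/25 was
# blocked on the external interface, most active host first.
report_blocked_smtp() {
    awk -v ext_if="$EXT_IF" -v mail="$MAIL_SERVER" '
        $0 ~ ("block out on " ext_if ":") && / Flags \[S\],/ {
            # tcpdump prints "src.port > dst.port:"; locate the ">" field
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1); break }
            sub(/:$/, "", dst)
            n = split(dst, d, ".")
            if (d[n] != "25") next            # only SMTP destinations
            split(src, s, ".")
            srcip = s[1] "." s[2] "." s[3] "." s[4]
            if (srcip == mail) next           # the relay is allowed to send
            count[srcip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# notify_offenders: mail the report to $1 when there is anything to report.
# Meant for a cron job fed by tcpdump as above; uses mail(1).
notify_offenders() {
    report="$(report_blocked_smtp)"
    [ -n "$report" ] || return 0
    printf '%s\n' "$report" | mail -s "Blocked outbound SMTP attempts" "$1"
}

# Stand-alone run over the constructed sample; on the firewall you would use:
#   tcpdump -n -e -ttt -r /var/log/pflog | notify_offenders admin@example.org
printf '%s\n' "$SAMPLE_PFLOG" | report_blocked_smtp
```

The SYN filter matters: without it every retransmitted data segment of a blocked session would be counted, and `modulate state` or `keep state` on the pass rule means the mail server's own traffic never appears as a block in the first place.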


----------



## phoenix (Apr 14, 2011)

Note: This is a *Free*BSD user support forum, not an *Open*BSD user support forum. While both systems support pf(4), there are differences in their support, the syntax used, and the files used.

While FreeBSD users can provide help on PF rules, your best bet would be to check an OpenBSD support forum, if you will be using OpenBSD.


----------



## DutchDaemon (Apr 14, 2011)

Note that synproxy is not used on outbound connections; modulate is, though.


----------



## gkontos (Apr 14, 2011)

sattech2000 said:

> ```
> access-list acl_out permit tcp host X.X.X.X any eq 25
> access-list acl_out deny tcp any any eq 25
> access-list acl_out permit ip any any
> ```


This is a bad implementation in the CISCO world! Never allow unrestricted outbound access. And don't use permits and denies on the same access list. Instead use something like this:

```
access-list acl_out extended permit tcp object-group mail_relay any eq 25
access-list acl_out extended permit tcp object-group inside_network any object-group tcp_service
access-list acl_out extended permit udp object-group inside_network any object-group udp_service
```
Similarly:

```
block log all
pass out log on $ext_if proto tcp from $mail_relay to any port 25 modulate state
pass out log on $ext_if proto tcp from any to any port $tcp_service modulate state
# modulate state only applies to TCP; plain keep state for UDP
pass out log on $ext_if proto udp from any to any port $udp_service keep state
```
Regards


----------



## SirDice (Apr 15, 2011)

If you really want to protect your network, do not allow _any_ workstation direct internet access. So block all outgoing connections from clients. If they need access to the world wide web force them all through a proxy. And for email force them all to the company's mailserver.


----------



## mamalos (Apr 16, 2011)

It all depends on the rest of your rules.

If you have a rule that allows all outgoing traffic (default accept policy), then you have to block the specific traffic yourself, using a rule like:

```
# pass out all except for clients' port 25
# port 25 belongs on the destination side: clients connect from ephemeral ports
block out quick on $ext_if inet proto tcp from ! $mailserver to any port 25
pass out quick on $ext_if inet proto tcp from any to any modulate state
```

Otherwise, if you are using a default deny policy, then you have to specifically allow only the specific traffic to go out, so you may use something like the following:

```
block out all
# the mail server's source port is ephemeral, so match only the destination port
pass out quick on $ext_if inet proto tcp from $mailserver to any port 25 modulate state
```

These, of course, are just examples. You should read and comprehend the rest of your /etc/pf.conf file.

Good luck, and as phoenix suggested, since you're using OpenBSD, you had better consult an OpenBSD-specific resource to get a deeper understanding of your OS.
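
The two rulesets above differ only in where the default lives, and what makes each of them work is pf's evaluation order: the last matching rule wins, unless a matching rule says `quick`, in which case evaluation stops there. The script below is an added example, not from mamalos's post or from pf itself; it models that rule in a few lines of awk over a deliberately simplified rule format of my own (`pass|block [quick] <src|any|!src> <dport|any>`) and runs the default-accept and default-deny rulesets, plus the same block rule written without `quick`, against constructed packets. The address `192.168.1.10` for the mail server is made up.

```shell
#!/bin/sh
# Added example (not from the forum thread): a small model of pf's
# "last matching rule wins unless quick" evaluation, used to check the two
# rulesets discussed above. Rule format is a simplification made for this
# example: "<pass|block> [quick] <src|any|!src> <dport|any>".

# Ruleset A: default accept, clients' port 25 blocked first with quick.
RULES_A='block quick !192.168.1.10 25
pass quick any any'

# Ruleset B: default deny, only the mail server may reach port 25.
RULES_B='block any any
pass quick 192.168.1.10 25'

# Ruleset C: the block rule without quick ahead of a catch-all pass; the pass
# matches last and wins, so the block never takes effect.
RULES_C='block !192.168.1.10 25
pass any any'

# evaluate RULESET SRC_IP DST_PORT: print "pass" or "block".
# Like pf, a packet that matches no rule at all is passed.
evaluate() {
    printf '%s\n' "$1" | awk -v src="$2" -v dport="$3" '
        NF == 0 { next }
        {
            action = $1; quick = 0; i = 2
            if ($2 == "quick") { quick = 1; i = 3 }
            rsrc = $i; rport = $(i + 1)
            # source: any, exact address, or negated address
            if (rsrc == "any") smatch = 1
            else if (substr(rsrc, 1, 1) == "!") smatch = (substr(rsrc, 2) != src)
            else smatch = (rsrc == src)
            pmatch = (rport == "any" || rport == dport)
            if (smatch && pmatch) {
                result = action          # remember the latest match
                if (quick) { print result; done = 1; exit }
            }
        }
        END { if (!done) print (result == "" ? "pass" : result) }
    '
}

# Demonstration over constructed packets: a client (192.168.1.50) and the mail
# server (192.168.1.10) under each ruleset.
for rs in A B C; do
    eval "rules=\$RULES_$rs"
    for pkt in "192.168.1.50 25" "192.168.1.10 25" "192.168.1.10 443"; do
        printf 'ruleset %s  src %-14s dport %-4s -> %s\n' "$rs" $pkt "$(evaluate "$rules" $pkt)"
    done
done
```

Ruleset B also shows the cost of default deny that mamalos hints at: the mail server reaching port 443 is blocked too, so every other needed service has to get its own `pass out` rule. Ruleset C is the ordering mistake to watch for when adding a block rule to an existing default-accept pf.conf.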


----------

