# ipfw not blocking specific IP?



## sinbad (Mar 21, 2013)

When I check my maillog I see the some attacker tries to login to postfix using non existing email account and fails due to 'Relay access denied'. it's always from the same IP address and it's been going on for few days.

I've added a rule to my IPFW ruleset with the hopes to block it but I still see the IP in the log.

*I*f I run [cmd=]ipfw list[/cmd] my rules read:


```
00001 check-state
00002 allow ip from any to any via lo0
00003 allow tcp from any to any established
00100 allow tcp from any to 199.48.xxx.xxx dst-port 1500 in setup keep-state
00101 allow tcp from any to 199.48.xxx.xxx dst-port 80 in setup keep-state
00102 allow tcp from any to 199.48.xxx.xxx dst-port 443 in setup keep-state
00103 allow tcp from any to 199.48.xxx.xxx dst-port 25 in setup keep-state
00104 allow tcp from any to 199.48.xxx.xxx dst-port 465 in setup keep-state
00105 allow tcp from any to 199.48.xxx.xxx dst-port 110 in setup keep-state
00106 allow tcp from any to 199.48.xxx.xxx dst-port 143 in setup keep-state
00107 allow tcp from any to 199.48.xxx.xxx dst-port 5666 in setup keep-state
00108 allow tcp from any to 199.48.xxx.xxx dst-port 587 in setup keep-state
00109 deny ip from 61.8.13.38 to any
00200 allow udp from 199.48.xxx.xxx to any out keep-state
00201 allow tcp from 199.48.xxx.xxx to any out setup keep-state
00400 allow icmp from 199.48.xxx.xxx to any icmptypes 0,3,8,11,12,13,14
00401 allow icmp from any to 199.48.xxx.xxx icmptypes 0,3,8,11,12,13,14
00500 allow tcp from any to any out via re1 setup keep-state
00999 deny ip from any to any
65535 deny ip from any to any
```

*I*s there anything wrong in my setup? *S*houldn't the firewall block the IP before I see it in the postfix log?

*T*hanks for any help.


----------



## qsecofr (Mar 21, 2013)

There's a section specific to firewalls.  This question probably belongs there.

If it were me, and I knew the IP address I wanted to block, then I'd add the rule to deny ahead of even check-state.  I'd log it too, so I could see the rule being effective.  And I'd maybe make it a table because if there's one IP to be blocked, there'll be more eventually.

Without more info it's difficult to see which rule accepts the packet that you intend to deny.  Logging really does help, IMO.


----------



## wblock@ (Mar 21, 2013)

Thread moved.


----------



## throAU (Mar 22, 2013)

With ipfw, first match wins.

You have an allow from any line for SMTP first, hence the packet comes in, matches rule 103, and then further firewall processing doesn't happen.

Move the deny rule (109) to the top of your rule-set, or at least before rule 103.


----------

