I'm trying to figure out if this is normal behavior or not. I have the
firewall set to allow a port in (SMTP) for the mail server. Lately, I
had been getting a lot of spam from a certain IP range, but after trying
to get the ISP to resolve it, I just decided to block the entire range
until such time. I added a block rule in the firewall list and moved it
above the "allow" rule for port 25. For some reason after applying the
rules and days later, spam still comes in from that IP. So I did an
experiment with a port tool by allowing a certain port in and having a
friend outside of my network test the port to see if it would allow him
in. With no rules to allow the port, it blocks it no problems. With a
rule to allow the port in, everything works. With a rule to block only
his IP address, or even his range, it still allows him in, which I don't
understand. I thought the rules were evaluated from top to bottom. I
even tried swapping them around, thinking maybe only the last one counts,
but it still didn't work. It looks like any rule set to allow
overrides all other block rules. Is this normal or am I missing something?
Thanks,
Michael
Filter XML Section Below
<filter>
  <rule>
    <type>reject</type>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <address>83.97.228.0/24</address>
      <port>25</port>
    </source>
    <destination>
      <any/>
      <port>25</port>
    </destination>
    <descr>Block Spam Servers #1</descr>
  </rule>
  <rule>
    <type>reject</type>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <address>58.224.0.0/12</address>
      <port>25</port>
    </source>
    <destination>
      <any/>
      <port>25</port>
    </destination>
    <descr>Block Spam Servers #2</descr>
  </rule>
  <rule>
    <type>reject</type>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <address>201.26.196.0/24</address>
      <port>25</port>
    </source>
    <destination>
      <any/>
      <port>25</port>
    </destination>
    <descr>Block Spam Servers #3</descr>
  </rule>
  <rule>
    <type>reject</type>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <address>200.233.236.0/24</address>
      <port>25</port>
    </source>
    <destination>
      <any/>
      <port>25</port>
    </destination>
    <descr>Block Spam Servers #4</descr>
  </rule>
  <rule>
    <type>reject</type>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <address>83.195.197.0/24</address>
      <port>25</port>
    </source>
    <destination>
      <any/>
      <port>25</port>
    </destination>
    <descr>Block Spam Servers #5</descr>
  </rule>
  <rule>
    <type>reject</type>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <address>84.220.134.0/24</address>
      <port>25</port>
    </source>
    <destination>
      <any/>
      <port>25</port>
    </destination>
    <descr>Block Spam Servers #6</descr>
  </rule>
  <rule>
    <type>reject</type>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <address>83.33.71.0/24</address>
      <port>25</port>
    </source>
    <destination>
      <any/>
      <port>25</port>
    </destination>
    <descr>Block Spam Servers #7</descr>
  </rule>
  <rule>
    <type>reject</type>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <address>62.14.200.0/24</address>
      <port>25</port>
    </source>
    <destination>
      <any/>
      <port>25</port>
    </destination>
    <descr>Block Spam Servers #8</descr>
  </rule>
  <rule>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>192.168.0.3</address>
      <port>25</port>
    </destination>
    <descr>NAT Belldandy Mail Server SMTP</descr>
  </rule>
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>192.168.0.2</address>
      <port>21</port>
    </destination>
    <descr>NAT Skuld FTP Server</descr>
  </rule>
  <rule>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>192.168.0.3</address>
      <port>143</port>
    </destination>
    <descr>NAT Belldandy Mail Server IMAP</descr>
  </rule>
  <rule>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>192.168.0.2</address>
      <port>443</port>
    </destination>
    <descr>NAT Skuld Secure Web Server</descr>
  </rule>
  <rule>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>192.168.0.3</address>
      <port>110</port>
    </destination>
    <descr>NAT Belldandy Mail Server POP3</descr>
  </rule>
  <rule>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>192.168.0.2</address>
      <port>80</port>
    </destination>
    <descr>NAT Skuld Web Server</descr>
  </rule>
  <rule>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>192.168.0.2</address>
      <port>10000</port>
    </destination>
    <descr>NAT Skuld Webmin 10000</descr>
  </rule>
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>192.168.0.3</address>
      <port>10000</port>
    </destination>
    <descr>NAT Belldandy Webmin 10001</descr>
  </rule>
  <rule>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>192.168.0.4</address>
      <port>10000</port>
    </destination>
    <descr>NAT Urd Webmin 10002</descr>
  </rule>
  <rule>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>192.168.0.2</address>
      <port>3306</port>
    </destination>
    <descr>NAT MySQL</descr>
  </rule>
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <protocol>tcp/udp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>192.168.0.150</address>
      <port>5120-5300</port>
    </destination>
    <descr>NWN Server OOA</descr>
  </rule>
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>192.168.0.150</address>
      <port>21</port>
    </destination>
    <descr>NWN Server FTP</descr>
  </rule>
  <rule>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>192.168.0.64</address>
      <port>5800-5900</port>
    </destination>
    <descr>NAT TightVNC to Merlin</descr>
  </rule>
  <rule>
    <interface>wan</interface>
    <protocol>tcp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>192.168.0.64</address>
      <port>6881</port>
    </destination>
    <descr>NAT Bit Torrent Inbound</descr>
  </rule>
  <rule>
    <type>pass</type>
    <interface>pptp</interface>
    <source>
      <network>pptp</network>
    </source>
    <destination>
      <any/>
    </destination>
    <log/>
    <descr>VPN</descr>
  </rule>
  <rule>
    <type>pass</type>
    <interface>lan</interface>
    <source>
      <network>lan</network>
    </source>
    <destination>
      <any/>
    </destination>
    <descr>Default LAN -> any</descr>
  </rule>
  <tcpidletimeout/>
</filter>
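Worked example (added here, not part of the original post or of the firewall's own code) that walks a simulated SMTP connection through a constructed excerpt of the filter above, first match wins, top to bottom. The reject rules constrain the *source* port to 25, but a connecting mail client uses an ephemeral source port, so they never match and evaluation falls through to the SMTP pass rule; dropping `<port>` from the reject rules' `<source>` makes them match. Assumptions: rules are evaluated after inbound NAT (destination is the internal address), and a `<rule>` without `<type>` is a pass.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed excerpt of the poster's <filter>: one reject rule plus the SMTP
# pass rule. Assumed semantics (m0n0wall-style): first match wins, a <rule>
# without <type> passes, <port> under <source> matches the SOURCE TCP port.
FILTER_XML = """<filter>
<rule><type>reject</type><interface>wan</interface><protocol>tcp</protocol>
<source><address>83.97.228.0/24</address><port>25</port></source>
<destination><any/><port>25</port></destination>
<descr>Block Spam Servers #1</descr></rule>
<rule><interface>wan</interface><protocol>tcp</protocol>
<source><any/></source>
<destination><address>192.168.0.3</address><port>25</port></destination>
<descr>NAT Belldandy Mail Server SMTP</descr></rule>
</filter>"""


def _side_matches(side, ip, port):
    """Match one <source>/<destination> element against an address and port."""
    addr = side.find("address")
    if addr is not None:
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(addr.text, strict=False):
            return False
    p = side.find("port")  # absent port element means any port
    return p is None or int(p.text) == port


def evaluate(filter_xml, src_ip, src_port, dst_ip, dst_port, iface="wan"):
    """Return (action, descr) of the first rule matching a TCP connection."""
    for rule in ET.fromstring(filter_xml).findall("rule"):
        if rule.findtext("interface") != iface:
            continue
        if rule.findtext("protocol", "tcp") not in ("tcp", "tcp/udp"):
            continue
        if not _side_matches(rule.find("source"), src_ip, src_port):
            continue
        if not _side_matches(rule.find("destination"), dst_ip, dst_port):
            continue
        return rule.findtext("type", "pass"), rule.findtext("descr")
    return "block", "implicit default deny"  # nothing matched


def drop_source_port_from_rejects(filter_xml):
    """Rewrite reject rules so they match any source port (the intended block)."""
    root = ET.fromstring(filter_xml)
    for rule in root.findall("rule"):
        src = rule.find("source")
        if rule.findtext("type") == "reject" and src.find("port") is not None:
            src.remove(src.find("port"))
    return ET.tostring(root, encoding="unicode")
```

Running `evaluate(FILTER_XML, "83.97.228.10", 51234, "192.168.0.3", 25)` lands on the SMTP pass rule; the same connection against `drop_source_port_from_rejects(FILTER_XML)` hits the reject rule.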