 
 From:  Michael Brown <knightmb at knightmb dot dyndns dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  one pass rule in the firewall overrides all other block rules
 Date:  Sun, 28 May 2006 11:35:00 -0500
I'm trying to figure out if this is normal behavior or not. I have the 
firewall set to allow a port in (SMTP) for the mail server. Lately, I 
had been getting a lot of spam from a certain IP range, but after trying 
to get the ISP to resolve it, I just decided to block the entire range 
until such time.  I added a block rule in the firewall list and moved it 
above the "allow" rule for port 25.  For some reason after applying the 
rules and days later, spam still comes in from that IP.  So I did an 
experiment with a port tool by allowing a certain port in and having a 
friend outside of my network test the port to see if it would allow him 
in.  With no rules to allow the port, it blocks it no problems.  With a 
rule to allow the port in, everything works.  With a rule to block only 
his IP address, or even his whole range, it still lets him in, which I don't 
understand. I thought the rules were evaluated from top to bottom. I 
even tried swapping them around thinking maybe only the last one counts, 
but it still didn't work.  It looks like any rule set to allow 
overrides all other block rules.  Is this normal, or am I missing something?

Thanks,
Michael

Filter XML Section Below

<filter>
        <!--
            Reviewer note on the "allow overrides block" symptom described
            in the post: as far as I know m0n0wall evaluates these rules
            top to bottom and stops at the first match, so rule order is
            honoured. The eight "Block Spam Servers" reject rules simply
            never match: each one restricts the SOURCE port to 25
            (the <port>25</port> inside <source>), but an SMTP client
            connects FROM an ephemeral port TO port 25. No inbound mail
            connection carries source port 25, so evaluation falls through
            to the later "NAT Belldandy Mail Server SMTP" rule, which
            admits it. Fix: remove the <port>25</port> element from each
            reject rule's <source> so any source port matches, and keep
            only the destination port 25 constraint. The same mistake
            would explain the port-tool experiment if the test block rule
            was created with a source port set.
        -->
        <rule>
            <type>reject</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <address>83.97.228.0/24</address>
                <port>25</port>
                <!-- source port 25 is the bug: SMTP clients use an ephemeral source port -->
            </source>
            <destination>
                <any/>
                <port>25</port>
            </destination>
            <descr>Block Spam Servers #1</descr>
        </rule>
        <rule>
            <type>reject</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <address>58.224.0.0/12</address>
                <port>25</port>
                <!-- same source port 25 problem as rule #1 -->
            </source>
            <destination>
                <any/>
                <port>25</port>
            </destination>
            <descr>Block Spam Servers #2</descr>
        </rule>
        <rule>
            <type>reject</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <address>201.26.196.0/24</address>
                <port>25</port>
                <!-- same source port 25 problem as rule #1 -->
            </source>
            <destination>
                <any/>
                <port>25</port>
            </destination>
            <descr>Block Spam Servers #3</descr>
        </rule>
        <rule>
            <type>reject</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <address>200.233.236.0/24</address>
                <port>25</port>
                <!-- same source port 25 problem as rule #1 -->
            </source>
            <destination>
                <any/>
                <port>25</port>
            </destination>
            <descr>Block Spam Servers #4</descr>
        </rule>
        <rule>
            <type>reject</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <address>83.195.197.0/24</address>
                <port>25</port>
                <!-- same source port 25 problem as rule #1 -->
            </source>
            <destination>
                <any/>
                <port>25</port>
            </destination>
            <descr>Block Spam Servers #5</descr>
        </rule>
        <rule>
            <type>reject</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <address>84.220.134.0/24</address>
                <port>25</port>
                <!-- same source port 25 problem as rule #1 -->
            </source>
            <destination>
                <any/>
                <port>25</port>
            </destination>
            <descr>Block Spam Servers #6</descr>
        </rule>
        <rule>
            <type>reject</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <address>83.33.71.0/24</address>
                <port>25</port>
                <!-- same source port 25 problem as rule #1 -->
            </source>
            <destination>
                <any/>
                <port>25</port>
            </destination>
            <descr>Block Spam Servers #7</descr>
        </rule>
        <rule>
            <type>reject</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <address>62.14.200.0/24</address>
                <port>25</port>
                <!-- same source port 25 problem as rule #1 -->
            </source>
            <destination>
                <any/>
                <port>25</port>
            </destination>
            <descr>Block Spam Servers #8</descr>
        </rule>
        <!--
            NOTE(review): this rule and the other NAT rules below carry no
            <type> element. The post calls this the "allow" rule for port
            25, so a missing <type> presumably behaves as pass (the GUI
            default); confirm for the m0n0wall version in use. This is the
            rule that admits the spam connections once the reject rules
            above fail to match.
        -->
        <rule>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.0.3</address>
                <port>25</port>
            </destination>
            <descr>NAT Belldandy Mail Server SMTP</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.0.2</address>
                <port>21</port>
            </destination>
            <descr>NAT Skuld FTP Server</descr>
        </rule>
        <rule>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.0.3</address>
                <port>143</port>
            </destination>
            <descr>NAT Belldandy Mail Server IMAP</descr>
        </rule>
        <rule>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.0.2</address>
                <port>443</port>
            </destination>
            <descr>NAT Skuld Secure Web Server</descr>
        </rule>
        <rule>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.0.3</address>
                <port>110</port>
            </destination>
            <descr>NAT Belldandy Mail Server POP3</descr>
        </rule>
        <rule>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.0.2</address>
                <port>80</port>
            </destination>
            <descr>NAT Skuld Web Server</descr>
        </rule>
        <!--
            Risk note: the three Webmin rules below expose an administrative
            interface to any WAN source. Restricting <source> to known
            management addresses, or reaching Webmin only over the VPN,
            would reduce the exposure. The descr values 10001 and 10002
            differ from the matched port 10000; that is consistent with the
            filter matching the post-NAT internal port, but confirm against
            the NAT entries.
        -->
        <rule>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.0.2</address>
                <port>10000</port>
            </destination>
            <descr>NAT Skuld Webmin 10000</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.0.3</address>
                <port>10000</port>
            </destination>
            <descr>NAT Belldandy Webmin 10001</descr>
        </rule>
        <rule>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.0.4</address>
                <port>10000</port>
            </destination>
            <descr>NAT Urd Webmin 10002</descr>
        </rule>
        <!--
            Risk note: a database port (3306) reachable from any WAN source
            is rarely intended; limit <source> to the specific clients that
            need it or drop the rule if the access is only needed from the
            LAN or VPN.
        -->
        <rule>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.0.2</address>
                <port>3306</port>
            </destination>
            <descr>NAT MySQL</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>wan</interface>
            <protocol>tcp/udp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.0.150</address>
                <port>5120-5300</port>
            </destination>
            <descr>NWN Server OOA</descr>
        </rule>
        <rule>
            <type>pass</type>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.0.150</address>
                <port>21</port>
            </destination>
            <descr>NWN Server FTP</descr>
        </rule>
        <!--
            Risk note: VNC (5800-5900) open to any WAN source is a remote
            desktop exposed to the Internet; the same source restriction or
            VPN-only access applies here.
        -->
        <rule>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.0.64</address>
                <port>5800-5900</port>
            </destination>
            <descr>NAT TightVNC to Merlin</descr>
        </rule>
        <rule>
            <interface>wan</interface>
            <protocol>tcp</protocol>
            <source>
                <any/>
            </source>
            <destination>
                <address>192.168.0.64</address>
                <port>6881</port>
            </destination>
            <descr>NAT Bit Torrent Inbound</descr>
        </rule>
        <!-- VPN clients get unrestricted (logged) access to any destination -->
        <rule>
            <type>pass</type>
            <interface>pptp</interface>
            <source>
                <network>pptp</network>
            </source>
            <destination>
                <any/>
            </destination>
            <log/>
            <descr>VPN</descr>
        </rule>
        <!-- LAN hosts may reach any destination -->
        <rule>
            <type>pass</type>
            <interface>lan</interface>
            <source>
                <network>lan</network>
            </source>
            <destination>
                <any/>
            </destination>
            <descr>Default LAN -&gt; any</descr>
        </rule>
        <!-- empty element: TCP idle timeout left at the default -->
        <tcpidletimeout/>
    </filter>