Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 2 subscribers
  • Views 1777 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to block a subnet from accessing the transparent SMTP proxy?

JonEtkins
I'm trying to block a particular subnet which is originating a bunch of what I consider SPAM.  (I'm puzzled why they don't appear in the RBL's I use, but that's a discussion for another day.)

Since Astaro's Mail Security doesn't appear to provide any way to blacklist based on originating IP address, I am attempting to block them at the packet filter, but my attempts have been unsuccessful.

I have created a network definition definition:

Name: nationwideassociatesinc.com
Type: Network
Interface: >
IPv4 Address: 64.18.137.192
Netmask: /27(255.255.255.224)

and added that to my "Known Offenders" Network Group.

My firewall rule #1 is

Source: Known offenders
Service: Any
Destination: Any
Action: Drop and log

and #2 is 

Source: Known offenders
Service: Any
Destination: WAN(Address)
Action: Drop and log

yet these a-holes continue to get through.

I'm running the SMTP proxy in transparent mode, and I guess the problem is somehow related to the sequence of events within ASG.  Any ideas or suggestions how to block this traffic?


This thread was automatically locked due to age.
  • 0
    A basic concept for traffic arriving at an interface is: DNATs are considered first, then Proxies, and, finally, Packet Filter rules and Routes.  So, the trick is to use a DNAT instead of a PF rule, and just send the packets to a non-existant address.

    Did that work?

    Cheers - Bob
    PS  I usually recommend that the SMTP Proxy NOT be run in transparent mode, but, if this a home-use machine, then there's probably no security risk.
  • 0
    Brilliant, thanks Bob.  But now you've piqued my interest - why the recommendation against transparent mode?
  • 0
    Normally, the only thing that initiates an outbound email is a mail server, and those should be listed in 'Allowed hosts/networks' on the 'Relaying' tab.  If you're dealing with a home network, then that's likely not the case.

    If you have 'Transparent mode' selected, then any PC on your network that gets a Trojan can become a spambot, and your IP will be blacklisted faster than you can imagine.  The same thing can happen if you put your Internal network into 'Allowed hosts/networks'.

    Cheers - Bob