I need to create a firewall rule to allow SMTP in on port 25 only from these IPs and to block everything else

216.104.20.0/24
150.70.149.32/27
150.70.224.0/20
150.70.160.0/20
150.70.176.0/20

So under the default data filter I created five different rules all allowing port 25 in from these IP addresses, however I think it's my block
rule which is incorrect:

It reads:

Block Immediatley
Branch to Other Filter Set None
Direction In
Protocol TCP

Source Any
Subnet Mask 255.255.255.255(/32)
Operator !=
Start Port 25
End Port 25

Destination 192.168.0.100 (Server IP Address)
Subnet Mask 255.255.255.0 (/24)
Operator =
Start Port
End Port
Keep State
Fragments Don't Care

It seems my block rule blocks everything, another thing whilst I am on the matter, if I am blocking port 25 where should I be placing the start port and end port? Within the Source or the Destination?

Hope someone clever can help!

Cheers
Gary

Here is how I approach this scenario:

Under NAT in either Port Redirection or Open Ports the port 25 traffic is forwarded to 192.168.0.100

Under IP Object, I set and Index for each of the email providers.

Friendly Name
WAN
IP Range

Under IP Group, I great an Index called "Incoming SMTP" Interface Any (handy for VPN intercompany mail) and add in the trusted indexees.

Under Service Type Object, I create and Index called SMTP

Name SMTP
Protocol TCP
Source Port = 1 - 65535
Destination Port = 25 - 25

Firewall >> Filter Setup

Index 2 "Default Data Filter"

Extend this as follows:

Index 2

Comments: Block SMTP

Direction: WAN > LAN
Source IP: Any
Destination IP: Any
Service Type: SMTP
Fragments Don't Care

Application
Filter: Block If No Further Match

Index 3

Comments: Trusted SMTP

Direction: WAN > LAN
Source IP: Incoming SMTP (choose the IP Group created earlier)
Destination IP: Any
Service Type: SMTP
Fragments Don't Care

Application
Filter: Pass Immediately

I think that's it. Seems long winded to start with, but it does make on-going changes much easier to handle in the future imo.

Regards, Neal

Hi Neal

Many thanks for your reply, unfortunatley the Draytek router I am using is very old, it is a Vigor 2600 plus series annex A using firmware version 2.5.6_UK so many of the options you advise are unavailable.

I already have port redirection enabled for port 25 but I don't have the option of "IP Object" so i'm a little stuck

Gary

On that old one it's easy and the UK guides are still relevant

http://draytek.co.uk/support/kb_vigor_filtering.html

You'd need two rules to start with, give one these settings:

Comment: Block SMTP
Pass or Block: Block if no further match
Direction: IN
Protocol: TCP
Source: Any - Operator "=" - Start port & End Port left blank
Destination: your local SMTP server or Any - Operator "=" - Start port & End port 25

In the next rules you can set up which sites to allow:
Comment: Allow SMTP #1
Pass or Block: Pass Immediately
Direction: IN
Protocol: TCP
Source: 216.104.20.0/24 - Operator "=" - Start port & End Port left blank
Destination: your local SMTP server or Any - Operator "=" - Start port & End port 25

You'd need six rules in total which is why the later router's objectiness is good but it'll work

Looks like you were close but you need to leave the source port blank and specify the destination port because source port will almost always be a pseudoport