OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • How to apply rules to NAT Port Forward
« previous next »
  • Print
Pages: [1]

Author Topic: How to apply rules to NAT Port Forward  (Read 2229 times)

gdur

  • Full Member
  • ***
  • Posts: 124
  • Karma: 2
    • View Profile
How to apply rules to NAT Port Forward
« on: October 14, 2020, 11:04:15 am »
It appears that NAT Port Forward (WAN to LAN) is executed before any rule, as a rule on WAN to block unwanted traffic to this forward has no effect and therefor need to use the local firewall of the receiving machine to block this traffic which I find not an elegant way to do, I'd rather stop this traffic at WAN level. There are 3 options which may cater this but the documentation doesn't provide a clear enough (at least to me) explanation. The 3 options I'm looking at are;
Set local tag:   Set a tag that other NAT rules and filters can check for.
Match local tag: Check for a tag set by another rule.
and
Filter rule association: Associate this with a regular firewall rule.
Where the last one only provides 2 options; None or Pass(???).
What I want to achieve:
I'm making use of an external antispam mail service. This service forwards checked e-mail to my firewall WAN on a specific port and reaches the internal mail server on the SMTP port. Having all the possible source IP addresses I'd like to filter on these to allow access while rejecting all others.
How can this be done?
Thanks for all possible help!!!
Logged

Gauss23

  • Hero Member
  • *****
  • Posts: 766
  • Karma: 39
    • View Profile
    • BackendMedia
Re: How to apply rules to NAT Port Forward
« Reply #1 on: October 14, 2020, 12:38:39 pm »
Why don´t you just set the source to the list of known IPs in your port forward rule?

You can create an alias for that list of IPs
Logged
„The S in IoT stands for Security!“ :)

gdur

  • Full Member
  • ***
  • Posts: 124
  • Karma: 2
    • View Profile
[SOLVED] Re: How to apply rules to NAT Port Forward
« Reply #2 on: October 14, 2020, 03:05:25 pm »
Aha, missed this one. Works like charm. Is the associated rule somewhere visible? The log live view uses the label WAN: default block IPv4 (last block all rule in WAN) and rule 101 in my case and it appears that unwanted visitors trying to access the specific Port Forward rule are blocked because of this last block rule. Here I'm loosing track on what is happening behind the scenes as there are other circumstances using the same rule to block other unwanted traffic. What mechanics are behind this?

I would suggest to display a little more (and not misleading) information along this option as default it shows an advanced button along with the text "Show source address and port range". The word "Show" is misleading in this case, better leave it out. "Source addres(ses) and/or port range, may use Aliases" should be a better fit. Also the button "Advanced" is something one rather stays away from to start with, so better remove this button what makes it more in line with the rules page, I think this would be more consistent.

Anyway, thanks a lot for your help, much appreciated!!!
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • How to apply rules to NAT Port Forward
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2