Topic: Deny outbound smtp except from server
« on: July 25, 2013, 03:26:02 »
BlueSky *
Posts: 11

I have a couple workstations that keep spamming and getting us on blacklist.

How do I configure a rule to deny any outbound smtp except from my server?
« Reply #1 on: July 25, 2013, 03:39:52 »
Fred Grayson *****
Posts: 994

Are the workstations and mail server on the same network?

--
Google is your friend and Bob's your uncle.
« Reply #2 on: July 25, 2013, 03:48:31 »
BlueSky *
Posts: 11

Yes they are. Small network.
« Reply #3 on: July 25, 2013, 04:56:39 »
Fred Grayson *****
Posts: 994

You should be able to do this with a single firewall rule. I'll assume the workstations and mail server are on the LAN interface.

Action: Block
Interface: LAN
Protocol: TCP
Source: Check the "not" box, Type: Single host or alias, Address: IP address of mail server
Destination: Any
Destination Port: from: SMTP
Description: Block all outbound SMTP Except from Mail Server

This rule must be placed above the Default LAN to any rule.

--
Google is your friend and Bob's your uncle.
« Reply #4 on: July 25, 2013, 15:08:07 »
BlueSky *
Posts: 11

OK...
I must have done something wrong.... it's blocking all smtp port 25 now.
« Reply #5 on: July 25, 2013, 16:45:03 »
Fred Grayson *****
Posts: 994

Is the "not" box checked?
For Source, is Single host or alias set?
Do you have the correct IP address of the mail server in place for the Source address?

Did you apply changes?

Post a screen capture of the LAN Firewall Rules if you can.

--
Google is your friend and Bob's your uncle.
« Reply #6 on: July 25, 2013, 21:52:57 »
BlueSky *
Posts: 11

OK... here's a couple screen shots.

* rule.pdf (101.52 KB - downloaded 86 times.)
* rulle detail.pdf (84.21 KB - downloaded 82 times.)
« Reply #7 on: July 25, 2013, 23:45:56 »
Fred Grayson *****
Posts: 994

One thing that catches my eye is that in the rule you have Source 192.168.1.3/31

That is likely in error. Try 192.168.1.3/24

--
Google is your friend and Bob's your uncle.
« Reply #8 on: July 26, 2013, 04:10:20 »
Lee Sharp *****
Posts: 517

No, that /31 is correct for a single host, not a network...

And that should work. But let's try simple. Put in a rule to allow 192.168.1.3 out on 25. Then put in a block all on port 25, right under it. Your mail server will hit the pass rule and go out, but the rest won't. Also, block 587, 465, 475, and 2525 which are secure and legacy smtp ports. http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#Ports
« Reply #9 on: July 26, 2013, 09:55:05 »
BlueSky *
Posts: 11

Fred - editing /31 to /24 defaults back to /31.  So I assume Lee is correct in that.

Lee - thanks, will try and report results
« Reply #10 on: July 26, 2013, 14:54:05 »
BlueSky *
Posts: 11

OK... Lee's suggestion worked.

Thanks for the help.
« Reply #11 on: July 26, 2013, 21:21:17 »
Fred Grayson *****
Posts: 994

Looks like a bug to me.

In v 1.8.1 selecting Single host or alias does not allow input of a subnet mask.

No idea what version the OP is running.

--
Google is your friend and Bob's your uncle.
« Reply #12 on: July 27, 2013, 06:41:08 »
Lee Sharp *****
Posts: 517

A proper subnet mask for single host is /31... A /32 is nothing... A /30 is 2 addresses, and neither are usable.

Handy tool here...
http://www.subnet-calculator.com/

« Reply #13 on: July 27, 2013, 16:13:26 »
Fred Grayson *****
Posts: 994

Well, I know how to calculate netmasks and a /30 is four addresses, two of which are usable.

And as you said, the /31 rule he started with should have worked but didn't.

--
Google is your friend and Bob's your uncle.
« Reply #14 on: July 27, 2013, 17:24:57 »
Lennart Grahl ***
Posts: 153

The problem is that you're still blocking port 25 for the host 192.168.1.3. Everything that isn't explicitly allowed to pass will be blocked by default. Because of this you don't have to add a blocking rule. Instead add a rule that allows traffic from host 192.168.1.3 via port 25 to WAN.

By the way: I'm pretty sure that the dropdown list for the subnet mask is not disabled because BlueSky has JavaScript disabled. The script behind this form will just ignore the subnet mask (because you want to match a single host, the subnet does not matter).
« Last Edit: July 27, 2013, 17:28:41 by Lennart Grahl »
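The three rule layouts discussed in this thread (Fred's single "not source" block rule, Lee's pass-then-block pair, and Lennart's pass-only rule over an implicit deny) all depend on first-match evaluation and on what the source selector really matches. The following Python model is an added example, not code from this thread or from m0n0wall; it assumes first-match semantics with a configurable default policy, uses the mail server address 192.168.1.3 from the thread, and constructs a workstation address (192.168.1.50) and a port set (25, 465, 587, 2525) for the sample packets. It also computes how many addresses a /30, /31 and /32 cover, which shows that a /31 source on 192.168.1.3 matches 192.168.1.2 as well.

```python
"""Model first-match firewall rule evaluation for the rule sets discussed in the thread.
Added example; the rule-list semantics are a simplified model, not m0n0wall's own code."""
import ipaddress
from dataclasses import dataclass

# Constructed port set: 25 plus the submission/alternate SMTP ports (465, 587, 2525).
SMTP_PORTS = frozenset({25, 465, 587, 2525})

MAIL_SERVER = "192.168.1.3"  # the mail server address given in the thread


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src: str                         # CIDR such as "192.168.1.3/32", or "any"
    negate_src: bool = False         # the "not" checkbox on the Source field
    dports: frozenset = frozenset()  # destination ports; empty set means any port
    description: str = ""


def src_matches(rule: Rule, src_ip: str) -> bool:
    """Apply the rule's source selector, honouring the 'not' checkbox."""
    if rule.src == "any":
        hit = True
    else:
        # strict=False lets a host address carry a mask, e.g. 192.168.1.3/31
        net = ipaddress.ip_network(rule.src, strict=False)
        hit = ipaddress.ip_address(src_ip) in net
    return (not hit) if rule.negate_src else hit


def evaluate(rules, src_ip: str, dport: int, default: str = "pass"):
    """First matching rule wins (assumed model of the LAN rule list);
    fall through to the interface's default policy otherwise."""
    for rule in rules:
        if src_matches(rule, src_ip) and (not rule.dports or dport in rule.dports):
            return rule.action, rule.description
    return default, "default policy"


# 1. Fred's single rule: block port 25 unless the source is the mail server,
#    placed above the 'Default LAN to any' pass rule.
FRED = [
    Rule("block", f"{MAIL_SERVER}/32", negate_src=True, dports=frozenset({25}),
         description="Block all outbound SMTP except from Mail Server"),
    Rule("pass", "any", description="Default LAN to any"),
]

# 2. Lee's pair: explicit pass for the mail server, then a block for everyone else,
#    covering the alternate ports as well, both above the default pass rule.
LEE = [
    Rule("pass", f"{MAIL_SERVER}/32", dports=SMTP_PORTS, description="Allow mail server SMTP"),
    Rule("block", "any", dports=SMTP_PORTS, description="Block all other SMTP"),
    Rule("pass", "any", description="Default LAN to any"),
]

# 3. Lennart's approach: only a pass rule; everything else relies on the implicit deny,
#    modelled here by calling evaluate(..., default="block").
LENNART = [
    Rule("pass", f"{MAIL_SERVER}/32", dports=frozenset({25}), description="Allow mail server SMTP"),
]


def mask_addresses(cidr: str) -> int:
    """Number of addresses covered by a prefix: /30 -> 4, /31 -> 2, /32 -> 1."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def addresses_matched_by(cidr: str):
    """Which hosts a source selector with this mask actually matches."""
    return [str(a) for a in ipaddress.ip_network(cidr, strict=False)]


if __name__ == "__main__":
    samples = ((MAIL_SERVER, 25), ("192.168.1.50", 25), ("192.168.1.50", 587), ("192.168.1.50", 443))
    for name, rules, default in (("Fred", FRED, "pass"), ("Lee", LEE, "pass"), ("Lennart", LENNART, "block")):
        for src, port in samples:
            action, why = evaluate(rules, src, port, default)
            print(f"{name:8} {src}:{port:<4} -> {action:5} ({why})")
    print("/31 on the mail server address matches:", addresses_matched_by(f"{MAIL_SERVER}/31"))
```

Running the block shows that Fred's rule passes only port 25 from the mail server but leaves 587 and the other ports open for the workstations, that Lee's pair closes those too, and that Lennart's pass-only list blocks every other port from the workstations until further pass rules are added. The /31 check is the point to verify in a real rule: with strict=False the selector 192.168.1.3/31 covers both 192.168.1.2 and 192.168.1.3, so a neighbouring host would inherit the exception; /32 is the mask that matches exactly one address.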